'use strict'; var crypto = require('crypto'); var ASN1 = require('./asn1.js'); var Enc = require('./encoding.js'); var PEM = require('./pem.js'); var X509 = require('./x509.js'); var RSA = {}; /*global Promise*/ var CSR = module.exports = function rsacsr(opts) { // We're using a Promise here to be compatible with the browser version // which will probably use the webcrypto API for some of the conversions opts = CSR._prepare(opts); return CSR.create(opts).then(function (bytes) { return CSR._encode(opts, bytes); }); }; CSR._prepare = function (opts) { var Rasha; opts = JSON.parse(JSON.stringify(opts)); var pem, jwk; // We do a bit of extra error checking for user convenience if (!opts) { throw new Error("You must pass options with key and domains to rsacsr"); } if (!Array.isArray(opts.domains) || 0 === opts.domains.length) { new Error("You must pass options.domains as a non-empty array"); } // I need to check that 例.中国 is a valid domain name if (!opts.domains.every(function (d) { // allow punycode? xn-- if ('string' === typeof d /*&& /\./.test(d) && !/--/.test(d)*/) { return true; } })) { throw new Error("You must pass options.domains as strings"); } if (opts.pem) { pem = opts.pem; } else if (opts.jwk) { jwk = opts.jwk; } else { if (!opts.key) { throw new Error("You must pass options.key as a JSON web key"); } else if (opts.key.kty) { jwk = opts.key; } else { pem = opts.key; } } if (pem) { try { Rasha = require('rasha'); } catch(e) { throw new Error("Rasha.js is an optional dependency for PEM-to-JWK.\n" + "Install it if you'd like to use it:\n" + "\tnpm install --save rasha\n" + "Otherwise supply a jwk as the private key." ); } jwk = Rasha.importSync({ pem: pem }); } opts.jwk = jwk; return opts; }; CSR.sync = function (opts) { opts = CSR._prepare(opts); var bytes = CSR.createSync(opts); return CSR._encode(opts, bytes); }; CSR._encode = function (opts, bytes) { if ('der' === (opts.encoding||'').toLowerCase()) { return bytes; } return PEM.packBlock({ type: "CERTIFICATE REQUEST" , bytes: bytes /* { jwk: jwk, domains: opts.domains } */ }); }; CSR.createSync = function createCsr(opts) { var hex = CSR.request(opts.jwk, opts.domains); var csr = CSR.signSync(opts.jwk, hex); return Enc.hexToBuf(csr); }; CSR.create = function createCsr(opts) { var hex = CSR.request(opts.jwk, opts.domains); return CSR.sign(opts.jwk, hex).then(function (csr) { return Enc.hexToBuf(csr); }); }; CSR.request = function createCsrBodyEc(jwk, domains) { var asn1pub = X509.packCsrPublicKey(jwk); return X509.packCsr(asn1pub, domains); }; CSR.signSync = function csrEcSig(jwk, request) { var keypem = PEM.packBlock({ type: "RSA PRIVATE KEY", bytes: X509.packPkcs1(jwk) }); var sig = RSA.signSync(keypem, Enc.hexToBuf(request)); return CSR.toDer({ request: request, signature: sig }); }; CSR.sign = function csrEcSig(jwk, request) { var keypem = PEM.packBlock({ type: "RSA PRIVATE KEY", bytes: X509.packPkcs1(jwk) }); return RSA.sign(keypem, Enc.hexToBuf(request)).then(function (sig) { return CSR.toDer({ request: request, signature: sig }); }); }; CSR.toDer = function encode(opts) { var sty = ASN1('30' // 1.2.840.113549.1.1.11 sha256WithRSAEncryption (PKCS #1) , ASN1('06', '2a864886f70d01010b') , ASN1('05') ); return ASN1('30' // The Full CSR Request Body , opts.request // The Signature Type , sty // The Signature , ASN1.BitStr(Enc.bufToHex(opts.signature)) ); }; // // RSA // // Took some tips from https://gist.github.com/codermapuche/da4f96cdb6d5ff53b7ebc156ec46a10a RSA.signSync = function signRsaSync(keypem, ab) { // Signer is a stream var sign = crypto.createSign('SHA256'); sign.write(new Uint8Array(ab)); sign.end(); // The signature is ASN1 encoded, as it turns out var sig = sign.sign(keypem); // Convert to a JavaScript ArrayBuffer just because return new Uint8Array(sig.buffer.slice(sig.byteOffset, sig.byteOffset + sig.byteLength)); }; RSA.sign = function signRsa(keypem, ab) { return Promise.resolve().then(function () { return RSA.signSync(keypem, ab); }); }; X509.packCsrRsa = function (asn1pubkey, domains) { return ASN1('30' // Version (0) , ASN1.UInt('00') // 2.5.4.3 commonName (X.520 DN component) , ASN1('30', ASN1('31', ASN1('30', ASN1('06', '550403'), ASN1('0c', Enc.utf8ToHex(domains[0]))))) // Public Key (RSA or EC) , asn1pubkey // Request Body , ASN1('a0' , ASN1('30' // 1.2.840.113549.1.9.14 extensionRequest (PKCS #9 via CRMF) , ASN1('06', '2a864886f70d01090e') , ASN1('31' , ASN1('30' , ASN1('30' // 2.5.29.17 subjectAltName (X.509 extension) , ASN1('06', '551d11') , ASN1('04' , ASN1('30', domains.map(function (d) { return ASN1('82', Enc.utf8ToHex(d)); }).join('')))))))) ); }; X509.packPkcs1 = function (jwk) { var n = ASN1.UInt(Enc.base64ToHex(jwk.n)); var e = ASN1.UInt(Enc.base64ToHex(jwk.e)); if (!jwk.d) { return Enc.hexToBuf(ASN1('30', n, e)); } return Enc.hexToBuf(ASN1('30' , ASN1.UInt('00') , n , e , ASN1.UInt(Enc.base64ToHex(jwk.d)) , ASN1.UInt(Enc.base64ToHex(jwk.p)) , ASN1.UInt(Enc.base64ToHex(jwk.q)) , ASN1.UInt(Enc.base64ToHex(jwk.dp)) , ASN1.UInt(Enc.base64ToHex(jwk.dq)) , ASN1.UInt(Enc.base64ToHex(jwk.qi)) )); }; X509.packCsrRsaPublicKey = function (jwk) { // Sequence the key var n = ASN1.UInt(Enc.base64ToHex(jwk.n)); var e = ASN1.UInt(Enc.base64ToHex(jwk.e)); var asn1pub = ASN1('30', n, e); //var asn1pub = X509.packPkcs1({ kty: jwk.kty, n: jwk.n, e: jwk.e }); // Add the CSR pub key header return ASN1('30', ASN1('30', ASN1('06', '2a864886f70d010101'), ASN1('05')), ASN1.BitStr(asn1pub)); };