WIP more asn1
This commit is contained in:
parent
afec646eb1
commit
4031cb791b
|
|
@ -10,21 +10,35 @@ function ASN1() {
|
|||
var args = Array.prototype.slice.call(arguments);
|
||||
var typ = args.shift();
|
||||
var str = args.join('').replace(/\s+/g, '');
|
||||
console.log('typ:', typ, 'str:', str);
|
||||
var len = (str.length/2);
|
||||
var len2 = len;
|
||||
var lenlen = 1;
|
||||
var lenlen = 0;
|
||||
var hex = typ;
|
||||
var hlen = '';
|
||||
// high-order bit means multiple bytes
|
||||
if (len2 !== Math.round(len2)) {
|
||||
throw new Error("invalid hex");
|
||||
}
|
||||
console.log(len);
|
||||
if (0x80 & len) {
|
||||
while (len2 > 127) { lenlen += 1; len2 = len2 >> 8; }
|
||||
hex += numToHex(0x80 + lenlen);
|
||||
if (len2 > 127) {
|
||||
lenlen += 1;
|
||||
while (len2 > 255) {
|
||||
lenlen += 1;
|
||||
len2 = len2 >> 8;
|
||||
//console.warn("LEN2", len2);
|
||||
}
|
||||
}
|
||||
return hex + numToHex(len) + str;
|
||||
if (lenlen) {
|
||||
hlen = numToHex(0x80 + lenlen);
|
||||
}
|
||||
/*
|
||||
console.warn(
|
||||
'typ:', typ
|
||||
, 'lenlen:', hlen
|
||||
, 'len:', len, numToHex(len)
|
||||
);
|
||||
console.warn('str:', str);
|
||||
*/
|
||||
return hex + hlen + numToHex(len) + str;
|
||||
}
|
||||
ASN1.UInt = function UINT() {
|
||||
var str = Array.prototype.slice.call(arguments).join('');
|
||||
|
|
@ -49,9 +63,7 @@ function SET() {
|
|||
return ASN1('31', Array.prototype.slice.call(arguments).join(''));
|
||||
}
|
||||
*/
|
||||
function OBJID() {
|
||||
return ASN1('06', Array.prototype.slice.call(arguments).join(''));
|
||||
}
|
||||
|
||||
/*
|
||||
function NULL() {
|
||||
return '0500';
|
||||
|
|
@ -191,30 +203,22 @@ function toBase64(der) {
|
|||
return btoa(chs.join(''));
|
||||
}
|
||||
|
||||
// these are static ASN.1 segments
|
||||
// The head specifies that there will be 3 segments and a content length
|
||||
// (those segments will be content, signature header, and signature)
|
||||
var csrHead = '30 82 {0seq0len}'.replace(/\s+/g, '');
|
||||
// The tail specifies the ES256 signature header (and is followed by the signature
|
||||
|
||||
function csrEcSig(r, s) {
|
||||
return [
|
||||
SEQ(
|
||||
ASN1('30'
|
||||
// 1.2.840.10045.4.3.2 ecdsaWithSHA256
|
||||
// (ANSI X9.62 ECDSA algorithm with SHA256)
|
||||
OBJID('2A 86 48 CE 3D 04 03 02')
|
||||
, ASN1('06', '2A 86 48 CE 3D 04 03 02')
|
||||
)
|
||||
, ASN1.BitStr(
|
||||
SEQ(
|
||||
ASN1.UInt(toHex(r))
|
||||
ASN1('30'
|
||||
, ASN1.UInt(toHex(r))
|
||||
, ASN1.UInt(toHex(s))
|
||||
)
|
||||
)
|
||||
].join('');
|
||||
}
|
||||
var csrDomains = '82 {dlen} {domain.tld}'; // 2+n bytes (type 82?)
|
||||
|
||||
// TODO utf8
|
||||
function strToHex(str) {
|
||||
var escstr = encodeURIComponent(str);
|
||||
// replaces any uri escape sequence, such as %0A,
|
||||
|
|
@ -307,8 +311,7 @@ function createCsrBodyEc(domains, xy) {
|
|||
, ASN1('30', domains.map(function (d) {
|
||||
return ASN1('82', strToHex(d));
|
||||
}).join(''))))))));
|
||||
var body = [ '30 81 {+85+n}' // 4 bytes, sequence
|
||||
.replace(/{[^}]+}/, numToHex(3 + 13 + sublen + 27 + publen + 30 + sanlen))
|
||||
var body = ASN1('30'
|
||||
|
||||
// #0 Total 3
|
||||
, version
|
||||
|
|
@ -324,9 +327,9 @@ function createCsrBodyEc(domains, xy) {
|
|||
// Altnames
|
||||
// #3 Total 2+28+n
|
||||
, altnames
|
||||
];
|
||||
body = body.join('').replace(/\s+/g, '');
|
||||
return fromHex(body);
|
||||
);
|
||||
|
||||
return body;
|
||||
}
|
||||
|
||||
// https://gist.github.com/codermapuche/da4f96cdb6d5ff53b7ebc156ec46a10a
|
||||
|
|
@ -369,7 +372,7 @@ function createEcCsr(domains, keypem, ecpub) {
|
|||
// TODO get pub from priv
|
||||
|
||||
var csrBody = createCsrBodyEc(domains, ecpub);
|
||||
var sig = signEc(keypem, csrBody);
|
||||
var sig = signEc(keypem, fromHex(csrBody));
|
||||
var rLen = sig.r.byteLength;
|
||||
var rc = '';
|
||||
var sLen = sig.s.byteLength;
|
||||
|
|
@ -379,19 +382,7 @@ function createEcCsr(domains, keypem, ecpub) {
|
|||
if (0x80 & new Uint8Array(sig.s)[0]) { sc = '00'; sLen += 1; }
|
||||
|
||||
var csrSig = csrEcSig(sig.r, sig.s);
|
||||
/*
|
||||
.replace(/{len}/, numToHex(1 + 2 + 2 + 2 + rLen + sLen))
|
||||
.replace(/{rslen}/, numToHex(2 + 2 + rLen + sLen))
|
||||
.replace(/{rlen}/, numToHex(rLen))
|
||||
.replace(/{r}/, rc + toHex(sig.r))
|
||||
.replace(/{slen}/, numToHex(sLen))
|
||||
.replace(/{s}/, sc + toHex(sig.s))
|
||||
;
|
||||
*/
|
||||
|
||||
// Note: If we supported P-521 a number of the lengths would change
|
||||
// by one byte and that would be... annoying to update
|
||||
var len = csrBody.byteLength + (csrSig.length/2);
|
||||
/*
|
||||
console.log('sig:', sig.raw.byteLength, toHex(sig.raw));
|
||||
console.log('r:', sig.r.byteLength, toHex(sig.r));
|
||||
|
|
@ -399,23 +390,7 @@ function createEcCsr(domains, keypem, ecpub) {
|
|||
console.log('csr sig:', csrSig.length / 2, csrSig);
|
||||
console.log('csrBodyLen + csrSigLen', numToHex(len));
|
||||
*/
|
||||
var head = csrHead.replace(/{[^}]+}/, numToHex(len));
|
||||
var ab = new Uint8Array(new ArrayBuffer((head.length/2) + len));
|
||||
var i = 0;
|
||||
fromHex(head).forEach(function (b) {
|
||||
ab[i] = b;
|
||||
i += 1;
|
||||
});
|
||||
csrBody.forEach(function (b) {
|
||||
ab[i] = b;
|
||||
i += 1;
|
||||
});
|
||||
fromHex(csrSig).forEach(function (b) {
|
||||
ab[i] = b;
|
||||
i += 1;
|
||||
});
|
||||
|
||||
return ab;
|
||||
return fromHex(ASN1('30', csrBody, csrSig));
|
||||
}
|
||||
|
||||
function createEcCsrPem(domains, keypem) {
|
||||
|
|
|
|||
|
|
@ -0,0 +1,26 @@
|
|||
#!/bin/bash
|
||||
|
||||
# creating privkey
|
||||
openssl ecparam -genkey -name prime256v1 -noout -out ./privkey-ec-p256.pem
|
||||
|
||||
|
||||
# canonical example
|
||||
rm csr.pem
|
||||
node bin/ecdsacsr.js ./privkey-ec-p256.pem example.com,www.example.com > csr.pem
|
||||
cat csr.pem
|
||||
openssl req -text -noout -verify -in csr.pem
|
||||
sleep 2
|
||||
|
||||
|
||||
# 100 domains (max allowed by Let's Encrypt)
|
||||
rm csr.pem
|
||||
node bin/ecdsacsr.js ./privkey-ec-p256.pem example.com,www.example.com,api.example.com,assets.example.com,ftp.example.com,example.org,www.example.org,api.example.org,assets.example.org,ftp.example.org,example.co,www.example.co,api.example.co,assets.example.co,ftp.example.co,example.net,www.example.net,api.example.net,assets.example.net,ftp.example.net,whatever.com,www.whatever.com,api.whatever.com,assets.whatever.com,ftp.whatever.com,whatever.org,www.whatever.org,api.whatever.org,assets.whatever.org,ftp.whatever.org,whatever.net,www.whatever.net,api.whatever.net,assets.whatever.net,ftp.whatever.net,whatever.co,www.whatever.co,api.whatever.co,assets.whatever.co,ftp.whatever.co,sample.com,www.sample.com,api.sample.com,assets.sample.com,ftp.sample.com,sample.org,www.sample.org,api.sample.org,assets.sample.org,ftp.sample.org,sample.net,www.sample.net,api.sample.net,assets.sample.net,ftp.sample.net,sample.co,www.sample.co,api.sample.co,assets.sample.co,ftp.sample.co,foobar.com,www.foobar.com,api.foobar.com,assets.foobar.com,ftp.foobar.com,foobar.org,www.foobar.org,api.foobar.org,assets.foobar.org,ftp.foobar.org,foobar.net,www.foobar.net,api.foobar.net,assets.foobar.net,ftp.foobar.net,foobar.co,www.foobar.co,api.foobar.co,assets.foobar.co,ftp.foobar.co,quux.com,www.quux.com,api.quux.com,assets.quux.com,ftp.quux.com,quux.org,www.quux.org,api.quux.org,assets.quux.org,ftp.quux.org,quux.net,www.quux.net,api.quux.net,assets.quux.net,ftp.quux.net,quux.co,www.quux.co,api.quux.co,assets.quux.co,ftp.quux.co >csr.pem
|
||||
cat csr.pem
|
||||
openssl req -text -noout -verify -in csr.pem
|
||||
sleep 2
|
||||
|
||||
# single domain
|
||||
rm csr.pem
|
||||
node bin/ecdsacsr.js ./privkey-ec-p256.pem example.com > csr.pem
|
||||
cat csr.pem
|
||||
openssl req -text -noout -verify -in csr.pem
|
||||
Loading…
Reference in New Issue