diff --git a/lib/ecdsacsr.js b/lib/ecdsacsr.js index adb1d42..98b3e7c 100644 --- a/lib/ecdsacsr.js +++ b/lib/ecdsacsr.js @@ -10,21 +10,35 @@ function ASN1() { var args = Array.prototype.slice.call(arguments); var typ = args.shift(); var str = args.join('').replace(/\s+/g, ''); - console.log('typ:', typ, 'str:', str); var len = (str.length/2); var len2 = len; - var lenlen = 1; + var lenlen = 0; var hex = typ; + var hlen = ''; // high-order bit means multiple bytes if (len2 !== Math.round(len2)) { throw new Error("invalid hex"); } - console.log(len); - if (0x80 & len) { - while (len2 > 127) { lenlen += 1; len2 = len2 >> 8; } - hex += numToHex(0x80 + lenlen); + if (len2 > 127) { + lenlen += 1; + while (len2 > 255) { + lenlen += 1; + len2 = len2 >> 8; + //console.warn("LEN2", len2); + } } - return hex + numToHex(len) + str; + if (lenlen) { + hlen = numToHex(0x80 + lenlen); + } + /* + console.warn( + 'typ:', typ + , 'lenlen:', hlen + , 'len:', len, numToHex(len) + ); + console.warn('str:', str); + */ + return hex + hlen + numToHex(len) + str; } ASN1.UInt = function UINT() { var str = Array.prototype.slice.call(arguments).join(''); @@ -49,9 +63,7 @@ function SET() { return ASN1('31', Array.prototype.slice.call(arguments).join('')); } */ -function OBJID() { - return ASN1('06', Array.prototype.slice.call(arguments).join('')); -} + /* function NULL() { return '0500'; @@ -191,30 +203,22 @@ function toBase64(der) { return btoa(chs.join('')); } -// these are static ASN.1 segments -// The head specifies that there will be 3 segments and a content length -// (those segments will be content, signature header, and signature) -var csrHead = '30 82 {0seq0len}'.replace(/\s+/g, ''); -// The tail specifies the ES256 signature header (and is followed by the signature - function csrEcSig(r, s) { return [ - SEQ( + ASN1('30' // 1.2.840.10045.4.3.2 ecdsaWithSHA256 // (ANSI X9.62 ECDSA algorithm with SHA256) - OBJID('2A 86 48 CE 3D 04 03 02') + , ASN1('06', '2A 86 48 CE 3D 04 03 02') ) , ASN1.BitStr( - SEQ( - ASN1.UInt(toHex(r)) + ASN1('30' + , ASN1.UInt(toHex(r)) , ASN1.UInt(toHex(s)) ) ) ].join(''); } -var csrDomains = '82 {dlen} {domain.tld}'; // 2+n bytes (type 82?) -// TODO utf8 function strToHex(str) { var escstr = encodeURIComponent(str); // replaces any uri escape sequence, such as %0A, @@ -307,8 +311,7 @@ function createCsrBodyEc(domains, xy) { , ASN1('30', domains.map(function (d) { return ASN1('82', strToHex(d)); }).join('')))))))); - var body = [ '30 81 {+85+n}' // 4 bytes, sequence - .replace(/{[^}]+}/, numToHex(3 + 13 + sublen + 27 + publen + 30 + sanlen)) + var body = ASN1('30' // #0 Total 3 , version @@ -324,9 +327,9 @@ function createCsrBodyEc(domains, xy) { // Altnames // #3 Total 2+28+n , altnames - ]; - body = body.join('').replace(/\s+/g, ''); - return fromHex(body); + ); + + return body; } // https://gist.github.com/codermapuche/da4f96cdb6d5ff53b7ebc156ec46a10a @@ -369,7 +372,7 @@ function createEcCsr(domains, keypem, ecpub) { // TODO get pub from priv var csrBody = createCsrBodyEc(domains, ecpub); - var sig = signEc(keypem, csrBody); + var sig = signEc(keypem, fromHex(csrBody)); var rLen = sig.r.byteLength; var rc = ''; var sLen = sig.s.byteLength; @@ -379,19 +382,7 @@ function createEcCsr(domains, keypem, ecpub) { if (0x80 & new Uint8Array(sig.s)[0]) { sc = '00'; sLen += 1; } var csrSig = csrEcSig(sig.r, sig.s); - /* - .replace(/{len}/, numToHex(1 + 2 + 2 + 2 + rLen + sLen)) - .replace(/{rslen}/, numToHex(2 + 2 + rLen + sLen)) - .replace(/{rlen}/, numToHex(rLen)) - .replace(/{r}/, rc + toHex(sig.r)) - .replace(/{slen}/, numToHex(sLen)) - .replace(/{s}/, sc + toHex(sig.s)) - ; - */ - // Note: If we supported P-521 a number of the lengths would change - // by one byte and that would be... annoying to update - var len = csrBody.byteLength + (csrSig.length/2); /* console.log('sig:', sig.raw.byteLength, toHex(sig.raw)); console.log('r:', sig.r.byteLength, toHex(sig.r)); @@ -399,23 +390,7 @@ function createEcCsr(domains, keypem, ecpub) { console.log('csr sig:', csrSig.length / 2, csrSig); console.log('csrBodyLen + csrSigLen', numToHex(len)); */ - var head = csrHead.replace(/{[^}]+}/, numToHex(len)); - var ab = new Uint8Array(new ArrayBuffer((head.length/2) + len)); - var i = 0; - fromHex(head).forEach(function (b) { - ab[i] = b; - i += 1; - }); - csrBody.forEach(function (b) { - ab[i] = b; - i += 1; - }); - fromHex(csrSig).forEach(function (b) { - ab[i] = b; - i += 1; - }); - - return ab; + return fromHex(ASN1('30', csrBody, csrSig)); } function createEcCsrPem(domains, keypem) { diff --git a/test.sh b/test.sh new file mode 100644 index 0000000..22ad594 --- /dev/null +++ b/test.sh @@ -0,0 +1,26 @@ +#!/bin/bash + +# creating privkey +openssl ecparam -genkey -name prime256v1 -noout -out ./privkey-ec-p256.pem + + +# canonical example +rm csr.pem +node bin/ecdsacsr.js ./privkey-ec-p256.pem example.com,www.example.com > csr.pem +cat csr.pem +openssl req -text -noout -verify -in csr.pem +sleep 2 + + +# 100 domains (max allowed by Let's Encrypt) +rm csr.pem +node bin/ecdsacsr.js ./privkey-ec-p256.pem example.com,www.example.com,api.example.com,assets.example.com,ftp.example.com,example.org,www.example.org,api.example.org,assets.example.org,ftp.example.org,example.co,www.example.co,api.example.co,assets.example.co,ftp.example.co,example.net,www.example.net,api.example.net,assets.example.net,ftp.example.net,whatever.com,www.whatever.com,api.whatever.com,assets.whatever.com,ftp.whatever.com,whatever.org,www.whatever.org,api.whatever.org,assets.whatever.org,ftp.whatever.org,whatever.net,www.whatever.net,api.whatever.net,assets.whatever.net,ftp.whatever.net,whatever.co,www.whatever.co,api.whatever.co,assets.whatever.co,ftp.whatever.co,sample.com,www.sample.com,api.sample.com,assets.sample.com,ftp.sample.com,sample.org,www.sample.org,api.sample.org,assets.sample.org,ftp.sample.org,sample.net,www.sample.net,api.sample.net,assets.sample.net,ftp.sample.net,sample.co,www.sample.co,api.sample.co,assets.sample.co,ftp.sample.co,foobar.com,www.foobar.com,api.foobar.com,assets.foobar.com,ftp.foobar.com,foobar.org,www.foobar.org,api.foobar.org,assets.foobar.org,ftp.foobar.org,foobar.net,www.foobar.net,api.foobar.net,assets.foobar.net,ftp.foobar.net,foobar.co,www.foobar.co,api.foobar.co,assets.foobar.co,ftp.foobar.co,quux.com,www.quux.com,api.quux.com,assets.quux.com,ftp.quux.com,quux.org,www.quux.org,api.quux.org,assets.quux.org,ftp.quux.org,quux.net,www.quux.net,api.quux.net,assets.quux.net,ftp.quux.net,quux.co,www.quux.co,api.quux.co,assets.quux.co,ftp.quux.co >csr.pem +cat csr.pem +openssl req -text -noout -verify -in csr.pem +sleep 2 + +# single domain +rm csr.pem +node bin/ecdsacsr.js ./privkey-ec-p256.pem example.com > csr.pem +cat csr.pem +openssl req -text -noout -verify -in csr.pem