|
|
- // Copyright 2017 Joyent, Inc.
-
- module.exports = {
- read: read,
- verify: verify,
- sign: sign,
- signAsync: signAsync,
- write: write
- };
-
- var assert = require('assert-plus');
- var asn1 = require('asn1');
- var Buffer = require('safer-buffer').Buffer;
- var algs = require('../algs');
- var utils = require('../utils');
- var Key = require('../key');
- var PrivateKey = require('../private-key');
- var pem = require('./pem');
- var Identity = require('../identity');
- var Signature = require('../signature');
- var Certificate = require('../certificate');
- var pkcs8 = require('./pkcs8');
-
- /*
- * This file is based on RFC5280 (X.509).
- */
-
- /* Helper to read in a single mpint */
- function readMPInt(der, nm) {
- assert.strictEqual(der.peek(), asn1.Ber.Integer,
- nm + ' is not an Integer');
- return (utils.mpNormalize(der.readString(asn1.Ber.Integer, true)));
- }
-
- function verify(cert, key) {
- var sig = cert.signatures.x509;
- assert.object(sig, 'x509 signature');
-
- var algParts = sig.algo.split('-');
- if (algParts[0] !== key.type)
- return (false);
-
- var blob = sig.cache;
- if (blob === undefined) {
- var der = new asn1.BerWriter();
- writeTBSCert(cert, der);
- blob = der.buffer;
- }
-
- var verifier = key.createVerify(algParts[1]);
- verifier.write(blob);
- return (verifier.verify(sig.signature));
- }
-
- function Local(i) {
- return (asn1.Ber.Context | asn1.Ber.Constructor | i);
- }
-
- function Context(i) {
- return (asn1.Ber.Context | i);
- }
-
- var SIGN_ALGS = {
- 'rsa-md5': '1.2.840.113549.1.1.4',
- 'rsa-sha1': '1.2.840.113549.1.1.5',
- 'rsa-sha256': '1.2.840.113549.1.1.11',
- 'rsa-sha384': '1.2.840.113549.1.1.12',
- 'rsa-sha512': '1.2.840.113549.1.1.13',
- 'dsa-sha1': '1.2.840.10040.4.3',
- 'dsa-sha256': '2.16.840.1.101.3.4.3.2',
- 'ecdsa-sha1': '1.2.840.10045.4.1',
- 'ecdsa-sha256': '1.2.840.10045.4.3.2',
- 'ecdsa-sha384': '1.2.840.10045.4.3.3',
- 'ecdsa-sha512': '1.2.840.10045.4.3.4',
- 'ed25519-sha512': '1.3.101.112'
- };
- Object.keys(SIGN_ALGS).forEach(function (k) {
- SIGN_ALGS[SIGN_ALGS[k]] = k;
- });
- SIGN_ALGS['1.3.14.3.2.3'] = 'rsa-md5';
- SIGN_ALGS['1.3.14.3.2.29'] = 'rsa-sha1';
-
- var EXTS = {
- 'issuerKeyId': '2.5.29.35',
- 'altName': '2.5.29.17',
- 'basicConstraints': '2.5.29.19',
- 'keyUsage': '2.5.29.15',
- 'extKeyUsage': '2.5.29.37'
- };
-
- function read(buf, options) {
- if (typeof (buf) === 'string') {
- buf = Buffer.from(buf, 'binary');
- }
- assert.buffer(buf, 'buf');
-
- var der = new asn1.BerReader(buf);
-
- der.readSequence();
- if (Math.abs(der.length - der.remain) > 1) {
- throw (new Error('DER sequence does not contain whole byte ' +
- 'stream'));
- }
-
- var tbsStart = der.offset;
- der.readSequence();
- var sigOffset = der.offset + der.length;
- var tbsEnd = sigOffset;
-
- if (der.peek() === Local(0)) {
- der.readSequence(Local(0));
- var version = der.readInt();
- assert.ok(version <= 3,
- 'only x.509 versions up to v3 supported');
- }
-
- var cert = {};
- cert.signatures = {};
- var sig = (cert.signatures.x509 = {});
- sig.extras = {};
-
- cert.serial = readMPInt(der, 'serial');
-
- der.readSequence();
- var after = der.offset + der.length;
- var certAlgOid = der.readOID();
- var certAlg = SIGN_ALGS[certAlgOid];
- if (certAlg === undefined)
- throw (new Error('unknown signature algorithm ' + certAlgOid));
-
- der._offset = after;
- cert.issuer = Identity.parseAsn1(der);
-
- der.readSequence();
- cert.validFrom = readDate(der);
- cert.validUntil = readDate(der);
-
- cert.subjects = [Identity.parseAsn1(der)];
-
- der.readSequence();
- after = der.offset + der.length;
- cert.subjectKey = pkcs8.readPkcs8(undefined, 'public', der);
- der._offset = after;
-
- /* issuerUniqueID */
- if (der.peek() === Local(1)) {
- der.readSequence(Local(1));
- sig.extras.issuerUniqueID =
- buf.slice(der.offset, der.offset + der.length);
- der._offset += der.length;
- }
-
- /* subjectUniqueID */
- if (der.peek() === Local(2)) {
- der.readSequence(Local(2));
- sig.extras.subjectUniqueID =
- buf.slice(der.offset, der.offset + der.length);
- der._offset += der.length;
- }
-
- /* extensions */
- if (der.peek() === Local(3)) {
- der.readSequence(Local(3));
- var extEnd = der.offset + der.length;
- der.readSequence();
-
- while (der.offset < extEnd)
- readExtension(cert, buf, der);
-
- assert.strictEqual(der.offset, extEnd);
- }
-
- assert.strictEqual(der.offset, sigOffset);
-
- der.readSequence();
- after = der.offset + der.length;
- var sigAlgOid = der.readOID();
- var sigAlg = SIGN_ALGS[sigAlgOid];
- if (sigAlg === undefined)
- throw (new Error('unknown signature algorithm ' + sigAlgOid));
- der._offset = after;
-
- var sigData = der.readString(asn1.Ber.BitString, true);
- if (sigData[0] === 0)
- sigData = sigData.slice(1);
- var algParts = sigAlg.split('-');
-
- sig.signature = Signature.parse(sigData, algParts[0], 'asn1');
- sig.signature.hashAlgorithm = algParts[1];
- sig.algo = sigAlg;
- sig.cache = buf.slice(tbsStart, tbsEnd);
-
- return (new Certificate(cert));
- }
-
- function readDate(der) {
- if (der.peek() === asn1.Ber.UTCTime) {
- return (utcTimeToDate(der.readString(asn1.Ber.UTCTime)));
- } else if (der.peek() === asn1.Ber.GeneralizedTime) {
- return (gTimeToDate(der.readString(asn1.Ber.GeneralizedTime)));
- } else {
- throw (new Error('Unsupported date format'));
- }
- }
-
- function writeDate(der, date) {
- if (date.getUTCFullYear() >= 2050 || date.getUTCFullYear() < 1950) {
- der.writeString(dateToGTime(date), asn1.Ber.GeneralizedTime);
- } else {
- der.writeString(dateToUTCTime(date), asn1.Ber.UTCTime);
- }
- }
-
- /* RFC5280, section 4.2.1.6 (GeneralName type) */
- var ALTNAME = {
- OtherName: Local(0),
- RFC822Name: Context(1),
- DNSName: Context(2),
- X400Address: Local(3),
- DirectoryName: Local(4),
- EDIPartyName: Local(5),
- URI: Context(6),
- IPAddress: Context(7),
- OID: Context(8)
- };
-
- /* RFC5280, section 4.2.1.12 (KeyPurposeId) */
- var EXTPURPOSE = {
- 'serverAuth': '1.3.6.1.5.5.7.3.1',
- 'clientAuth': '1.3.6.1.5.5.7.3.2',
- 'codeSigning': '1.3.6.1.5.5.7.3.3',
-
- /* See https://github.com/joyent/oid-docs/blob/master/root.md */
- 'joyentDocker': '1.3.6.1.4.1.38678.1.4.1',
- 'joyentCmon': '1.3.6.1.4.1.38678.1.4.2'
- };
- var EXTPURPOSE_REV = {};
- Object.keys(EXTPURPOSE).forEach(function (k) {
- EXTPURPOSE_REV[EXTPURPOSE[k]] = k;
- });
-
- var KEYUSEBITS = [
- 'signature', 'identity', 'keyEncryption',
- 'encryption', 'keyAgreement', 'ca', 'crl'
- ];
-
- function readExtension(cert, buf, der) {
- der.readSequence();
- var after = der.offset + der.length;
- var extId = der.readOID();
- var id;
- var sig = cert.signatures.x509;
- if (!sig.extras.exts)
- sig.extras.exts = [];
-
- var critical;
- if (der.peek() === asn1.Ber.Boolean)
- critical = der.readBoolean();
-
- switch (extId) {
- case (EXTS.basicConstraints):
- der.readSequence(asn1.Ber.OctetString);
- der.readSequence();
- var bcEnd = der.offset + der.length;
- var ca = false;
- if (der.peek() === asn1.Ber.Boolean)
- ca = der.readBoolean();
- if (cert.purposes === undefined)
- cert.purposes = [];
- if (ca === true)
- cert.purposes.push('ca');
- var bc = { oid: extId, critical: critical };
- if (der.offset < bcEnd && der.peek() === asn1.Ber.Integer)
- bc.pathLen = der.readInt();
- sig.extras.exts.push(bc);
- break;
- case (EXTS.extKeyUsage):
- der.readSequence(asn1.Ber.OctetString);
- der.readSequence();
- if (cert.purposes === undefined)
- cert.purposes = [];
- var ekEnd = der.offset + der.length;
- while (der.offset < ekEnd) {
- var oid = der.readOID();
- cert.purposes.push(EXTPURPOSE_REV[oid] || oid);
- }
- /*
- * This is a bit of a hack: in the case where we have a cert
- * that's only allowed to do serverAuth or clientAuth (and not
- * the other), we want to make sure all our Subjects are of
- * the right type. But we already parsed our Subjects and
- * decided if they were hosts or users earlier (since it appears
- * first in the cert).
- *
- * So we go through and mutate them into the right kind here if
- * it doesn't match. This might not be hugely beneficial, as it
- * seems that single-purpose certs are not often seen in the
- * wild.
- */
- if (cert.purposes.indexOf('serverAuth') !== -1 &&
- cert.purposes.indexOf('clientAuth') === -1) {
- cert.subjects.forEach(function (ide) {
- if (ide.type !== 'host') {
- ide.type = 'host';
- ide.hostname = ide.uid ||
- ide.email ||
- ide.components[0].value;
- }
- });
- } else if (cert.purposes.indexOf('clientAuth') !== -1 &&
- cert.purposes.indexOf('serverAuth') === -1) {
- cert.subjects.forEach(function (ide) {
- if (ide.type !== 'user') {
- ide.type = 'user';
- ide.uid = ide.hostname ||
- ide.email ||
- ide.components[0].value;
- }
- });
- }
- sig.extras.exts.push({ oid: extId, critical: critical });
- break;
- case (EXTS.keyUsage):
- der.readSequence(asn1.Ber.OctetString);
- var bits = der.readString(asn1.Ber.BitString, true);
- var setBits = readBitField(bits, KEYUSEBITS);
- setBits.forEach(function (bit) {
- if (cert.purposes === undefined)
- cert.purposes = [];
- if (cert.purposes.indexOf(bit) === -1)
- cert.purposes.push(bit);
- });
- sig.extras.exts.push({ oid: extId, critical: critical,
- bits: bits });
- break;
- case (EXTS.altName):
- der.readSequence(asn1.Ber.OctetString);
- der.readSequence();
- var aeEnd = der.offset + der.length;
- while (der.offset < aeEnd) {
- switch (der.peek()) {
- case ALTNAME.OtherName:
- case ALTNAME.EDIPartyName:
- der.readSequence();
- der._offset += der.length;
- break;
- case ALTNAME.OID:
- der.readOID(ALTNAME.OID);
- break;
- case ALTNAME.RFC822Name:
- /* RFC822 specifies email addresses */
- var email = der.readString(ALTNAME.RFC822Name);
- id = Identity.forEmail(email);
- if (!cert.subjects[0].equals(id))
- cert.subjects.push(id);
- break;
- case ALTNAME.DirectoryName:
- der.readSequence(ALTNAME.DirectoryName);
- id = Identity.parseAsn1(der);
- if (!cert.subjects[0].equals(id))
- cert.subjects.push(id);
- break;
- case ALTNAME.DNSName:
- var host = der.readString(
- ALTNAME.DNSName);
- id = Identity.forHost(host);
- if (!cert.subjects[0].equals(id))
- cert.subjects.push(id);
- break;
- default:
- der.readString(der.peek());
- break;
- }
- }
- sig.extras.exts.push({ oid: extId, critical: critical });
- break;
- default:
- sig.extras.exts.push({
- oid: extId,
- critical: critical,
- data: der.readString(asn1.Ber.OctetString, true)
- });
- break;
- }
-
- der._offset = after;
- }
-
- var UTCTIME_RE =
- /^([0-9]{2})([0-9]{2})([0-9]{2})([0-9]{2})([0-9]{2})([0-9]{2})?Z$/;
- function utcTimeToDate(t) {
- var m = t.match(UTCTIME_RE);
- assert.ok(m, 'timestamps must be in UTC');
- var d = new Date();
-
- var thisYear = d.getUTCFullYear();
- var century = Math.floor(thisYear / 100) * 100;
-
- var year = parseInt(m[1], 10);
- if (thisYear % 100 < 50 && year >= 60)
- year += (century - 1);
- else
- year += century;
- d.setUTCFullYear(year, parseInt(m[2], 10) - 1, parseInt(m[3], 10));
- d.setUTCHours(parseInt(m[4], 10), parseInt(m[5], 10));
- if (m[6] && m[6].length > 0)
- d.setUTCSeconds(parseInt(m[6], 10));
- return (d);
- }
-
- var GTIME_RE =
- /^([0-9]{4})([0-9]{2})([0-9]{2})([0-9]{2})([0-9]{2})([0-9]{2})?Z$/;
- function gTimeToDate(t) {
- var m = t.match(GTIME_RE);
- assert.ok(m);
- var d = new Date();
-
- d.setUTCFullYear(parseInt(m[1], 10), parseInt(m[2], 10) - 1,
- parseInt(m[3], 10));
- d.setUTCHours(parseInt(m[4], 10), parseInt(m[5], 10));
- if (m[6] && m[6].length > 0)
- d.setUTCSeconds(parseInt(m[6], 10));
- return (d);
- }
-
- function zeroPad(n, m) {
- if (m === undefined)
- m = 2;
- var s = '' + n;
- while (s.length < m)
- s = '0' + s;
- return (s);
- }
-
- function dateToUTCTime(d) {
- var s = '';
- s += zeroPad(d.getUTCFullYear() % 100);
- s += zeroPad(d.getUTCMonth() + 1);
- s += zeroPad(d.getUTCDate());
- s += zeroPad(d.getUTCHours());
- s += zeroPad(d.getUTCMinutes());
- s += zeroPad(d.getUTCSeconds());
- s += 'Z';
- return (s);
- }
-
- function dateToGTime(d) {
- var s = '';
- s += zeroPad(d.getUTCFullYear(), 4);
- s += zeroPad(d.getUTCMonth() + 1);
- s += zeroPad(d.getUTCDate());
- s += zeroPad(d.getUTCHours());
- s += zeroPad(d.getUTCMinutes());
- s += zeroPad(d.getUTCSeconds());
- s += 'Z';
- return (s);
- }
-
- function sign(cert, key) {
- if (cert.signatures.x509 === undefined)
- cert.signatures.x509 = {};
- var sig = cert.signatures.x509;
-
- sig.algo = key.type + '-' + key.defaultHashAlgorithm();
- if (SIGN_ALGS[sig.algo] === undefined)
- return (false);
-
- var der = new asn1.BerWriter();
- writeTBSCert(cert, der);
- var blob = der.buffer;
- sig.cache = blob;
-
- var signer = key.createSign();
- signer.write(blob);
- cert.signatures.x509.signature = signer.sign();
-
- return (true);
- }
-
- function signAsync(cert, signer, done) {
- if (cert.signatures.x509 === undefined)
- cert.signatures.x509 = {};
- var sig = cert.signatures.x509;
-
- var der = new asn1.BerWriter();
- writeTBSCert(cert, der);
- var blob = der.buffer;
- sig.cache = blob;
-
- signer(blob, function (err, signature) {
- if (err) {
- done(err);
- return;
- }
- sig.algo = signature.type + '-' + signature.hashAlgorithm;
- if (SIGN_ALGS[sig.algo] === undefined) {
- done(new Error('Invalid signing algorithm "' +
- sig.algo + '"'));
- return;
- }
- sig.signature = signature;
- done();
- });
- }
-
- function write(cert, options) {
- var sig = cert.signatures.x509;
- assert.object(sig, 'x509 signature');
-
- var der = new asn1.BerWriter();
- der.startSequence();
- if (sig.cache) {
- der._ensure(sig.cache.length);
- sig.cache.copy(der._buf, der._offset);
- der._offset += sig.cache.length;
- } else {
- writeTBSCert(cert, der);
- }
-
- der.startSequence();
- der.writeOID(SIGN_ALGS[sig.algo]);
- if (sig.algo.match(/^rsa-/))
- der.writeNull();
- der.endSequence();
-
- var sigData = sig.signature.toBuffer('asn1');
- var data = Buffer.alloc(sigData.length + 1);
- data[0] = 0;
- sigData.copy(data, 1);
- der.writeBuffer(data, asn1.Ber.BitString);
- der.endSequence();
-
- return (der.buffer);
- }
-
- function writeTBSCert(cert, der) {
- var sig = cert.signatures.x509;
- assert.object(sig, 'x509 signature');
-
- der.startSequence();
-
- der.startSequence(Local(0));
- der.writeInt(2);
- der.endSequence();
-
- der.writeBuffer(utils.mpNormalize(cert.serial), asn1.Ber.Integer);
-
- der.startSequence();
- der.writeOID(SIGN_ALGS[sig.algo]);
- if (sig.algo.match(/^rsa-/))
- der.writeNull();
- der.endSequence();
-
- cert.issuer.toAsn1(der);
-
- der.startSequence();
- writeDate(der, cert.validFrom);
- writeDate(der, cert.validUntil);
- der.endSequence();
-
- var subject = cert.subjects[0];
- var altNames = cert.subjects.slice(1);
- subject.toAsn1(der);
-
- pkcs8.writePkcs8(der, cert.subjectKey);
-
- if (sig.extras && sig.extras.issuerUniqueID) {
- der.writeBuffer(sig.extras.issuerUniqueID, Local(1));
- }
-
- if (sig.extras && sig.extras.subjectUniqueID) {
- der.writeBuffer(sig.extras.subjectUniqueID, Local(2));
- }
-
- if (altNames.length > 0 || subject.type === 'host' ||
- (cert.purposes !== undefined && cert.purposes.length > 0) ||
- (sig.extras && sig.extras.exts)) {
- der.startSequence(Local(3));
- der.startSequence();
-
- var exts = [];
- if (cert.purposes !== undefined && cert.purposes.length > 0) {
- exts.push({
- oid: EXTS.basicConstraints,
- critical: true
- });
- exts.push({
- oid: EXTS.keyUsage,
- critical: true
- });
- exts.push({
- oid: EXTS.extKeyUsage,
- critical: true
- });
- }
- exts.push({ oid: EXTS.altName });
- if (sig.extras && sig.extras.exts)
- exts = sig.extras.exts;
-
- for (var i = 0; i < exts.length; ++i) {
- der.startSequence();
- der.writeOID(exts[i].oid);
-
- if (exts[i].critical !== undefined)
- der.writeBoolean(exts[i].critical);
-
- if (exts[i].oid === EXTS.altName) {
- der.startSequence(asn1.Ber.OctetString);
- der.startSequence();
- if (subject.type === 'host') {
- der.writeString(subject.hostname,
- Context(2));
- }
- for (var j = 0; j < altNames.length; ++j) {
- if (altNames[j].type === 'host') {
- der.writeString(
- altNames[j].hostname,
- ALTNAME.DNSName);
- } else if (altNames[j].type ===
- 'email') {
- der.writeString(
- altNames[j].email,
- ALTNAME.RFC822Name);
- } else {
- /*
- * Encode anything else as a
- * DN style name for now.
- */
- der.startSequence(
- ALTNAME.DirectoryName);
- altNames[j].toAsn1(der);
- der.endSequence();
- }
- }
- der.endSequence();
- der.endSequence();
- } else if (exts[i].oid === EXTS.basicConstraints) {
- der.startSequence(asn1.Ber.OctetString);
- der.startSequence();
- var ca = (cert.purposes.indexOf('ca') !== -1);
- var pathLen = exts[i].pathLen;
- der.writeBoolean(ca);
- if (pathLen !== undefined)
- der.writeInt(pathLen);
- der.endSequence();
- der.endSequence();
- } else if (exts[i].oid === EXTS.extKeyUsage) {
- der.startSequence(asn1.Ber.OctetString);
- der.startSequence();
- cert.purposes.forEach(function (purpose) {
- if (purpose === 'ca')
- return;
- if (KEYUSEBITS.indexOf(purpose) !== -1)
- return;
- var oid = purpose;
- if (EXTPURPOSE[purpose] !== undefined)
- oid = EXTPURPOSE[purpose];
- der.writeOID(oid);
- });
- der.endSequence();
- der.endSequence();
- } else if (exts[i].oid === EXTS.keyUsage) {
- der.startSequence(asn1.Ber.OctetString);
- /*
- * If we parsed this certificate from a byte
- * stream (i.e. we didn't generate it in sshpk)
- * then we'll have a ".bits" property on the
- * ext with the original raw byte contents.
- *
- * If we have this, use it here instead of
- * regenerating it. This guarantees we output
- * the same data we parsed, so signatures still
- * validate.
- */
- if (exts[i].bits !== undefined) {
- der.writeBuffer(exts[i].bits,
- asn1.Ber.BitString);
- } else {
- var bits = writeBitField(cert.purposes,
- KEYUSEBITS);
- der.writeBuffer(bits,
- asn1.Ber.BitString);
- }
- der.endSequence();
- } else {
- der.writeBuffer(exts[i].data,
- asn1.Ber.OctetString);
- }
-
- der.endSequence();
- }
-
- der.endSequence();
- der.endSequence();
- }
-
- der.endSequence();
- }
-
- /*
- * Reads an ASN.1 BER bitfield out of the Buffer produced by doing
- * `BerReader#readString(asn1.Ber.BitString)`. That function gives us the raw
- * contents of the BitString tag, which is a count of unused bits followed by
- * the bits as a right-padded byte string.
- *
- * `bits` is the Buffer, `bitIndex` should contain an array of string names
- * for the bits in the string, ordered starting with bit #0 in the ASN.1 spec.
- *
- * Returns an array of Strings, the names of the bits that were set to 1.
- */
- function readBitField(bits, bitIndex) {
- var bitLen = 8 * (bits.length - 1) - bits[0];
- var setBits = {};
- for (var i = 0; i < bitLen; ++i) {
- var byteN = 1 + Math.floor(i / 8);
- var bit = 7 - (i % 8);
- var mask = 1 << bit;
- var bitVal = ((bits[byteN] & mask) !== 0);
- var name = bitIndex[i];
- if (bitVal && typeof (name) === 'string') {
- setBits[name] = true;
- }
- }
- return (Object.keys(setBits));
- }
-
- /*
- * `setBits` is an array of strings, containing the names for each bit that
- * sould be set to 1. `bitIndex` is same as in `readBitField()`.
- *
- * Returns a Buffer, ready to be written out with `BerWriter#writeString()`.
- */
- function writeBitField(setBits, bitIndex) {
- var bitLen = bitIndex.length;
- var blen = Math.ceil(bitLen / 8);
- var unused = blen * 8 - bitLen;
- var bits = Buffer.alloc(1 + blen); // zero-filled
- bits[0] = unused;
- for (var i = 0; i < bitLen; ++i) {
- var byteN = 1 + Math.floor(i / 8);
- var bit = 7 - (i % 8);
- var mask = 1 << bit;
- var name = bitIndex[i];
- if (name === undefined)
- continue;
- var bitVal = (setBits.indexOf(name) !== -1);
- if (bitVal) {
- bits[byteN] |= mask;
- }
- }
- return (bits);
- }
|