FEATURES
- First and ONLY (April 2015) open-source JS library with full support for all "Suite B" algorithms in CMS messages;
- First library with support for CMS Enveloped data (encrypt/decrypt) in pure JavaScript + Web Cryptography API;
- Fully object-oriented library. Inheritance is used everywhere inside the lib;
- Working with HTML5 data objects (ArrayBuffer, Uint8Array, Promises, Web Cryptography API, etc.);
- Has a complete set of helpers for working with types like:
  - GeneralName;
  - RelativeDistinguishedName;
  - Time;
  - AlgorithmIdentifier;
  - All types of ASN.1 strings, including "international" like UniversalString, UTF8String and BMPString (with help from ASN1js);
  - All extension types of X.509 certificates (BasicConstraints, CertificatePolicies, AuthorityKeyIdentifier etc.);
  - All "support types" for OCSP requests and responses;
  - All "support types" for Time-Stamping Protocol (TSP) requests and responses;
- Has its own certification chain verification engine, written purely in JavaScript with help from Promises and the latest Web Cryptography API standard implementation;
- Working with all Web Cryptography API signature algorithms:
  - RSASSA-PKCS1-v1_5;
  - RSA-PSS;
  - ECDSA;
- Working with all "Suite B" (and more) encryption algorithms and schemas:
  - RSASSA-OAEP + AES-KW + AES-CBC/GCM;
  - ECDH + KDF on SHA-1/256/384/512 + AES-KW + AES-CBC/GCM;
  - Pre-defined "key encryption key" + AES-KW + AES-CBC/GCM;
  - Password-based encryption for CMS with PBKDF2 on HMAC on SHA-1/256/384/512 + AES-KW + AES-CBC/GCM;
- Working with all major PKI-related types ("minor" types are not mentioned here, but there is a huge number of such "minor types"):
  - X.509 certificates:
    - Parsing internal values;
    - Getting/setting any internal values;
    - Creation of a new X.509 certificate "from scratch";
    - Internal certificate chain validation engine;
  - X.509 "certificate revocation lists" (CRLs):
    - Parsing internal values;
    - Getting/setting any internal values;
    - Creation of a new CRL "from scratch";
    - Validation of CRL signature;
    - Search inside CRL for specific revoked certificate.
  - PKCS#10 certificate request:
    - Parsing internal values;
    - Getting/setting any internal values;
    - Creation of a new PKCS#10 certificate request "from scratch";
    - Validation of PKCS#10 signature;
  - OCSP request:
    - Parsing internal values;
    - Getting/setting any internal values;
    - Creation of a new OCSP request "from scratch".
  - OCSP response:
    - Parsing internal values;
    - Getting/setting any internal values;
    - Creation of a new OCSP response "from scratch";
    - Validation of OCSP response signature.
  - Time-stamping request:
    - Parsing internal values;
    - Getting/setting any internal values;
    - Creation of a new Time-stamping request "from scratch";
    - Validation of Time-stamping request signature;
  - Time-stamping response:
    - Parsing internal values;
    - Getting/setting any internal values;
    - Creation of a new Time-stamping response "from scratch";
    - Validation of Time-stamping response signature;
  - CMS Signed Data:
    - Parsing internal values;
    - Getting/setting any internal values;
    - Creation of a new CMS Signed Data "from scratch" (signing);
    - Validation of CMS Signed Data signature;
  - CMS Enveloped Data:
    - Parsing internal values;
    - Getting/setting any internal values;
    - Creation (encryption) with full support for "Suite B" algorithms and more;
    - Decryption with full support for "Suite B" algorithms and more;
EXAMPLES
NOTE: As of April 2015 the Web Cryptography API is not fully implemented in all browsers. This means that even though a browser may support WebCrypto, it may not support all mandatory elements of the standard, so some options in the examples will not work. For the best experience we recommend installing the latest development version of Google Chrome.
- CMS Signed complex example
  - In this example you will be able to sign any file and get BASE-64 encoded CMS Signed Data content, an encoded certificate and a private key. You will also see parsing of existing CMS Enveloped Data. Moreover, PKIjs supports a full-featured "chain validation engine" passing all major NIST tests, and in this example you will see how it works with CMS Signed Data content.
- P7B simple example (with certificates only)
  - In this example you will be able to create a "certificate bag" having three X.509 certificates inside. Such a "certificate bag" could be useful when exporting/importing a set of certificates and revocation data.
- CRL complex example
  - In this example you will see how PKIjs creates a new CRL, parses existing CRL data and validates a CRL signature. For testing you could use an existing CRL and the existing X.509 certificate of the CRL's issuer.
- Certificate complex example
  - This example shows how to create a new self-signed X.509 certificate, parse an existing X.509 certificate file, and work with the PKIjs integrated "chain verification engine". To work with the "certificate chain validation engine" you may need the CA Bundle from Mozilla.
- How to create new CMS Signed Data
  - A very simple example that creates new CMS Signed Data content for any existing file.
- How to create new X.509 certificate
  - A very simple example that creates a new X.509 certificate and an encoded private key for the certificate.
- How To Encrypt CMS via certificate
  - Example of how to create new CMS encrypted content (CMS Enveloped Data) using an existing X.509 certificate. There you will be able to encrypt any test content and decrypt existing content using X.509 certificates and a private key. More specific information about how to encrypt/decrypt CMS via PKIjs may be found in the Wiki.
- How To Encrypt CMS via password
  - Example of how to create encrypted CMS data using pre-defined data (a password or a pre-shared "key encryption key"). Again, more specific information about how to encrypt/decrypt via PKIjs may be found in the Wiki.
- OCSP request complex example
  - In this example you will be able to create a new OCSP request or parse an existing OCSP request. For test purposes you can use this OCSP request.
- OCSP response complex example
  - In this example you will be able to create a new OCSP response, parse an existing OCSP response and validate the signature of an OCSP response. For test purposes you can use this OCSP response.
- How to verify signature in PDF file
  - This example is intended to show how to verify signatures inside PDF files using the PKIjs library. You can use an existing signed PDF file for testing.
- PKCS#10 complex example
  - In this example you will be able to create a new PKCS#10 (CSR, X.509 certificate request), parse an existing CSR or verify the signature on a CSR.
- PKCS#12 simple example
  - In this example you will be able to create a new PKCS#12 (or PFX) and parse existing PKCS#12 data. Most of the options given in this example are not supported by OpenSSL and Microsoft CryptoAPI.
- S/MIME Verification Example
  - This example shows how to verify S/MIME messages using PKIjs in pure JavaScript. You can use the test signed message for testing.
- S/MIME Encryption Example
  - This example shows how to encrypt S/MIME messages using PKIjs in pure JavaScript.
- TSP request complex example
  - This example shows how to create TSP (time-stamping protocol) request messages and parse existing TSP requests.
- TSP response complex example
  - This example shows how to create TSP response messages, parse existing TSP responses and verify the signature of TSP responses. For testing you could use this file.