Certificate

Represents an X.509 certificate described in RFC5280 Section 4.

Examples

const asn1 = asn1js.fromBER(raw);
if (asn1.offset === -1) {
  throw new Error("Incorrect encoded ASN.1 data");
}

const cert = new pkijs.Certificate({ schema: asn1.result });

const crypto = pkijs.getCrypto(true);

// Create certificate
const certificate = new pkijs.Certificate();
certificate.version = 2;
certificate.serialNumber = new asn1js.Integer({ value: 1 });
certificate.issuer.typesAndValues.push(new pkijs.AttributeTypeAndValue({
  type: "2.5.4.3", // Common name
  value: new asn1js.BmpString({ value: "Test" })
}));
certificate.subject.typesAndValues.push(new pkijs.AttributeTypeAndValue({
  type: "2.5.4.3", // Common name
  value: new asn1js.BmpString({ value: "Test" })
}));

certificate.notBefore.value = new Date();
const notAfter = new Date();
notAfter.setUTCFullYear(notAfter.getUTCFullYear() + 1);
certificate.notAfter.value = notAfter;

certificate.extensions = []; // Extensions are not a part of certificate by default, it's an optional array

// "BasicConstraints" extension
const basicConstr = new pkijs.BasicConstraints({
  cA: true,
  pathLenConstraint: 3
});
certificate.extensions.push(new pkijs.Extension({
  extnID: "2.5.29.19",
  critical: false,
  extnValue: basicConstr.toSchema().toBER(false),
  parsedValue: basicConstr // Parsed value for well-known extensions
}));

// "KeyUsage" extension
const bitArray = new ArrayBuffer(1);
const bitView = new Uint8Array(bitArray);
bitView[0] |= 0x02; // Key usage "cRLSign" flag
bitView[0] |= 0x04; // Key usage "keyCertSign" flag
const keyUsage = new asn1js.BitString({ valueHex: bitArray });
certificate.extensions.push(new pkijs.Extension({
  extnID: "2.5.29.15",
  critical: false,
  extnValue: keyUsage.toBER(false),
  parsedValue: keyUsage // Parsed value for well-known extensions
}));

const algorithm = pkijs.getAlgorithmParameters("RSASSA-PKCS1-v1_5", "generateKey");
if ("hash" in algorithm.algorithm) {
  algorithm.algorithm.hash.name = "SHA-256";
}

const keys = await crypto.generateKey(algorithm.algorithm, true, algorithm.usages);

// Exporting public key into "subjectPublicKeyInfo" value of certificate
await certificate.subjectPublicKeyInfo.importKey(keys.publicKey);

// Signing final certificate
await certificate.sign(keys.privateKey, "SHA-256");

const raw = certificate.toSchema().toBER();

Extends

• PkiObject

Implements

• ICertificate

Constructors

new Certificate()

new Certificate(parameters): Certificate

Initializes a new instance of the Certificate class

Parameters

parameters

CertificateParameters = {}

Initialization parameters

Returns

Certificate

Overrides

PkiObject.constructor

Properties

extensions?

optional extensions: Extension[]

If present, this field is a SEQUENCE of one or more certificate extensions

Implementation of

ICertificate.extensions

---

issuer

issuer: RelativeDistinguishedNames

The issuer field identifies the entity that has signed and issued the certificate

Implementation of

ICertificate.issuer

---

issuerUniqueID?

optional issuerUniqueID: ArrayBuffer

The subject and issuer unique identifiers are present in the certificate to handle the possibility of reuse of subject and/or issuer names over time

Implementation of

ICertificate.issuerUniqueID

---

notAfter

notAfter: Time

The date on which the certificate validity period ends

Implementation of

ICertificate.notAfter

---

notBefore

notBefore: Time

The date on which the certificate validity period begins

Implementation of

ICertificate.notBefore

---

serialNumber

serialNumber: Integer

Serial number of the certificate

Implementation of

ICertificate.serialNumber

---

signature

signature: AlgorithmIdentifier

This field contains the algorithm identifier for the algorithm used by the CA to sign the certificate

Implementation of

ICertificate.signature

---

signatureAlgorithm

signatureAlgorithm: AlgorithmIdentifier

The signatureAlgorithm field contains the identifier for the cryptographic algorithm used by the CA to sign this certificate

Implementation of

ICertificate.signatureAlgorithm

---

signatureValue

signatureValue: BitString

The signatureValue field contains a digital signature computed upon the ASN.1 DER encoded tbsCertificate

Implementation of

ICertificate.signatureValue

---

subject

subject: RelativeDistinguishedNames

The subject field identifies the entity associated with the public key stored in the subject public key field

Implementation of

ICertificate.subject

---

subjectPublicKeyInfo

subjectPublicKeyInfo: PublicKeyInfo

This field is used to carry the public key and identify the algorithm with which the key is used

Implementation of

ICertificate.subjectPublicKeyInfo

---

subjectUniqueID?

optional subjectUniqueID: ArrayBuffer

The subject and issuer unique identifiers are present in the certificate to handle the possibility of reuse of subject and/or issuer names over time

Implementation of

ICertificate.subjectUniqueID

---

tbsView

tbsView: Uint8Array

---

version

version: number

Version number

Implementation of

ICertificate.version

---

CLASS_NAME

static CLASS_NAME: string = "Certificate"

Name of the class

Overrides

PkiObject.CLASS_NAME

Accessors

className

Get Signature

get className(): string

Returns

string

Inherited from

PkiObject.className

---

tbs

Get Signature

get tbs(): ArrayBuffer

Deprecated

Since version 3.0.0

Returns

ArrayBuffer

Set Signature

set tbs(value): void

Deprecated

Since version 3.0.0

Parameters

value

ArrayBuffer

Returns

void

ToBeSigned (TBS) part of the certificate

Implementation of

ICertificate.tbs

Methods

encodeTBS()

encodeTBS(): Sequence

Creates ASN.1 schema for existing values of TBS part for the certificate

Returns

Sequence

ASN.1 SEQUENCE

---

fromSchema()

fromSchema(schema): void

Converts parsed ASN.1 object into current class

Parameters

schema

any

ASN.1 schema

Returns

void

Overrides

PkiObject.fromSchema

---

getKeyHash()

getKeyHash(hashAlgorithm, crypto): Promise<ArrayBuffer>

Get hash value for subject public key (default SHA-1)

Parameters

hashAlgorithm

string = "SHA-1"

Hashing algorithm name

crypto

ICryptoEngine = ...

Crypto engine

Returns

Promise<ArrayBuffer>

Computed hash value from Certificate.tbsCertificate.subjectPublicKeyInfo.subjectPublicKey

---

getPublicKey()

getPublicKey(parameters?, crypto?): Promise<CryptoKey>

Importing public key for current certificate

Parameters

parameters?

CryptoEnginePublicKeyParams

Public key export parameters

crypto?

ICryptoEngine = ...

Crypto engine

Returns

Promise<CryptoKey>

WebCrypto public key

---

sign()

sign(privateKey, hashAlgorithm, crypto): Promise<void>

Make a signature for current value from TBS section

Parameters

privateKey

CryptoKey

Private key for SUBJECT_PUBLIC_KEY_INFO structure

hashAlgorithm

string = "SHA-1"

Hashing algorithm

crypto

ICryptoEngine = ...

Crypto engine

Returns

Promise<void>

---

toJSON()

toJSON(): CertificateJson

Converts the class to JSON object

Returns

CertificateJson

JSON object

Overrides

PkiObject.toJSON

---

toSchema()

toSchema(encodeFlag): Sequence

Converts current object to ASN.1 object and sets correct values

Parameters

encodeFlag

boolean = false

If param equal to false then creates schema via decoding stored value. In other case creates schema via assembling from cached parts

Returns

Sequence

ASN.1 object

Overrides

PkiObject.toSchema

---

toString()

toString(encoding): string

Parameters

encoding

"base64" | "base64url" | "hex"

Returns

string

Inherited from

PkiObject.toString

---

verify()

verify(issuerCertificate?, crypto?): Promise<boolean>

Verifies the certificate signature

Parameters

issuerCertificate?

Certificate

crypto?

ICryptoEngine = ...

Crypto engine

Returns

Promise<boolean>

---

blockName()

static blockName(): string

Returns block name

Returns

string

Returns string block name

Inherited from

PkiObject.blockName

---

defaultValues()

Call Signature

static defaultValues(memberName): ArrayBuffer

Return default values for all class members

Parameters

memberName

"tbs"

String name for a class member

Returns

ArrayBuffer

Predefined default value

Overrides

PkiObject.defaultValues

Call Signature

static defaultValues(memberName): number

Return default values for all class members

Parameters

memberName

"version"

String name for a class member

Returns

number

Predefined default value

Overrides

PkiObject.defaultValues

Call Signature

static defaultValues(memberName): Integer

Return default values for all class members

Parameters

memberName

"serialNumber"

String name for a class member

Returns

Integer

Predefined default value

Overrides

PkiObject.defaultValues

Call Signature

static defaultValues(memberName): AlgorithmIdentifier

Return default values for all class members

Parameters

memberName

"signature"

String name for a class member

Returns

AlgorithmIdentifier

Predefined default value

Overrides

PkiObject.defaultValues

Call Signature

static defaultValues(memberName): RelativeDistinguishedNames

Return default values for all class members

Parameters

memberName

"issuer"

String name for a class member

Returns

RelativeDistinguishedNames

Predefined default value

Overrides

PkiObject.defaultValues

Call Signature

static defaultValues(memberName): Time

Return default values for all class members

Parameters

memberName

"notBefore"

String name for a class member

Returns

Time

Predefined default value

Overrides

PkiObject.defaultValues

Call Signature

static defaultValues(memberName): Time

Return default values for all class members

Parameters

memberName

"notAfter"

String name for a class member

Returns

Time

Predefined default value

Overrides

PkiObject.defaultValues

Call Signature

static defaultValues(memberName): RelativeDistinguishedNames

Return default values for all class members

Parameters

memberName

"subject"

String name for a class member

Returns

RelativeDistinguishedNames

Predefined default value

Overrides

PkiObject.defaultValues

Call Signature

static defaultValues(memberName): PublicKeyInfo

Return default values for all class members

Parameters

memberName

"subjectPublicKeyInfo"

String name for a class member

Returns

PublicKeyInfo

Predefined default value

Overrides

PkiObject.defaultValues

Call Signature

static defaultValues(memberName): ArrayBuffer

Return default values for all class members

Parameters

memberName

"issuerUniqueID"

String name for a class member

Returns

ArrayBuffer

Predefined default value

Overrides

PkiObject.defaultValues

Call Signature

static defaultValues(memberName): ArrayBuffer

Return default values for all class members

Parameters

memberName

"subjectUniqueID"

String name for a class member

Returns

ArrayBuffer

Predefined default value

Overrides

PkiObject.defaultValues

Call Signature

static defaultValues(memberName): Extension[]

Return default values for all class members

Parameters

memberName

"extensions"

String name for a class member

Returns

Extension[]

Predefined default value

Overrides

PkiObject.defaultValues

Call Signature

static defaultValues(memberName): AlgorithmIdentifier

Return default values for all class members

Parameters

memberName

"signatureAlgorithm"

String name for a class member

Returns

AlgorithmIdentifier

Predefined default value

Overrides

PkiObject.defaultValues

Call Signature

static defaultValues(memberName): BitString

Return default values for all class members

Parameters

memberName

"signatureValue"

String name for a class member

Returns

BitString

Predefined default value

Overrides

PkiObject.defaultValues

---

fromBER()

static fromBER<T>(this, raw): T

Creates PKI object from the raw data

Type Parameters

• T extends PkiObject

Parameters

this

PkiObjectConstructor<T>

raw

BufferSource

ASN.1 encoded raw data

Returns

T

Initialized and filled current class object

Inherited from

PkiObject.fromBER

---

schema()

static schema(parameters): any

Returns value of pre-defined ASN.1 schema for current class

Parameters

parameters

CertificateSchema = {}

Input parameters for the schema

Returns

any

ASN.1 schema object

Overrides

PkiObject.schema