Certificate

Represents an X.509 certificate described in RFC5280 Section 4.

Examples

// Parse certificate from the BER/DER-encoded bytes in `raw`
const asn1 = asn1js.fromBER(raw);
if (asn1.offset === -1) {
  throw new Error("Incorrect encoded ASN.1 data");
}

const cert = new pkijs.Certificate({ schema: asn1.result });
const crypto = pkijs.getCrypto(true);

// Create certificate
const certificate = new pkijs.Certificate();
certificate.version = 2;
certificate.serialNumber = new asn1js.Integer({ value: 1 });
certificate.issuer.typesAndValues.push(new pkijs.AttributeTypeAndValue({
  type: "2.5.4.3", // Common name
  value: new asn1js.BmpString({ value: "Test" })
}));
certificate.subject.typesAndValues.push(new pkijs.AttributeTypeAndValue({
  type: "2.5.4.3", // Common name
  value: new asn1js.BmpString({ value: "Test" })
}));

certificate.notBefore.value = new Date();
const notAfter = new Date();
notAfter.setUTCFullYear(notAfter.getUTCFullYear() + 1);
certificate.notAfter.value = notAfter;

certificate.extensions = []; // Extensions are not a part of certificate by default, it's an optional array

// "BasicConstraints" extension
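const basicConstr = new pkijs.BasicConstraints({
  cA: true,
  pathLenConstraint: 3
});
certificate.extensions.push(new pkijs.Extension({
  extnID: "2.5.29.19",
  // false in this test certificate; RFC 5280 section 4.2.1.9 requires critical = true
  // in CA certificates used to validate certificate signatures
  critical: false,
  extnValue: basicConstr.toSchema().toBER(false),
  parsedValue: basicConstr // Parsed value for well-known extensions
}));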

// "KeyUsage" extension
const bitArray = new ArrayBuffer(1);
const bitView = new Uint8Array(bitArray);
bitView[0] |= 0x02; // Key usage "cRLSign" flag
bitView[0] |= 0x04; // Key usage "keyCertSign" flag
const keyUsage = new asn1js.BitString({ valueHex: bitArray });
certificate.extensions.push(new pkijs.Extension({
  extnID: "2.5.29.15",
  critical: false,
  extnValue: keyUsage.toBER(false),
  parsedValue: keyUsage // Parsed value for well-known extensions
}));

const algorithm = pkijs.getAlgorithmParameters("RSASSA-PKCS1-v1_5", "generateKey");
if ("hash" in algorithm.algorithm) {
  algorithm.algorithm.hash.name = "SHA-256";
}

const keys = await crypto.generateKey(algorithm.algorithm, true, algorithm.usages);

// Exporting public key into "subjectPublicKeyInfo" value of certificate
await certificate.subjectPublicKeyInfo.importKey(keys.publicKey);

// Signing final certificate
await certificate.sign(keys.privateKey, "SHA-256");

const raw = certificate.toSchema().toBER();
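
The KeyUsage byte set by hand in the example above follows the RFC 5280 bit layout, where bit 0 is the most significant bit. As an added example (not PKI.js code; the names `encodeKeyUsage`, `decodeKeyUsage` and `keyUsageConsistent` are hypothetical), the helpers below build the strict-DER BIT STRING for a set of flags, decode one back, and check that `keyCertSign` is only asserted together with `cA: true`.

```javascript
// Added example (not PKI.js code); function names are hypothetical.
// KeyUsage bit order from RFC 5280 section 4.2.1.3; bit 0 is the most significant bit.
const KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
  "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
  "encipherOnly", "decipherOnly"];

// Encode flags as a DER BIT STRING (tag 0x03). DER drops trailing zero bits of a
// named-bit list and records how many bits of the last byte are unused.
function encodeKeyUsage(flags) {
  let last = -1;
  const body = new Uint8Array(2); // 9 named bits fit in two bytes
  for (const name of flags) {
    const i = KEY_USAGE_BITS.indexOf(name);
    if (i === -1) throw new Error(`Unknown key usage flag: ${name}`);
    body[i >> 3] |= 0x80 >> (i & 7);
    last = Math.max(last, i);
  }
  if (last === -1) throw new Error("KeyUsage must assert at least one bit");
  const byteLen = (last >> 3) + 1;
  const unused = byteLen * 8 - (last + 1);
  return Uint8Array.from([0x03, byteLen + 1, unused, ...body.subarray(0, byteLen)]);
}

// Decode a short-form BIT STRING (Uint8Array) back to flag names.
// Malformed headers are rejected instead of being silently read as "no flags".
function decodeKeyUsage(der) {
  if (der.length < 4 || der[0] !== 0x03 || der[1] !== der.length - 2) {
    throw new Error("Not a short-form BIT STRING with content");
  }
  const unused = der[2];
  if (unused > 7) throw new Error("Bad unused-bits count");
  const body = der.subarray(3);
  const usedBits = body.length * 8 - unused;
  return KEY_USAGE_BITS.filter((_, i) =>
    i < usedBits && (body[i >> 3] & (0x80 >> (i & 7))) !== 0);
}

// RFC 5280 section 4.2.1.3: keyCertSign requires BasicConstraints with cA = true.
// basicConstraints is a plain object such as { cA: true, pathLenConstraint: 3 }.
function keyUsageConsistent(flags, basicConstraints) {
  if (!flags.includes("keyCertSign")) return true;
  return Boolean(basicConstraints && basicConstraints.cA === true);
}
```

For the two flags used in the page's example (`cRLSign`, `keyCertSign`) the encoder returns the bytes `03 02 01 06`.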

Extends

Implements

Constructors

new Certificate()

new Certificate(parameters): Certificate

Initializes a new instance of the Certificate class

Parameters

parameters: CertificateParameters = {}

Initialization parameters

Returns

Certificate

Overrides

PkiObject.constructor

Properties

extensions?

optional extensions: Extension[]

If present, this field is a SEQUENCE of one or more certificate extensions

Implementation of

ICertificate.extensions


issuer

issuer: RelativeDistinguishedNames

The issuer field identifies the entity that has signed and issued the certificate

Implementation of

ICertificate.issuer


issuerUniqueID?

optional issuerUniqueID: ArrayBuffer

The subject and issuer unique identifiers are present in the certificate to handle the possibility of reuse of subject and/or issuer names over time

Implementation of

ICertificate.issuerUniqueID


notAfter

notAfter: Time

The date on which the certificate validity period ends

Implementation of

ICertificate.notAfter


notBefore

notBefore: Time

The date on which the certificate validity period begins

Implementation of

ICertificate.notBefore


serialNumber

serialNumber: Integer

Serial number of the certificate

Implementation of

ICertificate.serialNumber


signature

signature: AlgorithmIdentifier

This field contains the algorithm identifier for the algorithm used by the CA to sign the certificate

Implementation of

ICertificate.signature


signatureAlgorithm

signatureAlgorithm: AlgorithmIdentifier

The signatureAlgorithm field contains the identifier for the cryptographic algorithm used by the CA to sign this certificate

Implementation of

ICertificate.signatureAlgorithm


signatureValue

signatureValue: BitString

The signatureValue field contains a digital signature computed upon the ASN.1 DER encoded tbsCertificate

Implementation of

ICertificate.signatureValue


subject

subject: RelativeDistinguishedNames

The subject field identifies the entity associated with the public key stored in the subject public key field

Implementation of

ICertificate.subject


subjectPublicKeyInfo

subjectPublicKeyInfo: PublicKeyInfo

This field is used to carry the public key and identify the algorithm with which the key is used

Implementation of

ICertificate.subjectPublicKeyInfo


subjectUniqueID?

optional subjectUniqueID: ArrayBuffer

The subject and issuer unique identifiers are present in the certificate to handle the possibility of reuse of subject and/or issuer names over time

Implementation of

ICertificate.subjectUniqueID


tbsView

tbsView: Uint8Array


version

version: number

Version number

Implementation of

ICertificate.version


CLASS_NAME

static CLASS_NAME: string = "Certificate"

Name of the class

Overrides

PkiObject.CLASS_NAME

Accessors

className

get className(): string

Returns

string

Inherited from

PkiObject.className


tbs

get tbs(): ArrayBuffer

Deprecated

Since version 3.0.0

set tbs(value): void

Deprecated

Since version 3.0.0

Parameters

value: ArrayBuffer

Returns

ArrayBuffer

ToBeSigned (TBS) part of the certificate

Implementation of

ICertificate.tbs

Methods

encodeTBS()

encodeTBS(): Sequence

Creates ASN.1 schema for existing values of TBS part for the certificate

Returns

Sequence

ASN.1 SEQUENCE


fromSchema()

fromSchema(schema): void

Converts parsed ASN.1 object into current class

Parameters

schema: any

ASN.1 schema

Returns

void

Overrides

PkiObject.fromSchema


getKeyHash()

getKeyHash(hashAlgorithm, crypto): Promise<ArrayBuffer>

Get hash value for subject public key (default SHA-1)

Parameters

hashAlgorithm: string = "SHA-1"

Hashing algorithm name

crypto: ICryptoEngine = ...

Crypto engine

Returns

Promise<ArrayBuffer>

Computed hash value from Certificate.tbsCertificate.subjectPublicKeyInfo.subjectPublicKey


getPublicKey()

getPublicKey(parameters?, crypto?): Promise<CryptoKey>

Imports the public key of the current certificate

Parameters

parameters?: CryptoEnginePublicKeyParams

Public key export parameters

crypto?: ICryptoEngine = ...

Crypto engine

Returns

Promise<CryptoKey>

WebCrypto public key


sign()

sign(privateKey, hashAlgorithm, crypto): Promise<void>

Creates a signature over the current value of the TBS section

Parameters

privateKey: CryptoKey

Private key for SUBJECT_PUBLIC_KEY_INFO structure

hashAlgorithm: string = "SHA-1"

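Hashing algorithm. The default is "SHA-1"; pass a stronger hash such as "SHA-256" explicitly, as the example on this page does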

crypto: ICryptoEngine = ...

Crypto engine

Returns

Promise<void>


toJSON()

toJSON(): CertificateJson

Converts the class to a JSON object

Returns

CertificateJson

JSON object

Overrides

PkiObject.toJSON


toSchema()

toSchema(encodeFlag): Sequence

Converts current object to ASN.1 object and sets correct values

Parameters

encodeFlag: boolean = false

If the parameter is false, the schema is created by decoding the stored value. Otherwise, the schema is assembled from cached parts

Returns

Sequence

ASN.1 object

Overrides

PkiObject.toSchema


toString()

toString(encoding): string

Parameters

encoding: "base64" | "base64url" | "hex" = "hex"

Returns

string

Inherited from

PkiObject.toString


verify()

verify(issuerCertificate?, crypto?): Promise<boolean>

Verifies the certificate signature

Parameters

issuerCertificate?: Certificate

crypto?: ICryptoEngine = ...

Crypto engine

Returns

Promise<boolean>


blockName()

static blockName(): string

Returns block name

Returns

string

Returns string block name

Inherited from

PkiObject.blockName


defaultValues()

defaultValues(memberName)

static defaultValues(memberName): ArrayBuffer

Returns default values for all class members

Parameters

memberName: "tbs"

String name for a class member

Returns

ArrayBuffer

Predefined default value

Overrides

PkiObject.defaultValues

defaultValues(memberName)

static defaultValues(memberName): number

Returns default values for all class members

Parameters

memberName: "version"

String name for a class member

Returns

number

Default value

Overrides

PkiObject.defaultValues

defaultValues(memberName)

static defaultValues(memberName): Integer

Returns default values for all class members

Parameters

memberName: "serialNumber"

String name for a class member

Returns

Integer

Default value

Overrides

PkiObject.defaultValues

defaultValues(memberName)

static defaultValues(memberName): AlgorithmIdentifier

Returns default values for all class members

Parameters

memberName: "signature"

String name for a class member

Returns

AlgorithmIdentifier

Default value

Overrides

PkiObject.defaultValues

defaultValues(memberName)

static defaultValues(memberName): RelativeDistinguishedNames

Returns default values for all class members

Parameters

memberName: "issuer"

String name for a class member

Returns

RelativeDistinguishedNames

Default value

Overrides

PkiObject.defaultValues

defaultValues(memberName)

static defaultValues(memberName): Time

Returns default values for all class members

Parameters

memberName: "notBefore"

String name for a class member

Returns

Time

Default value

Overrides

PkiObject.defaultValues

defaultValues(memberName)

static defaultValues(memberName): Time

Returns default values for all class members

Parameters

memberName: "notAfter"

String name for a class member

Returns

Time

Default value

Overrides

PkiObject.defaultValues

defaultValues(memberName)

static defaultValues(memberName): RelativeDistinguishedNames

Returns default values for all class members

Parameters

memberName: "subject"

String name for a class member

Returns

RelativeDistinguishedNames

Default value

Overrides

PkiObject.defaultValues

defaultValues(memberName)

static defaultValues(memberName): PublicKeyInfo

Returns default values for all class members

Parameters

memberName: "subjectPublicKeyInfo"

String name for a class member

Returns

PublicKeyInfo

Default value

Overrides

PkiObject.defaultValues

defaultValues(memberName)

static defaultValues(memberName): ArrayBuffer

Returns default values for all class members

Parameters

memberName: "issuerUniqueID"

String name for a class member

Returns

ArrayBuffer

Default value

Overrides

PkiObject.defaultValues

defaultValues(memberName)

static defaultValues(memberName): ArrayBuffer

Returns default values for all class members

Parameters

memberName: "subjectUniqueID"

String name for a class member

Returns

ArrayBuffer

Default value

Overrides

PkiObject.defaultValues

defaultValues(memberName)

static defaultValues(memberName): Extension[]

Returns default values for all class members

Parameters

memberName: "extensions"

String name for a class member

Returns

Extension[]

Default value

Overrides

PkiObject.defaultValues

defaultValues(memberName)

static defaultValues(memberName): AlgorithmIdentifier

Returns default values for all class members

Parameters

memberName: "signatureAlgorithm"

String name for a class member

Returns

AlgorithmIdentifier

Default value

Overrides

PkiObject.defaultValues

defaultValues(memberName)

static defaultValues(memberName): BitString

Returns default values for all class members

Parameters

memberName: "signatureValue"

String name for a class member

Returns

BitString

Default value

Overrides

PkiObject.defaultValues


fromBER()

static fromBER<T>(this, raw): T

Creates PKI object from the raw data

Type Parameters

T extends PkiObject

Parameters

this: PkiObjectConstructor<T>

raw: BufferSource

ASN.1 encoded raw data

Returns

T

Initialized and filled current class object

Inherited from

PkiObject.fromBER


schema()

static schema(parameters): any

Returns value of pre-defined ASN.1 schema for current class

Parameters

parameters: CertificateSchema = {}

Input parameters for the schema

Returns

any

ASN.1 schema object

Overrides

PkiObject.schema