Options
All
  • Public
  • Public/Protected
  • All
Menu

Class Certificate

Represents an X.509 certificate described in RFC5280 Section 4.

example

The following example demonstrates how to parse X.509 Certificate

const asn1 = asn1js.fromBER(raw);
if (asn1.offset === -1) {
throw new Error("Incorrect encoded ASN.1 data");
}

const cert = new pkijs.Certificate({ schema: asn1.result });
example

The following example demonstrates how to create self-signed certificate

const crypto = pkijs.getCrypto(true);

// Create certificate
const certificate = new pkijs.Certificate();
certificate.version = 2;
certificate.serialNumber = new asn1js.Integer({ value: 1 });
certificate.issuer.typesAndValues.push(new pkijs.AttributeTypeAndValue({
type: "2.5.4.3", // Common name
value: new asn1js.BmpString({ value: "Test" })
}));
certificate.subject.typesAndValues.push(new pkijs.AttributeTypeAndValue({
type: "2.5.4.3", // Common name
value: new asn1js.BmpString({ value: "Test" })
}));

certificate.notBefore.value = new Date();
const notAfter = new Date();
notAfter.setUTCFullYear(notAfter.getUTCFullYear() + 1);
certificate.notAfter.value = notAfter;

certificate.extensions = []; // Extensions are not a part of certificate by default, it's an optional array

// "BasicConstraints" extension
const basicConstr = new pkijs.BasicConstraints({
cA: true,
pathLenConstraint: 3
});
certificate.extensions.push(new pkijs.Extension({
extnID: "2.5.29.19",
critical: false,
extnValue: basicConstr.toSchema().toBER(false),
parsedValue: basicConstr // Parsed value for well-known extensions
}));

// "KeyUsage" extension
const bitArray = new ArrayBuffer(1);
const bitView = new Uint8Array(bitArray);
bitView[0] |= 0x02; // Key usage "cRLSign" flag
bitView[0] |= 0x04; // Key usage "keyCertSign" flag
const keyUsage = new asn1js.BitString({ valueHex: bitArray });
certificate.extensions.push(new pkijs.Extension({
extnID: "2.5.29.15",
critical: false,
extnValue: keyUsage.toBER(false),
parsedValue: keyUsage // Parsed value for well-known extensions
}));

const algorithm = pkijs.getAlgorithmParameters("RSASSA-PKCS1-v1_5", "generateKey");
if ("hash" in algorithm.algorithm) {
algorithm.algorithm.hash.name = "SHA-256";
}

const keys = await crypto.generateKey(algorithm.algorithm, true, algorithm.usages);

// Exporting public key into "subjectPublicKeyInfo" value of certificate
await certificate.subjectPublicKeyInfo.importKey(keys.publicKey);

// Signing final certificate
await certificate.sign(keys.privateKey, "SHA-256");

const raw = certificate.toSchema().toBER();

Hierarchy

Implements

Index

Constructors

Properties

extensions?: Extension[]

If present, this field is a SEQUENCE of one or more certificate extensions

The issuer field identifies the entity that has signed and issued the certificate

issuerUniqueID?: ArrayBuffer

The subject and issuer unique identifiers are present in the certificate to handle the possibility of reuse of subject and/or issuer names over time

notAfter: Time

The date on which the certificate validity period ends

notBefore: Time

The date on which the certificate validity period begins

serialNumber: Integer

Serial number of the certificate

This field contains the algorithm identifier for the algorithm used by the CA to sign the certificate

signatureAlgorithm: AlgorithmIdentifier

The signatureAlgorithm field contains the identifier for the cryptographic algorithm used by the CA to sign this certificate

signatureValue: BitString

The signatureValue field contains a digital signature computed upon the ASN.1 DER encoded tbsCertificate

The subject field identifies the entity associated with the public key stored in the subject public key field

subjectPublicKeyInfo: PublicKeyInfo

This field is used to carry the public key and identify the algorithm with which the key is used

subjectUniqueID?: ArrayBuffer

The subject and issuer unique identifiers are present in the certificate to handle the possibility of reuse of subject and/or issuer names over time

tbsView: Uint8Array
version: number

Version number

CLASS_NAME: string = "Certificate"

Name of the class

Accessors

  • get className(): string
  • get tbs(): ArrayBuffer
  • set tbs(value: ArrayBuffer): void

Methods

  • encodeTBS(): Sequence
  • Creates ASN.1 schema for existing values of TBS part for the certificate

    Returns Sequence

    ASN.1 SEQUENCE

  • fromSchema(schema: any): void
  • getKeyHash(hashAlgorithm?: string, crypto?: ICryptoEngine): Promise<ArrayBuffer>
  • Get hash value for subject public key (default SHA-1)

    Parameters

    • hashAlgorithm: string = "SHA-1"

      Hashing algorithm name

    • crypto: ICryptoEngine = ...

      Crypto engine

    Returns Promise<ArrayBuffer>

    Computed hash value from Certificate.tbsCertificate.subjectPublicKeyInfo.subjectPublicKey

  • sign(privateKey: CryptoKey, hashAlgorithm?: string, crypto?: ICryptoEngine): Promise<void>
  • Make a signature for current value from TBS section

    Parameters

    • privateKey: CryptoKey

      Private key for SUBJECT_PUBLIC_KEY_INFO structure

    • hashAlgorithm: string = "SHA-1"

      Hashing algorithm

    • crypto: ICryptoEngine = ...

      Crypto engine

    Returns Promise<void>

  • toSchema(encodeFlag?: boolean): Sequence
  • toString(encoding?: "base64" | "base64url" | "hex"): string
  • blockName(): string
  • defaultValues(memberName: "tbs"): ArrayBuffer
  • defaultValues(memberName: "version"): number
  • defaultValues(memberName: "serialNumber"): Integer
  • defaultValues(memberName: "signature"): AlgorithmIdentifier
  • defaultValues(memberName: "issuer"): RelativeDistinguishedNames
  • defaultValues(memberName: "notBefore"): Time
  • defaultValues(memberName: "notAfter"): Time
  • defaultValues(memberName: "subject"): RelativeDistinguishedNames
  • defaultValues(memberName: "subjectPublicKeyInfo"): PublicKeyInfo
  • defaultValues(memberName: "issuerUniqueID"): ArrayBuffer
  • defaultValues(memberName: "subjectUniqueID"): ArrayBuffer
  • defaultValues(memberName: "extensions"): Extension[]
  • defaultValues(memberName: "signatureAlgorithm"): AlgorithmIdentifier
  • defaultValues(memberName: "signatureValue"): BitString
  • fromBER<T>(this: PkiObjectConstructor<T>, raw: BufferSource): T
  • Creates PKI object from the raw data

    Type Parameters

    Parameters

    • this: PkiObjectConstructor<T>
    • raw: BufferSource

      ASN.1 encoded raw data

    Returns T

    Initialized and filled current class object

  • Returns value of pre-defined ASN.1 schema for current class

    asn

    ASN.1 schema

    Certificate ::= SEQUENCE  {
       tbsCertificate       TBSCertificate,
       signatureAlgorithm   AlgorithmIdentifier,
       signatureValue       BIT STRING  }
    
    TBSCertificate ::= SEQUENCE  {
        version         [0]  EXPLICIT Version DEFAULT v1,
        serialNumber         CertificateSerialNumber,
        signature            AlgorithmIdentifier,
        issuer               Name,
        validity             Validity,
        subject              Name,
        subjectPublicKeyInfo SubjectPublicKeyInfo,
        issuerUniqueID  [1]  IMPLICIT UniqueIdentifier OPTIONAL,
                              -- If present, version MUST be v2 or v3
        subjectUniqueID [2]  IMPLICIT UniqueIdentifier OPTIONAL,
                              -- If present, version MUST be v2 or v3
        extensions      [3]  EXPLICIT Extensions OPTIONAL
                              -- If present, version MUST be v3
        }
    
    Version ::= INTEGER  {  v1(0), v2(1), v3(2)  }
    
    CertificateSerialNumber ::= INTEGER
    
    Validity ::= SEQUENCE {
        notBefore      Time,
        notAfter       Time }
    
    Time ::= CHOICE {
        utcTime        UTCTime,
        generalTime    GeneralizedTime }
    
    UniqueIdentifier ::= BIT STRING
    
    SubjectPublicKeyInfo ::= SEQUENCE  {
        algorithm            AlgorithmIdentifier,
        subjectPublicKey     BIT STRING  }
    
    Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension
    
    Extension ::= SEQUENCE  {
        extnID      OBJECT IDENTIFIER,
        critical    BOOLEAN DEFAULT FALSE,
        extnValue   OCTET STRING
                    -- contains the DER encoding of an ASN.1 value
                    -- corresponding to the extension type identified
                    -- by extnID
        }
    

    Parameters

    Returns any

    ASN.1 schema object

Generated using TypeDoc