Class Certificate

Represents an X.509 certificate described in RFC5280 Section 4.

Example

The following example demonstrates how to parse X.509 Certificate

const asn1 = asn1js.fromBER(raw);
if (asn1.offset === -1) {
throw new Error("Incorrect encoded ASN.1 data");
}

const cert = new pkijs.Certificate({ schema: asn1.result });

Example

The following example demonstrates how to create self-signed certificate

const crypto = pkijs.getCrypto(true);

// Create certificate
const certificate = new pkijs.Certificate();
certificate.version = 2;
certificate.serialNumber = new asn1js.Integer({ value: 1 });
certificate.issuer.typesAndValues.push(new pkijs.AttributeTypeAndValue({
type: "2.5.4.3", // Common name
value: new asn1js.BmpString({ value: "Test" })
}));
certificate.subject.typesAndValues.push(new pkijs.AttributeTypeAndValue({
type: "2.5.4.3", // Common name
value: new asn1js.BmpString({ value: "Test" })
}));

certificate.notBefore.value = new Date();
const notAfter = new Date();
notAfter.setUTCFullYear(notAfter.getUTCFullYear() + 1);
certificate.notAfter.value = notAfter;

certificate.extensions = []; // Extensions are not a part of certificate by default, it's an optional array

// "BasicConstraints" extension
const basicConstr = new pkijs.BasicConstraints({
cA: true,
pathLenConstraint: 3
});
certificate.extensions.push(new pkijs.Extension({
extnID: "2.5.29.19",
critical: false,
extnValue: basicConstr.toSchema().toBER(false),
parsedValue: basicConstr // Parsed value for well-known extensions
}));

// "KeyUsage" extension
const bitArray = new ArrayBuffer(1);
const bitView = new Uint8Array(bitArray);
bitView[0] |= 0x02; // Key usage "cRLSign" flag
bitView[0] |= 0x04; // Key usage "keyCertSign" flag
const keyUsage = new asn1js.BitString({ valueHex: bitArray });
certificate.extensions.push(new pkijs.Extension({
extnID: "2.5.29.15",
critical: false,
extnValue: keyUsage.toBER(false),
parsedValue: keyUsage // Parsed value for well-known extensions
}));

const algorithm = pkijs.getAlgorithmParameters("RSASSA-PKCS1-v1_5", "generateKey");
if ("hash" in algorithm.algorithm) {
algorithm.algorithm.hash.name = "SHA-256";
}

const keys = await crypto.generateKey(algorithm.algorithm, true, algorithm.usages);

// Exporting public key into "subjectPublicKeyInfo" value of certificate
await certificate.subjectPublicKeyInfo.importKey(keys.publicKey);

// Signing final certificate
await certificate.sign(keys.privateKey, "SHA-256");

const raw = certificate.toSchema().toBER();

Hierarchy

Implements

Constructors

Properties

extensions?: Extension[]

If present, this field is a SEQUENCE of one or more certificate extensions

The issuer field identifies the entity that has signed and issued the certificate

issuerUniqueID?: ArrayBuffer

The subject and issuer unique identifiers are present in the certificate to handle the possibility of reuse of subject and/or issuer names over time

notAfter: Time

The date on which the certificate validity period ends

notBefore: Time

The date on which the certificate validity period begins

serialNumber: Integer

Serial number of the certificate

This field contains the algorithm identifier for the algorithm used by the CA to sign the certificate

signatureAlgorithm: AlgorithmIdentifier

The signatureAlgorithm field contains the identifier for the cryptographic algorithm used by the CA to sign this certificate

signatureValue: BitString

The signatureValue field contains a digital signature computed upon the ASN.1 DER encoded tbsCertificate

The subject field identifies the entity associated with the public key stored in the subject public key field

subjectPublicKeyInfo: PublicKeyInfo

This field is used to carry the public key and identify the algorithm with which the key is used

subjectUniqueID?: ArrayBuffer

The subject and issuer unique identifiers are present in the certificate to handle the possibility of reuse of subject and/or issuer names over time

tbsView: Uint8Array
version: number

Version number

CLASS_NAME: string = "Certificate"

Name of the class

Accessors

  • get className(): string
  • Returns string

Methods

  • Creates ASN.1 schema for existing values of TBS part for the certificate

    Returns

    ASN.1 SEQUENCE

    Returns Sequence

  • Get hash value for subject public key (default SHA-1)

    Returns

    Computed hash value from Certificate.tbsCertificate.subjectPublicKeyInfo.subjectPublicKey

    Parameters

    • hashAlgorithm: string = "SHA-1"

      Hashing algorithm name

    • crypto: ICryptoEngine = ...

      Crypto engine

    Returns Promise<ArrayBuffer>

  • Make a signature for current value from TBS section

    Parameters

    • privateKey: CryptoKey

      Private key for SUBJECT_PUBLIC_KEY_INFO structure

    • hashAlgorithm: string = "SHA-1"

      Hashing algorithm

    • crypto: ICryptoEngine = ...

      Crypto engine

    Returns Promise<void>

  • Converts current object to ASN.1 object and sets correct values

    Returns

    ASN.1 object

    Parameters

    • encodeFlag: boolean = false

      If param equal to false then creates schema via decoding stored value. In other case creates schema via assembling from cached parts

    Returns Sequence

  • Parameters

    • encoding: "base64" | "base64url" | "hex" = "hex"

    Returns string

  • Creates PKI object from the raw data

    Returns

    Initialized and filled current class object

    Type Parameters

    Parameters

    • this: PkiObjectConstructor<T>
    • raw: BufferSource

      ASN.1 encoded raw data

    Returns T

Generated using TypeDoc