Options
All
  • Public
  • Public/Protected
  • All
Menu

Class Certificate

Represents an X.509 certificate described in RFC5280 Section 4.

example

The following example demonstrates how to parse X.509 Certificate

const asn1 = asn1js.fromBER(raw);
if (asn1.offset === -1) {
  throw new Error("Incorrect encoded ASN.1 data");
}

const cert = new pkijs.Certificate({ schema: asn1.result });
example

The following example demonstrates how to create self-signed certificate

const crypto = pkijs.getCrypto(true);

// Create certificate
const certificate = new pkijs.Certificate();
certificate.version = 2;
certificate.serialNumber = new asn1js.Integer({ value: 1 });
certificate.issuer.typesAndValues.push(new pkijs.AttributeTypeAndValue({
  type: "2.5.4.3", // Common name
  value: new asn1js.BmpString({ value: "Test" })
}));
certificate.subject.typesAndValues.push(new pkijs.AttributeTypeAndValue({
  type: "2.5.4.3", // Common name
  value: new asn1js.BmpString({ value: "Test" })
}));

certificate.notBefore.value = new Date();
const notAfter = new Date();
notAfter.setUTCFullYear(notAfter.getUTCFullYear() + 1);
certificate.notAfter.value = notAfter;

certificate.extensions = []; // Extensions are not a part of certificate by default, it's an optional array

// "BasicConstraints" extension
const basicConstr = new pkijs.BasicConstraints({
  cA: true,
  pathLenConstraint: 3
});
certificate.extensions.push(new pkijs.Extension({
  extnID: "2.5.29.19",
  critical: false,
  extnValue: basicConstr.toSchema().toBER(false),
  parsedValue: basicConstr // Parsed value for well-known extensions
}));

// "KeyUsage" extension
const bitArray = new ArrayBuffer(1);
const bitView = new Uint8Array(bitArray);
bitView[0] |= 0x02; // Key usage "cRLSign" flag
bitView[0] |= 0x04; // Key usage "keyCertSign" flag
const keyUsage = new asn1js.BitString({ valueHex: bitArray });
certificate.extensions.push(new pkijs.Extension({
  extnID: "2.5.29.15",
  critical: false,
  extnValue: keyUsage.toBER(false),
  parsedValue: keyUsage // Parsed value for well-known extensions
}));

const algorithm = pkijs.getAlgorithmParameters("RSASSA-PKCS1-v1_5", "generateKey");
if ("hash" in algorithm.algorithm) {
  algorithm.algorithm.hash.name = "SHA-256";
}

const keys = await crypto.generateKey(algorithm.algorithm, true, algorithm.usages);

// Exporting public key into "subjectPublicKeyInfo" value of certificate
await certificate.subjectPublicKeyInfo.importKey(keys.publicKey);

// Signing final certificate
await certificate.sign(keys.privateKey, "SHA-256");

const raw = certificate.toSchema().toBER();

Hierarchy

Implements

Index

Constructors

Properties

Accessors

Methods

Constructors

constructor

Properties

Optional extensions

extensions?: Extension[]

If present, this field is a SEQUENCE of one or more certificate extensions

issuer

issuer: RelativeDistinguishedNames

The issuer field identifies the entity that has signed and issued the certificate

Optional issuerUniqueID

issuerUniqueID?: ArrayBuffer

The subject and issuer unique identifiers are present in the certificate to handle the possibility of reuse of subject and/or issuer names over time

notAfter

notAfter: Time

The date on which the certificate validity period ends

notBefore

notBefore: Time

The date on which the certificate validity period begins

serialNumber

serialNumber: Integer

Serial number of the certificate

signature

signature: AlgorithmIdentifier

This field contains the algorithm identifier for the algorithm used by the CA to sign the certificate

signatureAlgorithm

signatureAlgorithm: AlgorithmIdentifier

The signatureAlgorithm field contains the identifier for the cryptographic algorithm used by the CA to sign this certificate

signatureValue

signatureValue: BitString

The signatureValue field contains a digital signature computed upon the ASN.1 DER encoded tbsCertificate

subject

subject: RelativeDistinguishedNames

The subject field identifies the entity associated with the public key stored in the subject public key field

subjectPublicKeyInfo

subjectPublicKeyInfo: PublicKeyInfo

This field is used to carry the public key and identify the algorithm with which the key is used

Optional subjectUniqueID

subjectUniqueID?: ArrayBuffer

The subject and issuer unique identifiers are present in the certificate to handle the possibility of reuse of subject and/or issuer names over time

tbsView

tbsView: Uint8Array

version

version: number

Version number

Static CLASS_NAME

CLASS_NAME: string = "Certificate"

Name of the class

Accessors

className

  • get className(): string

tbs

  • get tbs(): ArrayBuffer
  • set tbs(value: ArrayBuffer): void

Methods

encodeTBS

  • encodeTBS(): Sequence

  • Creates ASN.1 schema for existing values of TBS part for the certificate

    Returns Sequence

    ASN.1 SEQUENCE

fromSchema

  • fromSchema(schema: any): void

getKeyHash

  • getKeyHash(hashAlgorithm?: string, crypto?: ICryptoEngine): Promise<ArrayBuffer>

  • Get hash value for subject public key (default SHA-1)

    Parameters

    • hashAlgorithm: string = "SHA-1"

      Hashing algorithm name

    • crypto: ICryptoEngine = ...

      Crypto engine

    Returns Promise<ArrayBuffer>

    Computed hash value from Certificate.tbsCertificate.subjectPublicKeyInfo.subjectPublicKey

getPublicKey

sign

  • sign(privateKey: CryptoKey, hashAlgorithm?: string, crypto?: ICryptoEngine): Promise<void>

  • Make a signature for current value from TBS section

    Parameters

    • privateKey: CryptoKey

      Private key for SUBJECT_PUBLIC_KEY_INFO structure

    • hashAlgorithm: string = "SHA-1"

      Hashing algorithm

    • crypto: ICryptoEngine = ...

      Crypto engine

    Returns Promise<void>

toJSON

toSchema

  • toSchema(encodeFlag?: boolean): Sequence

toString

  • toString(encoding?: "base64" | "base64url" | "hex"): string

verify

Static blockName

  • blockName(): string

Static defaultValues

  • defaultValues(memberName: "tbs"): ArrayBuffer
  • defaultValues(memberName: "version"): number
  • defaultValues(memberName: "serialNumber"): Integer
  • defaultValues(memberName: "signature"): AlgorithmIdentifier
  • defaultValues(memberName: "issuer"): RelativeDistinguishedNames
  • defaultValues(memberName: "notBefore"): Time
  • defaultValues(memberName: "notAfter"): Time
  • defaultValues(memberName: "subject"): RelativeDistinguishedNames
  • defaultValues(memberName: "subjectPublicKeyInfo"): PublicKeyInfo
  • defaultValues(memberName: "issuerUniqueID"): ArrayBuffer
  • defaultValues(memberName: "subjectUniqueID"): ArrayBuffer
  • defaultValues(memberName: "extensions"): Extension[]
  • defaultValues(memberName: "signatureAlgorithm"): AlgorithmIdentifier
  • defaultValues(memberName: "signatureValue"): BitString

Static fromBER

  • fromBER<T>(this: PkiObjectConstructor<T>, raw: BufferSource): T

  • Creates PKI object from the raw data

    Type Parameters

    Parameters

    • this: PkiObjectConstructor<T>
    • raw: BufferSource

      ASN.1 encoded raw data

    Returns T

    Initialized and filled current class object

Static schema

  • Returns value of pre-defined ASN.1 schema for current class

    asn

    ASN.1 schema

    Certificate ::= SEQUENCE  {
   tbsCertificate       TBSCertificate,
   signatureAlgorithm   AlgorithmIdentifier,
   signatureValue       BIT STRING  }

TBSCertificate ::= SEQUENCE  {
    version         [0]  EXPLICIT Version DEFAULT v1,
    serialNumber         CertificateSerialNumber,
    signature            AlgorithmIdentifier,
    issuer               Name,
    validity             Validity,
    subject              Name,
    subjectPublicKeyInfo SubjectPublicKeyInfo,
    issuerUniqueID  [1]  IMPLICIT UniqueIdentifier OPTIONAL,
                          -- If present, version MUST be v2 or v3
    subjectUniqueID [2]  IMPLICIT UniqueIdentifier OPTIONAL,
                          -- If present, version MUST be v2 or v3
    extensions      [3]  EXPLICIT Extensions OPTIONAL
                          -- If present, version MUST be v3
    }

Version ::= INTEGER  {  v1(0), v2(1), v3(2)  }

CertificateSerialNumber ::= INTEGER

Validity ::= SEQUENCE {
    notBefore      Time,
    notAfter       Time }

Time ::= CHOICE {
    utcTime        UTCTime,
    generalTime    GeneralizedTime }

UniqueIdentifier ::= BIT STRING

SubjectPublicKeyInfo ::= SEQUENCE  {
    algorithm            AlgorithmIdentifier,
    subjectPublicKey     BIT STRING  }

Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension

Extension ::= SEQUENCE  {
    extnID      OBJECT IDENTIFIER,
    critical    BOOLEAN DEFAULT FALSE,
    extnValue   OCTET STRING
                -- contains the DER encoding of an ASN.1 value
                -- corresponding to the extension type identified
                -- by extnID
    }

    Parameters

    Returns any

    ASN.1 schema object

Generated using TypeDoc