Class Certificate

Represents an X.509 certificate described in RFC5280 Section 4.

Example

The following example demonstrates how to parse X.509 Certificate

const asn1 = asn1js.fromBER(raw);
if (asn1.offset === -1) {
  throw new Error("Incorrect encoded ASN.1 data");
}

const cert = new pkijs.Certificate({ schema: asn1.result });

Example

The following example demonstrates how to create self-signed certificate

const crypto = pkijs.getCrypto(true);

// Create certificate
const certificate = new pkijs.Certificate();
certificate.version = 2;
certificate.serialNumber = new asn1js.Integer({ value: 1 });
certificate.issuer.typesAndValues.push(new pkijs.AttributeTypeAndValue({
  type: "2.5.4.3", // Common name
  value: new asn1js.BmpString({ value: "Test" })
}));
certificate.subject.typesAndValues.push(new pkijs.AttributeTypeAndValue({
  type: "2.5.4.3", // Common name
  value: new asn1js.BmpString({ value: "Test" })
}));

certificate.notBefore.value = new Date();
const notAfter = new Date();
notAfter.setUTCFullYear(notAfter.getUTCFullYear() + 1);
certificate.notAfter.value = notAfter;

certificate.extensions = []; // Extensions are not a part of certificate by default, it's an optional array

// "BasicConstraints" extension
const basicConstr = new pkijs.BasicConstraints({
  cA: true,
  pathLenConstraint: 3
});
certificate.extensions.push(new pkijs.Extension({
  extnID: "2.5.29.19",
  critical: false,
  extnValue: basicConstr.toSchema().toBER(false),
  parsedValue: basicConstr // Parsed value for well-known extensions
}));

// "KeyUsage" extension
const bitArray = new ArrayBuffer(1);
const bitView = new Uint8Array(bitArray);
bitView[0] |= 0x02; // Key usage "cRLSign" flag
bitView[0] |= 0x04; // Key usage "keyCertSign" flag
const keyUsage = new asn1js.BitString({ valueHex: bitArray });
certificate.extensions.push(new pkijs.Extension({
  extnID: "2.5.29.15",
  critical: false,
  extnValue: keyUsage.toBER(false),
  parsedValue: keyUsage // Parsed value for well-known extensions
}));

const algorithm = pkijs.getAlgorithmParameters("RSASSA-PKCS1-v1_5", "generateKey");
if ("hash" in algorithm.algorithm) {
  algorithm.algorithm.hash.name = "SHA-256";
}

const keys = await crypto.generateKey(algorithm.algorithm, true, algorithm.usages);

// Exporting public key into "subjectPublicKeyInfo" value of certificate
await certificate.subjectPublicKeyInfo.importKey(keys.publicKey);

// Signing final certificate
await certificate.sign(keys.privateKey, "SHA-256");

const raw = certificate.toSchema().toBER();

Hierarchy

Implements

Constructors

constructor

Properties

extensions? issuer issuerUniqueID? notAfter notBefore serialNumber signature signatureAlgorithm signatureValue subject subjectPublicKeyInfo subjectUniqueID? tbsView version CLASS_NAME

Accessors

className tbs

Methods

encodeTBS fromSchema getKeyHash getPublicKey sign toJSON toSchema toString verify blockName defaultValues fromBER schema

Constructors

constructor

Properties

Optional extensions

extensions?: Extension[]

If present, this field is a SEQUENCE of one or more certificate extensions

issuer

issuer: RelativeDistinguishedNames

The issuer field identifies the entity that has signed and issued the certificate

Optional issuerUniqueID

issuerUniqueID?: ArrayBuffer

The subject and issuer unique identifiers are present in the certificate to handle the possibility of reuse of subject and/or issuer names over time

notAfter

notAfter: Time

The date on which the certificate validity period ends

notBefore

notBefore: Time

The date on which the certificate validity period begins

serialNumber

serialNumber: Integer

Serial number of the certificate

signature

signature: AlgorithmIdentifier

This field contains the algorithm identifier for the algorithm used by the CA to sign the certificate

signatureAlgorithm

signatureAlgorithm: AlgorithmIdentifier

The signatureAlgorithm field contains the identifier for the cryptographic algorithm used by the CA to sign this certificate

signatureValue

signatureValue: BitString

The signatureValue field contains a digital signature computed upon the ASN.1 DER encoded tbsCertificate

subject

subject: RelativeDistinguishedNames

The subject field identifies the entity associated with the public key stored in the subject public key field

subjectPublicKeyInfo

subjectPublicKeyInfo: PublicKeyInfo

This field is used to carry the public key and identify the algorithm with which the key is used

Optional subjectUniqueID

subjectUniqueID?: ArrayBuffer

The subject and issuer unique identifiers are present in the certificate to handle the possibility of reuse of subject and/or issuer names over time

tbsView

tbsView: Uint8Array

version

version: number

Version number

Static CLASS_NAME

CLASS_NAME: string = "Certificate"

Name of the class

Accessors

className

  • get className(): string

  • Returns string

tbs

Methods

encodeTBS

  • Creates ASN.1 schema for existing values of TBS part for the certificate

    Returns

    ASN.1 SEQUENCE

    Returns Sequence

fromSchema

getKeyHash

  • Get hash value for subject public key (default SHA-1)

    Returns

    Computed hash value from Certificate.tbsCertificate.subjectPublicKeyInfo.subjectPublicKey

    Parameters

    • hashAlgorithm: string = "SHA-1"

      Hashing algorithm name

    • crypto: ICryptoEngine = ...

      Crypto engine

    Returns Promise<ArrayBuffer>

getPublicKey

sign

  • Make a signature for current value from TBS section

    Parameters

    • privateKey: CryptoKey

      Private key for SUBJECT_PUBLIC_KEY_INFO structure

    • hashAlgorithm: string = "SHA-1"

      Hashing algorithm

    • crypto: ICryptoEngine = ...

      Crypto engine

    Returns Promise<void>

toJSON

toSchema

  • Converts current object to ASN.1 object and sets correct values

    Returns

    ASN.1 object

    Parameters

    • encodeFlag: boolean = false

      If param equal to false then creates schema via decoding stored value. In other case creates schema via assembling from cached parts

    Returns Sequence

toString

  • Parameters

    • encoding: "base64" | "base64url" | "hex" = "hex"

    Returns string

verify

Static blockName

Static defaultValues

Static fromBER

  • Creates PKI object from the raw data

    Returns

    Initialized and filled current class object

    Type Parameters

    Parameters

    • this: PkiObjectConstructor<T>
    • raw: BufferSource

      ASN.1 encoded raw data

    Returns T

Static schema

Settings

Member Visibility

Theme

Generated using TypeDoc