CasperSecurity
var forge = require('node-forge');
// a hexString is considered negative if it's most significant bit is 1
// because serial numbers use ones' complement notation
// this RFC in section 4.1.2.2 requires serial numbers to be positive
// http://www.ietf.org/rfc/rfc5280.txt
function toPositiveHex(hexString){
var mostSiginficativeHexAsInt = parseInt(hexString[0], 16);
if (mostSiginficativeHexAsInt < 8){
return hexString;
}
mostSiginficativeHexAsInt -= 8;
return mostSiginficativeHexAsInt.toString() + hexString.substring(1);
}
function getAlgorithm(key) {
switch (key) {
case 'sha256':
return forge.md.sha256.create();
default:
return forge.md.sha1.create();
}
}
/**
*
* @param {forge.pki.CertificateField[]} attrs Attributes used for subject and issuer.
* @param {object} options
* @param {number} [options.days=365] the number of days before expiration
* @param {number} [options.keySize=1024] the size for the private key in bits
* @param {object} [options.extensions] additional extensions for the certificate
* @param {string} [options.algorithm="sha1"] The signature algorithm sha256 or sha1
* @param {boolean} [options.pkcs7=false] include PKCS#7 as part of the output
* @param {boolean} [options.clientCertificate=false] generate client cert signed by the original key
* @param {string} [options.clientCertificateCN="John Doe jdoe123"] client certificate's common name
* @param {function} [done] Optional callback, if not provided the generation is synchronous
* @returns
*/
exports.generate = function generate(attrs, options, done) {
if (typeof attrs === 'function') {
done = attrs;
attrs = undefined;
} else if (typeof options === 'function') {
done = options;
options = {};
}
options = options || {};
var generatePem = function (keyPair) {
var cert = forge.pki.createCertificate();
cert.serialNumber = toPositiveHex(forge.util.bytesToHex(forge.random.getBytesSync(9))); // the serial number can be decimal or hex (if preceded by 0x)
cert.validity.notBefore = new Date();
cert.validity.notAfter = new Date();
cert.validity.notAfter.setDate(cert.validity.notBefore.getDate() + (options.days || 365));
attrs = attrs || [{
name: 'commonName',
value: 'example.org'
}, {
name: 'countryName',
value: 'US'
}, {
shortName: 'ST',
value: 'Virginia'
}, {
name: 'localityName',
value: 'Blacksburg'
}, {
name: 'organizationName',
value: 'Test'
}, {
shortName: 'OU',
value: 'Test'
}];
cert.setSubject(attrs);
cert.setIssuer(attrs);
cert.publicKey = keyPair.publicKey;
cert.setExtensions(options.extensions || [{
name: 'basicConstraints',
cA: true
}, {
name: 'keyUsage',
keyCertSign: true,
digitalSignature: true,
nonRepudiation: true,
keyEncipherment: true,
dataEncipherment: true
}, {
name: 'subjectAltName',
altNames: [{
type: 6, // URI
value: 'http://example.org/webid#me'
}]
}]);
cert.sign(keyPair.privateKey, getAlgorithm(options && options.algorithm));
const fingerprint = forge.md.sha1
.create()
.update(forge.asn1.toDer(forge.pki.certificateToAsn1(cert)).getBytes())
.digest()
.toHex()
.match(/.{2}/g)
.join(':');
var pem = {
private: forge.pki.privateKeyToPem(keyPair.privateKey),
public: forge.pki.publicKeyToPem(keyPair.publicKey),
cert: forge.pki.certificateToPem(cert),
fingerprint: fingerprint,
};
if (options && options.pkcs7) {
var p7 = forge.pkcs7.createSignedData();
p7.addCertificate(cert);
pem.pkcs7 = forge.pkcs7.messageToPem(p7);
}
if (options && options.clientCertificate) {
var clientkeys = forge.pki.rsa.generateKeyPair(1024);
var clientcert = forge.pki.createCertificate();
clientcert.serialNumber = toPositiveHex(forge.util.bytesToHex(forge.random.getBytesSync(9)));
clientcert.validity.notBefore = new Date();
clientcert.validity.notAfter = new Date();
clientcert.validity.notAfter.setFullYear(clientcert.validity.notBefore.getFullYear() + 1);
var clientAttrs = JSON.parse(JSON.stringify(attrs));
for(var i = 0; i < clientAttrs.length; i++) {
if(clientAttrs[i].name === 'commonName') {
if( options.clientCertificateCN )
clientAttrs[i] = { name: 'commonName', value: options.clientCertificateCN };
else
clientAttrs[i] = { name: 'commonName', value: 'John Doe jdoe123' };
}
}
clientcert.setSubject(clientAttrs);
// Set the issuer to the parent key
clientcert.setIssuer(attrs);
clientcert.publicKey = clientkeys.publicKey;
// Sign client cert with root cert
clientcert.sign(keyPair.privateKey);
pem.clientprivate = forge.pki.privateKeyToPem(clientkeys.privateKey);
pem.clientpublic = forge.pki.publicKeyToPem(clientkeys.publicKey);
pem.clientcert = forge.pki.certificateToPem(clientcert);
if (options.pkcs7) {
var clientp7 = forge.pkcs7.createSignedData();
clientp7.addCertificate(clientcert);
pem.clientpkcs7 = forge.pkcs7.messageToPem(clientp7);
}
}
var caStore = forge.pki.createCaStore();
caStore.addCertificate(cert);
try {
forge.pki.verifyCertificateChain(caStore, [cert],
function (vfd, depth, chain) {
if (vfd !== true) {
throw new Error('Certificate could not be verified.');
}
return true;
});
}
catch(ex) {
throw new Error(ex);
}
return pem;
};
var keySize = options.keySize || 1024;
if (done) { // async scenario
return forge.pki.rsa.generateKeyPair({ bits: keySize }, function (err, keyPair) {
if (err) { return done(err); }
try {
return done(null, generatePem(keyPair));
} catch (ex) {
return done(ex);
}
});
}
var keyPair = options.keyPair ? {
privateKey: forge.pki.privateKeyFromPem(options.keyPair.privateKey),
publicKey: forge.pki.publicKeyFromPem(options.keyPair.publicKey)
} : forge.pki.rsa.generateKeyPair(keySize);
return generatePem(keyPair);
};