From f5287a4b7b0b14f69b264d8017b76c100f5bc2c1 Mon Sep 17 00:00:00 2001 From: James M Snell Date: Mon, 4 Jan 2021 21:27:20 -0800 Subject: [PATCH] crypto: introduce X509Certificate API Introduces the `crypto.X509Certificate` object. ```js const { X509Certificate } = require('crypto'); const x509 = new X509Certificate('{pem encoded cert}'); console.log(x509.subject); ``` Fixes: https://github.com/nodejs/node/issues/29181 Signed-off-by: James M Snell PR-URL: https://github.com/nodejs/node/pull/36804 Reviewed-By: Anna Henningsen Reviewed-By: Filip Skokan --- doc/api/crypto.md | 254 ++++++++++++++ doc/api/worker_threads.md | 8 +- lib/crypto.js | 6 +- lib/internal/crypto/x509.js | 334 +++++++++++++++++++ node.gyp | 3 + src/crypto/crypto_common.cc | 260 +++++++-------- src/crypto/crypto_common.h | 55 ++++ src/crypto/crypto_context.cc | 2 +- src/crypto/crypto_context.h | 2 + src/crypto/crypto_x509.cc | 531 ++++++++++++++++++++++++++++++ src/crypto/crypto_x509.h | 136 ++++++++ src/env.h | 1 + src/node_crypto.cc | 1 + src/node_crypto.h | 1 + test/parallel/test-crypto-x509.js | 245 ++++++++++++++ tools/doc/type-parser.js | 2 + 16 files changed, 1695 insertions(+), 146 deletions(-) create mode 100644 lib/internal/crypto/x509.js create mode 100644 src/crypto/crypto_x509.cc create mode 100644 src/crypto/crypto_x509.h create mode 100644 test/parallel/test-crypto-x509.js diff --git a/doc/api/crypto.md b/doc/api/crypto.md index 0c12b1fc77f519..a1030dacedf0af 100644 --- a/doc/api/crypto.md +++ b/doc/api/crypto.md @@ -1645,6 +1645,259 @@ thrown. Because public keys can be derived from private keys, a private key may be passed instead of a public key. +## Class: `X509Certificate` + + +Encapsulates an X509 certificate and provides read-only access to +it's information. + +```js +const { X509Certificate } = require('crypto'); + +const x509 = new X509Certificate('{... pem encoded cert ...}'); + +console.log(x509.subject); +``` + +### `new X509Certificate(buffer)` + + +* `buffer` {string|TypedArray|Buffer|DataView} A PEM or DER encoded + X509 Certificate. + +### `x509.ca` + + +* Type: {boolean} Will be `true` if this is a Certificate Authority (ca) + certificate. + +### `x509.checkEmail(email[, options])` + + +* `email` {string} +* `options` {Object} + * `subject` {string} `'always'` or `'never'`. **Defaults**: `'always'`. + * `wildcards` {boolean} **Defaults**: `true`. + * `partialWildcards` {boolean} **Defaults**: `true`. + * `multiLabelWildcards` {boolean} **Defaults**: `false`. + * `singleLabelSubdomains` {boolean} **Defaults**: `false`. +* Returns: {string|undefined} Returns `email` if the certificate matches, + `undefined` if it does not. + +Checks whether the certificate matches the given email address. + +### `x509.checkHost(name[, options])` + + +* `name` {string} +* `options` {Object} + * `subject` {string} `'always'` or `'never'`. **Defaults**: `'always'`. + * `wildcards` {boolean} **Defaults**: `true`. + * `partialWildcards` {boolean} **Defaults**: `true`. + * `multiLabelWildcards` {boolean} **Defaults**: `false`. + * `singleLabelSubdomains` {boolean} **Defaults**: `false`. +* Returns: {string|undefined} Returns `name` if the certificate matches, + `undefined` if it does not. + +Checks whether the certificate matches the given host name. + +### `x509.checkIP(ip[, options])` + + +* `ip` {string} +* `options` {Object} + * `subject` {string} `'always'` or `'never'`. **Defaults**: `'always'`. + * `wildcards` {boolean} **Defaults**: `true`. + * `partialWildcards` {boolean} **Defaults**: `true`. + * `multiLabelWildcards` {boolean} **Defaults**: `false`. + * `singleLabelSubdomains` {boolean} **Defaults**: `false`. +* Returns: {string|undefined} Returns `ip` if the certificate matches, + `undefined` if it does not. + +Checks whether the certificate matches the given IP address (IPv4 or IPv6). + +### `x509.checkIssued(otherCert)` + + +* `otherCert` {X509Certificate} +* Returns: {boolean} + +Checks whether this certificate was issued by the given `otherCert`. + +### `x509.checkPrivateKey(privateKey)` + + +* `privateKey` {KeyObject} A private key. +* Returns: {boolean} + +Checks whether the public key for this certificate is consistent with +the given private key. + +### `x509.fingerprint` + + +* Type: {string} + +The SHA-1 fingerprint of this certificate. + +### `x509.fingerprint256` + + +* Type: {string} + +The SHA-256 fingerprint of this certificate. + +### `x509.infoAccess` + + +* Type: {string} + +The information access content of this certificate. + +### `x509.issuer` + + +* Type: {string} + +The issuer identification included in this certificate. + +### `x509.keyUsage` + + +* Type: {string[]} + +An array detailing the key usages for this certificate. + +### `x509.publicKey` + + +* Type: {KeyObject} + +The public key {KeyObject} for this certificate. + +### `x509.raw` + + +* Type: {Buffer} + +A `Buffer` containing the DER encoding of this certificate. + +### `x509.serialNumber` + + +* Type: {string} + +The serial number of this certificate. + +### `x509.subject` + + +* Type: {string} + +The complete subject of this certificate. + +### `x509.subjectAltName` + + +* Type: {string} + +The subject alternative name specified for this certificate. + +### `x509.toJSON()` + + +* Type: {string} + +There is no standard JSON encoding for X509 certificates. The +`toJSON()` method returns a string containing the PEM encoded +certificate. + +### `x509.toLegacyObject()` + + +* Type: {Object} + +Returns information about this certificate using the legacy +[certificate object][] encoding. + +### `x509.toString()` + + +* Type: {string} + +Returns the PEM-encoded certificate. + +### `x509.validFrom` + + +* Type: {string} + +The date/time from which this certificate is considered valid. + +### `x509.validTo` + + +* Type: {string} + +The date/time until which this certificate is considered valid. + +### `x509.verify(publicKey)` + + +* `publicKey` {KeyObject} A public key. +* Returns: {boolean} + +Verifies that this certificate was signed by the given public key. +Does not perform any other validation checks on the certificate. + ## `crypto` module methods and properties ### `crypto.constants` @@ -3997,6 +4250,7 @@ See the [list of SSL OP Flags][] for details. [`util.promisify()`]: util.md#util_util_promisify_original [`verify.update()`]: #crypto_verify_update_data_inputencoding [`verify.verify()`]: #crypto_verify_verify_object_signature_signatureencoding +[certificate object]: tls.md#tls_certificate_object [encoding]: buffer.md#buffer_buffers_and_character_encodings [initialization vector]: https://en.wikipedia.org/wiki/Initialization_vector [list of SSL OP Flags]: https://wiki.openssl.org/index.php/List_of_SSL_OP_Flags#Table_of_Options diff --git a/doc/api/worker_threads.md b/doc/api/worker_threads.md index e745b5aa799319..f7dfea6b9eaa07 100644 --- a/doc/api/worker_threads.md +++ b/doc/api/worker_threads.md @@ -474,6 +474,9 @@ are part of the channel.