
crypto: expose tls's x509 Certificate Object #29181

Closed
panva opened this issue Aug 17, 2019 · 5 comments
Labels: crypto (Issues and PRs related to the crypto subsystem), feature request (Issues that request new features to be added to Node.js)

Comments

@panva
Member

panva commented Aug 17, 2019

Is your feature request related to a problem? Please describe.

Several use-cases for getting x509 certificate information need to be solved by requiring an asn.1 module, defining the structure and undergoing slow, inefficient and error prone parsing.

Describe the solution you'd like

Seeing how you can already get parsed certificate information from a tlsSocket, I wonder if an API like this could be exposed:

```js
const { X509Certificate } = require('crypto')

const cert = new X509Certificate(/* Buffer|string */);

// from tls' Certificate Object docs
// { subject:
//    { OU: [ 'Domain Control Validated', 'PositiveSSL Wildcard' ],
//      CN: '*.nodejs.org' },
//   issuer:
//    { C: 'GB',
//      ST: 'Greater Manchester',
//      L: 'Salford',
//      O: 'COMODO CA Limited',
//      CN: 'COMODO RSA Domain Validation Secure Server CA' },
//   subjectaltname: 'DNS:*.nodejs.org, DNS:nodejs.org',
//   infoAccess:
//    { 'CA Issuers - URI':
//       [ 'http://crt.comodoca.com/COMODORSADomainValidationSecureServerCA.crt' ],
//      'OCSP - URI': [ 'http://ocsp.comodoca.com' ] },
//   modulus: '...',
//   exponent: '0x10001',
//   pubkey: <Buffer ... >,
//   valid_from: 'Aug 14 00:00:00 2017 GMT',
//   valid_to: 'Nov 20 23:59:59 2019 GMT',
//   fingerprint: '01:02:59:D9:C3:D2:0D:08:F7:82:4E:44:A4:B4:53:C5:E2:3A:87:4D',
//   fingerprint256: '69:AE:1A:6A:D4:3D:C6:C1:1B:EA:C6:23:DE:BA:2A:14:62:62:93:5C:7A:EA:06:41:9B:0B:BC:87:CE:48:4E:02',
//   ext_key_usage: [ '1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.7.3.2' ],
//   serialNumber: '66593D57F20CBC573E433381B5FEC280',
//   raw: <Buffer ... > }
```
@bnoordhuis bnoordhuis added crypto Issues and PRs related to the crypto subsystem. feature request Issues that request new features to be added to Node.js. labels Aug 17, 2019
@sam-github
Contributor

If anyone wants to take a crack at it, this would be reasonably straightforward. The code to convert from an OpenSSL X509 exists already, `static Local<Object> X509ToObject(Environment* env, X509* cert) {`, so it just needs a bit of a wrapper to use OpenSSL to parse out an X509 object from js string/buffer data before converting to a js object.

@tniessen
Member

tniessen commented Sep 4, 2019

We should have a unified way of accessing the key and its components for certificates and KeyObjects.

@ebickle
Contributor

ebickle commented Jan 25, 2020

What if we took this idea a bit further and created an X509Store as well? Not only would we have a structured way of reading the properties of an X509, we could compose them into a store and then pass references to stores in the various parameters of the TLS module. e.g. pass an X509Store to options.ca.

This would provide a solid foundation for certificate handling in node.js going forward and also solve some of the performance issues relating to the parsing of string-formatted certificates on each request.

@RalphBragg

Hi - Any update on this ticket please? It would be really useful!

@sam-github
Contributor

You can see that #30675 is a quick POC, but I make no promises about having the time to finish it.

@RalphBragg If you want to pick it up, feel free to take that code and finish it, there's not much there and you are welcome to call it your own.

jasnell added a commit to jasnell/node that referenced this issue Jan 6, 2021
Introduces the `crypto.X509Certificate` object.

```js
const { X509Certificate } = require('crypto');

const x509 = new X509Certificate('{pem encoded cert}');
console.log(x509.subject);
```

Fixes: nodejs#29181
Signed-off-by: James M Snell <jasnell@gmail.com>
@jasnell jasnell closed this as completed in f5287a4 Jan 9, 2021
danielleadams pushed a commit that referenced this issue Jan 12, 2021
Introduces the `crypto.X509Certificate` object.

```js
const { X509Certificate } = require('crypto');

const x509 = new X509Certificate('{pem encoded cert}');
console.log(x509.subject);
```

Fixes: #29181
Signed-off-by: James M Snell <jasnell@gmail.com>

PR-URL: #36804
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Filip Skokan <panva.ip@gmail.com>