rsa-csr.js/lib/csr.js

'use strict';

var crypto = require('crypto');
var ASN1 = require('./asn1.js');
var Enc = require('./encoding.js');
var PEM = require('./pem.js');
var X509 = require('./x509.js');
var RSA = {};

/*global Promise*/
var CSR = module.exports = function rsacsr(opts) {
  // We're using a Promise here to be compatible with the browser version
  // which will probably use the webcrypto API for some of the conversions
  return Promise.resolve().then(function () {
    var Rasha;
    opts = JSON.parse(JSON.stringify(opts));
    var pem, jwk;

    // We do a bit of extra error checking for user convenience
    if (!opts) { throw new Error("You must pass options with key and domains to rsacsr"); }
    if (!Array.isArray(opts.domains) || 0 === opts.domains.length) {
      new Error("You must pass options.domains as a non-empty array");
    }

    // I need to check that 例.中国 is a valid domain name
    if (!opts.domains.every(function (d) {
      // allow punycode? xn--
      if ('string' === typeof d /*&& /\./.test(d) && !/--/.test(d)*/) {
        return true;
      }
    })) {
      throw new Error("You must pass options.domains as strings");
    }

    if (opts.pem) {
      pem = opts.pem;
    } else if (opts.jwk) {
      jwk = opts.jwk;
    } else {
      if (!opts.key) {
        throw new Error("You must pass options.key as a JSON web key");
      } else if (opts.key.kty) {
        jwk = opts.key;
      } else {
        pem = opts.key;
      }
    }

    if (pem) {
      try {
        Rasha = require('rasha');
      } catch(e) {
        throw new Error("Rasha.js is an optional dependency for PEM-to-JWK.\n"
          + "Install it if you'd like to use it:\n"
          + "\tnpm install --save rasha\n"
          + "Otherwise supply a jwk as the private key."
        );
      }
      jwk = Rasha.importSync({ pem: pem });
    }

    opts.jwk = jwk;
    return CSR.create(opts).then(function (bytes) {
      return PEM.packBlock({
        type: "CERTIFICATE REQUEST"
      , bytes: bytes /* { jwk: jwk, domains: opts.domains } */
      });
    });
  });
};

CSR.create = function createCsr(opts) {
  var hex = CSR.request(opts.jwk, opts.domains);
  return CSR.sign(opts.jwk, hex).then(function (csr) {
    return Enc.hexToBuf(csr);
  });
};

CSR.request = function createCsrBodyEc(jwk, domains) {
  var asn1pub = X509.packCsrPublicKey(jwk);
  return X509.packCsr(asn1pub, domains);
};

CSR.sign = function csrEcSig(jwk, request) {
  var keypem = PEM.packBlock({ type: "RSA PRIVATE KEY", bytes: X509.packPkcs1(jwk) });

  return RSA.sign(keypem, Enc.hexToBuf(request)).then(function (sig) {
    var sty = ASN1('30'
      // 1.2.840.113549.1.1.11 sha256WithRSAEncryption (PKCS #1)
    , ASN1('06', '2a864886f70d01010b')
    , ASN1('05')
    );
    return ASN1('30'
      // The Full CSR Request Body
    , request
      // The Signature Type
    , sty
      // The Signature
    , ASN1.BitStr(Enc.bufToHex(sig))
    );
  });
};

//
// RSA
//

// Took some tips from https://gist.github.com/codermapuche/da4f96cdb6d5ff53b7ebc156ec46a10a
RSA.sign = function signRsa(keypem, ab) {
  return Promise.resolve().then(function () {
    // Signer is a stream
    var sign = crypto.createSign('SHA256');
    sign.write(new Uint8Array(ab));
    sign.end();

    // The signature is ASN1 encoded, as it turns out
    var sig = sign.sign(keypem);

    // Convert to a JavaScript ArrayBuffer just because
    return new Uint8Array(sig.buffer.slice(sig.byteOffset, sig.byteOffset + sig.byteLength));
  });
};
v0.7.0: it's working! it's working! (and tested) 2018-11-23 22:22:34 -07:00			`'use strict';`

			`var crypto = require('crypto');`
			`var ASN1 = require('./asn1.js');`
			`var Enc = require('./encoding.js');`
			`var PEM = require('./pem.js');`
			`var X509 = require('./x509.js');`
			`var RSA = {};`

			`/global Promise/`
			`var CSR = module.exports = function rsacsr(opts) {`
			`// We're using a Promise here to be compatible with the browser version`
			`// which will probably use the webcrypto API for some of the conversions`
			`return Promise.resolve().then(function () {`
			`var Rasha;`
			`opts = JSON.parse(JSON.stringify(opts));`
			`var pem, jwk;`

			`// We do a bit of extra error checking for user convenience`
			`if (!opts) { throw new Error("You must pass options with key and domains to rsacsr"); }`
			`if (!Array.isArray(opts.domains) \|\| 0 === opts.domains.length) {`
			`new Error("You must pass options.domains as a non-empty array");`
			`}`

			`// I need to check that 例.中国 is a valid domain name`
			`if (!opts.domains.every(function (d) {`
			`// allow punycode? xn--`
			`if ('string' === typeof d /&& /\./.test(d) && !/--/.test(d)/) {`
			`return true;`
			`}`
			`})) {`
			`throw new Error("You must pass options.domains as strings");`
			`}`

			`if (opts.pem) {`
			`pem = opts.pem;`
			`} else if (opts.jwk) {`
			`jwk = opts.jwk;`
			`} else {`
			`if (!opts.key) {`
			`throw new Error("You must pass options.key as a JSON web key");`
			`} else if (opts.key.kty) {`
			`jwk = opts.key;`
			`} else {`
			`pem = opts.key;`
			`}`
			`}`

			`if (pem) {`
			`try {`
			`Rasha = require('rasha');`
			`} catch(e) {`
			`throw new Error("Rasha.js is an optional dependency for PEM-to-JWK.\n"`
			`+ "Install it if you'd like to use it:\n"`
			`+ "\tnpm install --save rasha\n"`
			`+ "Otherwise supply a jwk as the private key."`
			`);`
			`}`
			`jwk = Rasha.importSync({ pem: pem });`
			`}`

			`opts.jwk = jwk;`
			`return CSR.create(opts).then(function (bytes) {`
			`return PEM.packBlock({`
			`type: "CERTIFICATE REQUEST"`
			`, bytes: bytes /* { jwk: jwk, domains: opts.domains } */`
			`});`
			`});`
			`});`
			`};`

			`CSR.create = function createCsr(opts) {`
			`var hex = CSR.request(opts.jwk, opts.domains);`
			`return CSR.sign(opts.jwk, hex).then(function (csr) {`
			`return Enc.hexToBuf(csr);`
			`});`
			`};`

			`CSR.request = function createCsrBodyEc(jwk, domains) {`
			`var asn1pub = X509.packCsrPublicKey(jwk);`
			`return X509.packCsr(asn1pub, domains);`
			`};`

			`CSR.sign = function csrEcSig(jwk, request) {`
			`var keypem = PEM.packBlock({ type: "RSA PRIVATE KEY", bytes: X509.packPkcs1(jwk) });`

			`return RSA.sign(keypem, Enc.hexToBuf(request)).then(function (sig) {`
			`var sty = ASN1('30'`
			`// 1.2.840.113549.1.1.11 sha256WithRSAEncryption (PKCS #1)`
			`, ASN1('06', '2a864886f70d01010b')`
			`, ASN1('05')`
			`);`
			`return ASN1('30'`
			`// The Full CSR Request Body`
			`, request`
			`// The Signature Type`
			`, sty`
			`// The Signature`
			`, ASN1.BitStr(Enc.bufToHex(sig))`
			`);`
			`});`
			`};`

			`//`
			`// RSA`
			`//`

			`// Took some tips from https://gist.github.com/codermapuche/da4f96cdb6d5ff53b7ebc156ec46a10a`
			`RSA.sign = function signRsa(keypem, ab) {`
			`return Promise.resolve().then(function () {`
			`// Signer is a stream`
			`var sign = crypto.createSign('SHA256');`
			`sign.write(new Uint8Array(ab));`
			`sign.end();`

			`// The signature is ASN1 encoded, as it turns out`
			`var sig = sign.sign(keypem);`

			`// Convert to a JavaScript ArrayBuffer just because`
			`return new Uint8Array(sig.buffer.slice(sig.byteOffset, sig.byteOffset + sig.byteLength));`
			`});`
			`};`