-
Notifications
You must be signed in to change notification settings - Fork 41
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
x509: finish JSON interface with extensions
- Loading branch information
Showing
3 changed files
with
134 additions
and
8 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -14,6 +14,8 @@ const certsData = fs.readFileSync(certs, 'utf8'); | |
const certificate = Path.resolve(__dirname, 'data', 'x509', 'certificate.crt'); | ||
const certificateData = fs.readFileSync(certificate, 'utf8'); | ||
|
||
let certFromJSON; | ||
|
||
describe('X509', function() { | ||
if (process.env.BMOCHA_VALGRIND) | ||
this.skip(); | ||
|
@@ -31,7 +33,7 @@ describe('X509', function() { | |
assert.bufferEqual(raw1, block.data); | ||
}); | ||
|
||
it(`should read JSON and write JSON (${i++})`, () => { | ||
it(`should read JSON and write JSON (${i})`, () => { | ||
const crt1 = x509.Certificate.decode(block.data); | ||
const json1 = crt1.getJSON(); | ||
|
||
|
@@ -73,4 +75,116 @@ describe('X509', function() { | |
assert(r); | ||
}); | ||
} | ||
|
||
it('should create a self-signed certificate using JSON', () => { | ||
// Create key pair and get JSON for pubkey | ||
const priv = rsa.privateKeyGenerate(2048); | ||
const pub = rsa.publicKeyCreate(priv); | ||
const pubJSON = rsa.publicKeyExport(pub); | ||
|
||
// Basic details, leave out optional and more complex stuff | ||
const json = { | ||
version: 2, | ||
serialNumber: 'deadbeef0101', | ||
signature: { | ||
algorithm: 'RSASHA256' | ||
}, | ||
issuer: [], | ||
validity: { | ||
notBefore: { type: 'UTCTime', node: '2020-04-20T18:53:25Z' }, | ||
notAfter: { type: 'UTCTime', node: '2021-04-20T18:53:25Z' } | ||
}, | ||
subject: [], | ||
subjectPublicKeyInfo: { | ||
algorithm: { | ||
algorithm: 'RSAPublicKey' | ||
}, | ||
publicKey: { | ||
modulus: pubJSON.n, | ||
publicExponent: pubJSON.e | ||
} | ||
}, | ||
extensions: [ | ||
{ | ||
extnID: 'SubjectAltName', | ||
critical: false, | ||
extnValue: [ | ||
{ type: 'DNSName', node: '*.bcoin.io' }, | ||
{ type: 'DNSName', node: 'bcoin.io' } | ||
] | ||
}, | ||
{ | ||
extnID: 'BasicConstraints', | ||
critical: false, | ||
extnValue: {cA: false, pathLenConstraint: 0} | ||
} | ||
] | ||
}; | ||
|
||
// Create to-be-signed certificate object | ||
const tbs = x509.TBSCertificate.fromJSON(json); | ||
|
||
// Use helper functions for the complicated details | ||
tbs.issuer = x509.Entity.fromJSON({ | ||
COUNTRY: 'US', | ||
PROVINCE: 'CA', | ||
LOCALITY: 'San Francisco', | ||
ORGANIZATION: 'bcrypto', | ||
ORGANIZATIONALUNIT: 'encodings', | ||
COMMONNAME: 'bcoin.io', | ||
EMAILADDRESS: '[email protected]' | ||
}); | ||
tbs.subject = x509.Entity.fromJSON({ | ||
COUNTRY: 'US', | ||
PROVINCE: 'CA', | ||
LOCALITY: 'San Francisco', | ||
ORGANIZATION: 'bcrypto', | ||
ORGANIZATIONALUNIT: 'encodings', | ||
COMMONNAME: 'bcoin.io', | ||
EMAILADDRESS: '[email protected]' | ||
}); | ||
|
||
// Serialize | ||
const msg = sha256.digest(tbs.encode()); | ||
|
||
// Sign | ||
const sig = rsa.sign('SHA256', msg, priv); | ||
|
||
// Complete | ||
certFromJSON = new x509.Certificate(); | ||
certFromJSON.tbsCertificate = tbs; | ||
certFromJSON.signatureAlgorithm.fromJSON({algorithm: 'RSASHA256'}); | ||
certFromJSON.signature.fromJSON({bits: sig.length * 8, value: sig.toString('hex')}); | ||
}); | ||
|
||
it('should verify with openssl', () => { | ||
const os = require('os'); | ||
const {exec} = require('child_process'); | ||
|
||
// Write file | ||
let tmp = Path.join(os.tmpdir(), 'bcrypto-test.crt'); | ||
fs.writeFileSync(tmp, certFromJSON.toPEM()); | ||
|
||
// Test | ||
exec(`openssl verify -check_ss_sig ${tmp}`, (error, stdout, stderr) => { | ||
assert(!error); | ||
assert.strictEqual('OK\n', stdout.slice(-3)); | ||
}); | ||
|
||
// Sanity check 1: certificate produced by openssl | ||
exec(`openssl verify -check_ss_sig ${certificate}`, (error, stdout, stderr) => { | ||
assert(!error); | ||
assert.strictEqual('OK\n', stdout.slice(-3)); | ||
}); | ||
|
||
// Sanity check 2: malleated signature fails verification | ||
certFromJSON.signature.value[100]++; | ||
tmp = Path.join(os.tmpdir(), 'bcrypto-test2.crt'); | ||
fs.writeFileSync(tmp, certFromJSON.toPEM()); | ||
exec(`openssl verify -check_ss_sig ${tmp}`, (error, stdout, stderr) => { | ||
assert(error); | ||
const msg = 'certificate signature failure\n'; | ||
assert.strictEqual(msg, stdout.slice(-1 * msg.length)); | ||
}); | ||
}); | ||
}); |