1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
|
import * as asn1js from "asn1js";
import * as pvtsutils from "pvtsutils";
import * as pvutils from "pvutils";
import * as common from "./common";
import { AlgorithmIdentifier, AlgorithmIdentifierJson, AlgorithmIdentifierSchema } from "./AlgorithmIdentifier";
import { Certificate } from "./Certificate";
import * as Schema from "./Schema";
import { AsnError, ParameterError } from "./errors";
import { PkiObject, PkiObjectParameters } from "./PkiObject";
import { EMPTY_STRING } from "./constants";
const HASH_ALGORITHM = "hashAlgorithm";
const ISSUER_NAME_HASH = "issuerNameHash";
const ISSUER_KEY_HASH = "issuerKeyHash";
const SERIAL_NUMBER = "serialNumber";
const CLEAR_PROPS = [
HASH_ALGORITHM,
ISSUER_NAME_HASH,
ISSUER_KEY_HASH,
SERIAL_NUMBER,
];
export interface ICertID {
/**
* Hash algorithm used to generate the `issuerNameHash` and `issuerKeyHash` values
*/
hashAlgorithm: AlgorithmIdentifier;
/**
* Hash of the issuer's distinguished name (DN). The hash shall be calculated over the DER encoding
* of the issuer's name field in the certificate being checked.
*/
issuerNameHash: asn1js.OctetString;
/**
* Hash of the issuer's public key. The hash shall be calculated over the value (excluding tag and length)
* of the subject public key field in the issuer's certificate.
*/
issuerKeyHash: asn1js.OctetString;
/**
* Serial number of the certificate for which status is being requested
*/
serialNumber: asn1js.Integer;
}
export type CertIDParameters = PkiObjectParameters & Partial<ICertID>;
export type CertIDSchema = Schema.SchemaParameters<{
hashAlgorithm?: string;
hashAlgorithmObject?: AlgorithmIdentifierSchema;
issuerNameHash?: string;
issuerKeyHash?: string;
serialNumber?: string;
}>;
export interface CertIDJson {
hashAlgorithm: AlgorithmIdentifierJson;
issuerNameHash: asn1js.OctetStringJson;
issuerKeyHash: asn1js.OctetStringJson;
serialNumber: asn1js.IntegerJson;
}
export interface CertIDCreateParams {
issuerCertificate: Certificate;
hashAlgorithm: string;
}
/**
* Represents an CertID described in [RFC6960](https://datatracker.ietf.org/doc/html/rfc6960)
*/
export class CertID extends PkiObject implements ICertID {
public static override CLASS_NAME = "CertID";
/**
* Making OCSP certificate identifier for specific certificate
* @param certificate Certificate making OCSP Request for
* @param parameters Additional parameters
* @param crypto Crypto engine
* @returns Returns created CertID object
*/
public static async create(certificate: Certificate, parameters: CertIDCreateParams, crypto = common.getCrypto(true)): Promise<CertID> {
const certID = new CertID();
await certID.createForCertificate(certificate, parameters, crypto);
return certID;
}
public hashAlgorithm!: AlgorithmIdentifier;
public issuerNameHash!: asn1js.OctetString;
public issuerKeyHash!: asn1js.OctetString;
public serialNumber!: asn1js.Integer;
/**
* Initializes a new instance of the {@link CertID} class
* @param parameters Initialization parameters
*/
constructor(parameters: CertIDParameters = {}) {
super();
this.hashAlgorithm = pvutils.getParametersValue(parameters, HASH_ALGORITHM, CertID.defaultValues(HASH_ALGORITHM));
this.issuerNameHash = pvutils.getParametersValue(parameters, ISSUER_NAME_HASH, CertID.defaultValues(ISSUER_NAME_HASH));
this.issuerKeyHash = pvutils.getParametersValue(parameters, ISSUER_KEY_HASH, CertID.defaultValues(ISSUER_KEY_HASH));
this.serialNumber = pvutils.getParametersValue(parameters, SERIAL_NUMBER, CertID.defaultValues(SERIAL_NUMBER));
if (parameters.schema) {
this.fromSchema(parameters.schema);
}
}
/**
* Returns default values for all class members
* @param memberName String name for a class member
* @returns Default value
*/
public static override defaultValues(memberName: typeof HASH_ALGORITHM): AlgorithmIdentifier;
public static override defaultValues(memberName: typeof ISSUER_NAME_HASH): asn1js.OctetString;
public static override defaultValues(memberName: typeof ISSUER_KEY_HASH): asn1js.OctetString;
public static override defaultValues(memberName: typeof SERIAL_NUMBER): asn1js.Integer;
public static override defaultValues(memberName: string): any {
switch (memberName) {
case HASH_ALGORITHM:
return new AlgorithmIdentifier();
case ISSUER_NAME_HASH:
case ISSUER_KEY_HASH:
return new asn1js.OctetString();
case SERIAL_NUMBER:
return new asn1js.Integer();
default:
return super.defaultValues(memberName);
}
}
/**
* Compare values with default values for all class members
* @param memberName String name for a class member
* @param memberValue Value to compare with default value
*/
public static compareWithDefault(memberName: string, memberValue: any): boolean {
switch (memberName) {
case HASH_ALGORITHM:
return ((memberValue.algorithmId === EMPTY_STRING) && (("algorithmParams" in memberValue) === false));
case ISSUER_NAME_HASH:
case ISSUER_KEY_HASH:
case SERIAL_NUMBER:
return (memberValue.isEqual(CertID.defaultValues(SERIAL_NUMBER)));
default:
return super.defaultValues(memberName);
}
}
/**
* @inheritdoc
* @asn ASN.1 schema
* ```asn
* CertID ::= SEQUENCE {
* hashAlgorithm AlgorithmIdentifier,
* issuerNameHash OCTET STRING, -- Hash of issuer's DN
* issuerKeyHash OCTET STRING, -- Hash of issuer's public key
* serialNumber CertificateSerialNumber }
*```
*/
public static override schema(parameters: CertIDSchema = {}): Schema.SchemaType {
const names = pvutils.getParametersValue<NonNullable<typeof parameters.names>>(parameters, "names", {});
return (new asn1js.Sequence({
name: (names.blockName || EMPTY_STRING),
value: [
AlgorithmIdentifier.schema(names.hashAlgorithmObject || {
names: {
blockName: (names.hashAlgorithm || EMPTY_STRING)
}
}),
new asn1js.OctetString({ name: (names.issuerNameHash || EMPTY_STRING) }),
new asn1js.OctetString({ name: (names.issuerKeyHash || EMPTY_STRING) }),
new asn1js.Integer({ name: (names.serialNumber || EMPTY_STRING) })
]
}));
}
public fromSchema(schema: Schema.SchemaType): void {
// Clear input data first
pvutils.clearProps(schema, CLEAR_PROPS);
// Check the schema is valid
const asn1 = asn1js.compareSchema(schema,
schema,
CertID.schema({
names: {
hashAlgorithm: HASH_ALGORITHM,
issuerNameHash: ISSUER_NAME_HASH,
issuerKeyHash: ISSUER_KEY_HASH,
serialNumber: SERIAL_NUMBER
}
})
);
AsnError.assertSchema(asn1, this.className);
// Get internal properties from parsed schema
this.hashAlgorithm = new AlgorithmIdentifier({ schema: asn1.result.hashAlgorithm });
this.issuerNameHash = asn1.result.issuerNameHash;
this.issuerKeyHash = asn1.result.issuerKeyHash;
this.serialNumber = asn1.result.serialNumber;
}
public toSchema(): asn1js.Sequence {
return (new asn1js.Sequence({
value: [
this.hashAlgorithm.toSchema(),
this.issuerNameHash,
this.issuerKeyHash,
this.serialNumber
]
}));
}
public toJSON(): CertIDJson {
return {
hashAlgorithm: this.hashAlgorithm.toJSON(),
issuerNameHash: this.issuerNameHash.toJSON(),
issuerKeyHash: this.issuerKeyHash.toJSON(),
serialNumber: this.serialNumber.toJSON(),
};
}
/**
* Checks that two "CertIDs" are equal
* @param certificateID Identifier of the certificate to be checked
*/
public isEqual(certificateID: CertID): boolean {
// Check HASH_ALGORITHM
if (this.hashAlgorithm.algorithmId !== certificateID.hashAlgorithm.algorithmId) {
return false;
}
// Check ISSUER_NAME_HASH
if (!pvtsutils.BufferSourceConverter.isEqual(this.issuerNameHash.valueBlock.valueHexView, certificateID.issuerNameHash.valueBlock.valueHexView)) {
return false;
}
// Check ISSUER_KEY_HASH
if (!pvtsutils.BufferSourceConverter.isEqual(this.issuerKeyHash.valueBlock.valueHexView, certificateID.issuerKeyHash.valueBlock.valueHexView)) {
return false;
}
// Check SERIAL_NUMBER
if (!this.serialNumber.isEqual(certificateID.serialNumber)) {
return false;
}
return true;
}
/**
* Making OCSP certificate identifier for specific certificate
* @param certificate Certificate making OCSP Request for
* @param parameters Additional parameters
* @param crypto Crypto engine
*/
public async createForCertificate(certificate: Certificate, parameters: CertIDCreateParams, crypto = common.getCrypto(true)): Promise<void> {
//#region Check input parameters
ParameterError.assert(parameters, HASH_ALGORITHM, "issuerCertificate");
const hashOID = crypto.getOIDByAlgorithm({ name: parameters.hashAlgorithm }, true, "hashAlgorithm");
this.hashAlgorithm = new AlgorithmIdentifier({
algorithmId: hashOID,
algorithmParams: new asn1js.Null()
});
const issuerCertificate = parameters.issuerCertificate;
//#endregion
// Initialize SERIAL_NUMBER field
this.serialNumber = certificate.serialNumber;
// Create ISSUER_NAME_HASH
const hashIssuerName = await crypto.digest({ name: parameters.hashAlgorithm }, issuerCertificate.subject.toSchema().toBER(false));
this.issuerNameHash = new asn1js.OctetString({ valueHex: hashIssuerName });
// Create ISSUER_KEY_HASH
const issuerKeyBuffer = issuerCertificate.subjectPublicKeyInfo.subjectPublicKey.valueBlock.valueHexView;
const hashIssuerKey = await crypto.digest({ name: parameters.hashAlgorithm }, issuerKeyBuffer);
this.issuerKeyHash = new asn1js.OctetString({ valueHex: hashIssuerKey });
}
}
|
