
Super-Protocol/sp-certs


sp-certs

X509 certificate generation, parsing and chain validation helpers extracted from swarm-contracts-sdk.

The library is browser-compatible and can be used in both Node.js and browser environments.

Installation

npm install @super-protocol/certs

Generate a self-signed CA certificate

import {
  CertificateGenerator,
  CryptoKeysTransformer,
  type GenerateCertParams,
} from '@super-protocol/certs';

const keys = await CertificateGenerator.generateKeys('ECDSA-P-256-SHA256');

const certParams: GenerateCertParams = {
  subject: {
    commonName: 'Root CA',
    organization: 'Example Inc',
    country: 'US',
  },
  issuer: {
    commonName: 'Root CA',
    organization: 'Example Inc',
    country: 'US',
  },
  notAfter: new Date(Date.now() + 365 * 24 * 60 * 60 * 1000),
  ca: true,
  dnsNames: ['ca.example.com'],
  publicKey: keys.publicKey,
  privateKey: keys.privateKey,
};

const certPem = await CertificateGenerator.generateCert(certParams);
const privateKeyPem = await CryptoKeysTransformer.cryptoKeyToPkcs8Pem(keys.privateKey);
const publicKeyPem = await CryptoKeysTransformer.cryptoKeyToSpkiPem(keys.publicKey);

console.log(certPem);
console.log(privateKeyPem);
console.log(publicKeyPem);

Generate a leaf certificate signed by a CA

import { CertificateGenerator, type GenerateCertParams } from '@super-protocol/certs';

const caKeys = await CertificateGenerator.generateKeys('ECDSA-P-256-SHA256');
const caSubject = {
  commonName: 'Root CA',
  organization: 'Example Inc',
  country: 'US',
};

const caCertPem = await CertificateGenerator.generateCert({
  subject: caSubject,
  issuer: caSubject,
  notAfter: new Date(Date.now() + 365 * 24 * 60 * 60 * 1000),
  ca: true,
  publicKey: caKeys.publicKey,
  privateKey: caKeys.privateKey,
});

const leafKeys = await CertificateGenerator.generateKeys('ECDSA-P-256-SHA256');

const leafCertParams: GenerateCertParams = {
  subject: {
    commonName: 'api.example.com',
    organization: 'Example Inc',
    country: 'US',
  },
  issuer: caSubject,
  notAfter: new Date(Date.now() + 90 * 24 * 60 * 60 * 1000),
  dnsNames: ['api.example.com', '127.0.0.1'],
  publicKey: leafKeys.publicKey,
  privateKey: caKeys.privateKey,
};

const leafCertPem = await CertificateGenerator.generateCert(leafCertParams);

console.log(caCertPem);
console.log(leafCertPem);
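As an added example (not code from the sp-certs README or the library itself): a pre-issuance policy check over the GenerateCertParams shape used in the two snippets above, so that a leaf marked ca: true, an issuer that does not match the signing CA's subject, an over-long lifetime, or an IP literal placed under dnsNames is caught before generateCert is called. The 398-day limit, the role argument and the hostname rules are this example's own assumptions, not library behaviour.

```javascript
// Added example, not part of @super-protocol/certs: a pre-issuance policy check
// over the GenerateCertParams shape used above. The limits are this example's own.
const MAX_LEAF_DAYS = 398; // assumed policy limit, not a library constant
const DAY_MS = 24 * 60 * 60 * 1000;

const sameName = (a, b) => Boolean(a && b) && a.commonName === b.commonName &&
  a.organization === b.organization && a.country === b.country;
const isIpLiteral = (n) => /^\d{1,3}(\.\d{1,3}){3}$/.test(n) || n.includes(':');
const isHostname = (n) =>
  /^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$/i.test(n);

// role is 'root', 'intermediate' or 'leaf'; caSubject is the subject of the CA
// whose private key signs (for a root, its own subject). Returns a list of
// findings; an empty list means the params pass the policy.
function lintCertParams(params, caSubject, role, now = new Date()) {
  const findings = [];
  if (!(params.notAfter instanceof Date) || params.notAfter <= now) {
    findings.push('notAfter must be a Date in the future');
  } else if (role === 'leaf' && params.notAfter - now > MAX_LEAF_DAYS * DAY_MS) {
    findings.push(`leaf lifetime exceeds ${MAX_LEAF_DAYS} days`);
  }
  if (!sameName(params.issuer, caSubject)) {
    findings.push('issuer does not match the signing CA subject');
  }
  if (role === 'leaf' && params.ca === true) {
    findings.push('leaf must not set ca: true');
  } else if (role !== 'leaf' && params.ca !== true) {
    findings.push(`${role} must set ca: true`);
  }
  if (role === 'root' && !sameName(params.subject, params.issuer)) {
    findings.push('root must be self-signed (subject and issuer identical)');
  }
  if (role === 'leaf') {
    const names = params.dnsNames ?? [];
    if (names.length === 0) findings.push('leaf has no dnsNames; TLS clients ignore commonName');
    for (const n of names) {
      // The README's leaf lists '127.0.0.1' under dnsNames; an IP belongs in an iPAddress SAN.
      if (isIpLiteral(n)) findings.push(`"${n}" is an IP literal; confirm it is emitted as an iPAddress SAN`);
      else if (!isHostname(n)) findings.push(`"${n}" is not a valid DNS hostname`);
    }
    if (names.length > 0 && !names.includes(params.subject?.commonName)) {
      findings.push('subject commonName is not listed in dnsNames');
    }
  }
  return findings;
}
```

Run it on the leaf params from the README before calling generateCert; a non-empty list is the reason to stop.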

Validate a certificate chain

import { Validator } from '@super-protocol/certs';

// leafCertPem, intermediateCertPem and rootCertPem are PEM strings obtained
// elsewhere (for example generated as above or read from files). The first
// argument is the chain starting with the leaf; the trust anchor is passed
// separately as the second argument.
const result = await Validator.validateCertChain(
  [leafCertPem, intermediateCertPem],
  rootCertPem,
  {
    offline: true, // no network revocation (OCSP/CRL) lookups
  },
);

if (!result.isValid) {
  throw new Error(result.errorMessage);
}

Validate a certificate chain with system root certificates

// Node.js only: the 'tls' module and its bundled root store are not available
// in browsers, where a trust anchor must be supplied explicitly.
import { rootCertificates } from 'tls';
import { Validator } from '@super-protocol/certs';

// leafCertPem and intermediateCertPem are PEM strings obtained elsewhere.
const result = await Validator.validateCertChain(
  [leafCertPem, intermediateCertPem],
  rootCertificates,
  {
    offline: true, // no network revocation (OCSP/CRL) lookups
  },
);

if (!result.isValid) {
  throw new Error(result.errorMessage);
}

Validate with OCSP/CRL checks enabled

ocspExtensionOids lists the OIDs of certificate extensions that are also included in the OCSP request as additional request extensions.

import { Validator } from '@super-protocol/certs';

// leafCertPem, intermediateCertPem and rootCertPem are PEM strings obtained elsewhere.
// Revocation checks need network access to the CRL and OCSP endpoints named in the certificates.
const result = await Validator.validateCertChain(
  [leafCertPem, intermediateCertPem],
  rootCertPem,
  {
    checkCrl: true,
    checkOcsp: true,
    ocspExtensionOids: ['1.2.3.4.5.6.7'], // placeholder OID; use the extension OIDs your responder expects
  },
);

if (!result.isValid) {
  console.error(result.errorMessage);
}

About

X509 certificate generation and validation library
