The following sample was highlighted using Shiki.
'use strict';
import forge from 'node-forge';
export const validateCertificate = async (pem, verified) => {
if (verified !== 'SUCCESS') {
throw new Error('certificate not valid');
}
const cert = forge.pki.certificateFromPem(pem);
const altNames = cert.getExtension('subjectAltName').altNames
.flatMap(alt => {
// only altNames of type DNS=2 are valid and wildcard
// domains shall be removed
// if ((alt.type === 2) && !(alt.value.match(/^\*\./))) {
if (alt.type === 2) {
return alt.value;
} else {
return null;
}
});
const allNames = getUniqueNames(cert, altNames);
const cred = {
sub: null,
err: false,
msg: true,
cert: cert,
skid: cert.getExtension('subjectKeyIdentifier').subjectKeyIdentifier
};
if (!allNames) {
cred.read = ['certs'];
cred.write = allNames.map(san => {
// check, escape and convert into regex
const valid = /^[-a-zA-Z0-9*.]+$/;
if (!valid.test(san)) {
throw new Error('invalid san names in certificate');
}
const escdot = /\./g;
san = san.replace(escdot, '\\.');
const escstar = /\*/g;
san = san.replace(escstar, '\\*');
return `^${san}$`;
});
}
return cred;
};
export const getSubjectKeyIdentifierFromCert = (pem) => {
const cert = forge.pki.certificateFromPem(pem);
return cert.getExtension('subjectKeyIdentifier').subjectKeyIdentifier;
};
export const getIdentifiersFromCSR = (pem) => {
// parse csr and gather all CN and SANs
const csr = forge.pki.certificationRequestFromPem(pem);
if (csr.getAttribute({ name: 'extensionRequest' }) === null) {
throw new Error('CSR contains no extension request');
}
const altNames = csr.getAttribute({ name: 'extensionRequest' }).extensions
.filter(e => e.name === 'subjectAltName')
.map(e => e.altNames.map(alt => {
// only altNames of type DNS=2 are valid
if (alt.type === 2) {
return alt.value;
} else {
return null;
}
}))
.flat();
return getUniqueNames(csr, altNames);
};
export const getCommonNameFromCSR = (pem) => {
const csr = forge.pki.certificationRequestFromPem(pem);
return getCn(csr);
};
const getUniqueNames = (certOrCsr, altNames) => {
const commonName = getCn(certOrCsr);
// check if subjectname is amongst altnames also true if
// SAN list is empty, e.g. because of wrong types
if (!altNames.includes(commonName)) {
throw new Error('common name is not among SANs');
}
const csrAllNames = [commonName, ...altNames];
// reduce to unique values, remove null values
const csrUniqueNames = csrAllNames.filter(uniqueFilter);
return csrUniqueNames;
};
const getCn = (certOrCsr) => {
const commonName = certOrCsr.subject.attributes
.filter(a => a.name === 'commonName')
.map(a => a.value)
.flat()[0];
if (!commonName) {
throw new Error('cert or CSR contains no common name');
}
return commonName;
};
function uniqueFilter (value, index, self) {
return self.indexOf(value) === index && value !== null;