From 922e52675085d13d931003c985245beadf25cab9 Mon Sep 17 00:00:00 2001 From: Kenji Urushima Date: Thu, 17 Feb 2022 03:18:28 +0900 Subject: [PATCH] 10.5.5 release --- ChangeLog.txt | 8 + api/files.html | 2 +- api/symbols/X509CRL.html | 243 ++++++++++ api/symbols/src/x509crl.js.html | 833 ++++++++++++++++++-------------- bower.json | 2 +- jsrsasign-all-min.js | 4 +- jsrsasign-jwths-min.js | 2 +- jsrsasign-rsa-min.js | 2 +- min/x509crl.min.js | 2 +- npm/lib/jsrsasign-all-min.js | 4 +- npm/lib/jsrsasign-jwths-min.js | 2 +- npm/lib/jsrsasign-rsa-min.js | 2 +- npm/lib/jsrsasign.js | 4 +- npm/package.json | 2 +- src/x509crl.js | 115 ++++- test/x509crl.html | 21 +- 16 files changed, 864 insertions(+), 384 deletions(-) diff --git a/ChangeLog.txt b/ChangeLog.txt index 5c4d5b65..cc2c8b4b 100755 --- a/ChangeLog.txt +++ b/ChangeLog.txt @@ -1,6 +1,14 @@ ChangeLog for jsrsasign +CRL parser update +* Changes from 10.5.4 to 10.5.5 (2022-Feb-17) + - src/x509crl.js X509CRL class + - add getIssuerHex method + - add findRevCert method + - add findRevCertBySN method + - test/x509crl.html update + ASN.1 parser update and fix * Changes from 10.5.3 to 10.5.4 (2022-Feb-15) - src/asn1.js diff --git a/api/files.html b/api/files.html index da45c0e0..ca4edb20 100644 --- a/api/files.html +++ b/api/files.html @@ -905,7 +905,7 @@

x509crl.js

Version:
-
jsrsasign 10.1.0 x509crl 1.0.2 (2020-Nov-18)
+
jsrsasign 10.5.5 x509crl 1.0.3 (2021-Feb-17)
diff --git a/api/symbols/X509CRL.html b/api/symbols/X509CRL.html index 0aa233d3..00fed226 100644 --- a/api/symbols/X509CRL.html +++ b/api/symbols/X509CRL.html @@ -626,6 +626,28 @@

+ +   + +
findRevCert(PEM) +
+
get revokedCertificate associative array for checking certificate
+This method will find revokedCertificate entry as JSON object +for a specified certificate.
+ + + + +   + +
findRevCertBySN(hexadecimal) +
+
get revokedCertificate associative array for serial number
+This method will find revokedCertificate entry as JSON object +for a specified serial number.
+ + +   @@ -637,6 +659,15 @@

+ +   + + +
get hexadecimal string of issuer field TLV of certificate.
+ + +   @@ -762,6 +793,7 @@

  • version - X509CRL#getVersion
  • signatureAlgorithm - X509CRL#getSignatureAlgorithmField
  • issuer - X509CRL#getIssuer
  • +
  • issuer - X509CRL#getIssuerHex
  • thisUpdate - X509CRL#getThisUpdate
  • nextUpdate - X509CRL#getNextUpdate
  • revokedCertificates - X509CRL#getRevCertArray
  • @@ -777,6 +809,12 @@

    +
    // constructor
    +crl = new X509CRL("-----BEGIN X509 CRL...");
    +crl = new X509CRL("3082...");
    + + +
    @@ -889,6 +927,159 @@

    Method Detail + +
    + + {object} + findRevCert(PEM) + +
    +
    + get revokedCertificate associative array for checking certificate
    +This method will find revokedCertificate entry as JSON object +for a specified certificate.
    +When the serial number is not found in the entry, this returns null.
    +Before finding, X509CRL#getParam is called internally +to parse CRL.
    +NOTE: This method will just find an entry for a serial number. +You need to check whether CRL is proper one or not +for checking certificate such as signature validation or +name checking. + + +
    + + + +
    crl = new X509CRL(PEMCRL);
    +
    +crl.findRevCert(PEMCERT-REVOKED) → 
    +{sn:"123a", date:"208025235959Z", ext: [{extname:"cRLReason",code:3}]}
    +
    +crl.findRevCert(PEMCERT-NOTREVOKED) → null
    +
    +crl.findRevCert(CERT-HEX) → null or {sn:...}
    + + + + +
    +
    Parameters:
    + +
    + {string} PEM + +
    +
    or hexadecimal string of certificate to be revocation-checked
    + +
    + + + +
    +
    Since:
    +
    jsrsasign 10.5.5 x509crl 1.0.3
    +
    +

    + + + +
    +
    Returns:
    + +
    {object} JSON object for revokedCertificate or null
    + +
    + + + +
    +
    See:
    + +
    X509CRL#getParam
    + +
    X509CRL#findRevCertBySN
    + +
    + + +
    + + +
    + + {object} + findRevCertBySN(hexadecimal) + +
    +
    + get revokedCertificate associative array for serial number
    +This method will find revokedCertificate entry as JSON object +for a specified serial number.
    +When the serial number is not found in the entry, this returns null.
    +Before finding, X509CRL#getParam is called internally +to parse CRL.
    +NOTE: This method will just find an entry for a serial number. +You need to check whether CRL is proper one or not +for checking certificate such as signature validation or +name checking. + + +
    + + + +
    crl = new X509CRL(PEMCRL);
    +crl.findRevCertBySN("123a") → // revoked
    +{sn:"123a", date:"208025235959Z", ext: [{extname:"cRLReason",code:3}]}
    +
    +crl.findRevCertBySN("0000") → null // not revoked
    + + + + +
    +
    Parameters:
    + +
    + {string} hexadecimal + +
    +
    string of checking certificate serial number
    + +
    + + + +
    +
    Since:
    +
    jsrsasign 10.5.5 x509crl 1.0.3
    +
    + + + + +
    +
    Returns:
    + +
    {object} JSON object for revokedCertificate or null
    + +
    + + + +
    +
    See:
    + +
    X509CRL#getParam
    + +
    X509CRL#findRevCert
    + +
    + + +
    +
    @@ -939,6 +1130,58 @@

    +
    + + +
    + + {string} + getIssuerHex() + +
    +
    + get hexadecimal string of issuer field TLV of certificate.
    +This method returns ASN.1 DER hexadecimal string of +issuer field. + + +
    + + + +
    crl = new X509CRL("-----BEGIN X509 CRL...");
    +x.getIssuerHex() → "30..."
    + + + + + + +
    +
    Since:
    +
    jsrsasign 10.5.5 x509crl 1.0.3
    +
    + + + + +
    +
    Returns:
    + +
    {string} hexadecial string of issuer DN ASN.1
    + +
    + + + +
    +
    See:
    + +
    X509CRL#getIssuer
    + +
    + +
    diff --git a/api/symbols/src/x509crl.js.html b/api/symbols/src/x509crl.js.html index 64e9e9dd..838d8a0c 100644 --- a/api/symbols/src/x509crl.js.html +++ b/api/symbols/src/x509crl.js.html @@ -5,12 +5,12 @@ .STRN {color: #393;} .REGX {color: #339;} .line {border-right: 1px dotted #666; color: #666; font-style: normal;} -
      1 /* x509crl.js (c) 2012-2021 Kenji Urushima | kjur.github.io/jsrsasign/license
    +	
      1 /* x509crl.js (c) 2012-2022 Kenji Urushima | kjur.github.io/jsrsasign/license
       2  */
       3 /*
       4  * x509crl.js - X509CRL class to parse X.509 CRL
       5  *
    -  6  * Copyright (c) 2010-2020 Kenji Urushima (kenji.urushima@gmail.com)
    +  6  * Copyright (c) 2010-2022 Kenji Urushima (kenji.urushima@gmail.com)
       7  *
       8  * This software is licensed under the terms of the MIT License.
       9  * https://kjur.github.io/jsrsasign/license
    @@ -23,7 +23,7 @@
      16  * @fileOverview
      17  * @name x509crl.js
      18  * @author Kenji Urushima kenji.urushima@gmail.com
    - 19  * @version jsrsasign 10.1.0 x509crl 1.0.2 (2020-Nov-18)
    + 19  * @version jsrsasign 10.5.5 x509crl 1.0.3 (2021-Feb-17)
      20  * @since jsrsasign 10.1.0
      21  * @license <a href="https://kjur.github.io/jsrsasign/license/">MIT License</a>
      22  */
    @@ -48,364 +48,469 @@
      41  * <li>version - {@link X509CRL#getVersion}</li>
      42  * <li>signatureAlgorithm - {@link X509CRL#getSignatureAlgorithmField}</li>
      43  * <li>issuer - {@link X509CRL#getIssuer}</li>
    - 44  * <li>thisUpdate - {@link X509CRL#getThisUpdate}</li>
    - 45  * <li>nextUpdate - {@link X509CRL#getNextUpdate}</li>
    - 46  * <li>revokedCertificates - {@link X509CRL#getRevCertArray}</li>
    - 47  * <li>revokedCertificate - {@link X509CRL#getRevCert}</li>
    - 48  * <li>signature - {@link X509CRL#getSignatureValueHex}</li>
    - 49  * </ul>
    - 50  * <b>UTILITIES</b><br/>
    - 51  * <ul>
    - 52  * <li>{@link X509CRL#getParam} - get all parameters</li>
    - 53  * </ul>
    - 54  */
    - 55 var X509CRL = function(params) {
    - 56     var _KJUR = KJUR,
    - 57 	_isHex = _KJUR.lang.String.isHex,
    - 58 	_ASN1HEX = ASN1HEX,
    - 59 	_getV = _ASN1HEX.getV,
    - 60 	_getTLV = _ASN1HEX.getTLV,
    - 61 	_getVbyList = _ASN1HEX.getVbyList,
    - 62 	_getTLVbyList = _ASN1HEX.getTLVbyList,
    - 63 	_getTLVbyListEx = _ASN1HEX.getTLVbyListEx,
    - 64 	_getIdxbyList = _ASN1HEX.getIdxbyList,
    - 65 	_getIdxbyListEx = _ASN1HEX.getIdxbyListEx,
    - 66 	_getChildIdx = _ASN1HEX.getChildIdx,
    - 67 	_x509obj = new X509();
    - 68     
    - 69     this.hex = null;
    - 70     this.posSigAlg = null;
    - 71     this.posRevCert = null;
    - 72 
    - 73     /*
    - 74      * set field position of SignatureAlgorithm and revokedCertificates<br/>
    - 75      * @description
    - 76      * This method will set "posSigAlg" and "posRevCert" properties.
    - 77      */
    - 78     this._setPos = function() {
    - 79 	// for sigAlg
    - 80 	var idx = _getIdxbyList(this.hex, 0, [0, 0]);
    - 81 	var tag = this.hex.substr(idx, 2);
    - 82 	if (tag == "02") {
    - 83 	    this.posSigAlg = 1;
    - 84 	} else if (tag == "30") {
    - 85 	    this.posSigAlg = 0;
    - 86 	} else {
    - 87 	    throw new Error("malformed 1st item of TBSCertList: " + tag);
    - 88 	}
    - 89 
    - 90 	// for revCerts
    - 91 	var idx2 = _getIdxbyList(this.hex, 0, [0, this.posSigAlg + 3]);
    - 92 	var tag2 = this.hex.substr(idx2, 2);
    - 93 	if (tag2 == "17" || tag2 == "18") {
    - 94 	    var idx3, tag3;
    - 95 	    idx3 = _getIdxbyList(this.hex, 0, [0, this.posSigAlg + 4]);
    - 96 	    this.posRevCert = null;
    - 97 	    if (idx3 != -1) {
    - 98 		tag3 = this.hex.substr(idx3, 2);
    - 99 		if (tag3 == "30") {
    -100 		    this.posRevCert = this.posSigAlg + 4;
    -101 		}
    -102 	    }
    -103 	} else if (tag2 == "30") { // found revCert
    -104 	    this.posRevCert = this.posSigAlg + 3;
    -105 	} else if (tag2 == "a0") { // no nextUpdate and revCert
    -106 	    this.posRevCert = null;
    -107 	} else {
    -108 	    throw new Error("malformed nextUpdate or revCert tag: " + tag2);
    -109 	}
    -110     };
    -111 
    -112     /**
    -113      * get X.509 CRL format version<br/>
    -114      * @name getVersion
    -115      * @memberOf X509CRL#
    -116      * @function
    -117      * @return {Number} version field value (generally 2) or null
    -118      * @description
    -119      * This method returns a version field value TBSCertList.
    -120      * This returns null if there is no such field.
    -121      * @example
    -122      * crl = new X509CRL("-----BEGIN X509 CRL...");
    -123      * crl.getVersion() → 2
    -124      */
    -125     this.getVersion = function() {
    -126 	if (this.posSigAlg == 0) return null;
    -127 	return parseInt(_getVbyList(this.hex, 0, [0, 0], "02"), 16) + 1;
    -128     }
    -129 
    -130     /**
    -131      * get signature algorithm name in basic field
    -132      * @name getSignatureAlgorithmField
    -133      * @memberOf X509CRL#
    -134      * @function
    -135      * @return {String} signature algorithm name (ex. SHA1withRSA, SHA256withECDSA, SHA512withRSAandMGF1)
    -136      * @see X509#getSignatureAlgorithmField
    -137      * @see KJUR.asn1.x509.AlgirithmIdentifier
    -138      * 
    -139      * @description
    -140      * This method will get a name of signature algorithm in CRL.
    -141      *
    -142      * @example
    -143      * crl = new X509CRL("-----BEGIN X509 CRL...");
    -144      * crl.getSignatureAlgorithmField() → "SHA256withRSAandMGF1"
    -145      */
    -146     this.getSignatureAlgorithmField = function() {
    -147 	var hTLV = _getTLVbyList(this.hex, 0, [0, this.posSigAlg], "30");
    -148 	return _x509obj.getAlgorithmIdentifierName(hTLV);
    -149     };
    -150 
    -151     /**
    -152      * get JSON object of issuer field<br/>
    -153      * @name getIssuer
    -154      * @memberOf X509CRL#
    -155      * @function
    -156      * @return {Array} JSON object of issuer field
    -157      * @see X509#getIssuer
    -158      * @see X509#getX500Name
    -159      * @see KJUR.asn1.x509.X500Name
    -160      *
    -161      * @description
    -162      * This method returns parsed issuer field value as
    -163      * JSON object.
    -164      *
    -165      * @example
    -166      * crl = new X509CRL("-----BEGIN X509 CRL...");
    -167      * x.getIssuer() →
    -168      * { array: [[{type:'C',value:'JP',ds:'prn'}],...],
    -169      *   str: "/C=JP/..." }
    -170      */
    -171     this.getIssuer = function() {
    -172 	var hIssuer = _getTLVbyList(this.hex, 0, [0, this.posSigAlg + 1], "30");
    -173 	return _x509obj.getX500Name(hIssuer);
    -174     };
    -175 
    -176     /**
    -177      * get JSON object of thisUpdate field<br/>
    -178      * @name getThisUpdate
    -179      * @memberOf X509CRL#
    -180      * @function
    -181      * @return {String} string of thisUpdate field (ex. "YYMMDDHHmmSSZ")
    -182      * @see X509#getNotBefore
    -183      * @see X509CRL#getNextUpdate
    -184      * @see KJUR.asn1.x509.Time
    -185      *
    -186      * @description
    -187      * This method returns parsed thisUpdate field value as
    -188      * string.
    -189      *
    -190      * @example
    -191      * crl = new X509CRL("-----BEGIN X509 CRL...");
    -192      * x.getThisUpdate() → "200825235959Z"
    -193      */
    -194     this.getThisUpdate = function() {
    -195 	var hThisUpdate = _getVbyList(this.hex, 0, [0, this.posSigAlg + 2]);
    -196 	return result = hextorstr(hThisUpdate);
    -197     };
    -198 
    -199     /**
    -200      * get JSON object of nextUpdate field<br/>
    -201      * @name getNextUpdate
    -202      * @memberOf X509CRL#
    -203      * @function
    -204      * @return {String} string of nextUpdate field or null
    -205      * @see X509#getNotBefore
    -206      * @see X509CRL#getThisUpdate
    -207      * @see KJUR.asn1.x509.Time
    -208      *
    -209      * @description
    -210      * This method returns parsed nextUpdate field value as
    -211      * string. "nextUpdate" is OPTIONAL field so 
    -212      * when nextUpdate field doesn't exists, this returns null.
    -213      *
    -214      * @example
    -215      * crl = new X509CRL("-----BEGIN X509 CRL...");
    -216      * crl.getNextUpdate() → "200825235959Z"
    -217      */
    -218     this.getNextUpdate = function() {
    -219 	var idx = _getIdxbyList(this.hex, 0, [0, this.posSigAlg + 3]);
    -220 	var tag = this.hex.substr(idx, 2);
    -221 	if (tag != "17" && tag != "18") return null;
    -222 	return hextorstr(_getV(this.hex, idx));
    -223     };
    -224 
    -225     /**
    -226      * get array for revokedCertificates field<br/>
    -227      * @name getRevCertArray
    -228      * @memberOf X509CRL#
    -229      * @function
    -230      * @return {Array} array of revokedCertificate parameter or null
    -231      * @see X509CRL#getRevCert
    -232      *
    -233      * @description
    -234      * This method returns parsed revokedCertificates field value as
    -235      * array of revokedCertificate parameter.
    -236      * If the field doesn't exists, it returns null.
    -237      *
    -238      * @example
    -239      * crl = new X509CRL("-----BEGIN X509 CRL...");
    -240      * crl.getRevCertArray() →
    -241      * [{sn:"123a", date:"208025235959Z", ext: [{extname:"cRLReason",code:3}]},
    -242      *  {sn:"123b", date:"208026235959Z", ext: [{extname:"cRLReason",code:0}]}]
    -243      */
    -244     this.getRevCertArray = function() {
    -245 	if (this.posRevCert == null) return null;
    -246 	var a = [];
    -247 	var idx = _getIdxbyList(this.hex, 0, [0, this.posRevCert]);
    -248 	var aIdx = _getChildIdx(this.hex, idx);
    -249 	for (var i = 0; i < aIdx.length; i++) {
    -250 	    var hRevCert = _getTLV(this.hex, aIdx[i]);
    -251 	    a.push(this.getRevCert(hRevCert));
    -252 	}
    -253 	return a;
    -254     };
    -255 
    -256     /**
    -257      * get revokedCertificate JSON parameter<br/>
    -258      * @name getRevCert
    -259      * @memberOf X509CRL#
    -260      * @function
    -261      * @return {Array} JSON object for revokedCertificate parameter
    -262      * @see X509CRL#getRevCertArray
    -263      *
    -264      * @description
    -265      * This method returns parsed revokedCertificate parameter
    -266      * as JSON object.
    -267      *
    -268      * @example
    -269      * crl = new X509CRL();
    -270      * crl.getRevCertArray("30...") →
    -271      * {sn:"123a", date:"208025235959Z", ext: [{extname:"cRLReason",code:3}]}
    -272      */
    -273     this.getRevCert = function(hRevCert) {
    -274 	var param = {};
    -275 	var aIdx = _getChildIdx(hRevCert, 0);
    -276 
    -277 	param.sn = {hex: _getVbyList(hRevCert, 0, [0], "02")};
    -278 	param.date = hextorstr(_getVbyList(hRevCert, 0, [1]));
    -279 	if (aIdx.length == 3) {
    -280 	    param.ext = 
    -281 		_x509obj.getExtParamArray(_getTLVbyList(hRevCert, 0, [2]));
    -282 	}
    -283 
    -284 	return param;
    -285     };
    -286     
    -287     /**
    -288      * get signature value as hexadecimal string<br/>
    -289      * @name getSignatureValueHex
    -290      * @memberOf X509CRL#
    -291      * @function
    -292      * @return {String} signature value hexadecimal string without BitString unused bits
    -293      *
    -294      * @description
    -295      * This method will get signature value of CRL.
    -296      *
    -297      * @example
    -298      * crl = new X509CRL("-----BEGIN X509 CRL...");
    -299      * crl.getSignatureValueHex() &rarr "8a4c47913..."
    -300      */
    -301     this.getSignatureValueHex = function() {
    -302 	return _getVbyList(this.hex, 0, [2], "03", true);
    -303     };
    -304 
    -305     /**
    -306      * verifies signature value by public key<br/>
    -307      * @name verifySignature
    -308      * @memberOf X509CRL#
    -309      * @function
    -310      * @param {Object} pubKey public key object, pubkey PEM or PEM issuer cert
    -311      * @return {Boolean} true if signature value is valid otherwise false
    -312      * @see X509#verifySignature
    -313      * @see KJUR.crypto.Signature
    -314      *
    -315      * @description
    -316      * This method verifies signature value of hexadecimal string of 
    -317      * X.509 CRL by specified public key.
    -318      * The signature algorithm used to verify will refer
    -319      * signatureAlgorithm field. 
    -320      * (See {@link X509CRL#getSignatureAlgorithmField})
    -321      *
    -322      * @example
    -323      * crl = new X509CRL("-----BEGIN X509 CRL...");
    -324      * x.verifySignature(pubKey) → true, false or raising exception
    -325      */
    -326     this.verifySignature = function(pubKey) {
    -327 	var algName = this.getSignatureAlgorithmField();
    -328 	var hSigVal = this.getSignatureValueHex();
    -329 	var hTbsCertList = _getTLVbyList(this.hex, 0, [0], "30");
    -330 	
    -331 	var sig = new KJUR.crypto.Signature({alg: algName});
    -332 	sig.init(pubKey);
    -333 	sig.updateHex(hTbsCertList);
    -334 	return sig.verify(hSigVal);
    -335     };
    -336 
    -337     /**
    -338      * get JSON object for CRL parameters<br/>
    -339      * @name getParam
    -340      * @memberOf X509CRL#
    -341      * @function
    -342      * @return {Array} JSON object for CRL parameters
    -343      * @see KJUR.asn1.x509.CRL
    -344      *
    -345      * @description
    -346      * This method returns a JSON object of the CRL
    -347      * parameters. 
    -348      * Return value can be passed to
    -349      * {@link KJUR.asn1.x509.CRL} constructor.
    -350      *
    -351      * @example
    -352      * crl = new X509CRL("-----BEGIN X509 CRL...");
    -353      * crl.getParam() →
    -354      * {version: 2,
    -355      *  sigalg: "SHA256withRSA",
    -356      *  issuer: {array:
    -357      *    [[{type:"C",value:"JP",ds:"prn"}],[{type:"O",value:"T1",ds:"prn"}]]},
    -358      *  thisupdate: "200820212434Z",
    -359      *  nextupdate: "200910212434Z",
    -360      *  revcert: [
    -361      *   {sn:{hex:"123d..."},
    -362      *    date:"061110000000Z",
    -363      *    ext:[{extname:"cRLReason",code:4}]}],
    -364      *  ext: [
    -365      *   {extname:"authorityKeyIdentifier",kid:{hex: "03de..."}},
    -366      *   {extname:"cRLNumber",num:{hex:"0211"}}],
    -367      *  sighex: "3c5e..."}
    -368      */
    -369     this.getParam = function() {
    -370 	var result = {};
    -371 
    -372 	var version = this.getVersion();
    -373 	if (version != null) result.version = version;
    -374 	
    -375 	result.sigalg = this.getSignatureAlgorithmField();
    -376 	result.issuer = this.getIssuer();
    -377 	result.thisupdate = this.getThisUpdate();
    -378 
    -379 	var nextUpdate = this.getNextUpdate();
    -380 	if (nextUpdate != null) result.nextupdate = nextUpdate;
    -381 
    -382 	var revCerts = this.getRevCertArray();
    -383 	if (revCerts != null) result.revcert = revCerts;
    -384 
    -385 	var idxExt = _getIdxbyListEx(this.hex, 0, [0, "[0]"]);
    -386 	if (idxExt != -1) {
    -387 	    var hExtSeq = _getTLVbyListEx(this.hex, 0, [0, "[0]", 0]);
    -388 	    result.ext = _x509obj.getExtParamArray(hExtSeq);
    -389 	}
    -390 
    -391 	result.sighex = this.getSignatureValueHex();
    -392 	return result;
    -393     };
    -394 
    -395     if (typeof params == "string") {
    -396 	if (_isHex(params)) {
    -397 	    this.hex = params;
    -398 	} else if (params.match(/-----BEGIN X509 CRL/)) {
    -399 	    this.hex = pemtohex(params);
    -400 	}
    -401 	this._setPos();
    -402     }
    -403 };
    -404 
    \ No newline at end of file + 44 * <li>issuer - {@link X509CRL#getIssuerHex}</li> + 45 * <li>thisUpdate - {@link X509CRL#getThisUpdate}</li> + 46 * <li>nextUpdate - {@link X509CRL#getNextUpdate}</li> + 47 * <li>revokedCertificates - {@link X509CRL#getRevCertArray}</li> + 48 * <li>revokedCertificate - {@link X509CRL#getRevCert}</li> + 49 * <li>signature - {@link X509CRL#getSignatureValueHex}</li> + 50 * </ul> + 51 * <b>UTILITIES</b><br/> + 52 * <ul> + 53 * <li>{@link X509CRL#getParam} - get all parameters</li> + 54 * </ul> + 55 * + 56 * @example + 57 * // constructor + 58 * crl = new X509CRL("-----BEGIN X509 CRL..."); + 59 * crl = new X509CRL("3082..."); + 60 */
    + 61 var X509CRL = function(params) { + 62 var _KJUR = KJUR, + 63 _isHex = _KJUR.lang.String.isHex, + 64 _ASN1HEX = ASN1HEX, + 65 _getV = _ASN1HEX.getV, + 66 _getTLV = _ASN1HEX.getTLV, + 67 _getVbyList = _ASN1HEX.getVbyList, + 68 _getTLVbyList = _ASN1HEX.getTLVbyList, + 69 _getTLVbyListEx = _ASN1HEX.getTLVbyListEx, + 70 _getIdxbyList = _ASN1HEX.getIdxbyList, + 71 _getIdxbyListEx = _ASN1HEX.getIdxbyListEx, + 72 _getChildIdx = _ASN1HEX.getChildIdx, + 73 _x509obj = new X509(); + 74 + 75 this.hex = null; + 76 this.posSigAlg = null; + 77 this.posRevCert = null; + 78 this.parsed = null; + 79 + 80 /* + 81 * set field position of SignatureAlgorithm and revokedCertificates<br/> + 82 * @description + 83 * This method will set "posSigAlg" and "posRevCert" properties. + 84 */ + 85 this._setPos = function() { + 86 // for sigAlg + 87 var idx = _getIdxbyList(this.hex, 0, [0, 0]); + 88 var tag = this.hex.substr(idx, 2); + 89 if (tag == "02") { + 90 this.posSigAlg = 1; + 91 } else if (tag == "30") { + 92 this.posSigAlg = 0; + 93 } else { + 94 throw new Error("malformed 1st item of TBSCertList: " + tag); + 95 } + 96 + 97 // for revCerts + 98 var idx2 = _getIdxbyList(this.hex, 0, [0, this.posSigAlg + 3]); + 99 var tag2 = this.hex.substr(idx2, 2); +100 if (tag2 == "17" || tag2 == "18") { +101 var idx3, tag3; +102 idx3 = _getIdxbyList(this.hex, 0, [0, this.posSigAlg + 4]); +103 this.posRevCert = null; +104 if (idx3 != -1) { +105 tag3 = this.hex.substr(idx3, 2); +106 if (tag3 == "30") { +107 this.posRevCert = this.posSigAlg + 4; +108 } +109 } +110 } else if (tag2 == "30") { // found revCert +111 this.posRevCert = this.posSigAlg + 3; +112 } else if (tag2 == "a0") { // no nextUpdate and revCert +113 this.posRevCert = null; +114 } else { +115 throw new Error("malformed nextUpdate or revCert tag: " + tag2); +116 } +117 }; +118 +119 /** +120 * get X.509 CRL format version<br/> +121 * @name getVersion +122 * @memberOf X509CRL# +123 * @function +124 * @return {Number} version field value (generally 2) or null +125 * @description +126 * This method returns a version field value TBSCertList. +127 * This returns null if there is no such field. +128 * @example +129 * crl = new X509CRL("-----BEGIN X509 CRL..."); +130 * crl.getVersion() → 2 +131 */ +132 this.getVersion = function() { +133 if (this.posSigAlg == 0) return null; +134 return parseInt(_getVbyList(this.hex, 0, [0, 0], "02"), 16) + 1; +135 } +136 +137 /** +138 * get signature algorithm name in basic field +139 * @name getSignatureAlgorithmField +140 * @memberOf X509CRL# +141 * @function +142 * @return {String} signature algorithm name (ex. SHA1withRSA, SHA256withECDSA, SHA512withRSAandMGF1) +143 * @see X509#getSignatureAlgorithmField +144 * @see KJUR.asn1.x509.AlgirithmIdentifier +145 * +146 * @description +147 * This method will get a name of signature algorithm in CRL. +148 * +149 * @example +150 * crl = new X509CRL("-----BEGIN X509 CRL..."); +151 * crl.getSignatureAlgorithmField() → "SHA256withRSAandMGF1" +152 */ +153 this.getSignatureAlgorithmField = function() { +154 var hTLV = _getTLVbyList(this.hex, 0, [0, this.posSigAlg], "30"); +155 return _x509obj.getAlgorithmIdentifierName(hTLV); +156 }; +157 +158 /** +159 * get JSON object of issuer field<br/> +160 * @name getIssuer +161 * @memberOf X509CRL# +162 * @function +163 * @return {Array} JSON object of issuer field +164 * @see X509#getIssuer +165 * @see X509#getX500Name +166 * @see KJUR.asn1.x509.X500Name +167 * +168 * @description +169 * This method returns parsed issuer field value as +170 * JSON object. +171 * +172 * @example +173 * crl = new X509CRL("-----BEGIN X509 CRL..."); +174 * x.getIssuer() → +175 * { array: [[{type:'C',value:'JP',ds:'prn'}],...], +176 * str: "/C=JP/..." } +177 */ +178 this.getIssuer = function() { +179 return _x509obj.getX500Name(this.getIssuerHex()); +180 }; +181 +182 /** +183 * get hexadecimal string of issuer field TLV of certificate.<br/> +184 * @name getIssuerHex +185 * @memberOf X509CRL# +186 * @function +187 * @return {string} hexadecial string of issuer DN ASN.1 +188 * @see X509CRL#getIssuer +189 * @since jsrsasign 10.5.5 x509crl 1.0.3 +190 * +191 * @description +192 * This method returns ASN.1 DER hexadecimal string of +193 * issuer field. +194 * +195 * @example +196 * crl = new X509CRL("-----BEGIN X509 CRL..."); +197 * x.getIssuerHex() → "30..." +198 */ +199 this.getIssuerHex = function() { +200 return _getTLVbyList(this.hex, 0, [0, this.posSigAlg + 1], "30"); +201 }; +202 +203 /** +204 * get JSON object of thisUpdate field<br/> +205 * @name getThisUpdate +206 * @memberOf X509CRL# +207 * @function +208 * @return {String} string of thisUpdate field (ex. "YYMMDDHHmmSSZ") +209 * @see X509#getNotBefore +210 * @see X509CRL#getNextUpdate +211 * @see KJUR.asn1.x509.Time +212 * +213 * @description +214 * This method returns parsed thisUpdate field value as +215 * string. +216 * +217 * @example +218 * crl = new X509CRL("-----BEGIN X509 CRL..."); +219 * x.getThisUpdate() → "200825235959Z" +220 */ +221 this.getThisUpdate = function() { +222 var hThisUpdate = _getVbyList(this.hex, 0, [0, this.posSigAlg + 2]); +223 return result = hextorstr(hThisUpdate); +224 }; +225 +226 /** +227 * get JSON object of nextUpdate field<br/> +228 * @name getNextUpdate +229 * @memberOf X509CRL# +230 * @function +231 * @return {String} string of nextUpdate field or null +232 * @see X509#getNotBefore +233 * @see X509CRL#getThisUpdate +234 * @see KJUR.asn1.x509.Time +235 * +236 * @description +237 * This method returns parsed nextUpdate field value as +238 * string. "nextUpdate" is OPTIONAL field so +239 * when nextUpdate field doesn't exists, this returns null. +240 * +241 * @example +242 * crl = new X509CRL("-----BEGIN X509 CRL..."); +243 * crl.getNextUpdate() → "200825235959Z" +244 */ +245 this.getNextUpdate = function() { +246 var idx = _getIdxbyList(this.hex, 0, [0, this.posSigAlg + 3]); +247 var tag = this.hex.substr(idx, 2); +248 if (tag != "17" && tag != "18") return null; +249 return hextorstr(_getV(this.hex, idx)); +250 }; +251 +252 /** +253 * get array for revokedCertificates field<br/> +254 * @name getRevCertArray +255 * @memberOf X509CRL# +256 * @function +257 * @return {Array} array of revokedCertificate parameter or null +258 * @see X509CRL#getRevCert +259 * +260 * @description +261 * This method returns parsed revokedCertificates field value as +262 * array of revokedCertificate parameter. +263 * If the field doesn't exists, it returns null. +264 * +265 * @example +266 * crl = new X509CRL("-----BEGIN X509 CRL..."); +267 * crl.getRevCertArray() → +268 * [{sn:"123a", date:"208025235959Z", ext: [{extname:"cRLReason",code:3}]}, +269 * {sn:"123b", date:"208026235959Z", ext: [{extname:"cRLReason",code:0}]}] +270 */ +271 this.getRevCertArray = function() { +272 if (this.posRevCert == null) return null; +273 var a = []; +274 var idx = _getIdxbyList(this.hex, 0, [0, this.posRevCert]); +275 var aIdx = _getChildIdx(this.hex, idx); +276 for (var i = 0; i < aIdx.length; i++) { +277 var hRevCert = _getTLV(this.hex, aIdx[i]); +278 a.push(this.getRevCert(hRevCert)); +279 } +280 return a; +281 }; +282 +283 /** +284 * get revokedCertificate JSON parameter<br/> +285 * @name getRevCert +286 * @memberOf X509CRL# +287 * @function +288 * @return {Array} JSON object for revokedCertificate parameter +289 * @see X509CRL#getRevCertArray +290 * +291 * @description +292 * This method returns parsed revokedCertificate parameter +293 * as JSON object. +294 * +295 * @example +296 * crl = new X509CRL(); +297 * crl.getRevCertArray("30...") → +298 * {sn:"123a", date:"208025235959Z", ext: [{extname:"cRLReason",code:3}]} +299 */ +300 this.getRevCert = function(hRevCert) { +301 var param = {}; +302 var aIdx = _getChildIdx(hRevCert, 0); +303 +304 param.sn = {hex: _getVbyList(hRevCert, 0, [0], "02")}; +305 param.date = hextorstr(_getVbyList(hRevCert, 0, [1])); +306 if (aIdx.length == 3) { +307 param.ext = +308 _x509obj.getExtParamArray(_getTLVbyList(hRevCert, 0, [2])); +309 } +310 +311 return param; +312 }; +313 +314 /** +315 * get revokedCertificate associative array for checking certificate<br/> +316 * @name findRevCert +317 * @memberOf X509CRL# +318 * @function +319 * @param {string} PEM or hexadecimal string of certificate to be revocation-checked +320 * @return {object} JSON object for revokedCertificate or null +321 * @see X509CRL#getParam +322 * @see X509CRL#findRevCertBySN +323 * @since jsrsasign 10.5.5 x509crl 1.0.3 +324 * +325 * @description +326 * This method will find revokedCertificate entry as JSON object +327 * for a specified certificate. <br/> +328 * When the serial number is not found in the entry, this returns null.<br/> +329 * Before finding, {@link X509CRL#getParam} is called internally +330 * to parse CRL.<br/> +331 * NOTE: This method will just find an entry for a serial number. +332 * You need to check whether CRL is proper one or not +333 * for checking certificate such as signature validation or +334 * name checking. +335 * +336 * @example +337 * crl = new X509CRL(PEMCRL); +338 * +339 * crl.findRevCert(PEMCERT-REVOKED) → +340 * {sn:"123a", date:"208025235959Z", ext: [{extname:"cRLReason",code:3}]} +341 * +342 * crl.findRevCert(PEMCERT-NOTREVOKED) → null +343 * +344 * crl.findRevCert(CERT-HEX) → null or {sn:...} +345 */ +346 this.findRevCert = function(sCert) { +347 var x = new X509(sCert); +348 var hSN = x.getSerialNumberHex(); +349 return this.findRevCertBySN(sn); +350 }; +351 +352 /** +353 * get revokedCertificate associative array for serial number<br/> +354 * @name findRevCertBySN +355 * @memberOf X509CRL# +356 * @function +357 * @param {string} hexadecimal string of checking certificate serial number +358 * @return {object} JSON object for revokedCertificate or null +359 * @see X509CRL#getParam +360 * @see X509CRL#findRevCert +361 * @since jsrsasign 10.5.5 x509crl 1.0.3 +362 * +363 * @description +364 * This method will find revokedCertificate entry as JSON object +365 * for a specified serial number. <br/> +366 * When the serial number is not found in the entry, this returns null.<br/> +367 * Before finding, {@link X509CRL#getParam} is called internally +368 * to parse CRL.<br/> +369 * NOTE: This method will just find an entry for a serial number. +370 * You need to check whether CRL is proper one or not +371 * for checking certificate such as signature validation or +372 * name checking. +373 * +374 * @example +375 * crl = new X509CRL(PEMCRL); +376 * crl.findRevCertBySN("123a") → // revoked +377 * {sn:"123a", date:"208025235959Z", ext: [{extname:"cRLReason",code:3}]} +378 * +379 * crl.findRevCertBySN("0000") → null // not revoked +380 */ +381 this.findRevCertBySN = function(hSN) { +382 if (this.parsed == null) this.getParam(); +383 var revcert = this.parsed.revcert; +384 for (var i = 0; i < revcert.length; i++) { +385 if (hSN == revcert[i].sn.hex) return revcert[i]; +386 } +387 return null; +388 }; +389 +390 /** +391 * get signature value as hexadecimal string<br/> +392 * @name getSignatureValueHex +393 * @memberOf X509CRL# +394 * @function +395 * @return {String} signature value hexadecimal string without BitString unused bits +396 * +397 * @description +398 * This method will get signature value of CRL. +399 * +400 * @example +401 * crl = new X509CRL("-----BEGIN X509 CRL..."); +402 * crl.getSignatureValueHex() &rarr "8a4c47913..." +403 */ +404 this.getSignatureValueHex = function() { +405 return _getVbyList(this.hex, 0, [2], "03", true); +406 }; +407 +408 /** +409 * verifies signature value by public key<br/> +410 * @name verifySignature +411 * @memberOf X509CRL# +412 * @function +413 * @param {Object} pubKey public key object, pubkey PEM or PEM issuer cert +414 * @return {Boolean} true if signature value is valid otherwise false +415 * @see X509#verifySignature +416 * @see KJUR.crypto.Signature +417 * +418 * @description +419 * This method verifies signature value of hexadecimal string of +420 * X.509 CRL by specified public key. +421 * The signature algorithm used to verify will refer +422 * signatureAlgorithm field. +423 * (See {@link X509CRL#getSignatureAlgorithmField}) +424 * +425 * @example +426 * crl = new X509CRL("-----BEGIN X509 CRL..."); +427 * x.verifySignature(pubKey) → true, false or raising exception +428 */ +429 this.verifySignature = function(pubKey) { +430 var algName = this.getSignatureAlgorithmField(); +431 var hSigVal = this.getSignatureValueHex(); +432 var hTbsCertList = _getTLVbyList(this.hex, 0, [0], "30"); +433 +434 var sig = new KJUR.crypto.Signature({alg: algName}); +435 sig.init(pubKey); +436 sig.updateHex(hTbsCertList); +437 return sig.verify(hSigVal); +438 }; +439 +440 /** +441 * get JSON object for CRL parameters<br/> +442 * @name getParam +443 * @memberOf X509CRL# +444 * @function +445 * @return {Array} JSON object for CRL parameters +446 * @see KJUR.asn1.x509.CRL +447 * +448 * @description +449 * This method returns a JSON object of the CRL +450 * parameters. +451 * Return value can be passed to +452 * {@link KJUR.asn1.x509.CRL} constructor. +453 * +454 * @example +455 * crl = new X509CRL("-----BEGIN X509 CRL..."); +456 * crl.getParam() → +457 * {version: 2, +458 * sigalg: "SHA256withRSA", +459 * issuer: {array: +460 * [[{type:"C",value:"JP",ds:"prn"}],[{type:"O",value:"T1",ds:"prn"}]]}, +461 * thisupdate: "200820212434Z", +462 * nextupdate: "200910212434Z", +463 * revcert: [ +464 * {sn:{hex:"123d..."}, +465 * date:"061110000000Z", +466 * ext:[{extname:"cRLReason",code:4}]}], +467 * ext: [ +468 * {extname:"authorityKeyIdentifier",kid:{hex: "03de..."}}, +469 * {extname:"cRLNumber",num:{hex:"0211"}}], +470 * sighex: "3c5e..."} +471 */ +472 this.getParam = function() { +473 var result = {}; +474 +475 var version = this.getVersion(); +476 if (version != null) result.version = version; +477 +478 result.sigalg = this.getSignatureAlgorithmField(); +479 result.issuer = this.getIssuer(); +480 result.thisupdate = this.getThisUpdate(); +481 +482 var nextUpdate = this.getNextUpdate(); +483 if (nextUpdate != null) result.nextupdate = nextUpdate; +484 +485 var revCerts = this.getRevCertArray(); +486 if (revCerts != null) result.revcert = revCerts; +487 +488 var idxExt = _getIdxbyListEx(this.hex, 0, [0, "[0]"]); +489 if (idxExt != -1) { +490 var hExtSeq = _getTLVbyListEx(this.hex, 0, [0, "[0]", 0]); +491 result.ext = _x509obj.getExtParamArray(hExtSeq); +492 } +493 +494 result.sighex = this.getSignatureValueHex(); +495 +496 this.parsed = result; +497 return result; +498 }; +499 +500 if (typeof params == "string") { +501 if (_isHex(params)) { +502 this.hex = params; +503 } else if (params.match(/-----BEGIN X509 CRL/)) { +504 this.hex = pemtohex(params); +505 } +506 this._setPos(); +507 } +508 }; +509
    \ No newline at end of file diff --git a/bower.json b/bower.json index 6a836c93..8553ea49 100644 --- a/bower.json +++ b/bower.json @@ -1,6 +1,6 @@ { "name": "kjur-jsrsasign", - "version": "10.5.4", + "version": "10.5.5", "main": "jsrsasign-all-min.js", "description": "The 'jsrsasign' (RSA-Sign JavaScript Library) is an opensource free cryptography library supporting RSA/RSAPSS/ECDSA/DSA signing/validation, ASN.1, PKCS#1/5/8 private/public key, X.509 certificate, CRL, OCSP, CMS SignedData, TimeStamp, CAdES, JWS and JWT in pure JavaScript.", "license": "MIT", diff --git a/jsrsasign-all-min.js b/jsrsasign-all-min.js index 5c2d6874..a8a1c6f2 100644 --- a/jsrsasign-all-min.js +++ b/jsrsasign-all-min.js @@ -1,5 +1,5 @@ /* - * jsrsasign(all) 10.5.4 (2022-02-15) (c) 2010-2021 Kenji Urushima | kjur.github.io/jsrsasign/license + * jsrsasign(all) 10.5.5 (2022-02-17) (c) 2010-2021 Kenji Urushima | kjur.github.io/jsrsasign/license */ /*! CryptoJS v3.1.2 core-fix.js @@ -234,6 +234,6 @@ var KEYUTIL=function(){var d=function(p,r,q){return k(CryptoJS.AES,p,r,q)};var e RSAKey.getPosArrayOfChildrenFromHex=function(a){return ASN1HEX.getChildIdx(a,0)};RSAKey.getHexValueArrayOfChildrenFromHex=function(f){var n=ASN1HEX;var i=n.getV;var k=RSAKey.getPosArrayOfChildrenFromHex(f);var e=i(f,k[0]);var j=i(f,k[1]);var b=i(f,k[2]);var c=i(f,k[3]);var h=i(f,k[4]);var g=i(f,k[5]);var m=i(f,k[6]);var l=i(f,k[7]);var d=i(f,k[8]);var k=new Array();k.push(e,j,b,c,h,g,m,l,d);return k};RSAKey.prototype.readPrivateKeyFromPEMString=function(d){var c=pemtohex(d);var b=RSAKey.getHexValueArrayOfChildrenFromHex(c);this.setPrivateEx(b[1],b[2],b[3],b[4],b[5],b[6],b[7],b[8])};RSAKey.prototype.readPKCS5PrvKeyHex=function(c){var b=RSAKey.getHexValueArrayOfChildrenFromHex(c);this.setPrivateEx(b[1],b[2],b[3],b[4],b[5],b[6],b[7],b[8])};RSAKey.prototype.readPKCS8PrvKeyHex=function(e){var c,i,k,b,a,f,d,j;var m=ASN1HEX;var l=m.getVbyListEx;if(m.isASN1HEX(e)===false){throw new Error("not ASN.1 hex string")}try{c=l(e,0,[2,0,1],"02");i=l(e,0,[2,0,2],"02");k=l(e,0,[2,0,3],"02");b=l(e,0,[2,0,4],"02");a=l(e,0,[2,0,5],"02");f=l(e,0,[2,0,6],"02");d=l(e,0,[2,0,7],"02");j=l(e,0,[2,0,8],"02")}catch(g){throw new Error("malformed PKCS#8 plain RSA private key")}this.setPrivateEx(c,i,k,b,a,f,d,j)};RSAKey.prototype.readPKCS5PubKeyHex=function(c){var e=ASN1HEX;var b=e.getV;if(e.isASN1HEX(c)===false){throw new Error("keyHex is not ASN.1 hex string")}var a=e.getChildIdx(c,0);if(a.length!==2||c.substr(a[0],2)!=="02"||c.substr(a[1],2)!=="02"){throw new Error("wrong hex for PKCS#5 public key")}var f=b(c,a[0]);var d=b(c,a[1]);this.setPublic(f,d)};RSAKey.prototype.readPKCS8PubKeyHex=function(b){var c=ASN1HEX;if(c.isASN1HEX(b)===false){throw new Error("not ASN.1 hex string")}if(c.getTLVbyListEx(b,0,[0,0])!=="06092a864886f70d010101"){throw new Error("not PKCS8 RSA public key")}var a=c.getTLVbyListEx(b,0,[1,0]);this.readPKCS5PubKeyHex(a)};RSAKey.prototype.readCertPubKeyHex=function(b,d){var a,c;a=new X509();a.readCertHex(b);c=a.getPublicKeyHex();this.readPKCS8PubKeyHex(c)}; var _RE_HEXDECONLY=new RegExp("[^0-9a-f]","gi");function _rsasign_getHexPaddedDigestInfoForString(d,e,a){var b=function(f){return KJUR.crypto.Util.hashString(f,a)};var c=b(d);return KJUR.crypto.Util.getPaddedDigestInfoHex(c,a,e)}function _zeroPaddingOfSignature(e,d){var c="";var a=d/4-e.length;for(var b=0;b>24,(d&16711680)>>16,(d&65280)>>8,d&255]))));d+=1}return b}RSAKey.prototype.signPSS=function(e,a,d){var c=function(f){return KJUR.crypto.Util.hashHex(f,a)};var b=c(rstrtohex(e));if(d===undefined){d=-1}return this.signWithMessageHashPSS(b,a,d)};RSAKey.prototype.signWithMessageHashPSS=function(l,a,k){var b=hextorstr(l);var g=b.length;var m=this.n.bitLength()-1;var c=Math.ceil(m/8);var d;var o=function(i){return KJUR.crypto.Util.hashHex(i,a)};if(k===-1||k===undefined){k=g}else{if(k===-2){k=c-g-2}else{if(k<-2){throw new Error("invalid salt length")}}}if(c<(g+k+2)){throw new Error("data too long")}var f="";if(k>0){f=new Array(k);new SecureRandom().nextBytes(f);f=String.fromCharCode.apply(String,f)}var n=hextorstr(o(rstrtohex("\x00\x00\x00\x00\x00\x00\x00\x00"+b+f)));var j=[];for(d=0;d>(8*c-m))&255;q[0]&=~p;for(d=0;dk){return false}var j=this.doPublic(b);var i=j.toString(16);if(i.length+3!=k/4){return false}var e=i.replace(/^1f+00/,"");var g=_rsasign_getAlgNameAndHashFromHexDisgestInfo(e);if(g.length==0){return false}var d=g[0];var h=g[1];var a=function(m){return KJUR.crypto.Util.hashString(m,d)};var c=a(f);return(h==c)};RSAKey.prototype.verifyWithMessageHash=function(e,a){if(a.length!=Math.ceil(this.n.bitLength()/4)){return false}var b=parseBigInt(a,16);if(b.bitLength()>this.n.bitLength()){return 0}var h=this.doPublic(b);var g=h.toString(16).replace(/^1f+00/,"");var c=_rsasign_getAlgNameAndHashFromHexDisgestInfo(g);if(c.length==0){return false}var d=c[0];var f=c[1];return(f==e)};RSAKey.prototype.verifyPSS=function(c,b,a,f){var e=function(g){return KJUR.crypto.Util.hashHex(g,a)};var d=e(rstrtohex(c));if(f===undefined){f=-1}return this.verifyWithMessageHashPSS(d,b,a,f)};RSAKey.prototype.verifyWithMessageHashPSS=function(f,s,l,c){if(s.length!=Math.ceil(this.n.bitLength()/4)){return false}var k=new BigInteger(s,16);var r=function(i){return KJUR.crypto.Util.hashHex(i,l)};var j=hextorstr(f);var h=j.length;var g=this.n.bitLength()-1;var m=Math.ceil(g/8);var q;if(c===-1||c===undefined){c=h}else{if(c===-2){c=m-h-2}else{if(c<-2){throw new Error("invalid salt length")}}}if(m<(h+c+2)){throw new Error("data too long")}var a=this.doPublic(k).toByteArray();for(q=0;q>(8*m-g))&255;if((d.charCodeAt(0)&p)!==0){throw new Error("bits beyond keysize not zero")}var n=pss_mgf1_str(e,d.length,r);var o=[];for(q=0;q1){var C=b(y,x[1]);var w=this.getGeneralName(C);if(w.uri!=undefined){v.uri=w.uri}}if(x.length>2){var z=b(y,x[2]);if(z=="0101ff"){v.reqauth=true}if(z=="010100"){v.reqauth=false}}return v};this.getX500NameRule=function(v){var C=true;var G=true;var F=false;var w="";var z="";var I=null;var D=[];for(var y=0;y0){v.ext=this.getExtParamArray()}v.sighex=this.getSignatureValueHex();return v};this.getExtParamArray=function(w){if(w==undefined){var y=e(this.hex,0,[0,"[3]"]);if(y!=-1){w=m(this.hex,0,[0,"[3]",0],"30")}}var v=[];var x=o(w,0);for(var z=0;z0){var b=":"+n.join(":")+":";if(b.indexOf(":"+k+":")==-1){throw"algorithm '"+k+"' not accepted in the list"}}if(k!="none"&&B===null){throw"key shall be specified to verify."}if(typeof B=="string"&&B.indexOf("-----BEGIN ")!=-1){B=KEYUTIL.getKey(B)}if(z=="RS"||z=="PS"){if(!(B instanceof m)){throw"key shall be a RSAKey obj for RS* and PS* algs"}}if(z=="ES"){if(!(B instanceof p)){throw"key shall be a ECDSA obj for ES* algs"}}if(k=="none"){}var u=null;if(t.jwsalg2sigalg[l.alg]===undefined){throw"unsupported alg name: "+k}else{u=t.jwsalg2sigalg[k]}if(u=="none"){throw"not supported"}else{if(u.substr(0,4)=="Hmac"){var o=null;if(B===undefined){throw"hexadecimal key shall be specified for HMAC"}var j=new s({alg:u,pass:B});j.updateString(c);o=j.doFinal();return A==o}else{if(u.indexOf("withECDSA")!=-1){var h=null;try{h=p.concatSigToASN1Sig(A)}catch(v){return false}var g=new d({alg:u});g.init(B);g.updateString(c);return g.verify(h)}else{var g=new d({alg:u});g.init(B);g.updateString(c);return g.verify(A)}}}};KJUR.jws.JWS.parse=function(g){var c=g.split(".");var b={};var f,e,d;if(c.length!=2&&c.length!=3){throw"malformed sJWS: wrong number of '.' splitted elements"}f=c[0];e=c[1];if(c.length==3){d=c[2]}b.headerObj=KJUR.jws.JWS.readSafeJSONString(b64utoutf8(f));b.payloadObj=KJUR.jws.JWS.readSafeJSONString(b64utoutf8(e));b.headerPP=JSON.stringify(b.headerObj,null," ");if(b.payloadObj==null){b.payloadPP=b64utoutf8(e)}else{b.payloadPP=JSON.stringify(b.payloadObj,null," ")}if(d!==undefined){b.sigHex=b64utohex(d)}return b};KJUR.jws.JWS.verifyJWT=function(e,l,r){var d=KJUR,j=d.jws,o=j.JWS,n=o.readSafeJSONString,p=o.inArray,f=o.includedArray;var k=e.split(".");var c=k[0];var i=k[1];var q=c+"."+i;var m=b64utohex(k[2]);var h=n(b64utoutf8(c));var g=n(b64utoutf8(i));if(h.alg===undefined){return false}if(r.alg===undefined){throw"acceptField.alg shall be specified"}if(!p(h.alg,r.alg)){return false}if(g.iss!==undefined&&typeof r.iss==="object"){if(!p(g.iss,r.iss)){return false}}if(g.sub!==undefined&&typeof r.sub==="object"){if(!p(g.sub,r.sub)){return false}}if(g.aud!==undefined&&typeof r.aud==="object"){if(typeof g.aud=="string"){if(!p(g.aud,r.aud)){return false}}else{if(typeof g.aud=="object"){if(!f(g.aud,r.aud)){return false}}}}var b=j.IntDate.getNow();if(r.verifyAt!==undefined&&typeof r.verifyAt==="number"){b=r.verifyAt}if(r.gracePeriod===undefined||typeof r.gracePeriod!=="number"){r.gracePeriod=0}if(g.exp!==undefined&&typeof g.exp=="number"){if(g.exp+r.gracePeriodl){this.aHeader.pop()}if(this.aSignature.length>l){this.aSignature.pop()}throw"addSignature failed: "+i}};this.verifyAll=function(h){if(this.aHeader.length!==h.length||this.aSignature.length!==h.length){return false}for(var g=0;g0){this.aHeader=g.headers}else{throw"malformed header"}if(typeof g.payload==="string"){this.sPayload=g.payload}else{throw"malformed signatures"}if(g.signatures.length>0){this.aSignature=g.signatures}else{throw"malformed signatures"}}catch(e){throw"malformed JWS-JS JSON object: "+e}}};this.getJSON=function(){return{headers:this.aHeader,payload:this.sPayload,signatures:this.aSignature}};this.isEmpty=function(){if(this.aHeader.length==0){return 1}return 0}}; diff --git a/jsrsasign-jwths-min.js b/jsrsasign-jwths-min.js index 41d09451..581817b5 100644 --- a/jsrsasign-jwths-min.js +++ b/jsrsasign-jwths-min.js @@ -1,5 +1,5 @@ /* - * jsrsasign(jwths) 10.5.4 (2022-02-15) (c) 2010-2021 Kenji Urushima | kjur.github.io/jsrsasign/license + * jsrsasign(jwths) 10.5.5 (2022-02-17) (c) 2010-2021 Kenji Urushima | kjur.github.io/jsrsasign/license */ /*! CryptoJS v3.1.2 core-fix.js diff --git a/jsrsasign-rsa-min.js b/jsrsasign-rsa-min.js index 6882be01..f2a16f0b 100644 --- a/jsrsasign-rsa-min.js +++ b/jsrsasign-rsa-min.js @@ -1,5 +1,5 @@ /* - * jsrsasign(rsa) 10.5.4 (2022-02-15) (c) 2010-2021 Kenji Urushima | kjur.github.io/jsrsasign/license + * jsrsasign(rsa) 10.5.5 (2022-02-17) (c) 2010-2021 Kenji Urushima | kjur.github.io/jsrsasign/license */ /*! CryptoJS v3.1.2 core-fix.js diff --git a/min/x509crl.min.js b/min/x509crl.min.js index 5dec9934..88db69a4 100644 --- a/min/x509crl.min.js +++ b/min/x509crl.min.js @@ -1 +1 @@ -var X509CRL=function(e){var a=KJUR,f=a.lang.String.isHex,m=ASN1HEX,k=m.getV,b=m.getTLV,h=m.getVbyList,c=m.getTLVbyList,d=m.getTLVbyListEx,i=m.getIdxbyList,g=m.getIdxbyListEx,l=m.getChildIdx,j=new X509();this.hex=null;this.posSigAlg=null;this.posRevCert=null;this._setPos=function(){var o=i(this.hex,0,[0,0]);var n=this.hex.substr(o,2);if(n=="02"){this.posSigAlg=1}else{if(n=="30"){this.posSigAlg=0}else{throw new Error("malformed 1st item of TBSCertList: "+n)}}var s=i(this.hex,0,[0,this.posSigAlg+3]);var r=this.hex.substr(s,2);if(r=="17"||r=="18"){var q,p;q=i(this.hex,0,[0,this.posSigAlg+4]);this.posRevCert=null;if(q!=-1){p=this.hex.substr(q,2);if(p=="30"){this.posRevCert=this.posSigAlg+4}}}else{if(r=="30"){this.posRevCert=this.posSigAlg+3}else{if(r=="a0"){this.posRevCert=null}else{throw new Error("malformed nextUpdate or revCert tag: "+r)}}}};this.getVersion=function(){if(this.posSigAlg==0){return null}return parseInt(h(this.hex,0,[0,0],"02"),16)+1};this.getSignatureAlgorithmField=function(){var n=c(this.hex,0,[0,this.posSigAlg],"30");return j.getAlgorithmIdentifierName(n)};this.getIssuer=function(){var n=c(this.hex,0,[0,this.posSigAlg+1],"30");return j.getX500Name(n)};this.getThisUpdate=function(){var n=h(this.hex,0,[0,this.posSigAlg+2]);return result=hextorstr(n)};this.getNextUpdate=function(){var o=i(this.hex,0,[0,this.posSigAlg+3]);var n=this.hex.substr(o,2);if(n!="17"&&n!="18"){return null}return hextorstr(k(this.hex,o))};this.getRevCertArray=function(){if(this.posRevCert==null){return null}var o=[];var n=i(this.hex,0,[0,this.posRevCert]);var p=l(this.hex,n);for(var q=0;q>24,(d&16711680)>>16,(d&65280)>>8,d&255]))));d+=1}return b}RSAKey.prototype.signPSS=function(e,a,d){var c=function(f){return KJUR.crypto.Util.hashHex(f,a)};var b=c(rstrtohex(e));if(d===undefined){d=-1}return this.signWithMessageHashPSS(b,a,d)};RSAKey.prototype.signWithMessageHashPSS=function(l,a,k){var b=hextorstr(l);var g=b.length;var m=this.n.bitLength()-1;var c=Math.ceil(m/8);var d;var o=function(i){return KJUR.crypto.Util.hashHex(i,a)};if(k===-1||k===undefined){k=g}else{if(k===-2){k=c-g-2}else{if(k<-2){throw new Error("invalid salt length")}}}if(c<(g+k+2)){throw new Error("data too long")}var f="";if(k>0){f=new Array(k);new SecureRandom().nextBytes(f);f=String.fromCharCode.apply(String,f)}var n=hextorstr(o(rstrtohex("\x00\x00\x00\x00\x00\x00\x00\x00"+b+f)));var j=[];for(d=0;d>(8*c-m))&255;q[0]&=~p;for(d=0;dk){return false}var j=this.doPublic(b);var i=j.toString(16);if(i.length+3!=k/4){return false}var e=i.replace(/^1f+00/,"");var g=_rsasign_getAlgNameAndHashFromHexDisgestInfo(e);if(g.length==0){return false}var d=g[0];var h=g[1];var a=function(m){return KJUR.crypto.Util.hashString(m,d)};var c=a(f);return(h==c)};RSAKey.prototype.verifyWithMessageHash=function(e,a){if(a.length!=Math.ceil(this.n.bitLength()/4)){return false}var b=parseBigInt(a,16);if(b.bitLength()>this.n.bitLength()){return 0}var h=this.doPublic(b);var g=h.toString(16).replace(/^1f+00/,"");var c=_rsasign_getAlgNameAndHashFromHexDisgestInfo(g);if(c.length==0){return false}var d=c[0];var f=c[1];return(f==e)};RSAKey.prototype.verifyPSS=function(c,b,a,f){var e=function(g){return KJUR.crypto.Util.hashHex(g,a)};var d=e(rstrtohex(c));if(f===undefined){f=-1}return this.verifyWithMessageHashPSS(d,b,a,f)};RSAKey.prototype.verifyWithMessageHashPSS=function(f,s,l,c){if(s.length!=Math.ceil(this.n.bitLength()/4)){return false}var k=new BigInteger(s,16);var r=function(i){return KJUR.crypto.Util.hashHex(i,l)};var j=hextorstr(f);var h=j.length;var g=this.n.bitLength()-1;var m=Math.ceil(g/8);var q;if(c===-1||c===undefined){c=h}else{if(c===-2){c=m-h-2}else{if(c<-2){throw new Error("invalid salt length")}}}if(m<(h+c+2)){throw new Error("data too long")}var a=this.doPublic(k).toByteArray();for(q=0;q>(8*m-g))&255;if((d.charCodeAt(0)&p)!==0){throw new Error("bits beyond keysize not zero")}var n=pss_mgf1_str(e,d.length,r);var o=[];for(q=0;q1){var C=b(y,x[1]);var w=this.getGeneralName(C);if(w.uri!=undefined){v.uri=w.uri}}if(x.length>2){var z=b(y,x[2]);if(z=="0101ff"){v.reqauth=true}if(z=="010100"){v.reqauth=false}}return v};this.getX500NameRule=function(v){var C=true;var G=true;var F=false;var w="";var z="";var I=null;var D=[];for(var y=0;y0){v.ext=this.getExtParamArray()}v.sighex=this.getSignatureValueHex();return v};this.getExtParamArray=function(w){if(w==undefined){var y=e(this.hex,0,[0,"[3]"]);if(y!=-1){w=m(this.hex,0,[0,"[3]",0],"30")}}var v=[];var x=o(w,0);for(var z=0;z0){var b=":"+n.join(":")+":";if(b.indexOf(":"+k+":")==-1){throw"algorithm '"+k+"' not accepted in the list"}}if(k!="none"&&B===null){throw"key shall be specified to verify."}if(typeof B=="string"&&B.indexOf("-----BEGIN ")!=-1){B=KEYUTIL.getKey(B)}if(z=="RS"||z=="PS"){if(!(B instanceof m)){throw"key shall be a RSAKey obj for RS* and PS* algs"}}if(z=="ES"){if(!(B instanceof p)){throw"key shall be a ECDSA obj for ES* algs"}}if(k=="none"){}var u=null;if(t.jwsalg2sigalg[l.alg]===undefined){throw"unsupported alg name: "+k}else{u=t.jwsalg2sigalg[k]}if(u=="none"){throw"not supported"}else{if(u.substr(0,4)=="Hmac"){var o=null;if(B===undefined){throw"hexadecimal key shall be specified for HMAC"}var j=new s({alg:u,pass:B});j.updateString(c);o=j.doFinal();return A==o}else{if(u.indexOf("withECDSA")!=-1){var h=null;try{h=p.concatSigToASN1Sig(A)}catch(v){return false}var g=new d({alg:u});g.init(B);g.updateString(c);return g.verify(h)}else{var g=new d({alg:u});g.init(B);g.updateString(c);return g.verify(A)}}}};KJUR.jws.JWS.parse=function(g){var c=g.split(".");var b={};var f,e,d;if(c.length!=2&&c.length!=3){throw"malformed sJWS: wrong number of '.' splitted elements"}f=c[0];e=c[1];if(c.length==3){d=c[2]}b.headerObj=KJUR.jws.JWS.readSafeJSONString(b64utoutf8(f));b.payloadObj=KJUR.jws.JWS.readSafeJSONString(b64utoutf8(e));b.headerPP=JSON.stringify(b.headerObj,null," ");if(b.payloadObj==null){b.payloadPP=b64utoutf8(e)}else{b.payloadPP=JSON.stringify(b.payloadObj,null," ")}if(d!==undefined){b.sigHex=b64utohex(d)}return b};KJUR.jws.JWS.verifyJWT=function(e,l,r){var d=KJUR,j=d.jws,o=j.JWS,n=o.readSafeJSONString,p=o.inArray,f=o.includedArray;var k=e.split(".");var c=k[0];var i=k[1];var q=c+"."+i;var m=b64utohex(k[2]);var h=n(b64utoutf8(c));var g=n(b64utoutf8(i));if(h.alg===undefined){return false}if(r.alg===undefined){throw"acceptField.alg shall be specified"}if(!p(h.alg,r.alg)){return false}if(g.iss!==undefined&&typeof r.iss==="object"){if(!p(g.iss,r.iss)){return false}}if(g.sub!==undefined&&typeof r.sub==="object"){if(!p(g.sub,r.sub)){return false}}if(g.aud!==undefined&&typeof r.aud==="object"){if(typeof g.aud=="string"){if(!p(g.aud,r.aud)){return false}}else{if(typeof g.aud=="object"){if(!f(g.aud,r.aud)){return false}}}}var b=j.IntDate.getNow();if(r.verifyAt!==undefined&&typeof r.verifyAt==="number"){b=r.verifyAt}if(r.gracePeriod===undefined||typeof r.gracePeriod!=="number"){r.gracePeriod=0}if(g.exp!==undefined&&typeof g.exp=="number"){if(g.exp+r.gracePeriodl){this.aHeader.pop()}if(this.aSignature.length>l){this.aSignature.pop()}throw"addSignature failed: "+i}};this.verifyAll=function(h){if(this.aHeader.length!==h.length||this.aSignature.length!==h.length){return false}for(var g=0;g0){this.aHeader=g.headers}else{throw"malformed header"}if(typeof g.payload==="string"){this.sPayload=g.payload}else{throw"malformed signatures"}if(g.signatures.length>0){this.aSignature=g.signatures}else{throw"malformed signatures"}}catch(e){throw"malformed JWS-JS JSON object: "+e}}};this.getJSON=function(){return{headers:this.aHeader,payload:this.sPayload,signatures:this.aSignature}};this.isEmpty=function(){if(this.aHeader.length==0){return 1}return 0}}; diff --git a/npm/lib/jsrsasign-jwths-min.js b/npm/lib/jsrsasign-jwths-min.js index 41d09451..581817b5 100644 --- a/npm/lib/jsrsasign-jwths-min.js +++ b/npm/lib/jsrsasign-jwths-min.js @@ -1,5 +1,5 @@ /* - * jsrsasign(jwths) 10.5.4 (2022-02-15) (c) 2010-2021 Kenji Urushima | kjur.github.io/jsrsasign/license + * jsrsasign(jwths) 10.5.5 (2022-02-17) (c) 2010-2021 Kenji Urushima | kjur.github.io/jsrsasign/license */ /*! CryptoJS v3.1.2 core-fix.js diff --git a/npm/lib/jsrsasign-rsa-min.js b/npm/lib/jsrsasign-rsa-min.js index 6882be01..f2a16f0b 100644 --- a/npm/lib/jsrsasign-rsa-min.js +++ b/npm/lib/jsrsasign-rsa-min.js @@ -1,5 +1,5 @@ /* - * jsrsasign(rsa) 10.5.4 (2022-02-15) (c) 2010-2021 Kenji Urushima | kjur.github.io/jsrsasign/license + * jsrsasign(rsa) 10.5.5 (2022-02-17) (c) 2010-2021 Kenji Urushima | kjur.github.io/jsrsasign/license */ /*! CryptoJS v3.1.2 core-fix.js diff --git a/npm/lib/jsrsasign.js b/npm/lib/jsrsasign.js index f1111b90..e1a860f5 100755 --- a/npm/lib/jsrsasign.js +++ b/npm/lib/jsrsasign.js @@ -4,7 +4,7 @@ navigator.userAgent = false; var window = {}; /* - * jsrsasign(all) 10.5.4 (2022-02-15) (c) 2010-2021 Kenji Urushima | kjur.github.io/jsrsasign/license + * jsrsasign(all) 10.5.5 (2022-02-17) (c) 2010-2021 Kenji Urushima | kjur.github.io/jsrsasign/license */ /*! CryptoJS v3.1.2 core-fix.js @@ -239,7 +239,7 @@ var KEYUTIL=function(){var d=function(p,r,q){return k(CryptoJS.AES,p,r,q)};var e RSAKey.getPosArrayOfChildrenFromHex=function(a){return ASN1HEX.getChildIdx(a,0)};RSAKey.getHexValueArrayOfChildrenFromHex=function(f){var n=ASN1HEX;var i=n.getV;var k=RSAKey.getPosArrayOfChildrenFromHex(f);var e=i(f,k[0]);var j=i(f,k[1]);var b=i(f,k[2]);var c=i(f,k[3]);var h=i(f,k[4]);var g=i(f,k[5]);var m=i(f,k[6]);var l=i(f,k[7]);var d=i(f,k[8]);var k=new Array();k.push(e,j,b,c,h,g,m,l,d);return k};RSAKey.prototype.readPrivateKeyFromPEMString=function(d){var c=pemtohex(d);var b=RSAKey.getHexValueArrayOfChildrenFromHex(c);this.setPrivateEx(b[1],b[2],b[3],b[4],b[5],b[6],b[7],b[8])};RSAKey.prototype.readPKCS5PrvKeyHex=function(c){var b=RSAKey.getHexValueArrayOfChildrenFromHex(c);this.setPrivateEx(b[1],b[2],b[3],b[4],b[5],b[6],b[7],b[8])};RSAKey.prototype.readPKCS8PrvKeyHex=function(e){var c,i,k,b,a,f,d,j;var m=ASN1HEX;var l=m.getVbyListEx;if(m.isASN1HEX(e)===false){throw new Error("not ASN.1 hex string")}try{c=l(e,0,[2,0,1],"02");i=l(e,0,[2,0,2],"02");k=l(e,0,[2,0,3],"02");b=l(e,0,[2,0,4],"02");a=l(e,0,[2,0,5],"02");f=l(e,0,[2,0,6],"02");d=l(e,0,[2,0,7],"02");j=l(e,0,[2,0,8],"02")}catch(g){throw new Error("malformed PKCS#8 plain RSA private key")}this.setPrivateEx(c,i,k,b,a,f,d,j)};RSAKey.prototype.readPKCS5PubKeyHex=function(c){var e=ASN1HEX;var b=e.getV;if(e.isASN1HEX(c)===false){throw new Error("keyHex is not ASN.1 hex string")}var a=e.getChildIdx(c,0);if(a.length!==2||c.substr(a[0],2)!=="02"||c.substr(a[1],2)!=="02"){throw new Error("wrong hex for PKCS#5 public key")}var f=b(c,a[0]);var d=b(c,a[1]);this.setPublic(f,d)};RSAKey.prototype.readPKCS8PubKeyHex=function(b){var c=ASN1HEX;if(c.isASN1HEX(b)===false){throw new Error("not ASN.1 hex string")}if(c.getTLVbyListEx(b,0,[0,0])!=="06092a864886f70d010101"){throw new Error("not PKCS8 RSA public key")}var a=c.getTLVbyListEx(b,0,[1,0]);this.readPKCS5PubKeyHex(a)};RSAKey.prototype.readCertPubKeyHex=function(b,d){var a,c;a=new X509();a.readCertHex(b);c=a.getPublicKeyHex();this.readPKCS8PubKeyHex(c)}; var _RE_HEXDECONLY=new RegExp("[^0-9a-f]","gi");function _rsasign_getHexPaddedDigestInfoForString(d,e,a){var b=function(f){return KJUR.crypto.Util.hashString(f,a)};var c=b(d);return KJUR.crypto.Util.getPaddedDigestInfoHex(c,a,e)}function _zeroPaddingOfSignature(e,d){var c="";var a=d/4-e.length;for(var b=0;b>24,(d&16711680)>>16,(d&65280)>>8,d&255]))));d+=1}return b}RSAKey.prototype.signPSS=function(e,a,d){var c=function(f){return KJUR.crypto.Util.hashHex(f,a)};var b=c(rstrtohex(e));if(d===undefined){d=-1}return this.signWithMessageHashPSS(b,a,d)};RSAKey.prototype.signWithMessageHashPSS=function(l,a,k){var b=hextorstr(l);var g=b.length;var m=this.n.bitLength()-1;var c=Math.ceil(m/8);var d;var o=function(i){return KJUR.crypto.Util.hashHex(i,a)};if(k===-1||k===undefined){k=g}else{if(k===-2){k=c-g-2}else{if(k<-2){throw new Error("invalid salt length")}}}if(c<(g+k+2)){throw new Error("data too long")}var f="";if(k>0){f=new Array(k);new SecureRandom().nextBytes(f);f=String.fromCharCode.apply(String,f)}var n=hextorstr(o(rstrtohex("\x00\x00\x00\x00\x00\x00\x00\x00"+b+f)));var j=[];for(d=0;d>(8*c-m))&255;q[0]&=~p;for(d=0;dk){return false}var j=this.doPublic(b);var i=j.toString(16);if(i.length+3!=k/4){return false}var e=i.replace(/^1f+00/,"");var g=_rsasign_getAlgNameAndHashFromHexDisgestInfo(e);if(g.length==0){return false}var d=g[0];var h=g[1];var a=function(m){return KJUR.crypto.Util.hashString(m,d)};var c=a(f);return(h==c)};RSAKey.prototype.verifyWithMessageHash=function(e,a){if(a.length!=Math.ceil(this.n.bitLength()/4)){return false}var b=parseBigInt(a,16);if(b.bitLength()>this.n.bitLength()){return 0}var h=this.doPublic(b);var g=h.toString(16).replace(/^1f+00/,"");var c=_rsasign_getAlgNameAndHashFromHexDisgestInfo(g);if(c.length==0){return false}var d=c[0];var f=c[1];return(f==e)};RSAKey.prototype.verifyPSS=function(c,b,a,f){var e=function(g){return KJUR.crypto.Util.hashHex(g,a)};var d=e(rstrtohex(c));if(f===undefined){f=-1}return this.verifyWithMessageHashPSS(d,b,a,f)};RSAKey.prototype.verifyWithMessageHashPSS=function(f,s,l,c){if(s.length!=Math.ceil(this.n.bitLength()/4)){return false}var k=new BigInteger(s,16);var r=function(i){return KJUR.crypto.Util.hashHex(i,l)};var j=hextorstr(f);var h=j.length;var g=this.n.bitLength()-1;var m=Math.ceil(g/8);var q;if(c===-1||c===undefined){c=h}else{if(c===-2){c=m-h-2}else{if(c<-2){throw new Error("invalid salt length")}}}if(m<(h+c+2)){throw new Error("data too long")}var a=this.doPublic(k).toByteArray();for(q=0;q>(8*m-g))&255;if((d.charCodeAt(0)&p)!==0){throw new Error("bits beyond keysize not zero")}var n=pss_mgf1_str(e,d.length,r);var o=[];for(q=0;q1){var C=b(y,x[1]);var w=this.getGeneralName(C);if(w.uri!=undefined){v.uri=w.uri}}if(x.length>2){var z=b(y,x[2]);if(z=="0101ff"){v.reqauth=true}if(z=="010100"){v.reqauth=false}}return v};this.getX500NameRule=function(v){var C=true;var G=true;var F=false;var w="";var z="";var I=null;var D=[];for(var y=0;y0){v.ext=this.getExtParamArray()}v.sighex=this.getSignatureValueHex();return v};this.getExtParamArray=function(w){if(w==undefined){var y=e(this.hex,0,[0,"[3]"]);if(y!=-1){w=m(this.hex,0,[0,"[3]",0],"30")}}var v=[];var x=o(w,0);for(var z=0;z0){var b=":"+n.join(":")+":";if(b.indexOf(":"+k+":")==-1){throw"algorithm '"+k+"' not accepted in the list"}}if(k!="none"&&B===null){throw"key shall be specified to verify."}if(typeof B=="string"&&B.indexOf("-----BEGIN ")!=-1){B=KEYUTIL.getKey(B)}if(z=="RS"||z=="PS"){if(!(B instanceof m)){throw"key shall be a RSAKey obj for RS* and PS* algs"}}if(z=="ES"){if(!(B instanceof p)){throw"key shall be a ECDSA obj for ES* algs"}}if(k=="none"){}var u=null;if(t.jwsalg2sigalg[l.alg]===undefined){throw"unsupported alg name: "+k}else{u=t.jwsalg2sigalg[k]}if(u=="none"){throw"not supported"}else{if(u.substr(0,4)=="Hmac"){var o=null;if(B===undefined){throw"hexadecimal key shall be specified for HMAC"}var j=new s({alg:u,pass:B});j.updateString(c);o=j.doFinal();return A==o}else{if(u.indexOf("withECDSA")!=-1){var h=null;try{h=p.concatSigToASN1Sig(A)}catch(v){return false}var g=new d({alg:u});g.init(B);g.updateString(c);return g.verify(h)}else{var g=new d({alg:u});g.init(B);g.updateString(c);return g.verify(A)}}}};KJUR.jws.JWS.parse=function(g){var c=g.split(".");var b={};var f,e,d;if(c.length!=2&&c.length!=3){throw"malformed sJWS: wrong number of '.' splitted elements"}f=c[0];e=c[1];if(c.length==3){d=c[2]}b.headerObj=KJUR.jws.JWS.readSafeJSONString(b64utoutf8(f));b.payloadObj=KJUR.jws.JWS.readSafeJSONString(b64utoutf8(e));b.headerPP=JSON.stringify(b.headerObj,null," ");if(b.payloadObj==null){b.payloadPP=b64utoutf8(e)}else{b.payloadPP=JSON.stringify(b.payloadObj,null," ")}if(d!==undefined){b.sigHex=b64utohex(d)}return b};KJUR.jws.JWS.verifyJWT=function(e,l,r){var d=KJUR,j=d.jws,o=j.JWS,n=o.readSafeJSONString,p=o.inArray,f=o.includedArray;var k=e.split(".");var c=k[0];var i=k[1];var q=c+"."+i;var m=b64utohex(k[2]);var h=n(b64utoutf8(c));var g=n(b64utoutf8(i));if(h.alg===undefined){return false}if(r.alg===undefined){throw"acceptField.alg shall be specified"}if(!p(h.alg,r.alg)){return false}if(g.iss!==undefined&&typeof r.iss==="object"){if(!p(g.iss,r.iss)){return false}}if(g.sub!==undefined&&typeof r.sub==="object"){if(!p(g.sub,r.sub)){return false}}if(g.aud!==undefined&&typeof r.aud==="object"){if(typeof g.aud=="string"){if(!p(g.aud,r.aud)){return false}}else{if(typeof g.aud=="object"){if(!f(g.aud,r.aud)){return false}}}}var b=j.IntDate.getNow();if(r.verifyAt!==undefined&&typeof r.verifyAt==="number"){b=r.verifyAt}if(r.gracePeriod===undefined||typeof r.gracePeriod!=="number"){r.gracePeriod=0}if(g.exp!==undefined&&typeof g.exp=="number"){if(g.exp+r.gracePeriodl){this.aHeader.pop()}if(this.aSignature.length>l){this.aSignature.pop()}throw"addSignature failed: "+i}};this.verifyAll=function(h){if(this.aHeader.length!==h.length||this.aSignature.length!==h.length){return false}for(var g=0;g0){this.aHeader=g.headers}else{throw"malformed header"}if(typeof g.payload==="string"){this.sPayload=g.payload}else{throw"malformed signatures"}if(g.signatures.length>0){this.aSignature=g.signatures}else{throw"malformed signatures"}}catch(e){throw"malformed JWS-JS JSON object: "+e}}};this.getJSON=function(){return{headers:this.aHeader,payload:this.sPayload,signatures:this.aSignature}};this.isEmpty=function(){if(this.aHeader.length==0){return 1}return 0}}; exports.SecureRandom = SecureRandom; diff --git a/npm/package.json b/npm/package.json index eb7dc51d..93dc52d0 100755 --- a/npm/package.json +++ b/npm/package.json @@ -1,6 +1,6 @@ { "name": "jsrsasign", - "version": "10.5.4", + "version": "10.5.5", "description": "opensource free pure JavaScript cryptographic library supports RSA/RSAPSS/ECDSA/DSA signing/validation, ASN.1, PKCS#1/5/8 private/public key, X.509 certificate, CRL, OCSP, CMS SignedData, TimeStamp and CAdES and JSON Web Signature(JWS)/Token(JWT)/Key(JWK).", "main": "lib/jsrsasign.js", "scripts": { diff --git a/src/x509crl.js b/src/x509crl.js index 9e00b93e..a592f7e2 100644 --- a/src/x509crl.js +++ b/src/x509crl.js @@ -1,9 +1,9 @@ -/* x509crl.js (c) 2012-2020 Kenji Urushima | kjur.github.io/jsrsasign/license +/* x509crl.js (c) 2012-2022 Kenji Urushima | kjur.github.io/jsrsasign/license */ /* * x509crl.js - X509CRL class to parse X.509 CRL * - * Copyright (c) 2010-2020 Kenji Urushima (kenji.urushima@gmail.com) + * Copyright (c) 2010-2022 Kenji Urushima (kenji.urushima@gmail.com) * * This software is licensed under the terms of the MIT License. * https://kjur.github.io/jsrsasign/license @@ -16,7 +16,7 @@ * @fileOverview * @name x509crl.js * @author Kenji Urushima kenji.urushima@gmail.com - * @version jsrsasign 10.1.0 x509crl 1.0.2 (2020-Nov-18) + * @version jsrsasign 10.5.5 x509crl 1.0.3 (2021-Feb-17) * @since jsrsasign 10.1.0 * @license MIT License */ @@ -41,6 +41,7 @@ *
  • version - {@link X509CRL#getVersion}
  • *
  • signatureAlgorithm - {@link X509CRL#getSignatureAlgorithmField}
  • *
  • issuer - {@link X509CRL#getIssuer}
  • + *
  • issuer - {@link X509CRL#getIssuerHex}
  • *
  • thisUpdate - {@link X509CRL#getThisUpdate}
  • *
  • nextUpdate - {@link X509CRL#getNextUpdate}
  • *
  • revokedCertificates - {@link X509CRL#getRevCertArray}
  • @@ -51,6 +52,11 @@ *
      *
    • {@link X509CRL#getParam} - get all parameters
    • *
    + * + * @example + * // constructor + * crl = new X509CRL("-----BEGIN X509 CRL..."); + * crl = new X509CRL("3082..."); */ var X509CRL = function(params) { var _KJUR = KJUR, @@ -69,6 +75,7 @@ var X509CRL = function(params) { this.hex = null; this.posSigAlg = null; this.posRevCert = null; + this.parsed = null; /* * set field position of SignatureAlgorithm and revokedCertificates
    @@ -169,8 +176,28 @@ var X509CRL = function(params) { * str: "/C=JP/..." } */ this.getIssuer = function() { - var hIssuer = _getTLVbyList(this.hex, 0, [0, this.posSigAlg + 1], "30"); - return _x509obj.getX500Name(hIssuer); + return _x509obj.getX500Name(this.getIssuerHex()); + }; + + /** + * get hexadecimal string of issuer field TLV of certificate.
    + * @name getIssuerHex + * @memberOf X509CRL# + * @function + * @return {string} hexadecial string of issuer DN ASN.1 + * @see X509CRL#getIssuer + * @since jsrsasign 10.5.5 x509crl 1.0.3 + * + * @description + * This method returns ASN.1 DER hexadecimal string of + * issuer field. + * + * @example + * crl = new X509CRL("-----BEGIN X509 CRL..."); + * x.getIssuerHex() → "30..." + */ + this.getIssuerHex = function() { + return _getTLVbyList(this.hex, 0, [0, this.posSigAlg + 1], "30"); }; /** @@ -283,7 +310,83 @@ var X509CRL = function(params) { return param; }; + + /** + * get revokedCertificate associative array for checking certificate
    + * @name findRevCert + * @memberOf X509CRL# + * @function + * @param {string} PEM or hexadecimal string of certificate to be revocation-checked + * @return {object} JSON object for revokedCertificate or null + * @see X509CRL#getParam + * @see X509CRL#findRevCertBySN + * @since jsrsasign 10.5.5 x509crl 1.0.3 + * + * @description + * This method will find revokedCertificate entry as JSON object + * for a specified certificate.
    + * When the serial number is not found in the entry, this returns null.
    + * Before finding, {@link X509CRL#getParam} is called internally + * to parse CRL.
    + * NOTE: This method will just find an entry for a serial number. + * You need to check whether CRL is proper one or not + * for checking certificate such as signature validation or + * name checking. + * + * @example + * crl = new X509CRL(PEMCRL); + * + * crl.findRevCert(PEMCERT-REVOKED) → + * {sn:"123a", date:"208025235959Z", ext: [{extname:"cRLReason",code:3}]} + * + * crl.findRevCert(PEMCERT-NOTREVOKED) → null + * + * crl.findRevCert(CERT-HEX) → null or {sn:...} + */ + this.findRevCert = function(sCert) { + var x = new X509(sCert); + var hSN = x.getSerialNumberHex(); + return this.findRevCertBySN(sn); + }; + /** + * get revokedCertificate associative array for serial number
    + * @name findRevCertBySN + * @memberOf X509CRL# + * @function + * @param {string} hexadecimal string of checking certificate serial number + * @return {object} JSON object for revokedCertificate or null + * @see X509CRL#getParam + * @see X509CRL#findRevCert + * @since jsrsasign 10.5.5 x509crl 1.0.3 + * + * @description + * This method will find revokedCertificate entry as JSON object + * for a specified serial number.
    + * When the serial number is not found in the entry, this returns null.
    + * Before finding, {@link X509CRL#getParam} is called internally + * to parse CRL.
    + * NOTE: This method will just find an entry for a serial number. + * You need to check whether CRL is proper one or not + * for checking certificate such as signature validation or + * name checking. + * + * @example + * crl = new X509CRL(PEMCRL); + * crl.findRevCertBySN("123a") → // revoked + * {sn:"123a", date:"208025235959Z", ext: [{extname:"cRLReason",code:3}]} + * + * crl.findRevCertBySN("0000") → null // not revoked + */ + this.findRevCertBySN = function(hSN) { + if (this.parsed == null) this.getParam(); + var revcert = this.parsed.revcert; + for (var i = 0; i < revcert.length; i++) { + if (hSN == revcert[i].sn.hex) return revcert[i]; + } + return null; + }; + /** * get signature value as hexadecimal string
    * @name getSignatureValueHex @@ -389,6 +492,8 @@ var X509CRL = function(params) { } result.sighex = this.getSignatureValueHex(); + + this.parsed = result; return result; }; diff --git a/test/x509crl.html b/test/x509crl.html index 869e62a0..53f9c4d6 100755 --- a/test/x509crl.html +++ b/test/x509crl.html @@ -39,6 +39,7 @@ + @@ -140,7 +141,25 @@ deepEqual(crl.getParam(), hExpect, "param"); }); -test("X509CRL.verifySignature test (digicert global root crl)", function() { +test("getIssuerHex test (digicert global root crl)", function() { +var crl = new X509CRL(pemCRLDigiCert); +equal(crl.getIssuerHex(), "3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341", "hex"); +}); + +test("findRevCertBySN test (digicert global root crl)", function() { +var crl = new X509CRL(pemCRLDigiCert); +var sn = "2a846fb0eac24af297540ac0ea634e08"; +var pExpect = { + sn:{hex:"2a846fb0eac24af297540ac0ea634e08"}, + date:"061110000000Z", + ext:[{extname:"cRLReason",code:4}] +}; +deepEqual(crl.findRevCertBySN(sn), pExpect, "2a84..."); +deepEqual(crl.findRevCertBySN("0000"), null, "0000 > null(not found)"); +}); + + +test("verifySignature test (digicert global root crl)", function() { var crl = new X509CRL(pemCRLDigiCert); equal(crl.verifySignature(pemPubDigiCert), true, "verify=true digicert"); equal(crl.verifySignature(pemPubGitHub), false, "verify=false github");