Strona główna Odkrywaj Pomoc
Zaloguj się
lovecoding
/
W250511
10
0
Forkuj 0
Pliki Problemy 0 Oczekujące zmiany 0 Wiki
Drzewo: 7d9b12ad3f
Gałęzie Tagi
W250511
/
20.webpack
/
node_modules
/
selfsigned
/
test
/
ca-signing.js

ca-signing.js 8.7 KB
Historia Czysty

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242 
  1. var { assert } = require('chai');
    2. 

  2. var crypto = require('crypto');
    3. 

  3. 

  4. describe('CA signing', function () {
    5. 

  5.   var generate = require('../index').generate;
    6. 

  6. 

  7.   it('should generate certificate signed by provided CA', async function () {
    8. 

  8.     // First generate a self-signed CA certificate
    9. 

  9.     const ca = await generate([
    10. 

  10.       { name: 'commonName', value: 'Test CA' },
    11. 

  11.       { name: 'organizationName', value: 'Test Organization' }
    12. 

  12.     ], {
    13. 

  13.       algorithm: 'sha256'
    14. 

  14.     });
    15. 

  15. 

  16.     // Generate a certificate signed by the CA
    17. 

  17.     const pems = await generate([
    18. 

  18.       { name: 'commonName', value: 'localhost' }
    19. 

  19.     ], {
    20. 

  20.       algorithm: 'sha256',
    21. 

  21.       ca: {
    22. 

  22.         key: ca.private,
    23. 

  23.         cert: ca.cert
    24. 

  24.       }
    25. 

  25.     });
    26. 

  26. 

  27.     assert.ok(!!pems.private, 'has a private key');
    28. 

  28.     assert.ok(!!pems.public, 'has a public key');
    29. 

  29.     assert.ok(!!pems.cert, 'has a certificate');
    30. 

  30.     assert.ok(!!pems.fingerprint, 'has fingerprint');
    31. 

  31. 

  32.     const cert = new crypto.X509Certificate(pems.cert);
    33. 

  33.     const caCert = new crypto.X509Certificate(ca.cert);
    34. 

  34. 

  35.     // Verify issuer is the CA, not self-signed
    36. 

  36.     assert.include(cert.issuer, 'CN=Test CA', 'issuer should be the CA');
    37. 

  37.     assert.include(cert.subject, 'CN=localhost', 'subject should be localhost');
    38. 

  38.     assert.notEqual(cert.issuer, cert.subject, 'should not be self-signed');
    39. 

  39. 

  40.     // Verify the certificate is signed by the CA
    41. 

  41.     assert.isTrue(cert.verify(caCert.publicKey), 'certificate should be verified by CA public key');
    42. 

  42.   });
    43. 

  43. 

  44.   it('should include Subject Alternative Name extension', async function () {
    45. 

  45.     const ca = await generate([{ name: 'commonName', value: 'Test CA' }], {
    46. 

  46.       algorithm: 'sha256'
    47. 

  47.     });
    48. 

  48. 

  49.     const pems = await generate([
    50. 

  50.       { name: 'commonName', value: 'example.com' }
    51. 

  51.     ], {
    52. 

  52.       algorithm: 'sha256',
    53. 

  53.       ca: { key: ca.private, cert: ca.cert }
    54. 

  54.     });
    55. 

  55. 

  56.     const cert = new crypto.X509Certificate(pems.cert);
    57. 

  57.     assert.include(cert.subjectAltName, 'DNS:example.com', 'should have DNS SAN matching CN');
    58. 

  58.   });
    59. 

  59. 

  60.   it('should include IP SAN for localhost', async function () {
    61. 

  61.     const ca = await generate([{ name: 'commonName', value: 'Test CA' }], {
    62. 

  62.       algorithm: 'sha256'
    63. 

  63.     });
    64. 

  64. 

  65.     const pems = await generate([
    66. 

  66.       { name: 'commonName', value: 'localhost' }
    67. 

  67.     ], {
    68. 

  68.       algorithm: 'sha256',
    69. 

  69.       ca: { key: ca.private, cert: ca.cert }
    70. 

  70.     });
    71. 

  71. 

  72.     const cert = new crypto.X509Certificate(pems.cert);
    73. 

  73.     assert.include(cert.subjectAltName, 'DNS:localhost', 'should have DNS SAN');
    74. 

  74.     assert.include(cert.subjectAltName, 'IP Address:127.0.0.1', 'should have IP SAN for localhost');
    75. 

  75.   });
    76. 

  76. 

  77.   it('should support different hash algorithms with CA signing', async function () {
    78. 

  78.     const ca = await generate([{ name: 'commonName', value: 'Test CA' }], {
    79. 

  79.       algorithm: 'sha256'
    80. 

  80.     });
    81. 

  81. 

  82.     // Test sha384
    83. 

  83.     const pems384 = await generate([{ name: 'commonName', value: 'test384.local' }], {
    84. 

  84.       algorithm: 'sha384',
    85. 

  85.       ca: { key: ca.private, cert: ca.cert }
    86. 

  86.     });
    87. 

  87. 

  88.     const cert384 = new crypto.X509Certificate(pems384.cert);
    89. 

  89.     assert.ok(cert384.publicKey, 'should generate sha384 CA-signed cert');
    90. 

  90. 

  91.     // Test sha512
    92. 

  92.     const pems512 = await generate([{ name: 'commonName', value: 'test512.local' }], {
    93. 

  93.       algorithm: 'sha512',
    94. 

  94.       ca: { key: ca.private, cert: ca.cert }
    95. 

  95.     });
    96. 

  96. 

  97.     const cert512 = new crypto.X509Certificate(pems512.cert);
    98. 

  98.     assert.ok(cert512.publicKey, 'should generate sha512 CA-signed cert');
    99. 

  99.   });
    100. 

  100. 

  101.   it('should respect notAfterDate option with CA signing', async function () {
    102. 

  102.     const ca = await generate([{ name: 'commonName', value: 'Test CA' }], {
    103. 

  103.       algorithm: 'sha256'
    104. 

  104.     });
    105. 

  105. 

  106.     const notBefore = new Date('2025-01-01T00:00:00Z');
    107. 

  107.     const notAfter = new Date('2025-01-31T00:00:00Z'); // 30 days validity
    108. 

  108.     const pems = await generate([{ name: 'commonName', value: 'short-lived.local' }], {
    109. 

  109.       algorithm: 'sha256',
    110. 

  110.       notBeforeDate: notBefore,
    111. 

  111.       notAfterDate: notAfter,
    112. 

  112.       ca: { key: ca.private, cert: ca.cert }
    113. 

  113.     });
    114. 

  114. 

  115.     const cert = new crypto.X509Certificate(pems.cert);
    116. 

  116.     const validFrom = new Date(cert.validFrom);
    117. 

  117.     const validTo = new Date(cert.validTo);
    118. 

  118. 

  119.     assert.approximately(validFrom.getTime(), notBefore.getTime(), 5000, 'should use custom notBeforeDate');
    120. 

  120.     assert.approximately(validTo.getTime(), notAfter.getTime(), 5000, 'should use custom notAfterDate');
    121. 

  121.   });
    122. 

  122. 

  123.   it('should generate unique certificates with same CA', async function () {
    124. 

  124.     const ca = await generate([{ name: 'commonName', value: 'Test CA' }], {
    125. 

  125.       algorithm: 'sha256'
    126. 

  126.     });
    127. 

  127. 

  128.     const pems1 = await generate([{ name: 'commonName', value: 'test1.local' }], {
    129. 

  129.       algorithm: 'sha256',
    130. 

  130.       ca: { key: ca.private, cert: ca.cert }
    131. 

  131.     });
    132. 

  132. 

  133.     const pems2 = await generate([{ name: 'commonName', value: 'test2.local' }], {
    134. 

  134.       algorithm: 'sha256',
    135. 

  135.       ca: { key: ca.private, cert: ca.cert }
    136. 

  136.     });
    137. 

  137. 

  138.     const cert1 = new crypto.X509Certificate(pems1.cert);
    139. 

  139.     const cert2 = new crypto.X509Certificate(pems2.cert);
    140. 

  140. 

  141.     assert.notEqual(cert1.serialNumber, cert2.serialNumber, 'serial numbers should be unique');
    142. 

  142.     assert.notEqual(pems1.private, pems2.private, 'private keys should be different');
    143. 

  143.   });
    144. 

  144. 

  145.   it('should work with custom keySize and CA signing', async function () {
    146. 

  146.     const ca = await generate([{ name: 'commonName', value: 'Test CA' }], {
    147. 

  147.       algorithm: 'sha256',
    148. 

  148.       keySize: 4096
    149. 

  149.     });
    150. 

  150. 

  151.     const pems = await generate([{ name: 'commonName', value: 'bigkey.local' }], {
    152. 

  152.       algorithm: 'sha256',
    153. 

  153.       keySize: 4096,
    154. 

  154.       ca: { key: ca.private, cert: ca.cert }
    155. 

  155.     });
    156. 

  156. 

  157.     const privateKey = crypto.createPrivateKey(pems.private);
    158. 

  158.     assert.strictEqual(privateKey.asymmetricKeyDetails.modulusLength, 4096, 'should use custom key size');
    159. 

  159. 

  160.     const cert = new crypto.X509Certificate(pems.cert);
    161. 

  161.     const caCert = new crypto.X509Certificate(ca.cert);
    162. 

  162.     assert.isTrue(cert.verify(caCert.publicKey), 'certificate should verify with CA');
    163. 

  163.   });
    164. 

  164. 

  165.   it('should support existing keyPair with CA signing', async function () {
    166. 

  166.     const ca = await generate([{ name: 'commonName', value: 'Test CA' }], {
    167. 

  167.       algorithm: 'sha256'
    168. 

  168.     });
    169. 

  169. 

  170.     // Generate a key pair first
    171. 

  171.     const keyPair = await generate([{ name: 'commonName', value: 'keypair.local' }], {
    172. 

  172.       algorithm: 'sha256'
    173. 

  173.     });
    174. 

  174. 

  175.     // Use existing key pair with CA signing
    176. 

  176.     const pems = await generate([{ name: 'commonName', value: 'reused.local' }], {
    177. 

  177.       algorithm: 'sha256',
    178. 

  178.       keyPair: {
    179. 

  179.         privateKey: keyPair.private,
    180. 

  180.         publicKey: keyPair.public
    181. 

  181.       },
    182. 

  182.       ca: { key: ca.private, cert: ca.cert }
    183. 

  183.     });
    184. 

  184. 

  185.     assert.strictEqual(pems.private, keyPair.private, 'should use provided private key');
    186. 

  186.     assert.strictEqual(pems.public, keyPair.public, 'should use provided public key');
    187. 

  187. 

  188.     const cert = new crypto.X509Certificate(pems.cert);
    189. 

  189.     const caCert = new crypto.X509Certificate(ca.cert);
    190. 

  190.     assert.isTrue(cert.verify(caCert.publicKey), 'certificate should verify with CA');
    191. 

  191.   });
    192. 

  192. 

  193.   it('should include proper extended key usage extensions', async function () {
    194. 

  194.     const ca = await generate([{ name: 'commonName', value: 'Test CA' }], {
    195. 

  195.       algorithm: 'sha256'
    196. 

  196.     });
    197. 

  197. 

  198.     const pems = await generate([{ name: 'commonName', value: 'server.local' }], {
    199. 

  199.       algorithm: 'sha256',
    200. 

  200.       ca: { key: ca.private, cert: ca.cert }
    201. 

  201.     });
    202. 

  202. 

  203.     const cert = new crypto.X509Certificate(pems.cert);
    204. 

  204. 

  205.     // Check extended key usage (OIDs)
    206. 

  206.     // 1.3.6.1.5.5.7.3.1 = serverAuth
    207. 

  207.     // 1.3.6.1.5.5.7.3.2 = clientAuth
    208. 

  208.     assert.include(cert.keyUsage, '1.3.6.1.5.5.7.3.1', 'should have serverAuth extended key usage');
    209. 

  209.     assert.include(cert.keyUsage, '1.3.6.1.5.5.7.3.2', 'should have clientAuth extended key usage');
    210. 

  210.   });
    211. 

  211. 

  212.   it('should work with PKCS#1 RSA key format', async function () {
    213. 

  213.     // Generate a CA with PKCS#1 format key (like mkcert uses)
    214. 

  214.     const { privateKey, publicKey } = crypto.generateKeyPairSync('rsa', {
    215. 

  215.       modulusLength: 2048,
    216. 

  216.       privateKeyEncoding: { type: 'pkcs1', format: 'pem' },
    217. 

  217.       publicKeyEncoding: { type: 'spki', format: 'pem' }
    218. 

  218.     });
    219. 

  219. 

  220.     // Create a self-signed CA cert using the PKCS#1 key
    221. 

  221.     const ca = await generate([{ name: 'commonName', value: 'PKCS1 CA' }], {
    222. 

  222.       algorithm: 'sha256'
    223. 

  223.     });
    224. 

  224. 

  225.     // Now test that we can use a PKCS#1 formatted key as CA
    226. 

  226.     // Convert our generated key to PKCS#1 for testing
    227. 

  227.     const caKeyObject = crypto.createPrivateKey(ca.private);
    228. 

  228.     const pkcs1Key = caKeyObject.export({ type: 'pkcs1', format: 'pem' });
    229. 

  229. 

  230.     const pems = await generate([{ name: 'commonName', value: 'pkcs1-test.local' }], {
    231. 

  231.       algorithm: 'sha256',
    232. 

  232.       ca: {
    233. 

  233.         key: pkcs1Key,
    234. 

  234.         cert: ca.cert
    235. 

  235.       }
    236. 

  236.     });
    237. 

  237. 

  238.     const cert = new crypto.X509Certificate(pems.cert);
    239. 

  239.     const caCert = new crypto.X509Certificate(ca.cert);
    240. 

  240.     assert.isTrue(cert.verify(caCert.publicKey), 'should work with PKCS#1 key format');
    241. 

  241.   });
    242. 

  242. });
    243.