@relaycorp/relaynet-core - npm Package Compare versions

Comparing version 1.7.0 to 1.8.0

build/main/lib/crypto_wrappers/x509/Certificate.d.ts

 /// <reference types="node" />
 import * as pkijs from 'pkijs';
-import CertificateOptions from './CertificateOptions';
+import FullCertificateIssuanceOptions from './FullCertificateIssuanceOptions';
 /**
@@ -24,3 +24,3 @@ * X.509 Certificate.
      */
-    static issue(options: CertificateOptions): Promise<Certificate>;
+    static issue(options: FullCertificateIssuanceOptions): Promise<Certificate>;
     constructor(pkijsCertificate: pkijs.Certificate);
@@ -27,0 +27,0 @@ /**

build/main/lib/crypto_wrappers/x509/Certificate.js

@@ -19,2 +19,3 @@ "use strict";
 const CertificateError_1 = __importDefault(require("./CertificateError"));
+const MAX_PATH_LENGTH_CONSTRAINT = 2; // Per Relaynet PKI
 /**
@@ -49,3 +50,3 @@ * X.509 Certificate.
     static async issue(options) {
-        var _a;
+        var _a, _b;
         //region Validation
@@ -67,3 +68,3 @@ const validityStartDate = options.validityStartDate || new Date();
             extensions: [
-                makeBasicConstraintsExtension(options.isCA === true),
+                makeBasicConstraintsExtension(options.isCA === true, (_b = options.pathLenConstraint, (_b !== null && _b !== void 0 ? _b : 0))),
                 await makeAuthorityKeyIdExtension(issuerPublicKey),
@@ -167,7 +168,11 @@ await makeSubjectKeyIdExtension(options.subjectPublicKey),
 //region Extensions
-function makeBasicConstraintsExtension(isCA) {
+function makeBasicConstraintsExtension(cA, pathLenConstraint) {
+    if (pathLenConstraint < 0 || MAX_PATH_LENGTH_CONSTRAINT < pathLenConstraint) {
+        throw new CertificateError_1.default(`pathLenConstraint must be between 0 and 2 (got ${pathLenConstraint})`);
+    }
+    const basicConstraints = new pkijs.BasicConstraints({ cA, pathLenConstraint });
     return new pkijs.Extension({
         critical: true,
         extnID: oids.BASIC_CONSTRAINTS,
-        extnValue: new pkijs.BasicConstraints({ cA: isCA }).toSchema().toBER(false),
+        extnValue: basicConstraints.toSchema().toBER(false),
     });
@@ -174,0 +179,0 @@ }

build/main/lib/pki.d.ts

@@ -1,7 +0,39 @@
-import BaseCertificateOptions from './crypto_wrappers/x509/BaseCertificateOptions';
+import BasicCertificateIssuanceOptions from './crypto_wrappers/x509/BasicCertificateIssuanceOptions';
 import Certificate from './crypto_wrappers/x509/Certificate';
 import CertificateError from './crypto_wrappers/x509/CertificateError';
-export interface NodeCertificateOptions extends BaseCertificateOptions {
+export interface GatewayCertificateIssuanceOptions extends BasicCertificateIssuanceOptions {
+    readonly issuerCertificate?: Certificate;
 }
-export declare function issueNodeCertificate(options: NodeCertificateOptions): Promise<Certificate>;
+/**
+ * Issue a Relaynet PKI certificate for a gateway.
+ *
+ * The issuer must be a gateway (itself or a peer).
+ *
+ * @param options
+ */
+export declare function issueGatewayCertificate(options: GatewayCertificateIssuanceOptions): Promise<Certificate>;
+export interface EndpointCertificateIssuanceOptions extends BasicCertificateIssuanceOptions {
+    readonly issuerCertificate?: Certificate;
+}
+/**
+ * Issue a Relaynet PKI certificate for an endpoint.
+ *
+ * If the endpoint is public, it should self-issue its certificate. If it's private, its
+ * certificate must be issued by its local gateway.
+ *
+ * @param options
+ */
+export declare function issueEndpointCertificate(options: EndpointCertificateIssuanceOptions): Promise<Certificate>;
+export interface DeliveryAuthorizationIssuanceOptions extends BasicCertificateIssuanceOptions {
+    readonly issuerCertificate: Certificate;
+}
+/**
+ * Issue an initial (EC)DH certificate to initiate a channel session.
+ *
+ * The issuer must be the *private* node wishing to receive messages from the subject. Both
+ * nodes must be of the same type: Both gateways or both endpoints.
+ *
+ * @param options
+ */
+export declare function issueDeliveryAuthorization(options: DeliveryAuthorizationIssuanceOptions): Promise<Certificate>;
 export declare class DHCertificateError extends CertificateError {
@@ -17,3 +49,11 @@ }
 }
+/**
+ * Issue an initial (EC)DH certificate to initiate a channel session.
+ *
+ * The subject must be the node initiating the session and the issue must be the recipient of the
+ * initial message.
+ *
+ * @param options
+ */
 export declare function issueInitialDHKeyCertificate(options: DHKeyCertificateOptions): Promise<Certificate>;
 export {};

build/main/lib/pki.js

@@ -13,15 +13,49 @@ "use strict";
 const DEFAULT_DH_CERT_LENGTH_DAYS = 30;
-async function issueNodeCertificate(options) {
-    var _a;
-    const address = await computePrivateNodeAddress(options.subjectPublicKey);
-    return Certificate_1.default.issue(Object.assign(Object.assign({}, options), { commonName: address, isCA: (_a = options.isCA, (_a !== null && _a !== void 0 ? _a : true)) }));
+/**
+ * Issue a Relaynet PKI certificate for a gateway.
+ *
+ * The issuer must be a gateway (itself or a peer).
+ *
+ * @param options
+ */
+async function issueGatewayCertificate(options) {
+    const pathLenConstraint = options.issuerCertificate ? 1 : 2;
+    return issueNodeCertificate(Object.assign(Object.assign({}, options), { isCA: true, pathLenConstraint }));
 }
-exports.issueNodeCertificate = issueNodeCertificate;
-async function computePrivateNodeAddress(publicKey) {
-    const publicKeyDigest = Buffer.from(await keys_1.getPublicKeyDigest(publicKey));
-    return `0${publicKeyDigest.toString('hex')}`;
+exports.issueGatewayCertificate = issueGatewayCertificate;
+/**
+ * Issue a Relaynet PKI certificate for an endpoint.
+ *
+ * If the endpoint is public, it should self-issue its certificate. If it's private, its
+ * certificate must be issued by its local gateway.
+ *
+ * @param options
+ */
+async function issueEndpointCertificate(options) {
+    return issueNodeCertificate(Object.assign(Object.assign({}, options), { isCA: true, pathLenConstraint: 0 }));
 }
+exports.issueEndpointCertificate = issueEndpointCertificate;
+/**
+ * Issue an initial (EC)DH certificate to initiate a channel session.
+ *
+ * The issuer must be the *private* node wishing to receive messages from the subject. Both
+ * nodes must be of the same type: Both gateways or both endpoints.
+ *
+ * @param options
+ */
+async function issueDeliveryAuthorization(options) {
+    return issueNodeCertificate(Object.assign(Object.assign({}, options), { isCA: false, pathLenConstraint: 0 }));
+}
+exports.issueDeliveryAuthorization = issueDeliveryAuthorization;
 class DHCertificateError extends CertificateError_1.default {
 }
 exports.DHCertificateError = DHCertificateError;
+/**
+ * Issue an initial (EC)DH certificate to initiate a channel session.
+ *
+ * The subject must be the node initiating the session and the issue must be the recipient of the
+ * initial message.
+ *
+ * @param options
+ */
 async function issueInitialDHKeyCertificate(options) {
@@ -39,2 +73,3 @@ const startDate = options.validityStartDate || new Date();
         issuerPrivateKey: options.nodePrivateKey,
+        pathLenConstraint: 0,
         serialNumber: options.serialNumber,
@@ -47,2 +82,10 @@ subjectPublicKey: options.dhPublicKey,
 exports.issueInitialDHKeyCertificate = issueInitialDHKeyCertificate;
+async function issueNodeCertificate(options) {
+    const address = await computePrivateNodeAddress(options.subjectPublicKey);
+    return Certificate_1.default.issue(Object.assign(Object.assign({}, options), { commonName: address }));
+}
+async function computePrivateNodeAddress(publicKey) {
+    const publicKeyDigest = Buffer.from(await keys_1.getPublicKeyDigest(publicKey));
+    return `0${publicKeyDigest.toString('hex')}`;
+}
 function getDateAfterDays(initialDate, additionalDays) {
@@ -49,0 +92,0 @@ const newDate = new Date(initialDate);

build/module/lib/crypto_wrappers/x509/Certificate.d.ts

 /// <reference types="node" />
 import * as pkijs from 'pkijs';
-import CertificateOptions from './CertificateOptions';
+import FullCertificateIssuanceOptions from './FullCertificateIssuanceOptions';
 /**
@@ -24,3 +24,3 @@ * X.509 Certificate.
      */
-    static issue(options: CertificateOptions): Promise<Certificate>;
+    static issue(options: FullCertificateIssuanceOptions): Promise<Certificate>;
     constructor(pkijsCertificate: pkijs.Certificate);
@@ -27,0 +27,0 @@ /**

build/module/lib/crypto_wrappers/x509/Certificate.js

@@ -7,2 +7,3 @@ import * as asn1js from 'asn1js';
 import CertificateError from './CertificateError';
+const MAX_PATH_LENGTH_CONSTRAINT = 2; // Per Relaynet PKI
 /**
@@ -53,3 +54,3 @@ * X.509 Certificate.
             extensions: [
-                makeBasicConstraintsExtension(options.isCA === true),
+                makeBasicConstraintsExtension(options.isCA === true, options.pathLenConstraint ?? 0),
                 await makeAuthorityKeyIdExtension(issuerPublicKey),
@@ -152,7 +153,11 @@ await makeSubjectKeyIdExtension(options.subjectPublicKey),
 //region Extensions
-function makeBasicConstraintsExtension(isCA) {
+function makeBasicConstraintsExtension(cA, pathLenConstraint) {
+    if (pathLenConstraint < 0 || MAX_PATH_LENGTH_CONSTRAINT < pathLenConstraint) {
+        throw new CertificateError(`pathLenConstraint must be between 0 and 2 (got ${pathLenConstraint})`);
+    }
+    const basicConstraints = new pkijs.BasicConstraints({ cA, pathLenConstraint });
     return new pkijs.Extension({
         critical: true,
         extnID: oids.BASIC_CONSTRAINTS,
-        extnValue: new pkijs.BasicConstraints({ cA: isCA }).toSchema().toBER(false),
+        extnValue: basicConstraints.toSchema().toBER(false),
     });
@@ -159,0 +164,0 @@ }

build/module/lib/pki.d.ts

@@ -1,7 +0,39 @@
-import BaseCertificateOptions from './crypto_wrappers/x509/BaseCertificateOptions';
+import BasicCertificateIssuanceOptions from './crypto_wrappers/x509/BasicCertificateIssuanceOptions';
 import Certificate from './crypto_wrappers/x509/Certificate';
 import CertificateError from './crypto_wrappers/x509/CertificateError';
-export interface NodeCertificateOptions extends BaseCertificateOptions {
+export interface GatewayCertificateIssuanceOptions extends BasicCertificateIssuanceOptions {
+    readonly issuerCertificate?: Certificate;
 }
-export declare function issueNodeCertificate(options: NodeCertificateOptions): Promise<Certificate>;
+/**
+ * Issue a Relaynet PKI certificate for a gateway.
+ *
+ * The issuer must be a gateway (itself or a peer).
+ *
+ * @param options
+ */
+export declare function issueGatewayCertificate(options: GatewayCertificateIssuanceOptions): Promise<Certificate>;
+export interface EndpointCertificateIssuanceOptions extends BasicCertificateIssuanceOptions {
+    readonly issuerCertificate?: Certificate;
+}
+/**
+ * Issue a Relaynet PKI certificate for an endpoint.
+ *
+ * If the endpoint is public, it should self-issue its certificate. If it's private, its
+ * certificate must be issued by its local gateway.
+ *
+ * @param options
+ */
+export declare function issueEndpointCertificate(options: EndpointCertificateIssuanceOptions): Promise<Certificate>;
+export interface DeliveryAuthorizationIssuanceOptions extends BasicCertificateIssuanceOptions {
+    readonly issuerCertificate: Certificate;
+}
+/**
+ * Issue an initial (EC)DH certificate to initiate a channel session.
+ *
+ * The issuer must be the *private* node wishing to receive messages from the subject. Both
+ * nodes must be of the same type: Both gateways or both endpoints.
+ *
+ * @param options
+ */
+export declare function issueDeliveryAuthorization(options: DeliveryAuthorizationIssuanceOptions): Promise<Certificate>;
 export declare class DHCertificateError extends CertificateError {
@@ -17,3 +49,11 @@ }
 }
+/**
+ * Issue an initial (EC)DH certificate to initiate a channel session.
+ *
+ * The subject must be the node initiating the session and the issue must be the recipient of the
+ * initial message.
+ *
+ * @param options
+ */
 export declare function issueInitialDHKeyCertificate(options: DHKeyCertificateOptions): Promise<Certificate>;
 export {};

build/module/lib/pki.js

@@ -8,12 +8,45 @@ import { getPublicKeyDigest } from './crypto_wrappers/keys';
 const DEFAULT_DH_CERT_LENGTH_DAYS = 30;
-export async function issueNodeCertificate(options) {
-    const address = await computePrivateNodeAddress(options.subjectPublicKey);
-    return Certificate.issue({ ...options, commonName: address, isCA: options.isCA ?? true });
+/**
+ * Issue a Relaynet PKI certificate for a gateway.
+ *
+ * The issuer must be a gateway (itself or a peer).
+ *
+ * @param options
+ */
+export async function issueGatewayCertificate(options) {
+    const pathLenConstraint = options.issuerCertificate ? 1 : 2;
+    return issueNodeCertificate({ ...options, isCA: true, pathLenConstraint });
 }
-async function computePrivateNodeAddress(publicKey) {
-    const publicKeyDigest = Buffer.from(await getPublicKeyDigest(publicKey));
-    return `0${publicKeyDigest.toString('hex')}`;
+/**
+ * Issue a Relaynet PKI certificate for an endpoint.
+ *
+ * If the endpoint is public, it should self-issue its certificate. If it's private, its
+ * certificate must be issued by its local gateway.
+ *
+ * @param options
+ */
+export async function issueEndpointCertificate(options) {
+    return issueNodeCertificate({ ...options, isCA: true, pathLenConstraint: 0 });
 }
+/**
+ * Issue an initial (EC)DH certificate to initiate a channel session.
+ *
+ * The issuer must be the *private* node wishing to receive messages from the subject. Both
+ * nodes must be of the same type: Both gateways or both endpoints.
+ *
+ * @param options
+ */
+export async function issueDeliveryAuthorization(options) {
+    return issueNodeCertificate({ ...options, isCA: false, pathLenConstraint: 0 });
+}
 export class DHCertificateError extends CertificateError {
 }
+/**
+ * Issue an initial (EC)DH certificate to initiate a channel session.
+ *
+ * The subject must be the node initiating the session and the issue must be the recipient of the
+ * initial message.
+ *
+ * @param options
+ */
 export async function issueInitialDHKeyCertificate(options) {
@@ -31,2 +64,3 @@ const startDate = options.validityStartDate || new Date();
         issuerPrivateKey: options.nodePrivateKey,
+        pathLenConstraint: 0,
         serialNumber: options.serialNumber,
@@ -38,2 +72,10 @@ subjectPublicKey: options.dhPublicKey,
 }
+async function issueNodeCertificate(options) {
+    const address = await computePrivateNodeAddress(options.subjectPublicKey);
+    return Certificate.issue({ ...options, commonName: address });
+}
+async function computePrivateNodeAddress(publicKey) {
+    const publicKeyDigest = Buffer.from(await getPublicKeyDigest(publicKey));
+    return `0${publicKeyDigest.toString('hex')}`;
+}
 function getDateAfterDays(initialDate, additionalDays) {
@@ -40,0 +82,0 @@ const newDate = new Date(initialDate);

package.json

 {
   "name": "@relaycorp/relaynet-core",
-  "version": "1.7.0",
+  "version": "1.8.0",
   "author": {
@@ -5,0 +5,0 @@ "email": "no-reply@relaycorp.tech",

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

223042

increased by3.95%

Lines of code

3225

increased by5.81%

No dependency changes