node_modules/sshpk/lib/certificate.js - nifi-fds - Git at Google

 // Copyright 2016 Joyent, Inc.

 module.exports = Certificate;

 var assert = require('assert-plus');
 var Buffer = require('safer-buffer').Buffer;
 var algs = require('./algs');
 var crypto = require('crypto');
 var Fingerprint = require('./fingerprint');
 var Signature = require('./signature');
 var errs = require('./errors');
 var util = require('util');
 var utils = require('./utils');
 var Key = require('./key');
 var PrivateKey = require('./private-key');
 var Identity = require('./identity');

 var formats = {};
 formats['openssh'] = require('./formats/openssh-cert');
 formats['x509'] = require('./formats/x509');
 formats['pem'] = require('./formats/x509-pem');

 var CertificateParseError = errs.CertificateParseError;
 var InvalidAlgorithmError = errs.InvalidAlgorithmError;

 function Certificate(opts) {
 	assert.object(opts, 'options');
 	assert.arrayOfObject(opts.subjects, 'options.subjects');
 	utils.assertCompatible(opts.subjects[0], Identity, [1, 0],
 	    'options.subjects');
 	utils.assertCompatible(opts.subjectKey, Key, [1, 0],
 	    'options.subjectKey');
 	utils.assertCompatible(opts.issuer, Identity, [1, 0], 'options.issuer');
 	if (opts.issuerKey !== undefined) {
 		utils.assertCompatible(opts.issuerKey, Key, [1, 0],
 		    'options.issuerKey');
 	}
 	assert.object(opts.signatures, 'options.signatures');
 	assert.buffer(opts.serial, 'options.serial');
 	assert.date(opts.validFrom, 'options.validFrom');
 	assert.date(opts.validUntil, 'optons.validUntil');

 	assert.optionalArrayOfString(opts.purposes, 'options.purposes');

 	this._hashCache = {};

 	this.subjects = opts.subjects;
 	this.issuer = opts.issuer;
 	this.subjectKey = opts.subjectKey;
 	this.issuerKey = opts.issuerKey;
 	this.signatures = opts.signatures;
 	this.serial = opts.serial;
 	this.validFrom = opts.validFrom;
 	this.validUntil = opts.validUntil;
 	this.purposes = opts.purposes;
 }

 Certificate.formats = formats;

 Certificate.prototype.toBuffer = function (format, options) {
 	if (format === undefined)
 		format = 'x509';
 	assert.string(format, 'format');
 	assert.object(formats[format], 'formats[format]');
 	assert.optionalObject(options, 'options');

 	return (formats[format].write(this, options));
 };

 Certificate.prototype.toString = function (format, options) {
 	if (format === undefined)
 		format = 'pem';
 	return (this.toBuffer(format, options).toString());
 };

 Certificate.prototype.fingerprint = function (algo) {
 	if (algo === undefined)
 		algo = 'sha256';
 	assert.string(algo, 'algorithm');
 	var opts = {
 		type: 'certificate',
 		hash: this.hash(algo),
 		algorithm: algo
 	};
 	return (new Fingerprint(opts));
 };

 Certificate.prototype.hash = function (algo) {
 	assert.string(algo, 'algorithm');
 	algo = algo.toLowerCase();
 	if (algs.hashAlgs[algo] === undefined)
 		throw (new InvalidAlgorithmError(algo));

 	if (this._hashCache[algo])
 		return (this._hashCache[algo]);

 	var hash = crypto.createHash(algo).
 	    update(this.toBuffer('x509')).digest();
 	this._hashCache[algo] = hash;
 	return (hash);
 };

 Certificate.prototype.isExpired = function (when) {
 	if (when === undefined)
 		when = new Date();
 	return (!((when.getTime() >= this.validFrom.getTime()) &&
 		(when.getTime() < this.validUntil.getTime())));
 };

 Certificate.prototype.isSignedBy = function (issuerCert) {
 	utils.assertCompatible(issuerCert, Certificate, [1, 0], 'issuer');

 	if (!this.issuer.equals(issuerCert.subjects[0]))
 		return (false);
 	if (this.issuer.purposes && this.issuer.purposes.length > 0 &&
 	    this.issuer.purposes.indexOf('ca') === -1) {
 		return (false);
 	}

 	return (this.isSignedByKey(issuerCert.subjectKey));
 };

 Certificate.prototype.getExtension = function (keyOrOid) {
 	assert.string(keyOrOid, 'keyOrOid');
 	var ext = this.getExtensions().filter(function (maybeExt) {
 		if (maybeExt.format === 'x509')
 			return (maybeExt.oid === keyOrOid);
 		if (maybeExt.format === 'openssh')
 			return (maybeExt.name === keyOrOid);
 		return (false);
 	})[0];
 	return (ext);
 };

 Certificate.prototype.getExtensions = function () {
 	var exts = [];
 	var x509 = this.signatures.x509;
 	if (x509 && x509.extras && x509.extras.exts) {
 		x509.extras.exts.forEach(function (ext) {
 			ext.format = 'x509';
 			exts.push(ext);
 		});
 	}
 	var openssh = this.signatures.openssh;
 	if (openssh && openssh.exts) {
 		openssh.exts.forEach(function (ext) {
 			ext.format = 'openssh';
 			exts.push(ext);
 		});
 	}
 	return (exts);
 };

 Certificate.prototype.isSignedByKey = function (issuerKey) {
 	utils.assertCompatible(issuerKey, Key, [1, 2], 'issuerKey');

 	if (this.issuerKey !== undefined) {
 		return (this.issuerKey.
 		    fingerprint('sha512').matches(issuerKey));
 	}

 	var fmt = Object.keys(this.signatures)[0];
 	var valid = formats[fmt].verify(this, issuerKey);
 	if (valid)
 		this.issuerKey = issuerKey;
 	return (valid);
 };

 Certificate.prototype.signWith = function (key) {
 	utils.assertCompatible(key, PrivateKey, [1, 2], 'key');
 	var fmts = Object.keys(formats);
 	var didOne = false;
 	for (var i = 0; i < fmts.length; ++i) {
 		if (fmts[i] !== 'pem') {
 			var ret = formats[fmts[i]].sign(this, key);
 			if (ret === true)
 				didOne = true;
 		}
 	}
 	if (!didOne) {
 		throw (new Error('Failed to sign the certificate for any ' +
 		    'available certificate formats'));
 	}
 };

 Certificate.createSelfSigned = function (subjectOrSubjects, key, options) {
 	var subjects;
 	if (Array.isArray(subjectOrSubjects))
 		subjects = subjectOrSubjects;
 	else
 		subjects = [subjectOrSubjects];

 	assert.arrayOfObject(subjects);
 	subjects.forEach(function (subject) {
 		utils.assertCompatible(subject, Identity, [1, 0], 'subject');
 	});

 	utils.assertCompatible(key, PrivateKey, [1, 2], 'private key');

 	assert.optionalObject(options, 'options');
 	if (options === undefined)
 		options = {};
 	assert.optionalObject(options.validFrom, 'options.validFrom');
 	assert.optionalObject(options.validUntil, 'options.validUntil');
 	var validFrom = options.validFrom;
 	var validUntil = options.validUntil;
 	if (validFrom === undefined)
 		validFrom = new Date();
 	if (validUntil === undefined) {
 		assert.optionalNumber(options.lifetime, 'options.lifetime');
 		var lifetime = options.lifetime;
 		if (lifetime === undefined)
 			lifetime = 10*365*24*3600;
 		validUntil = new Date();
 		validUntil.setTime(validUntil.getTime() + lifetime*1000);
 	}
 	assert.optionalBuffer(options.serial, 'options.serial');
 	var serial = options.serial;
 	if (serial === undefined)
 		serial = Buffer.from('0000000000000001', 'hex');

 	var purposes = options.purposes;
 	if (purposes === undefined)
 		purposes = [];

 	if (purposes.indexOf('signature') === -1)
 		purposes.push('signature');

 	/* Self-signed certs are always CAs. */
 	if (purposes.indexOf('ca') === -1)
 		purposes.push('ca');
 	if (purposes.indexOf('crl') === -1)
 		purposes.push('crl');

 	/*
 	 * If we weren't explicitly given any other purposes, do the sensible
 	 * thing and add some basic ones depending on the subject type.
 	 */
 	if (purposes.length <= 3) {
 		var hostSubjects = subjects.filter(function (subject) {
 			return (subject.type === 'host');
 		});
 		var userSubjects = subjects.filter(function (subject) {
 			return (subject.type === 'user');
 		});
 		if (hostSubjects.length > 0) {
 			if (purposes.indexOf('serverAuth') === -1)
 				purposes.push('serverAuth');
 		}
 		if (userSubjects.length > 0) {
 			if (purposes.indexOf('clientAuth') === -1)
 				purposes.push('clientAuth');
 		}
 		if (userSubjects.length > 0 || hostSubjects.length > 0) {
 			if (purposes.indexOf('keyAgreement') === -1)
 				purposes.push('keyAgreement');
 			if (key.type === 'rsa' &&
 			    purposes.indexOf('encryption') === -1)
 				purposes.push('encryption');
 		}
 	}

 	var cert = new Certificate({
 		subjects: subjects,
 		issuer: subjects[0],
 		subjectKey: key.toPublic(),
 		issuerKey: key.toPublic(),
 		signatures: {},
 		serial: serial,
 		validFrom: validFrom,
 		validUntil: validUntil,
 		purposes: purposes
 	});
 	cert.signWith(key);

 	return (cert);
 };

 Certificate.create =
     function (subjectOrSubjects, key, issuer, issuerKey, options) {
 	var subjects;
 	if (Array.isArray(subjectOrSubjects))
 		subjects = subjectOrSubjects;
 	else
 		subjects = [subjectOrSubjects];

 	assert.arrayOfObject(subjects);
 	subjects.forEach(function (subject) {
 		utils.assertCompatible(subject, Identity, [1, 0], 'subject');
 	});

 	utils.assertCompatible(key, Key, [1, 0], 'key');
 	if (PrivateKey.isPrivateKey(key))
 		key = key.toPublic();
 	utils.assertCompatible(issuer, Identity, [1, 0], 'issuer');
 	utils.assertCompatible(issuerKey, PrivateKey, [1, 2], 'issuer key');

 	assert.optionalObject(options, 'options');
 	if (options === undefined)
 		options = {};
 	assert.optionalObject(options.validFrom, 'options.validFrom');
 	assert.optionalObject(options.validUntil, 'options.validUntil');
 	var validFrom = options.validFrom;
 	var validUntil = options.validUntil;
 	if (validFrom === undefined)
 		validFrom = new Date();
 	if (validUntil === undefined) {
 		assert.optionalNumber(options.lifetime, 'options.lifetime');
 		var lifetime = options.lifetime;
 		if (lifetime === undefined)
 			lifetime = 10*365*24*3600;
 		validUntil = new Date();
 		validUntil.setTime(validUntil.getTime() + lifetime*1000);
 	}
 	assert.optionalBuffer(options.serial, 'options.serial');
 	var serial = options.serial;
 	if (serial === undefined)
 		serial = Buffer.from('0000000000000001', 'hex');

 	var purposes = options.purposes;
 	if (purposes === undefined)
 		purposes = [];

 	if (purposes.indexOf('signature') === -1)
 		purposes.push('signature');

 	if (options.ca === true) {
 		if (purposes.indexOf('ca') === -1)
 			purposes.push('ca');
 		if (purposes.indexOf('crl') === -1)
 			purposes.push('crl');
 	}

 	var hostSubjects = subjects.filter(function (subject) {
 		return (subject.type === 'host');
 	});
 	var userSubjects = subjects.filter(function (subject) {
 		return (subject.type === 'user');
 	});
 	if (hostSubjects.length > 0) {
 		if (purposes.indexOf('serverAuth') === -1)
 			purposes.push('serverAuth');
 	}
 	if (userSubjects.length > 0) {
 		if (purposes.indexOf('clientAuth') === -1)
 			purposes.push('clientAuth');
 	}
 	if (userSubjects.length > 0 || hostSubjects.length > 0) {
 		if (purposes.indexOf('keyAgreement') === -1)
 			purposes.push('keyAgreement');
 		if (key.type === 'rsa' &&
 		    purposes.indexOf('encryption') === -1)
 			purposes.push('encryption');
 	}

 	var cert = new Certificate({
 		subjects: subjects,
 		issuer: issuer,
 		subjectKey: key,
 		issuerKey: issuerKey.toPublic(),
 		signatures: {},
 		serial: serial,
 		validFrom: validFrom,
 		validUntil: validUntil,
 		purposes: purposes
 	});
 	cert.signWith(issuerKey);

 	return (cert);
 };

 Certificate.parse = function (data, format, options) {
 	if (typeof (data) !== 'string')
 		assert.buffer(data, 'data');
 	if (format === undefined)
 		format = 'auto';
 	assert.string(format, 'format');
 	if (typeof (options) === 'string')
 		options = { filename: options };
 	assert.optionalObject(options, 'options');
 	if (options === undefined)
 		options = {};
 	assert.optionalString(options.filename, 'options.filename');
 	if (options.filename === undefined)
 		options.filename = '(unnamed)';

 	assert.object(formats[format], 'formats[format]');

 	try {
 		var k = formats[format].read(data, options);
 		return (k);
 	} catch (e) {
 		throw (new CertificateParseError(options.filename, format, e));
 	}
 };

 Certificate.isCertificate = function (obj, ver) {
 	return (utils.isCompatible(obj, Certificate, ver));
 };

 /*
  * API versions for Certificate:
  * [1,0] -- initial ver
  * [1,1] -- openssh format now unpacks extensions
  */
 Certificate.prototype._sshpkApiVersion = [1, 1];

 Certificate._oldVersionDetect = function (obj) {
 	return ([1, 0]);
 };
	// Copyright 2016 Joyent, Inc.

	module.exports = Certificate;

	var assert = require('assert-plus');
	var Buffer = require('safer-buffer').Buffer;
	var algs = require('./algs');
	var crypto = require('crypto');
	var Fingerprint = require('./fingerprint');
	var Signature = require('./signature');
	var errs = require('./errors');
	var util = require('util');
	var utils = require('./utils');
	var Key = require('./key');
	var PrivateKey = require('./private-key');
	var Identity = require('./identity');

	var formats = {};
	formats['openssh'] = require('./formats/openssh-cert');
	formats['x509'] = require('./formats/x509');
	formats['pem'] = require('./formats/x509-pem');

	var CertificateParseError = errs.CertificateParseError;
	var InvalidAlgorithmError = errs.InvalidAlgorithmError;

	function Certificate(opts) {
	assert.object(opts, 'options');
	assert.arrayOfObject(opts.subjects, 'options.subjects');
	utils.assertCompatible(opts.subjects[0], Identity, [1, 0],
	'options.subjects');
	utils.assertCompatible(opts.subjectKey, Key, [1, 0],
	'options.subjectKey');
	utils.assertCompatible(opts.issuer, Identity, [1, 0], 'options.issuer');
	if (opts.issuerKey !== undefined) {
	utils.assertCompatible(opts.issuerKey, Key, [1, 0],
	'options.issuerKey');
	}
	assert.object(opts.signatures, 'options.signatures');
	assert.buffer(opts.serial, 'options.serial');
	assert.date(opts.validFrom, 'options.validFrom');
	assert.date(opts.validUntil, 'optons.validUntil');

	assert.optionalArrayOfString(opts.purposes, 'options.purposes');

	this._hashCache = {};

	this.subjects = opts.subjects;
	this.issuer = opts.issuer;
	this.subjectKey = opts.subjectKey;
	this.issuerKey = opts.issuerKey;
	this.signatures = opts.signatures;
	this.serial = opts.serial;
	this.validFrom = opts.validFrom;
	this.validUntil = opts.validUntil;
	this.purposes = opts.purposes;
	}

	Certificate.formats = formats;

	Certificate.prototype.toBuffer = function (format, options) {
	if (format === undefined)
	format = 'x509';
	assert.string(format, 'format');
	assert.object(formats[format], 'formats[format]');
	assert.optionalObject(options, 'options');

	return (formats[format].write(this, options));
	};

	Certificate.prototype.toString = function (format, options) {
	if (format === undefined)
	format = 'pem';
	return (this.toBuffer(format, options).toString());
	};

	Certificate.prototype.fingerprint = function (algo) {
	if (algo === undefined)
	algo = 'sha256';
	assert.string(algo, 'algorithm');
	var opts = {
	type: 'certificate',
	hash: this.hash(algo),
	algorithm: algo
	};
	return (new Fingerprint(opts));
	};

	Certificate.prototype.hash = function (algo) {
	assert.string(algo, 'algorithm');
	algo = algo.toLowerCase();
	if (algs.hashAlgs[algo] === undefined)
	throw (new InvalidAlgorithmError(algo));

	if (this._hashCache[algo])
	return (this._hashCache[algo]);

	var hash = crypto.createHash(algo).
	update(this.toBuffer('x509')).digest();
	this._hashCache[algo] = hash;
	return (hash);
	};

	Certificate.prototype.isExpired = function (when) {
	if (when === undefined)
	when = new Date();
	return (!((when.getTime() >= this.validFrom.getTime()) &&
	(when.getTime() < this.validUntil.getTime())));
	};

	Certificate.prototype.isSignedBy = function (issuerCert) {
	utils.assertCompatible(issuerCert, Certificate, [1, 0], 'issuer');

	if (!this.issuer.equals(issuerCert.subjects[0]))
	return (false);
	if (this.issuer.purposes && this.issuer.purposes.length > 0 &&
	this.issuer.purposes.indexOf('ca') === -1) {
	return (false);
	}

	return (this.isSignedByKey(issuerCert.subjectKey));
	};

	Certificate.prototype.getExtension = function (keyOrOid) {
	assert.string(keyOrOid, 'keyOrOid');
	var ext = this.getExtensions().filter(function (maybeExt) {
	if (maybeExt.format === 'x509')
	return (maybeExt.oid === keyOrOid);
	if (maybeExt.format === 'openssh')
	return (maybeExt.name === keyOrOid);
	return (false);
	})[0];
	return (ext);
	};

	Certificate.prototype.getExtensions = function () {
	var exts = [];
	var x509 = this.signatures.x509;
	if (x509 && x509.extras && x509.extras.exts) {
	x509.extras.exts.forEach(function (ext) {
	ext.format = 'x509';
	exts.push(ext);
	});
	}
	var openssh = this.signatures.openssh;
	if (openssh && openssh.exts) {
	openssh.exts.forEach(function (ext) {
	ext.format = 'openssh';
	exts.push(ext);
	});
	}
	return (exts);
	};

	Certificate.prototype.isSignedByKey = function (issuerKey) {
	utils.assertCompatible(issuerKey, Key, [1, 2], 'issuerKey');

	if (this.issuerKey !== undefined) {
	return (this.issuerKey.
	fingerprint('sha512').matches(issuerKey));
	}

	var fmt = Object.keys(this.signatures)[0];
	var valid = formats[fmt].verify(this, issuerKey);
	if (valid)
	this.issuerKey = issuerKey;
	return (valid);
	};

	Certificate.prototype.signWith = function (key) {
	utils.assertCompatible(key, PrivateKey, [1, 2], 'key');
	var fmts = Object.keys(formats);
	var didOne = false;
	for (var i = 0; i < fmts.length; ++i) {
	if (fmts[i] !== 'pem') {
	var ret = formats[fmts[i]].sign(this, key);
	if (ret === true)
	didOne = true;
	}
	}
	if (!didOne) {
	throw (new Error('Failed to sign the certificate for any ' +
	'available certificate formats'));
	}
	};

	Certificate.createSelfSigned = function (subjectOrSubjects, key, options) {
	var subjects;
	if (Array.isArray(subjectOrSubjects))
	subjects = subjectOrSubjects;
	else
	subjects = [subjectOrSubjects];

	assert.arrayOfObject(subjects);
	subjects.forEach(function (subject) {
	utils.assertCompatible(subject, Identity, [1, 0], 'subject');
	});

	utils.assertCompatible(key, PrivateKey, [1, 2], 'private key');

	assert.optionalObject(options, 'options');
	if (options === undefined)
	options = {};
	assert.optionalObject(options.validFrom, 'options.validFrom');
	assert.optionalObject(options.validUntil, 'options.validUntil');
	var validFrom = options.validFrom;
	var validUntil = options.validUntil;
	if (validFrom === undefined)
	validFrom = new Date();
	if (validUntil === undefined) {
	assert.optionalNumber(options.lifetime, 'options.lifetime');
	var lifetime = options.lifetime;
	if (lifetime === undefined)
	lifetime = 1036524*3600;
	validUntil = new Date();
	validUntil.setTime(validUntil.getTime() + lifetime*1000);
	}
	assert.optionalBuffer(options.serial, 'options.serial');
	var serial = options.serial;
	if (serial === undefined)
	serial = Buffer.from('0000000000000001', 'hex');

	var purposes = options.purposes;
	if (purposes === undefined)
	purposes = [];

	if (purposes.indexOf('signature') === -1)
	purposes.push('signature');

	/* Self-signed certs are always CAs. */
	if (purposes.indexOf('ca') === -1)
	purposes.push('ca');
	if (purposes.indexOf('crl') === -1)
	purposes.push('crl');

	/*
	* If we weren't explicitly given any other purposes, do the sensible
	* thing and add some basic ones depending on the subject type.
	*/
	if (purposes.length <= 3) {
	var hostSubjects = subjects.filter(function (subject) {
	return (subject.type === 'host');
	});
	var userSubjects = subjects.filter(function (subject) {
	return (subject.type === 'user');
	});
	if (hostSubjects.length > 0) {
	if (purposes.indexOf('serverAuth') === -1)
	purposes.push('serverAuth');
	}
	if (userSubjects.length > 0) {
	if (purposes.indexOf('clientAuth') === -1)
	purposes.push('clientAuth');
	}
	if (userSubjects.length > 0 \|\| hostSubjects.length > 0) {
	if (purposes.indexOf('keyAgreement') === -1)
	purposes.push('keyAgreement');
	if (key.type === 'rsa' &&
	purposes.indexOf('encryption') === -1)
	purposes.push('encryption');
	}
	}

	var cert = new Certificate({
	subjects: subjects,
	issuer: subjects[0],
	subjectKey: key.toPublic(),
	issuerKey: key.toPublic(),
	signatures: {},
	serial: serial,
	validFrom: validFrom,
	validUntil: validUntil,
	purposes: purposes
	});
	cert.signWith(key);

	return (cert);
	};

	Certificate.create =
	function (subjectOrSubjects, key, issuer, issuerKey, options) {
	var subjects;
	if (Array.isArray(subjectOrSubjects))
	subjects = subjectOrSubjects;
	else
	subjects = [subjectOrSubjects];

	assert.arrayOfObject(subjects);
	subjects.forEach(function (subject) {
	utils.assertCompatible(subject, Identity, [1, 0], 'subject');
	});

	utils.assertCompatible(key, Key, [1, 0], 'key');
	if (PrivateKey.isPrivateKey(key))
	key = key.toPublic();
	utils.assertCompatible(issuer, Identity, [1, 0], 'issuer');
	utils.assertCompatible(issuerKey, PrivateKey, [1, 2], 'issuer key');

	assert.optionalObject(options, 'options');
	if (options === undefined)
	options = {};
	assert.optionalObject(options.validFrom, 'options.validFrom');
	assert.optionalObject(options.validUntil, 'options.validUntil');
	var validFrom = options.validFrom;
	var validUntil = options.validUntil;
	if (validFrom === undefined)
	validFrom = new Date();
	if (validUntil === undefined) {
	assert.optionalNumber(options.lifetime, 'options.lifetime');
	var lifetime = options.lifetime;
	if (lifetime === undefined)
	lifetime = 1036524*3600;
	validUntil = new Date();
	validUntil.setTime(validUntil.getTime() + lifetime*1000);
	}
	assert.optionalBuffer(options.serial, 'options.serial');
	var serial = options.serial;
	if (serial === undefined)
	serial = Buffer.from('0000000000000001', 'hex');

	var purposes = options.purposes;
	if (purposes === undefined)
	purposes = [];

	if (purposes.indexOf('signature') === -1)
	purposes.push('signature');

	if (options.ca === true) {
	if (purposes.indexOf('ca') === -1)
	purposes.push('ca');
	if (purposes.indexOf('crl') === -1)
	purposes.push('crl');
	}

	var hostSubjects = subjects.filter(function (subject) {
	return (subject.type === 'host');
	});
	var userSubjects = subjects.filter(function (subject) {
	return (subject.type === 'user');
	});
	if (hostSubjects.length > 0) {
	if (purposes.indexOf('serverAuth') === -1)
	purposes.push('serverAuth');
	}
	if (userSubjects.length > 0) {
	if (purposes.indexOf('clientAuth') === -1)
	purposes.push('clientAuth');
	}
	if (userSubjects.length > 0 \|\| hostSubjects.length > 0) {
	if (purposes.indexOf('keyAgreement') === -1)
	purposes.push('keyAgreement');
	if (key.type === 'rsa' &&
	purposes.indexOf('encryption') === -1)
	purposes.push('encryption');
	}

	var cert = new Certificate({
	subjects: subjects,
	issuer: issuer,
	subjectKey: key,
	issuerKey: issuerKey.toPublic(),
	signatures: {},
	serial: serial,
	validFrom: validFrom,
	validUntil: validUntil,
	purposes: purposes
	});
	cert.signWith(issuerKey);

	return (cert);
	};

	Certificate.parse = function (data, format, options) {
	if (typeof (data) !== 'string')
	assert.buffer(data, 'data');
	if (format === undefined)
	format = 'auto';
	assert.string(format, 'format');
	if (typeof (options) === 'string')
	options = { filename: options };
	assert.optionalObject(options, 'options');
	if (options === undefined)
	options = {};
	assert.optionalString(options.filename, 'options.filename');
	if (options.filename === undefined)
	options.filename = '(unnamed)';

	assert.object(formats[format], 'formats[format]');

	try {
	var k = formats[format].read(data, options);
	return (k);
	} catch (e) {
	throw (new CertificateParseError(options.filename, format, e));
	}
	};

	Certificate.isCertificate = function (obj, ver) {
	return (utils.isCompatible(obj, Certificate, ver));
	};

	/*
	* API versions for Certificate:
	* [1,0] -- initial ver
	* [1,1] -- openssh format now unpacks extensions
	*/
	Certificate.prototype._sshpkApiVersion = [1, 1];

	Certificate._oldVersionDetect = function (obj) {
	return ([1, 0]);
	};