| // Copyright 2017 Joyent, Inc. |
| |
| module.exports = { |
| read: read, |
| verify: verify, |
| sign: sign, |
| signAsync: signAsync, |
| write: write |
| }; |
| |
| var assert = require('assert-plus'); |
| var asn1 = require('asn1'); |
| var Buffer = require('safer-buffer').Buffer; |
| var algs = require('../algs'); |
| var utils = require('../utils'); |
| var Key = require('../key'); |
| var PrivateKey = require('../private-key'); |
| var pem = require('./pem'); |
| var Identity = require('../identity'); |
| var Signature = require('../signature'); |
| var Certificate = require('../certificate'); |
| var pkcs8 = require('./pkcs8'); |
| |
| /* |
| * This file is based on RFC5280 (X.509). |
| */ |
| |
| /* Helper to read in a single mpint */ |
| function readMPInt(der, nm) { |
| assert.strictEqual(der.peek(), asn1.Ber.Integer, |
| nm + ' is not an Integer'); |
| return (utils.mpNormalize(der.readString(asn1.Ber.Integer, true))); |
| } |
| |
| function verify(cert, key) { |
| var sig = cert.signatures.x509; |
| assert.object(sig, 'x509 signature'); |
| |
| var algParts = sig.algo.split('-'); |
| if (algParts[0] !== key.type) |
| return (false); |
| |
| var blob = sig.cache; |
| if (blob === undefined) { |
| var der = new asn1.BerWriter(); |
| writeTBSCert(cert, der); |
| blob = der.buffer; |
| } |
| |
| var verifier = key.createVerify(algParts[1]); |
| verifier.write(blob); |
| return (verifier.verify(sig.signature)); |
| } |
| |
| function Local(i) { |
| return (asn1.Ber.Context | asn1.Ber.Constructor | i); |
| } |
| |
| function Context(i) { |
| return (asn1.Ber.Context | i); |
| } |
| |
| var SIGN_ALGS = { |
| 'rsa-md5': '1.2.840.113549.1.1.4', |
| 'rsa-sha1': '1.2.840.113549.1.1.5', |
| 'rsa-sha256': '1.2.840.113549.1.1.11', |
| 'rsa-sha384': '1.2.840.113549.1.1.12', |
| 'rsa-sha512': '1.2.840.113549.1.1.13', |
| 'dsa-sha1': '1.2.840.10040.4.3', |
| 'dsa-sha256': '2.16.840.1.101.3.4.3.2', |
| 'ecdsa-sha1': '1.2.840.10045.4.1', |
| 'ecdsa-sha256': '1.2.840.10045.4.3.2', |
| 'ecdsa-sha384': '1.2.840.10045.4.3.3', |
| 'ecdsa-sha512': '1.2.840.10045.4.3.4', |
| 'ed25519-sha512': '1.3.101.112' |
| }; |
| Object.keys(SIGN_ALGS).forEach(function (k) { |
| SIGN_ALGS[SIGN_ALGS[k]] = k; |
| }); |
| SIGN_ALGS['1.3.14.3.2.3'] = 'rsa-md5'; |
| SIGN_ALGS['1.3.14.3.2.29'] = 'rsa-sha1'; |
| |
| var EXTS = { |
| 'issuerKeyId': '2.5.29.35', |
| 'altName': '2.5.29.17', |
| 'basicConstraints': '2.5.29.19', |
| 'keyUsage': '2.5.29.15', |
| 'extKeyUsage': '2.5.29.37' |
| }; |
| |
| function read(buf, options) { |
| if (typeof (buf) === 'string') { |
| buf = Buffer.from(buf, 'binary'); |
| } |
| assert.buffer(buf, 'buf'); |
| |
| var der = new asn1.BerReader(buf); |
| |
| der.readSequence(); |
| if (Math.abs(der.length - der.remain) > 1) { |
| throw (new Error('DER sequence does not contain whole byte ' + |
| 'stream')); |
| } |
| |
| var tbsStart = der.offset; |
| der.readSequence(); |
| var sigOffset = der.offset + der.length; |
| var tbsEnd = sigOffset; |
| |
| if (der.peek() === Local(0)) { |
| der.readSequence(Local(0)); |
| var version = der.readInt(); |
| assert.ok(version <= 3, |
| 'only x.509 versions up to v3 supported'); |
| } |
| |
| var cert = {}; |
| cert.signatures = {}; |
| var sig = (cert.signatures.x509 = {}); |
| sig.extras = {}; |
| |
| cert.serial = readMPInt(der, 'serial'); |
| |
| der.readSequence(); |
| var after = der.offset + der.length; |
| var certAlgOid = der.readOID(); |
| var certAlg = SIGN_ALGS[certAlgOid]; |
| if (certAlg === undefined) |
| throw (new Error('unknown signature algorithm ' + certAlgOid)); |
| |
| der._offset = after; |
| cert.issuer = Identity.parseAsn1(der); |
| |
| der.readSequence(); |
| cert.validFrom = readDate(der); |
| cert.validUntil = readDate(der); |
| |
| cert.subjects = [Identity.parseAsn1(der)]; |
| |
| der.readSequence(); |
| after = der.offset + der.length; |
| cert.subjectKey = pkcs8.readPkcs8(undefined, 'public', der); |
| der._offset = after; |
| |
| /* issuerUniqueID */ |
| if (der.peek() === Local(1)) { |
| der.readSequence(Local(1)); |
| sig.extras.issuerUniqueID = |
| buf.slice(der.offset, der.offset + der.length); |
| der._offset += der.length; |
| } |
| |
| /* subjectUniqueID */ |
| if (der.peek() === Local(2)) { |
| der.readSequence(Local(2)); |
| sig.extras.subjectUniqueID = |
| buf.slice(der.offset, der.offset + der.length); |
| der._offset += der.length; |
| } |
| |
| /* extensions */ |
| if (der.peek() === Local(3)) { |
| der.readSequence(Local(3)); |
| var extEnd = der.offset + der.length; |
| der.readSequence(); |
| |
| while (der.offset < extEnd) |
| readExtension(cert, buf, der); |
| |
| assert.strictEqual(der.offset, extEnd); |
| } |
| |
| assert.strictEqual(der.offset, sigOffset); |
| |
| der.readSequence(); |
| after = der.offset + der.length; |
| var sigAlgOid = der.readOID(); |
| var sigAlg = SIGN_ALGS[sigAlgOid]; |
| if (sigAlg === undefined) |
| throw (new Error('unknown signature algorithm ' + sigAlgOid)); |
| der._offset = after; |
| |
| var sigData = der.readString(asn1.Ber.BitString, true); |
| if (sigData[0] === 0) |
| sigData = sigData.slice(1); |
| var algParts = sigAlg.split('-'); |
| |
| sig.signature = Signature.parse(sigData, algParts[0], 'asn1'); |
| sig.signature.hashAlgorithm = algParts[1]; |
| sig.algo = sigAlg; |
| sig.cache = buf.slice(tbsStart, tbsEnd); |
| |
| return (new Certificate(cert)); |
| } |
| |
| function readDate(der) { |
| if (der.peek() === asn1.Ber.UTCTime) { |
| return (utcTimeToDate(der.readString(asn1.Ber.UTCTime))); |
| } else if (der.peek() === asn1.Ber.GeneralizedTime) { |
| return (gTimeToDate(der.readString(asn1.Ber.GeneralizedTime))); |
| } else { |
| throw (new Error('Unsupported date format')); |
| } |
| } |
| |
| function writeDate(der, date) { |
| if (date.getUTCFullYear() >= 2050 || date.getUTCFullYear() < 1950) { |
| der.writeString(dateToGTime(date), asn1.Ber.GeneralizedTime); |
| } else { |
| der.writeString(dateToUTCTime(date), asn1.Ber.UTCTime); |
| } |
| } |
| |
| /* RFC5280, section 4.2.1.6 (GeneralName type) */ |
| var ALTNAME = { |
| OtherName: Local(0), |
| RFC822Name: Context(1), |
| DNSName: Context(2), |
| X400Address: Local(3), |
| DirectoryName: Local(4), |
| EDIPartyName: Local(5), |
| URI: Context(6), |
| IPAddress: Context(7), |
| OID: Context(8) |
| }; |
| |
| /* RFC5280, section 4.2.1.12 (KeyPurposeId) */ |
| var EXTPURPOSE = { |
| 'serverAuth': '1.3.6.1.5.5.7.3.1', |
| 'clientAuth': '1.3.6.1.5.5.7.3.2', |
| 'codeSigning': '1.3.6.1.5.5.7.3.3', |
| |
| /* See https://github.com/joyent/oid-docs/blob/master/root.md */ |
| 'joyentDocker': '1.3.6.1.4.1.38678.1.4.1', |
| 'joyentCmon': '1.3.6.1.4.1.38678.1.4.2' |
| }; |
| var EXTPURPOSE_REV = {}; |
| Object.keys(EXTPURPOSE).forEach(function (k) { |
| EXTPURPOSE_REV[EXTPURPOSE[k]] = k; |
| }); |
| |
| var KEYUSEBITS = [ |
| 'signature', 'identity', 'keyEncryption', |
| 'encryption', 'keyAgreement', 'ca', 'crl' |
| ]; |
| |
| function readExtension(cert, buf, der) { |
| der.readSequence(); |
| var after = der.offset + der.length; |
| var extId = der.readOID(); |
| var id; |
| var sig = cert.signatures.x509; |
| if (!sig.extras.exts) |
| sig.extras.exts = []; |
| |
| var critical; |
| if (der.peek() === asn1.Ber.Boolean) |
| critical = der.readBoolean(); |
| |
| switch (extId) { |
| case (EXTS.basicConstraints): |
| der.readSequence(asn1.Ber.OctetString); |
| der.readSequence(); |
| var bcEnd = der.offset + der.length; |
| var ca = false; |
| if (der.peek() === asn1.Ber.Boolean) |
| ca = der.readBoolean(); |
| if (cert.purposes === undefined) |
| cert.purposes = []; |
| if (ca === true) |
| cert.purposes.push('ca'); |
| var bc = { oid: extId, critical: critical }; |
| if (der.offset < bcEnd && der.peek() === asn1.Ber.Integer) |
| bc.pathLen = der.readInt(); |
| sig.extras.exts.push(bc); |
| break; |
| case (EXTS.extKeyUsage): |
| der.readSequence(asn1.Ber.OctetString); |
| der.readSequence(); |
| if (cert.purposes === undefined) |
| cert.purposes = []; |
| var ekEnd = der.offset + der.length; |
| while (der.offset < ekEnd) { |
| var oid = der.readOID(); |
| cert.purposes.push(EXTPURPOSE_REV[oid] || oid); |
| } |
| /* |
| * This is a bit of a hack: in the case where we have a cert |
| * that's only allowed to do serverAuth or clientAuth (and not |
| * the other), we want to make sure all our Subjects are of |
| * the right type. But we already parsed our Subjects and |
| * decided if they were hosts or users earlier (since it appears |
| * first in the cert). |
| * |
| * So we go through and mutate them into the right kind here if |
| * it doesn't match. This might not be hugely beneficial, as it |
| * seems that single-purpose certs are not often seen in the |
| * wild. |
| */ |
| if (cert.purposes.indexOf('serverAuth') !== -1 && |
| cert.purposes.indexOf('clientAuth') === -1) { |
| cert.subjects.forEach(function (ide) { |
| if (ide.type !== 'host') { |
| ide.type = 'host'; |
| ide.hostname = ide.uid || |
| ide.email || |
| ide.components[0].value; |
| } |
| }); |
| } else if (cert.purposes.indexOf('clientAuth') !== -1 && |
| cert.purposes.indexOf('serverAuth') === -1) { |
| cert.subjects.forEach(function (ide) { |
| if (ide.type !== 'user') { |
| ide.type = 'user'; |
| ide.uid = ide.hostname || |
| ide.email || |
| ide.components[0].value; |
| } |
| }); |
| } |
| sig.extras.exts.push({ oid: extId, critical: critical }); |
| break; |
| case (EXTS.keyUsage): |
| der.readSequence(asn1.Ber.OctetString); |
| var bits = der.readString(asn1.Ber.BitString, true); |
| var setBits = readBitField(bits, KEYUSEBITS); |
| setBits.forEach(function (bit) { |
| if (cert.purposes === undefined) |
| cert.purposes = []; |
| if (cert.purposes.indexOf(bit) === -1) |
| cert.purposes.push(bit); |
| }); |
| sig.extras.exts.push({ oid: extId, critical: critical, |
| bits: bits }); |
| break; |
| case (EXTS.altName): |
| der.readSequence(asn1.Ber.OctetString); |
| der.readSequence(); |
| var aeEnd = der.offset + der.length; |
| while (der.offset < aeEnd) { |
| switch (der.peek()) { |
| case ALTNAME.OtherName: |
| case ALTNAME.EDIPartyName: |
| der.readSequence(); |
| der._offset += der.length; |
| break; |
| case ALTNAME.OID: |
| der.readOID(ALTNAME.OID); |
| break; |
| case ALTNAME.RFC822Name: |
| /* RFC822 specifies email addresses */ |
| var email = der.readString(ALTNAME.RFC822Name); |
| id = Identity.forEmail(email); |
| if (!cert.subjects[0].equals(id)) |
| cert.subjects.push(id); |
| break; |
| case ALTNAME.DirectoryName: |
| der.readSequence(ALTNAME.DirectoryName); |
| id = Identity.parseAsn1(der); |
| if (!cert.subjects[0].equals(id)) |
| cert.subjects.push(id); |
| break; |
| case ALTNAME.DNSName: |
| var host = der.readString( |
| ALTNAME.DNSName); |
| id = Identity.forHost(host); |
| if (!cert.subjects[0].equals(id)) |
| cert.subjects.push(id); |
| break; |
| default: |
| der.readString(der.peek()); |
| break; |
| } |
| } |
| sig.extras.exts.push({ oid: extId, critical: critical }); |
| break; |
| default: |
| sig.extras.exts.push({ |
| oid: extId, |
| critical: critical, |
| data: der.readString(asn1.Ber.OctetString, true) |
| }); |
| break; |
| } |
| |
| der._offset = after; |
| } |
| |
| var UTCTIME_RE = |
| /^([0-9]{2})([0-9]{2})([0-9]{2})([0-9]{2})([0-9]{2})([0-9]{2})?Z$/; |
| function utcTimeToDate(t) { |
| var m = t.match(UTCTIME_RE); |
| assert.ok(m, 'timestamps must be in UTC'); |
| var d = new Date(); |
| |
| var thisYear = d.getUTCFullYear(); |
| var century = Math.floor(thisYear / 100) * 100; |
| |
| var year = parseInt(m[1], 10); |
| if (thisYear % 100 < 50 && year >= 60) |
| year += (century - 1); |
| else |
| year += century; |
| d.setUTCFullYear(year, parseInt(m[2], 10) - 1, parseInt(m[3], 10)); |
| d.setUTCHours(parseInt(m[4], 10), parseInt(m[5], 10)); |
| if (m[6] && m[6].length > 0) |
| d.setUTCSeconds(parseInt(m[6], 10)); |
| return (d); |
| } |
| |
| var GTIME_RE = |
| /^([0-9]{4})([0-9]{2})([0-9]{2})([0-9]{2})([0-9]{2})([0-9]{2})?Z$/; |
| function gTimeToDate(t) { |
| var m = t.match(GTIME_RE); |
| assert.ok(m); |
| var d = new Date(); |
| |
| d.setUTCFullYear(parseInt(m[1], 10), parseInt(m[2], 10) - 1, |
| parseInt(m[3], 10)); |
| d.setUTCHours(parseInt(m[4], 10), parseInt(m[5], 10)); |
| if (m[6] && m[6].length > 0) |
| d.setUTCSeconds(parseInt(m[6], 10)); |
| return (d); |
| } |
| |
| function zeroPad(n, m) { |
| if (m === undefined) |
| m = 2; |
| var s = '' + n; |
| while (s.length < m) |
| s = '0' + s; |
| return (s); |
| } |
| |
| function dateToUTCTime(d) { |
| var s = ''; |
| s += zeroPad(d.getUTCFullYear() % 100); |
| s += zeroPad(d.getUTCMonth() + 1); |
| s += zeroPad(d.getUTCDate()); |
| s += zeroPad(d.getUTCHours()); |
| s += zeroPad(d.getUTCMinutes()); |
| s += zeroPad(d.getUTCSeconds()); |
| s += 'Z'; |
| return (s); |
| } |
| |
| function dateToGTime(d) { |
| var s = ''; |
| s += zeroPad(d.getUTCFullYear(), 4); |
| s += zeroPad(d.getUTCMonth() + 1); |
| s += zeroPad(d.getUTCDate()); |
| s += zeroPad(d.getUTCHours()); |
| s += zeroPad(d.getUTCMinutes()); |
| s += zeroPad(d.getUTCSeconds()); |
| s += 'Z'; |
| return (s); |
| } |
| |
| function sign(cert, key) { |
| if (cert.signatures.x509 === undefined) |
| cert.signatures.x509 = {}; |
| var sig = cert.signatures.x509; |
| |
| sig.algo = key.type + '-' + key.defaultHashAlgorithm(); |
| if (SIGN_ALGS[sig.algo] === undefined) |
| return (false); |
| |
| var der = new asn1.BerWriter(); |
| writeTBSCert(cert, der); |
| var blob = der.buffer; |
| sig.cache = blob; |
| |
| var signer = key.createSign(); |
| signer.write(blob); |
| cert.signatures.x509.signature = signer.sign(); |
| |
| return (true); |
| } |
| |
| function signAsync(cert, signer, done) { |
| if (cert.signatures.x509 === undefined) |
| cert.signatures.x509 = {}; |
| var sig = cert.signatures.x509; |
| |
| var der = new asn1.BerWriter(); |
| writeTBSCert(cert, der); |
| var blob = der.buffer; |
| sig.cache = blob; |
| |
| signer(blob, function (err, signature) { |
| if (err) { |
| done(err); |
| return; |
| } |
| sig.algo = signature.type + '-' + signature.hashAlgorithm; |
| if (SIGN_ALGS[sig.algo] === undefined) { |
| done(new Error('Invalid signing algorithm "' + |
| sig.algo + '"')); |
| return; |
| } |
| sig.signature = signature; |
| done(); |
| }); |
| } |
| |
| function write(cert, options) { |
| var sig = cert.signatures.x509; |
| assert.object(sig, 'x509 signature'); |
| |
| var der = new asn1.BerWriter(); |
| der.startSequence(); |
| if (sig.cache) { |
| der._ensure(sig.cache.length); |
| sig.cache.copy(der._buf, der._offset); |
| der._offset += sig.cache.length; |
| } else { |
| writeTBSCert(cert, der); |
| } |
| |
| der.startSequence(); |
| der.writeOID(SIGN_ALGS[sig.algo]); |
| if (sig.algo.match(/^rsa-/)) |
| der.writeNull(); |
| der.endSequence(); |
| |
| var sigData = sig.signature.toBuffer('asn1'); |
| var data = Buffer.alloc(sigData.length + 1); |
| data[0] = 0; |
| sigData.copy(data, 1); |
| der.writeBuffer(data, asn1.Ber.BitString); |
| der.endSequence(); |
| |
| return (der.buffer); |
| } |
| |
| function writeTBSCert(cert, der) { |
| var sig = cert.signatures.x509; |
| assert.object(sig, 'x509 signature'); |
| |
| der.startSequence(); |
| |
| der.startSequence(Local(0)); |
| der.writeInt(2); |
| der.endSequence(); |
| |
| der.writeBuffer(utils.mpNormalize(cert.serial), asn1.Ber.Integer); |
| |
| der.startSequence(); |
| der.writeOID(SIGN_ALGS[sig.algo]); |
| if (sig.algo.match(/^rsa-/)) |
| der.writeNull(); |
| der.endSequence(); |
| |
| cert.issuer.toAsn1(der); |
| |
| der.startSequence(); |
| writeDate(der, cert.validFrom); |
| writeDate(der, cert.validUntil); |
| der.endSequence(); |
| |
| var subject = cert.subjects[0]; |
| var altNames = cert.subjects.slice(1); |
| subject.toAsn1(der); |
| |
| pkcs8.writePkcs8(der, cert.subjectKey); |
| |
| if (sig.extras && sig.extras.issuerUniqueID) { |
| der.writeBuffer(sig.extras.issuerUniqueID, Local(1)); |
| } |
| |
| if (sig.extras && sig.extras.subjectUniqueID) { |
| der.writeBuffer(sig.extras.subjectUniqueID, Local(2)); |
| } |
| |
| if (altNames.length > 0 || subject.type === 'host' || |
| (cert.purposes !== undefined && cert.purposes.length > 0) || |
| (sig.extras && sig.extras.exts)) { |
| der.startSequence(Local(3)); |
| der.startSequence(); |
| |
| var exts = []; |
| if (cert.purposes !== undefined && cert.purposes.length > 0) { |
| exts.push({ |
| oid: EXTS.basicConstraints, |
| critical: true |
| }); |
| exts.push({ |
| oid: EXTS.keyUsage, |
| critical: true |
| }); |
| exts.push({ |
| oid: EXTS.extKeyUsage, |
| critical: true |
| }); |
| } |
| exts.push({ oid: EXTS.altName }); |
| if (sig.extras && sig.extras.exts) |
| exts = sig.extras.exts; |
| |
| for (var i = 0; i < exts.length; ++i) { |
| der.startSequence(); |
| der.writeOID(exts[i].oid); |
| |
| if (exts[i].critical !== undefined) |
| der.writeBoolean(exts[i].critical); |
| |
| if (exts[i].oid === EXTS.altName) { |
| der.startSequence(asn1.Ber.OctetString); |
| der.startSequence(); |
| if (subject.type === 'host') { |
| der.writeString(subject.hostname, |
| Context(2)); |
| } |
| for (var j = 0; j < altNames.length; ++j) { |
| if (altNames[j].type === 'host') { |
| der.writeString( |
| altNames[j].hostname, |
| ALTNAME.DNSName); |
| } else if (altNames[j].type === |
| 'email') { |
| der.writeString( |
| altNames[j].email, |
| ALTNAME.RFC822Name); |
| } else { |
| /* |
| * Encode anything else as a |
| * DN style name for now. |
| */ |
| der.startSequence( |
| ALTNAME.DirectoryName); |
| altNames[j].toAsn1(der); |
| der.endSequence(); |
| } |
| } |
| der.endSequence(); |
| der.endSequence(); |
| } else if (exts[i].oid === EXTS.basicConstraints) { |
| der.startSequence(asn1.Ber.OctetString); |
| der.startSequence(); |
| var ca = (cert.purposes.indexOf('ca') !== -1); |
| var pathLen = exts[i].pathLen; |
| der.writeBoolean(ca); |
| if (pathLen !== undefined) |
| der.writeInt(pathLen); |
| der.endSequence(); |
| der.endSequence(); |
| } else if (exts[i].oid === EXTS.extKeyUsage) { |
| der.startSequence(asn1.Ber.OctetString); |
| der.startSequence(); |
| cert.purposes.forEach(function (purpose) { |
| if (purpose === 'ca') |
| return; |
| if (KEYUSEBITS.indexOf(purpose) !== -1) |
| return; |
| var oid = purpose; |
| if (EXTPURPOSE[purpose] !== undefined) |
| oid = EXTPURPOSE[purpose]; |
| der.writeOID(oid); |
| }); |
| der.endSequence(); |
| der.endSequence(); |
| } else if (exts[i].oid === EXTS.keyUsage) { |
| der.startSequence(asn1.Ber.OctetString); |
| /* |
| * If we parsed this certificate from a byte |
| * stream (i.e. we didn't generate it in sshpk) |
| * then we'll have a ".bits" property on the |
| * ext with the original raw byte contents. |
| * |
| * If we have this, use it here instead of |
| * regenerating it. This guarantees we output |
| * the same data we parsed, so signatures still |
| * validate. |
| */ |
| if (exts[i].bits !== undefined) { |
| der.writeBuffer(exts[i].bits, |
| asn1.Ber.BitString); |
| } else { |
| var bits = writeBitField(cert.purposes, |
| KEYUSEBITS); |
| der.writeBuffer(bits, |
| asn1.Ber.BitString); |
| } |
| der.endSequence(); |
| } else { |
| der.writeBuffer(exts[i].data, |
| asn1.Ber.OctetString); |
| } |
| |
| der.endSequence(); |
| } |
| |
| der.endSequence(); |
| der.endSequence(); |
| } |
| |
| der.endSequence(); |
| } |
| |
| /* |
| * Reads an ASN.1 BER bitfield out of the Buffer produced by doing |
| * `BerReader#readString(asn1.Ber.BitString)`. That function gives us the raw |
| * contents of the BitString tag, which is a count of unused bits followed by |
| * the bits as a right-padded byte string. |
| * |
| * `bits` is the Buffer, `bitIndex` should contain an array of string names |
| * for the bits in the string, ordered starting with bit #0 in the ASN.1 spec. |
| * |
| * Returns an array of Strings, the names of the bits that were set to 1. |
| */ |
| function readBitField(bits, bitIndex) { |
| var bitLen = 8 * (bits.length - 1) - bits[0]; |
| var setBits = {}; |
| for (var i = 0; i < bitLen; ++i) { |
| var byteN = 1 + Math.floor(i / 8); |
| var bit = 7 - (i % 8); |
| var mask = 1 << bit; |
| var bitVal = ((bits[byteN] & mask) !== 0); |
| var name = bitIndex[i]; |
| if (bitVal && typeof (name) === 'string') { |
| setBits[name] = true; |
| } |
| } |
| return (Object.keys(setBits)); |
| } |
| |
| /* |
| * `setBits` is an array of strings, containing the names for each bit that |
| * sould be set to 1. `bitIndex` is same as in `readBitField()`. |
| * |
| * Returns a Buffer, ready to be written out with `BerWriter#writeString()`. |
| */ |
| function writeBitField(setBits, bitIndex) { |
| var bitLen = bitIndex.length; |
| var blen = Math.ceil(bitLen / 8); |
| var unused = blen * 8 - bitLen; |
| var bits = Buffer.alloc(1 + blen); // zero-filled |
| bits[0] = unused; |
| for (var i = 0; i < bitLen; ++i) { |
| var byteN = 1 + Math.floor(i / 8); |
| var bit = 7 - (i % 8); |
| var mask = 1 << bit; |
| var name = bitIndex[i]; |
| if (name === undefined) |
| continue; |
| var bitVal = (setBits.indexOf(name) !== -1); |
| if (bitVal) { |
| bits[byteN] |= mask; |
| } |
| } |
| return (bits); |
| } |
