I would like to introduce two libraries that together implement almost the full range of functionality needed to build a PKI infrastructure: PKIjs and its supporting library ASN1js. Both are freely available and distributed under a permissive license that allows their code to be used without special restrictions, including in commercial products. The full source code of both libraries is on GitHub:
- PKIjs
- ASN1js
To catch the reader's interest right in the introduction, here is a short list of what these libraries offer:
- Object-oriented code;
- Work with HTML5 APIs (ArrayBuffer, Promises, WebCrypto; at the time of writing WebCrypto requires a current Google Chrome nightly/dev build);
- The ability to create, verify, read the internal data of, and modify the following objects:
- X.509 certificates;
- X.509 Certificate Revocation Lists (CRL);
- Certificate requests (PKCS#10);
- OCSP requests;
- OCSP responder responses;
- Time-stamping protocol (TSP) requests;
- TSP server responses;
- CMS Signed Data;
- CMS Enveloped Data;
- A certificate chain validation engine implemented entirely in JavaScript;
- ... and much more, see below.
More about the libraries and what you can do with them follows.
ASN1js
The ASN1js library is an encoder/decoder for ASN.1 data in BER (Basic Encoding Rules). Since DER and CER are restricted subsets of BER, the library works with those rule sets as well. Note that decoding DER with a BER decoder does not by itself reject non-canonical encodings; where strict DER matters (for example when re-encoding data that a signature was computed over) that check is still your responsibility. Beyond encoding and decoding, the library lets you describe the expected structure of data as an easy-to-read ASN.1 schema, and compare BER-decoded data against a previously defined schema.
The feature set of this library:
- Fully object-oriented code with consistent use of inheritance;
- Work with objects from the HTML5 standard (ArrayBuffer);
- Work with all data types of ASN.1:2008;
- Every data type in the library stores information about all three sub-blocks: the identification sub-block (tag), the length sub-block, and the value sub-block;
- The user can access any individual byte of any sub-block at any time;
- All sub-blocks may be of any length the standard allows, including the multi-byte (high-tag-number) form of the identification sub-block;
- Full support for all ASN.1 string types, including the "international" string types UniversalString, BMPString and UTF8String. A plain JavaScript string can be passed to the constructor of any ASN.1 string type. The reverse also holds: when any ASN.1 string type is decoded, it is automatically converted to a plain JavaScript string (stored as a field of the object);
- The same applies to the ASN.1 date/time types. The basic types (UTCTime and GeneralizedTime) can be initialized from an ordinary JavaScript Date object, and on decoding, values of these types are automatically converted to a JavaScript Date;
- Work with easy-to-read ASN.1 schemas;
- The library provides special types intended only for describing ASN.1 schemas;
- The user can give blocks inside an ASN.1 schema a name and later retrieve the matching decoded ASN.1 data by that name;
- All types in the library are dynamic;
- All library types can be initialized either dynamically or by passing static data to the constructor.
There are many examples for the library in the repository (see GitHub). In addition, the other library described here, PKIjs, is the largest "example" of using ASN1js.
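To make the three-sub-block view concrete, here is a small BER/DER decoder written as an added example for this post. It is not ASN1js code and does not reproduce its API; it only illustrates the same model of the data: every element keeps its identification, length and value sub-blocks as byte ranges, the multi-byte high-tag-number form and long-form lengths are handled, constructed types are parsed recursively, and the common string and time types are converted to a JavaScript string or Date. The sample inputs (`sampleDer`, `sampleLongForm`) are constructed for the example and are not real PKI objects.

```javascript
// Added example (not ASN1js code): a minimal BER/DER decoder that keeps the three
// sub-blocks of every element (identification/tag, length, value) as byte ranges,
// the same view of the data that the post describes. Handles the multi-byte
// high-tag-number form, long-form lengths, constructed types and the common
// string and time types. Indefinite-length (BER-only) encoding is rejected.

function decode(input) {
  const bytes = input instanceof Uint8Array ? input : new Uint8Array(input); // ArrayBuffer or view
  const block = decodeBlock(bytes, 0);
  if (block.end !== bytes.length) throw new RangeError("trailing bytes after top-level element");
  return block;
}

function decodeBlock(bytes, offset) {
  if (offset >= bytes.length) throw new RangeError("unexpected end of data");
  const start = offset;

  // Identification sub-block: class (bits 7-6), constructed flag (bit 5), tag number.
  const first = bytes[offset++];
  const tagClass = first >> 6;                 // 0 universal, 1 application, 2 context, 3 private
  const constructed = (first & 0x20) !== 0;
  let tagNumber = first & 0x1f;
  if (tagNumber === 0x1f) {                    // high-tag-number form: base-128 digits, MSB = "more"
    tagNumber = 0;
    let b;
    do {
      if (offset >= bytes.length) throw new RangeError("truncated tag");
      b = bytes[offset++];
      tagNumber = tagNumber * 128 + (b & 0x7f);
    } while (b & 0x80);
  }
  const tagEnd = offset;

  // Length sub-block: short form (< 128) or long form (0x8n followed by n octets).
  if (offset >= bytes.length) throw new RangeError("truncated length");
  let length = bytes[offset++];
  if (length === 0x80) throw new Error("indefinite length is BER-only and not supported here");
  if (length & 0x80) {
    const n = length & 0x7f;
    if (n > 4 || offset + n > bytes.length) throw new RangeError("bad long-form length");
    length = 0;
    for (let i = 0; i < n; i++) length = length * 256 + bytes[offset++];
  }
  const lenEnd = offset;
  const valueEnd = lenEnd + length;
  if (valueEnd > bytes.length) throw new RangeError("value runs past end of data");

  const block = {
    tagClass, constructed, tagNumber,
    idBlock: bytes.subarray(start, tagEnd),      // raw bytes of each sub-block, as the post describes
    lenBlock: bytes.subarray(tagEnd, lenEnd),
    valueBlock: bytes.subarray(lenEnd, valueEnd),
    end: valueEnd,
  };
  if (constructed) {                             // SEQUENCE, SET, explicit tags: parse the children
    block.children = [];
    for (let p = lenEnd; p < valueEnd; ) {
      const child = decodeBlock(bytes, p);
      block.children.push(child);
      p = child.end;
    }
  } else if (tagClass === 0) {
    block.decoded = decodePrimitive(tagNumber, block.valueBlock); // JS string / Date where applicable
  }
  return block;
}

function decodePrimitive(tagNumber, value) {
  const text = () => new TextDecoder("utf-8").decode(value);
  switch (tagNumber) {
    case 12: case 19: case 22:                   // UTF8String, PrintableString, IA5String
      return text();
    case 30: {                                   // BMPString: UCS-2, big-endian
      let s = "";
      for (let i = 0; i + 1 < value.length; i += 2) s += String.fromCharCode((value[i] << 8) | value[i + 1]);
      return s;
    }
    case 23: {                                   // UTCTime "YYMMDDhhmmssZ"; RFC 5280: YY >= 50 means 19YY
      const t = text(), yy = Number(t.slice(0, 2));
      return toUtcDate(yy >= 50 ? 1900 + yy : 2000 + yy, t.slice(2));
    }
    case 24: {                                   // GeneralizedTime "YYYYMMDDhhmmssZ"
      const t = text();
      return toUtcDate(Number(t.slice(0, 4)), t.slice(4));
    }
    default:
      return undefined;                          // other types: raw valueBlock only
  }
}

function toUtcDate(year, rest) {                 // rest = "MMDDhhmmssZ"
  const f = (i) => Number(rest.slice(i, i + 2));
  return new Date(Date.UTC(year, f(0) - 1, f(2), f(4), f(6), f(8)));
}

// Constructed sample input (not a real PKI object):
//   SEQUENCE { UTF8String "héllo", UTCTime 2014-05-07 12:00:00Z, [APPLICATION 31] 0x012a }
// The last element uses the two-byte high-tag-number form of the identification sub-block.
function sampleDer() {
  return Uint8Array.from([
    0x30, 0x1c,
    0x0c, 0x06, 0x68, 0xc3, 0xa9, 0x6c, 0x6c, 0x6f,
    0x17, 0x0d, 0x31, 0x34, 0x30, 0x35, 0x30, 0x37, 0x31, 0x32, 0x30, 0x30, 0x30, 0x30, 0x5a,
    0x5f, 0x1f, 0x02, 0x01, 0x2a,
  ]).buffer;
}

// Constructed sample with a long-form length: OCTET STRING of 200 bytes (0x04 0x81 0xC8 ...).
function sampleLongForm() {
  return Uint8Array.from([0x04, 0x81, 0xc8, ...new Array(200).fill(0xaa)]).buffer;
}
```

Every length and offset is bounds-checked before it is used; a decoder that trusts the length octets of attacker-supplied DER is the classic source of out-of-bounds reads in PKI parsers, and a JavaScript decoder should be just as careful even though it cannot corrupt memory.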
PKIjs
This library was conceived from the start as the foundation for building complete PKI solutions, from the simplest to the most complex. It should be comfortable to work with, and the data should be easy to access and easy to modify. The library contains more than 50 different "helpers" for working with all the PKI-related structures you need (such as GeneralName, the various X.509 certificate extensions, and so on). It has a layered structure and can easily be modified and extended. Current development plans for the library can be seen in the "Issues" section on GitHub.
The feature set of this library:
- Fully object-oriented code;
- Work with data types from the latest standards (ArrayBuffer, Promises, WebCrypto; the latest Google Chrome nightly build is used for WebCrypto);
- A complete set of objects for the auxiliary types, such as:
- GeneralName;
- RelativeDistinguishedName;
- Time;
- AlgorithmIdentifier;
- All standard X.509 certificate extension types;
- All auxiliary objects for working with OCSP requests and responses;
- All auxiliary objects for working with the Time-stamping protocol (TSP);
- A certificate path validation function implemented entirely in JavaScript, using Promises and WebCrypto;
- Support for all the major PKI data types:
- X.509 certificates
- Reading all fields of the certificate, including nested ones;
- Creating and modifying any internal structure;
- Creating a certificate from scratch;
- A built-in "certificate chain validation engine";
- X.509 Certificate Revocation Lists (CRL)
- Reading all fields of the structure, including nested ones;
- Creating and modifying any internal structure;
- Creating a CRL from scratch;
- Verifying the CRL's digital signature;
- A built-in lookup to check whether a given certificate has an entry in the CRL;
- PKCS#10 certificate requests
- Reading all fields of the structure, including nested ones;
- Creating and modifying any internal structure;
- Creating a PKCS#10 request from scratch;
- Verifying the PKCS#10 request's digital signature;
- OCSP requests
- Reading all fields of the structure, including nested ones;
- Creating and modifying any internal structure;
- Creating an OCSP request from scratch;
- OCSP responder responses
- Reading all fields of the structure, including nested ones;
- Creating and modifying any internal structure;
- Creating an OCSP response from scratch;
- Verifying the OCSP response's digital signature;
- Time-stamping protocol (TSP) requests
- Reading all fields of the structure, including nested ones;
- Creating and modifying any internal structure;
- Creating a TSP request from scratch (note that a TSP request carries no signature of its own, so signature verification applies only to the response);
- TSP server responses
- Reading all fields of the structure, including nested ones;
- Creating and modifying any internal structure;
- Creating a TSP response from scratch;
- Verifying the TSP response's digital signature;
- CMS Signed Data
- Reading all fields of the structure, including nested ones;
- Creating and modifying any internal structure;
- Creating CMS Signed Data from scratch;
- Verifying the CMS Signed Data digital signature;
- CMS Enveloped Data
- Reading all fields of the structure, including nested ones;
- Creating and modifying any internal structure;
- Creating CMS Enveloped Data and key management are planned for the near future.
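The CRL lookup listed above ("does this certificate have an entry in the CRL?") is simple in principle and easy to get wrong in practice, because the comparison is between DER INTEGER serial numbers. The following is an added example for this post, not PKIjs code: it encodes serial numbers as DER INTEGER content octets from a BigInt, normalizes non-minimal encodings, and finds a certificate's entry in a list of revoked serials. The `findRevokedEntry` helper and the `sampleRevokedEntries` data are constructed for the example; the entry shape (`serial`, `revocationDate`) merely mirrors the two mandatory fields of a CRL entry and is not the library's representation.

```javascript
// Added example (not PKIjs code): looking a certificate up in a CRL by serial number,
// done on the raw content octets of the DER INTEGER rather than on JS Numbers.
// Serial numbers may be up to 20 octets (RFC 5280), far beyond Number's 53-bit range,
// and non-minimal encodings (extra leading 0x00) do occur in the wild, so a naive
// bytewise compare can miss a revoked certificate.

// Content octets of a DER INTEGER for a non-negative BigInt: big-endian, minimal length,
// with one leading 0x00 when the top bit would otherwise mark the value as negative.
function encodeSerial(serial) {
  if (typeof serial !== "bigint" || serial < 0n) throw new TypeError("serial must be a non-negative BigInt");
  let hex = serial.toString(16);
  if (hex.length % 2) hex = "0" + hex;
  const out = [];
  for (let i = 0; i < hex.length; i += 2) out.push(parseInt(hex.slice(i, i + 2), 16));
  if (out[0] & 0x80) out.unshift(0x00);
  return Uint8Array.from(out);
}

// Inverse of encodeSerial (non-negative values only).
function decodeSerial(content) {
  let v = 0n;
  for (const b of content) v = (v << 8n) | BigInt(b);
  return v;
}

// Full TLV: tag 0x02 (INTEGER), then short-form or one-octet long-form length.
function derInteger(content) {
  const len = content.length;
  if (len > 255) throw new RangeError("serial too long");
  return Uint8Array.from([0x02, ...(len < 0x80 ? [len] : [0x81, len]), ...content]);
}

// RFC 5280 allows at most 20 octets of INTEGER content (the leading 0x00 counts).
function hasValidSerialLength(content) {
  return content.length >= 1 && content.length <= 20;
}

// Canonical form: drop leading 0x00 octets that carry no information, i.e. those
// followed by an octet whose top bit is clear. A 0x00 before a 0x80..0xFF octet is the
// sign octet and must stay, so a positive 0x0080 never collides with the negative 0x80.
function normalizeSerial(content) {
  let i = 0;
  while (i + 1 < content.length && content[i] === 0x00 && (content[i + 1] & 0x80) === 0) i++;
  return content.subarray(i);
}

// Length-then-content compare without early exit on the content bytes.
function bytesEqual(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a[i] ^ b[i];
  return diff === 0;
}

// revokedEntries mirrors the CRL's revokedCertificates list: one object per entry with the
// serial's DER content octets and the revocation date. Returns the entry or null.
function findRevokedEntry(revokedEntries, certSerialContent) {
  const target = normalizeSerial(certSerialContent);
  for (const entry of revokedEntries) {
    if (bytesEqual(normalizeSerial(entry.serial), target)) return entry;
  }
  return null;
}

// Constructed sample CRL entries (not taken from a real CRL).
function sampleRevokedEntries() {
  return [
    { serial: encodeSerial(0x1234n), revocationDate: new Date(Date.UTC(2014, 4, 7)) },
    { serial: Uint8Array.from([0x00, 0x00, 0x01, 0x02]), revocationDate: new Date(Date.UTC(2014, 4, 6)) }, // non-minimal
    { serial: encodeSerial(2n ** 159n - 1n), revocationDate: new Date(Date.UTC(2014, 4, 5)) },          // 20 octets
  ];
}
```

A lookup like this is only one half of the check: before trusting the answer, the CRL's own signature must be verified against the issuer's certificate and the CRL must be current (`thisUpdate`/`nextUpdate`), otherwise an attacker who can serve a stale or forged CRL can "un-revoke" a certificate.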
And now a few of the things that can be built with PKIjs + ASN1js:
- A certification authority written entirely in JavaScript;
- An OCSP responder written entirely in JavaScript;
- A TSP server written entirely in JavaScript;
- OCSP and TSP clients written entirely in JavaScript;
- A cryptographic "workbench" like CryptoARM, entirely in JavaScript;
- Tools for working with S/MIME;
- A CAdES library;
- Various support libraries for digital signatures of documents on web pages;
- And much more!
For questions about these libraries you can contact me directly as the author. Once again, the repositories for the libraries:
- ASN1js
- PKIjs
I am open to all comments and suggestions.
PS: Added on 05/07/2014: I had forgotten to include the information on CMS Signed Data and CMS Enveloped Data; corrected.