node-webcrypto-p11 get certificate and CSR id from algorithm object

Nov 01 '22 13:11 MhmodTayel

@MhmodTayel could you describe for which task you need the id field?

Nov 02 '22 09:11 microshine

@microshine There was a problem with the id value for cases when key pairs were generated by another application like graphene-pk11 with a specific id value and this module imports the certificate with auto-generated id value so I need the id filed to set the certificate id with the same id as key pairs

Nov 03 '22 08:11 MhmodTayel

@MhmodTayel thank you. I understand your problem

Here is the simple script where I'm trying to generate a key pair with a custom ID and use it for X509 certificate generation. But it doesn't work 😊. Because it uses node-webcrypto-p11 from NPM.

import { Crypto, Pkcs11ImportAlgorithms } from "node-webcrypto-p11";
import * as x509 from "@peculiar/x509";

async function main() {
  const crypto = new Crypto({
    library: "/usr/local/lib/softhsm/libsofthsm2.so",
    slot: 0,
    pin: "12345",
    readWrite: true,
  });
  try {
    await crypto.keyStorage.clear();
    await crypto.certStorage.clear();

    const alg = {
      name: "RSASSA-PKCS1-v1_5",
      hash: "SHA-256",
      publicExponent: new Uint8Array([1, 0, 1]),
      modulusLength: 2048,
    };
    // custom id
    const id = "0102030405";

    // generate RSA key pair and custom ID
    const keys = await crypto.subtle.generateKey({ ...alg, id } as RsaHashedKeyGenParams, false, ["sign", "verify"]);

    // generate self-signed certificate
    const x509Cert = await x509.X509CertificateGenerator.createSelfSigned({
      serialNumber: "01",
      notBefore: new Date(Date.now()),
      notAfter: new Date(Date.now() + (24 * 60 * 60 * 1000)),
      name: "CN=Test",
      keys,
      signingAlgorithm: alg,
    }, crypto);
    console.log(x509Cert.toString("pem"));

    // import PEM certificate
    const cert = await crypto.certStorage.importCert("pem", x509Cert.toString("pem"), { ...alg, id } as Pkcs11ImportAlgorithms, ["sign", "verify"]);

    // add keys and cert into the token
    const privateKeyIndex = await crypto.keyStorage.setItem(keys.privateKey);
    const certificateIndex = await crypto.certStorage.setItem(cert);

    // receive ID information
    console.log("private key index: %s", privateKeyIndex);
    const tokenPrivateKey = await crypto.keyStorage.getItem(privateKeyIndex);
    console.log("private key CKA_ID: %s", tokenPrivateKey.p11Object.id.toString("hex"));
    console.log("certificate index: %s", certificateIndex);
    const tokenCertificate = await crypto.certStorage.getItem(certificateIndex);
    console.log("certificate CKA_ID: %s", (tokenCertificate as any).p11Object.id.toString("hex"));
  } finally {
    crypto.close();
  }
}

main().catch(e => {
  console.error(e);
  process.exit(1);
});

Output

I think app should support:

using custom ID value for generateKey, importKey, deriveKey, and unwrapKey methods
the importCert method should use ID value if it presents in algorithm object, if it doesn't, try to find the existing key (which belongs to the certificate) and use its ID, otherwise compute ID from the public key (like it does)

What do you think?

Nov 03 '22 09:11 microshine

@MhmodTayel could you add test for your task?

Nov 03 '22 09:11 microshine

node-webcrypto-p11 node-webcrypto-p11 copied to clipboard

get certificate and CSR id from algorithm object

node-webcrypto-p11
node-webcrypto-p11 copied to clipboard