
Example for validating a certificate chain #24

Open
csuermann opened this issue Jun 23, 2022 · 5 comments

@csuermann
@peculiar/x509 is an easy-to-use TypeScript/JavaScript library based on @peculiar/asn1-schema that makes generating X.509 Certificates and Certificate Requests as well as validating certificate chains easy.

I would like to check whether a given X.509 certificate has been signed by a known root certificate (CA). Can this library be used for that?

@rmhrisk

rmhrisk commented Jun 23, 2022

@microshine
Contributor

The current version doesn't check certificate revocation.

You can use the current API for path building, and check by yourself that the last cert in the chain is trusted:

import * as x509 from "@peculiar/x509";

// `certs` holds the candidate issuer certificates; `cert` is the certificate to start from.
const chain = new x509.X509ChainBuilder({
  certificates: certs,
});
const items = await chain.build(cert);

We are going to extend the current API for chain validation as described in RFC 5280.

@OR13

OR13 commented Jul 16, 2023

Could use some better examples of this, ideally a simple 2 layer example.

@microshine
Contributor

Example

import * as x509 from "@peculiar/x509";

// Read certificates
const rootCert = new x509.X509Certificate(rootRaw);
const ca1Cert = new x509.X509Certificate(ca1Raw);
const ca2Cert = new x509.X509Certificate(ca2Raw);
const ca3Cert = new x509.X509Certificate(ca3Raw);
// ...
const leafCert = new x509.X509Certificate(leafRaw);

// Build chain
const certificates = [ca3Cert, ca2Cert, ca1Cert, /* ... */, rootCert];
const chain = new x509.X509ChainBuilder({
  certificates,
});
const items = await chain.build(leafCert);

// Print chain
for (const cert of items) {
  console.log(cert.subject);
}
console.log(items.toString("pem-chain"));

Output

CN=Client #1
CN=Intermediate CA #1.1.1
CN=Intermediate CA #1.1
CN=Intermediate CA #1
CN=Root CA


@OR13

OR13 commented Jul 17, 2023

Thank you!

I was able to figure it out after I left this comment, but your code is probably better for future readers than mine would have been.

I suggest closing this issue.
