mirrors/CyberChef
1
0
Fork 0
mirror of https://github.com/gchq/CyberChef.git synced 2025-04-22 15:56:16 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions
CyberChef/src/core/operations/ParseCSR.mjs
Robin Sandhu fe9f4fa7a9
Fix linting errors
2024-06-12 19:00:35 +01:00

390 lines
13 KiB
JavaScript
Raw Blame History

/**
* @author jkataja
* @copyright Crown Copyright 2023
* @license Apache-2.0
*/
import r from "jsrsasign";
import Operation from "../Operation.mjs";
import { formatDnObj } from "../lib/PublicKey.mjs";
import Utils from "../Utils.mjs";
/**
* Parse CSR operation
*/
class ParseCSR extends Operation {
/**
* ParseCSR constructor
*/
constructor() {
super();
this.name = "Parse CSR";
this.module = "PublicKey";
this.description = "Parse Certificate Signing Request (CSR) for an X.509 certificate";
this.infoURL = "https://wikipedia.org/wiki/Certificate_signing_request";
this.inputType = "string";
this.outputType = "string";
this.args = [
{
"name": "Input format",
"type": "option",
"value": ["PEM"]
}
];
this.checks = [
{
"pattern": "^-+BEGIN CERTIFICATE REQUEST-+\\r?\\n[\\da-z+/\\n\\r]+-+END CERTIFICATE REQUEST-+\\r?\\n?$",
"flags": "i",
"args": ["PEM"]
}
];
}
/**
* @param {string} input
* @param {Object[]} args
* @returns {string} Human-readable description of a Certificate Signing Request (CSR).
*/
run(input, args) {
if (!input.length) {
return "No input";
}
// Parse the CSR into JSON parameters
const csrParam = new r.KJUR.asn1.csr.CSRUtil.getParam(input);
return `Subject\n${formatDnObj(csrParam.subject, 2)}
Public Key${formatSubjectPublicKey(csrParam.sbjpubkey)}
Signature${formatSignature(csrParam.sigalg, csrParam.sighex)}
Requested Extensions${formatRequestedExtensions(csrParam)}`;
}
}
/**
* Format signature of a CSR
* @param {*} sigAlg string
* @param {*} sigHex string
* @returns Multi-line string describing CSR Signature
*/
function formatSignature(sigAlg, sigHex) {
let out = `\n`;
out += ` Algorithm: ${sigAlg}\n`;
if (new RegExp("withdsa", "i").test(sigAlg)) {
const d = new r.KJUR.crypto.DSA();
const sigParam = d.parseASN1Signature(sigHex);
out += ` Signature:
R: ${formatHexOntoMultiLine(absBigIntToHex(sigParam[0]))}
S: ${formatHexOntoMultiLine(absBigIntToHex(sigParam[1]))}\n`;
} else if (new RegExp("withrsa", "i").test(sigAlg)) {
out += ` Signature: ${formatHexOntoMultiLine(sigHex)}\n`;
} else {
out += ` Signature: ${formatHexOntoMultiLine(ensureHexIsPositiveInTwosComplement(sigHex))}\n`;
}
return chop(out);
}
/**
* Format Subject Public Key from PEM encoded public key string
* @param {*} publicKeyPEM string
* @returns Multi-line string describing Subject Public Key Info
*/
function formatSubjectPublicKey(publicKeyPEM) {
let out = "\n";
const publicKey = r.KEYUTIL.getKey(publicKeyPEM);
if (publicKey instanceof r.RSAKey) {
out += ` Algorithm: RSA
Length: ${publicKey.n.bitLength()} bits
Modulus: ${formatHexOntoMultiLine(absBigIntToHex(publicKey.n))}
Exponent: ${publicKey.e} (0x${Utils.hex(publicKey.e)})\n`;
} else if (publicKey instanceof r.KJUR.crypto.ECDSA) {
out += ` Algorithm: ECDSA
Length: ${publicKey.ecparams.keylen} bits
Pub: ${formatHexOntoMultiLine(publicKey.pubKeyHex)}
ASN1 OID: ${r.KJUR.crypto.ECDSA.getName(publicKey.getShortNISTPCurveName())}
NIST CURVE: ${publicKey.getShortNISTPCurveName()}\n`;
} else if (publicKey instanceof r.KJUR.crypto.DSA) {
out += ` Algorithm: DSA
Length: ${publicKey.p.toString(16).length * 4} bits
Pub: ${formatHexOntoMultiLine(absBigIntToHex(publicKey.y))}
P: ${formatHexOntoMultiLine(absBigIntToHex(publicKey.p))}
Q: ${formatHexOntoMultiLine(absBigIntToHex(publicKey.q))}
G: ${formatHexOntoMultiLine(absBigIntToHex(publicKey.g))}\n`;
} else {
out += `unsupported public key algorithm\n`;
}
return chop(out);
}
/**
* Format known extensions of a CSR
* @param {*} csrParam object
* @returns Multi-line string describing CSR Requested Extensions
*/
function formatRequestedExtensions(csrParam) {
const formattedExtensions = new Array(4).fill("");
if (Object.hasOwn(csrParam, "extreq")) {
for (const extension of csrParam.extreq) {
let parts = [];
switch (extension.extname) {
case "basicConstraints" :
parts = describeBasicConstraints(extension);
formattedExtensions[0] = ` Basic Constraints:${formatExtensionCriticalTag(extension)}\n${indent(4, parts)}`;
break;
case "keyUsage" :
parts = describeKeyUsage(extension);
formattedExtensions[1] = ` Key Usage:${formatExtensionCriticalTag(extension)}\n${indent(4, parts)}`;
break;
case "extKeyUsage" :
parts = describeExtendedKeyUsage(extension);
formattedExtensions[2] = ` Extended Key Usage:${formatExtensionCriticalTag(extension)}\n${indent(4, parts)}`;
break;
case "subjectAltName" :
parts = describeSubjectAlternativeName(extension);
formattedExtensions[3] = ` Subject Alternative Name:${formatExtensionCriticalTag(extension)}\n${indent(4, parts)}`;
break;
default :
parts = ["(unsuported extension)"];
formattedExtensions.push(` ${extension.extname}:${formatExtensionCriticalTag(extension)}\n${indent(4, parts)}`);
}
}
}
let out = "\n";
formattedExtensions.forEach((formattedExtension) => {
if (formattedExtension !== undefined && formattedExtension !== null && formattedExtension.length !== 0) {
out += formattedExtension;
}
});
return chop(out);
}
/**
* Format extension critical tag
* @param {*} extension Object
* @returns String describing whether the extension is critical or not
*/
function formatExtensionCriticalTag(extension) {
return Object.hasOwn(extension, "critical") && extension.critical ? " critical" : "";
}
/**
* Format string input as a comma separated hex string on multiple lines
* @param {*} hex String
* @returns Multi-line string describing the Hex input
*/
function formatHexOntoMultiLine(hex) {
if (hex.length % 2 !== 0) {
hex = "0" + hex;
}
return formatMultiLine(chop(hex.replace(/(..)/g, "$&:")));
}
/**
* Convert BigInt to abs value in Hex
* @param {*} int BigInt
* @returns String representing absolute value in Hex
*/
function absBigIntToHex(int) {
int = int < 0n ? -int : int;
return ensureHexIsPositiveInTwosComplement(int.toString(16));
}
/**
* Ensure Hex String remains positive in 2's complement
* @param {*} hex String
* @returns Hex String ensuring value remains positive in 2's complement
*/
function ensureHexIsPositiveInTwosComplement(hex) {
if (hex.length % 2 !== 0) {
return "0" + hex;
}
// prepend 00 if most significant bit is 1 (sign bit)
if (hex.length >=2 && (parseInt(hex.substring(0, 2), 16) & 128)) {
hex = "00" + hex;
}
return hex;
}
/**
* Format string onto multiple lines
* @param {*} longStr
* @returns String as a multi-line string
*/
function formatMultiLine(longStr) {
const lines = [];
for (let remain = longStr ; remain !== "" ; remain = remain.substring(48)) {
lines.push(remain.substring(0, 48));
}
return lines.join("\n ");
}
/**
* Describe Basic Constraints
* @see RFC 5280 4.2.1.9. Basic Constraints https://www.ietf.org/rfc/rfc5280.txt
* @param {*} extension CSR extension with the name `basicConstraints`
* @returns Array of strings describing Basic Constraints
*/
function describeBasicConstraints(extension) {
const constraints = [];
constraints.push(`CA = ${Object.hasOwn(extension, "cA") && extension.cA ? "true" : "false"}`);
if (Object.hasOwn(extension, "pathLen")) constraints.push(`PathLenConstraint = ${extension.pathLen}`);
return constraints;
}
/**
* Describe Key Usage extension permitted use cases
* @see RFC 5280 4.2.1.3. Key Usage https://www.ietf.org/rfc/rfc5280.txt
* @param {*} extension CSR extension with the name `keyUsage`
* @returns Array of strings describing Key Usage extension permitted use cases
*/
function describeKeyUsage(extension) {
const usage = [];
const kuIdentifierToName = {
digitalSignature: "Digital Signature",
nonRepudiation: "Non-repudiation",
keyEncipherment: "Key encipherment",
dataEncipherment: "Data encipherment",
keyAgreement: "Key agreement",
keyCertSign: "Key certificate signing",
cRLSign: "CRL signing",
encipherOnly: "Encipher Only",
decipherOnly: "Decipher Only",
};
if (Object.hasOwn(extension, "names")) {
extension.names.forEach((ku) => {
if (Object.hasOwn(kuIdentifierToName, ku)) {
usage.push(kuIdentifierToName[ku]);
} else {
usage.push(`unknown key usage (${ku})`);
}
});
}
if (usage.length === 0) usage.push("(none)");
return usage;
}
/**
* Describe Extended Key Usage extension permitted use cases
* @see RFC 5280 4.2.1.12. Extended Key Usage https://www.ietf.org/rfc/rfc5280.txt
* @param {*} extension CSR extension with the name `extendedKeyUsage`
* @returns Array of strings describing Extended Key Usage extension permitted use cases
*/
function describeExtendedKeyUsage(extension) {
const usage = [];
const ekuIdentifierToName = {
"serverAuth": "TLS Web Server Authentication",
"clientAuth": "TLS Web Client Authentication",
"codeSigning": "Code signing",
"emailProtection": "E-mail Protection (S/MIME)",
"timeStamping": "Trusted Timestamping",
"1.3.6.1.4.1.311.2.1.21": "Microsoft Individual Code Signing", // msCodeInd
"1.3.6.1.4.1.311.2.1.22": "Microsoft Commercial Code Signing", // msCodeCom
"1.3.6.1.4.1.311.10.3.1": "Microsoft Trust List Signing", // msCTLSign
"1.3.6.1.4.1.311.10.3.3": "Microsoft Server Gated Crypto", // msSGC
"1.3.6.1.4.1.311.10.3.4": "Microsoft Encrypted File System", // msEFS
"1.3.6.1.4.1.311.20.2.2": "Microsoft Smartcard Login", // msSmartcardLogin
"2.16.840.1.113730.4.1": "Netscape Server Gated Crypto", // nsSGC
};
if (Object.hasOwn(extension, "array")) {
extension.array.forEach((eku) => {
if (Object.hasOwn(ekuIdentifierToName, eku)) {
usage.push(ekuIdentifierToName[eku]);
} else {
usage.push(eku);
}
});
}
if (usage.length === 0) usage.push("(none)");
return usage;
}
/**
* Format Subject Alternative Names from the name `subjectAltName` extension
* @see RFC 5280 4.2.1.6. Subject Alternative Name https://www.ietf.org/rfc/rfc5280.txt
* @param {*} extension object
* @returns Array of strings describing Subject Alternative Name extension
*/
function describeSubjectAlternativeName(extension) {
const names = [];
if (Object.hasOwn(extension, "extname") && extension.extname === "subjectAltName") {
if (Object.hasOwn(extension, "array")) {
for (const altName of extension.array) {
Object.keys(altName).forEach((key) => {
switch (key) {
case "rfc822":
names.push(`EMAIL: ${altName[key]}`);
break;
case "dns":
names.push(`DNS: ${altName[key]}`);
break;
case "uri":
names.push(`URI: ${altName[key]}`);
break;
case "ip":
names.push(`IP: ${altName[key]}`);
break;
case "dn":
names.push(`DIR: ${altName[key].str}`);
break;
case "other" :
names.push(`Other: ${altName[key].oid}::${altName[key].value.utf8str.str}`);
break;
default:
names.push(`(unable to format SAN '${key}':${altName[key]})\n`);
}
});
}
}
}
return names;
}
/**
* Join an array of strings and add leading spaces to each line.
* @param {*} n How many leading spaces
* @param {*} parts Array of strings
* @returns Joined and indented string.
*/
function indent(n, parts) {
const fluff = " ".repeat(n);
return fluff + parts.join("\n" + fluff) + "\n";
}
/**
* Remove last character from a string.
* @param {*} s String
* @returns Chopped string.
*/
function chop(s) {
return s.substring(0, s.length - 1);
}
export default ParseCSR;
Reference in a new issue View git blame Copy permalink