var crypto = require('crypto');
var net = require('net');
var forge = require('node-forge');
/**
 * Distinguished-name attributes shared by the root CA and every leaf
 * certificate. Callers append their own `commonName` via `.concat`, so the
 * order here is the order the DN is emitted in.
 */
var defaultAttrs = [
  { name: 'countryName', value: 'CN' },
  { name: 'organizationName', value: 'AnyProxy' },
  { shortName: 'ST', value: 'SH' },
  { shortName: 'OU', value: 'AnyProxy SSL Proxy' },
];
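/**
 * Create an RSA key pair and a forge certificate shell that carries the
 * public key, a serial number and a +/-10 year validity window. The
 * certificate has no subject, issuer, extensions or signature yet; the
 * callers fill those in.
 *
 * @param {string} [serialNumber] hex-encoded serial; when omitted a random
 *   one is drawn from the OS CSPRNG
 * @param {number} [keySize=2048] RSA modulus size in bits
 * @returns {{keys: object, cert: object}} forge key pair and certificate
 */
function getKeysAndCert(serialNumber, keySize) {
  // 1024-bit RSA is below current minimums and is refused by modern TLS
  // clients; 2048 is the smallest size that is still broadly accepted.
  var bits = keySize || 2048;
  var keys = forge.pki.rsa.generateKeyPair(bits);
  var cert = forge.pki.createCertificate();
  cert.publicKey = keys.publicKey;

  var serial = serialNumber ? String(serialNumber) : '';
  if (serial === '') {
    // Math.random() is not a CSPRNG and 100000 values collide quickly;
    // 16 random bytes give a serial that is both unique and unpredictable.
    serial = crypto.randomBytes(16).toString('hex');
  }
  // forge encodes the serial as raw ASN.1 INTEGER bytes, so a set high bit
  // would make it negative, which RFC 5280 forbids and clients reject.
  // A leading zero byte keeps it positive; '00' already present means no-op.
  if (parseInt(serial.charAt(0), 16) >= 8) {
    serial = '00' + serial;
  }
  cert.serialNumber = serial;

  var now = Date.now();
  cert.validity.notBefore = new Date(now);
  cert.validity.notBefore.setFullYear(cert.validity.notBefore.getFullYear() - 10); // 10 years back
  cert.validity.notAfter = new Date(now);
  cert.validity.notAfter.setFullYear(cert.validity.notAfter.getFullYear() + 10); // 10 years ahead
  // NOTE(review): some clients cap the validity of leaf certificates well
  // below 10 years; consider a shorter window for the per-host certificates.
  return {
    keys: keys,
    cert: cert
  };
}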
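/**
 * Generate a self-signed root CA certificate together with its key pair.
 *
 * @returns {{privateKey: string, publicKey: string, certificate: string}}
 *   PEM-encoded private key, public key and certificate
 */
function generateRootCA() {
  var keysAndCert = getKeysAndCert();
  // `var` here: without it these leaked as implicit globals and were
  // overwritten by every concurrent call to generateCertsForHostname.
  var keys = keysAndCert.keys;
  var cert = keysAndCert.cert;

  var attrs = defaultAttrs.concat([
    { name: 'commonName', value: 'AnyProxy' }
  ]);
  cert.setSubject(attrs);
  cert.setIssuer(attrs); // self-signed: issuer equals subject
  cert.setExtensions([
    // RFC 5280 requires basicConstraints on a CA to be critical.
    { name: 'basicConstraints', cA: true, critical: true },
    // Restrict the CA key to what a CA key is for; it must not double as a
    // TLS server key.
    { name: 'keyUsage', keyCertSign: true, cRLSign: true, critical: true },
    // Lets verifiers chain leaf certificates back to this key.
    { name: 'subjectKeyIdentifier' }
  ]);
  cert.sign(keys.privateKey, forge.md.sha256.create());
  return {
    privateKey: forge.pki.privateKeyToPem(keys.privateKey),
    publicKey: forge.pki.publicKeyToPem(keys.publicKey),
    certificate: forge.pki.certificateToPem(cert)
  };
}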
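/**
 * Issue a leaf certificate for `domain`, signed by the root CA supplied in
 * `rootCAConfig`.
 *
 * @param {string} domain hostname or IP literal the certificate is for
 * @param {{cert: string, key: string}} rootCAConfig PEM-encoded root
 *   certificate and root private key
 * @returns {{privateKey: string, publicKey: string, certificate: string}}
 *   PEM-encoded private key, public key and certificate
 * @throws {Error} when forge cannot parse the CA PEM strings
 */
function generateCertsForHostname(domain, rootCAConfig) {
  // The serial is derived from the domain so re-issuing for the same host
  // yields the same serial. (MD5 is fine here: the serial is an identifier,
  // not a security value.)
  var md = forge.md.md5.create();
  md.update(domain);
  var serial = md.digest().toHex();
  // forge writes the serial as raw INTEGER bytes; a digest whose first bit is
  // set would become a negative serial, which RFC 5280 forbids and clients
  // reject. A leading zero byte keeps it positive.
  if (parseInt(serial.charAt(0), 16) >= 8) {
    serial = '00' + serial;
  }

  var keysAndCert = getKeysAndCert(serial);
  // `var` here: without it these leaked as implicit globals shared across calls.
  var keys = keysAndCert.keys;
  var cert = keysAndCert.cert;

  var caCert = forge.pki.certificateFromPem(rootCAConfig.cert);
  var caKey = forge.pki.privateKeyFromPem(rootCAConfig.key);
  // issuer from CA
  cert.setIssuer(caCert.subject.attributes);
  cert.setSubject(defaultAttrs.concat([
    { name: 'commonName', value: domain }
  ]));

  // Modern clients match the host against subjectAltName and ignore CN;
  // an IP literal must be carried as an IP (type 7) entry, not a DNS name.
  var altName = net.isIP(domain)
    ? { type: 7, ip: domain }
    : { type: 2, value: domain };
  cert.setExtensions([
    { name: 'basicConstraints', cA: false },
    { name: 'keyUsage', digitalSignature: true, keyEncipherment: true },
    { name: 'extKeyUsage', serverAuth: true },
    { name: 'subjectAltName', altNames: [altName] }
  ]);
  cert.sign(caKey, forge.md.sha256.create());
  return {
    privateKey: forge.pki.privateKeyToPem(keys.privateKey),
    publicKey: forge.pki.publicKeyToPem(keys.publicKey),
    certificate: forge.pki.certificateToPem(cert)
  };
}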
// Public API: a one-time root CA generator and a per-host leaf issuer.
Object.assign(module.exports, {
  generateRootCA: generateRootCA,
  generateCertsForHostname: generateCertsForHostname
});