invoke node-forge to generator certs

2025-08-04 21:39:04 +00:00 · 2016-05-02 00:18:35 +08:00
parent 424be80b8e
commit e0ecd528cb
7 changed files with 146 additions and 147 deletions
--- a/lib/certGenerator.js
+++ b/lib/certGenerator.js
@@ -0,0 +1,85 @@
+var forge = require('node-forge');
+
+var defaultAttrs = [
+    { name: 'countryName', value: 'CN' },
+    { name: 'organizationName', value: 'AnyProxy' },
+    { shortName: 'ST', value: 'SH' },
+    { shortName: 'OU', value: 'AnyProxy SSL Proxy'}
+];
+
+function getKeysAndCert(){
+  var keys = forge.pki.rsa.generateKeyPair(1024);
+  var cert = forge.pki.createCertificate();
+  cert.publicKey = keys.publicKey;
+  cert.serialNumber = '01';
+  cert.validity.notBefore = new Date();
+  cert.validity.notAfter = new Date();
+  cert.validity.notAfter.setFullYear(cert.validity.notBefore.getFullYear() + 10); // 10 years
+  return {
+    keys: keys,
+    cert: cert
+  };
+}
+
+function generateRootCA(){
+  var keysAndCert = getKeysAndCert();
+  keys = keysAndCert.keys;
+  cert = keysAndCert.cert;
+
+  var attrs = defaultAttrs.concat([
+    {
+      name: 'commonName',
+      value: 'AnyProxy'
+    }
+  ]);
+  cert.setSubject(attrs);
+  cert.setIssuer(attrs);
+  cert.setExtensions([
+    { name: 'basicConstraints', cA: true },
+    { name: 'keyUsage', keyCertSign: true, digitalSignature: true, nonRepudiation: true, keyEncipherment: true, dataEncipherment: true },
+    { name: 'extKeyUsage', serverAuth: true, clientAuth: true, codeSigning: true, emailProtection: true, timeStamping: true },
+    { name: 'nsCertType', client: true, server: true, email: true, objsign: true, sslCA: true, emailCA: true, objCA: true },
+    { name: 'subjectAltName', altNames: [ { type: 6, /* URI */ value: 'http://example.org/webid#me' }, { type: 7, /* IP */ ip: '127.0.0.1' } ] },
+    { name: 'subjectKeyIdentifier' }
+  ]);
+
+  cert.sign(keys.privateKey, forge.md.sha256.create());
+
+  return {
+    privateKey: forge.pki.privateKeyToPem(keys.privateKey),
+    publicKey: forge.pki.publicKeyToPem(keys.publicKey),
+    certificate: forge.pki.certificateToPem(cert)
+  };
+
+  return pem;
+}
+
+function generateCertsForHostname(domain, rootCAConfig){
+  var keysAndCert = getKeysAndCert();
+  keys = keysAndCert.keys;
+  cert = keysAndCert.cert;
+
+  var caCert    = forge.pki.certificateFromPem(rootCAConfig.cert)
+  var caKey     = forge.pki.privateKeyFromPem(rootCAConfig.key)
+
+  // issuer from CA
+  cert.setIssuer(caCert.subject.attributes)
+
+  var attrs = defaultAttrs.concat([
+    {
+      name: 'commonName',
+      value: domain
+    }
+  ]);
+  cert.setSubject(attrs);
+  cert.sign(caKey, forge.md.sha256.create());
+
+  return {
+    privateKey: forge.pki.privateKeyToPem(keys.privateKey),
+    publicKey: forge.pki.publicKeyToPem(keys.publicKey),
+    certificate: forge.pki.certificateToPem(cert)
+  };
+}
+
+module.exports.generateRootCA = generateRootCA;
+module.exports.generateCertsForHostname = generateCertsForHostname;