// Copyright 2017 Joyent, Inc.

module.exports = {

read: read,
verify: verify,
sign: sign,
signAsync: signAsync,
write: write

};

var assert = require('assert-plus'); var asn1 = require('asn1'); var Buffer = require('safer-buffer').Buffer; var algs = require('../algs'); var utils = require('../utils'); var Key = require('../key'); var PrivateKey = require('../private-key'); var pem = require('./pem'); var Identity = require('../identity'); var Signature = require('../signature'); var Certificate = require('../certificate'); var pkcs8 = require('./pkcs8');

/*

* This file is based on RFC5280 (X.509).
*/

/* Helper to read in a single mpint */ function readMPInt(der, nm) {

assert.strictEqual(der.peek(), asn1.Ber.Integer,
    nm + ' is not an Integer');
return (utils.mpNormalize(der.readString(asn1.Ber.Integer, true)));

}

function verify(cert, key) {

var sig = cert.signatures.x509;
assert.object(sig, 'x509 signature');

var algParts = sig.algo.split('-');
if (algParts[0] !== key.type)
        return (false);

var blob = sig.cache;
if (blob === undefined) {
        var der = new asn1.BerWriter();
        writeTBSCert(cert, der);
        blob = der.buffer;
}

var verifier = key.createVerify(algParts[1]);
verifier.write(blob);
return (verifier.verify(sig.signature));

}

function Local(i) {

return (asn1.Ber.Context | asn1.Ber.Constructor | i);

}

function Context(i) {

return (asn1.Ber.Context | i);

}

var SIGN_ALGS = {

'rsa-md5': '1.2.840.113549.1.1.4',
'rsa-sha1': '1.2.840.113549.1.1.5',
'rsa-sha256': '1.2.840.113549.1.1.11',
'rsa-sha384': '1.2.840.113549.1.1.12',
'rsa-sha512': '1.2.840.113549.1.1.13',
'dsa-sha1': '1.2.840.10040.4.3',
'dsa-sha256': '2.16.840.1.101.3.4.3.2',
'ecdsa-sha1': '1.2.840.10045.4.1',
'ecdsa-sha256': '1.2.840.10045.4.3.2',
'ecdsa-sha384': '1.2.840.10045.4.3.3',
'ecdsa-sha512': '1.2.840.10045.4.3.4',
'ed25519-sha512': '1.3.101.112'

}; Object.keys(SIGN_ALGS).forEach(function (k) {

SIGN_ALGS[SIGN_ALGS[k]] = k;

}); SIGN_ALGS = 'rsa-md5'; SIGN_ALGS = 'rsa-sha1';

var EXTS = {

'issuerKeyId': '2.5.29.35',
'altName': '2.5.29.17',
'basicConstraints': '2.5.29.19',
'keyUsage': '2.5.29.15',
'extKeyUsage': '2.5.29.37'

};

function read(buf, options) {

if (typeof (buf) === 'string') {
        buf = Buffer.from(buf, 'binary');
}
assert.buffer(buf, 'buf');

var der = new asn1.BerReader(buf);

der.readSequence();
if (Math.abs(der.length - der.remain) > 1) {
        throw (new Error('DER sequence does not contain whole byte ' +
            'stream'));
}

var tbsStart = der.offset;
der.readSequence();
var sigOffset = der.offset + der.length;
var tbsEnd = sigOffset;

if (der.peek() === Local(0)) {
        der.readSequence(Local(0));
        var version = der.readInt();
        assert.ok(version <= 3,
            'only x.509 versions up to v3 supported');
}

var cert = {};
cert.signatures = {};
var sig = (cert.signatures.x509 = {});
sig.extras = {};

cert.serial = readMPInt(der, 'serial');

der.readSequence();
var after = der.offset + der.length;
var certAlgOid = der.readOID();
var certAlg = SIGN_ALGS[certAlgOid];
if (certAlg === undefined)
        throw (new Error('unknown signature algorithm ' + certAlgOid));

der._offset = after;
cert.issuer = Identity.parseAsn1(der);

der.readSequence();
cert.validFrom = readDate(der);
cert.validUntil = readDate(der);

cert.subjects = [Identity.parseAsn1(der)];

der.readSequence();
after = der.offset + der.length;
cert.subjectKey = pkcs8.readPkcs8(undefined, 'public', der);
der._offset = after;

/* issuerUniqueID */
if (der.peek() === Local(1)) {
        der.readSequence(Local(1));
        sig.extras.issuerUniqueID =
            buf.slice(der.offset, der.offset + der.length);
        der._offset += der.length;
}

/* subjectUniqueID */
if (der.peek() === Local(2)) {
        der.readSequence(Local(2));
        sig.extras.subjectUniqueID =
            buf.slice(der.offset, der.offset + der.length);
        der._offset += der.length;
}

/* extensions */
if (der.peek() === Local(3)) {
        der.readSequence(Local(3));
        var extEnd = der.offset + der.length;
        der.readSequence();

        while (der.offset < extEnd)
                readExtension(cert, buf, der);

        assert.strictEqual(der.offset, extEnd);
}

assert.strictEqual(der.offset, sigOffset);

der.readSequence();
after = der.offset + der.length;
var sigAlgOid = der.readOID();
var sigAlg = SIGN_ALGS[sigAlgOid];
if (sigAlg === undefined)
        throw (new Error('unknown signature algorithm ' + sigAlgOid));
der._offset = after;

var sigData = der.readString(asn1.Ber.BitString, true);
if (sigData[0] === 0)
        sigData = sigData.slice(1);
var algParts = sigAlg.split('-');

sig.signature = Signature.parse(sigData, algParts[0], 'asn1');
sig.signature.hashAlgorithm = algParts[1];
sig.algo = sigAlg;
sig.cache = buf.slice(tbsStart, tbsEnd);

return (new Certificate(cert));

}

function readDate(der) {

if (der.peek() === asn1.Ber.UTCTime) {
        return (utcTimeToDate(der.readString(asn1.Ber.UTCTime)));
} else if (der.peek() === asn1.Ber.GeneralizedTime) {
        return (gTimeToDate(der.readString(asn1.Ber.GeneralizedTime)));
} else {
        throw (new Error('Unsupported date format'));
}

}

function writeDate(der, date) {

if (date.getUTCFullYear() >= 2050 || date.getUTCFullYear() < 1950) {
        der.writeString(dateToGTime(date), asn1.Ber.GeneralizedTime);
} else {
        der.writeString(dateToUTCTime(date), asn1.Ber.UTCTime);
}

}

/* RFC5280, section 4.2.1.6 (GeneralName type) */ var ALTNAME = {

OtherName: Local(0),
RFC822Name: Context(1),
DNSName: Context(2),
X400Address: Local(3),
DirectoryName: Local(4),
EDIPartyName: Local(5),
URI: Context(6),
IPAddress: Context(7),
OID: Context(8)

};

/* RFC5280, section 4.2.1.12 (KeyPurposeId) */ var EXTPURPOSE = {

'serverAuth': '1.3.6.1.5.5.7.3.1',
'clientAuth': '1.3.6.1.5.5.7.3.2',
'codeSigning': '1.3.6.1.5.5.7.3.3',

/* See https://github.com/joyent/oid-docs/blob/master/root.md */
'joyentDocker': '1.3.6.1.4.1.38678.1.4.1',
'joyentCmon': '1.3.6.1.4.1.38678.1.4.2'

}; var EXTPURPOSE_REV = {}; Object.keys(EXTPURPOSE).forEach(function (k) {

EXTPURPOSE_REV[EXTPURPOSE[k]] = k;

});

var KEYUSEBITS = [

'signature', 'identity', 'keyEncryption',
'encryption', 'keyAgreement', 'ca', 'crl'

];

function readExtension(cert, buf, der) {

der.readSequence();
var after = der.offset + der.length;
var extId = der.readOID();
var id;
var sig = cert.signatures.x509;
if (!sig.extras.exts)
        sig.extras.exts = [];

var critical;
if (der.peek() === asn1.Ber.Boolean)
        critical = der.readBoolean();

switch (extId) {
case (EXTS.basicConstraints):
        der.readSequence(asn1.Ber.OctetString);
        der.readSequence();
        var bcEnd = der.offset + der.length;
        var ca = false;
        if (der.peek() === asn1.Ber.Boolean)
                ca = der.readBoolean();
        if (cert.purposes === undefined)
                cert.purposes = [];
        if (ca === true)
                cert.purposes.push('ca');
        var bc = { oid: extId, critical: critical };
        if (der.offset < bcEnd && der.peek() === asn1.Ber.Integer)
                bc.pathLen = der.readInt();
        sig.extras.exts.push(bc);
        break;
case (EXTS.extKeyUsage):
        der.readSequence(asn1.Ber.OctetString);
        der.readSequence();
        if (cert.purposes === undefined)
                cert.purposes = [];
        var ekEnd = der.offset + der.length;
        while (der.offset < ekEnd) {
                var oid = der.readOID();
                cert.purposes.push(EXTPURPOSE_REV[oid] || oid);
        }
        /*
         * This is a bit of a hack: in the case where we have a cert
         * that's only allowed to do serverAuth or clientAuth (and not
         * the other), we want to make sure all our Subjects are of
         * the right type. But we already parsed our Subjects and
         * decided if they were hosts or users earlier (since it appears
         * first in the cert).
         *
         * So we go through and mutate them into the right kind here if
         * it doesn't match. This might not be hugely beneficial, as it
         * seems that single-purpose certs are not often seen in the
         * wild.
         */
        if (cert.purposes.indexOf('serverAuth') !== -1 &&
            cert.purposes.indexOf('clientAuth') === -1) {
                cert.subjects.forEach(function (ide) {
                        if (ide.type !== 'host') {
                                ide.type = 'host';
                                ide.hostname = ide.uid ||
                                    ide.email ||
                                    ide.components[0].value;
                        }
                });
        } else if (cert.purposes.indexOf('clientAuth') !== -1 &&
            cert.purposes.indexOf('serverAuth') === -1) {
                cert.subjects.forEach(function (ide) {
                        if (ide.type !== 'user') {
                                ide.type = 'user';
                                ide.uid = ide.hostname ||
                                    ide.email ||
                                    ide.components[0].value;
                        }
                });
        }
        sig.extras.exts.push({ oid: extId, critical: critical });
        break;
case (EXTS.keyUsage):
        der.readSequence(asn1.Ber.OctetString);
        var bits = der.readString(asn1.Ber.BitString, true);
        var setBits = readBitField(bits, KEYUSEBITS);
        setBits.forEach(function (bit) {
                if (cert.purposes === undefined)
                        cert.purposes = [];
                if (cert.purposes.indexOf(bit) === -1)
                        cert.purposes.push(bit);
        });
        sig.extras.exts.push({ oid: extId, critical: critical,
            bits: bits });
        break;
case (EXTS.altName):
        der.readSequence(asn1.Ber.OctetString);
        der.readSequence();
        var aeEnd = der.offset + der.length;
        while (der.offset < aeEnd) {
                switch (der.peek()) {
                case ALTNAME.OtherName:
                case ALTNAME.EDIPartyName:
                        der.readSequence();
                        der._offset += der.length;
                        break;
                case ALTNAME.OID:
                        der.readOID(ALTNAME.OID);
                        break;
                case ALTNAME.RFC822Name:
                        /* RFC822 specifies email addresses */
                        var email = der.readString(ALTNAME.RFC822Name);
                        id = Identity.forEmail(email);
                        if (!cert.subjects[0].equals(id))
                                cert.subjects.push(id);
                        break;
                case ALTNAME.DirectoryName:
                        der.readSequence(ALTNAME.DirectoryName);
                        id = Identity.parseAsn1(der);
                        if (!cert.subjects[0].equals(id))
                                cert.subjects.push(id);
                        break;
                case ALTNAME.DNSName:
                        var host = der.readString(
                            ALTNAME.DNSName);
                        id = Identity.forHost(host);
                        if (!cert.subjects[0].equals(id))
                                cert.subjects.push(id);
                        break;
                default:
                        der.readString(der.peek());
                        break;
                }
        }
        sig.extras.exts.push({ oid: extId, critical: critical });
        break;
default:
        sig.extras.exts.push({
                oid: extId,
                critical: critical,
                data: der.readString(asn1.Ber.OctetString, true)
        });
        break;
}

der._offset = after;

}

var UTCTIME_RE =

/^([0-9]{2})([0-9]{2})([0-9]{2})([0-9]{2})([0-9]{2})([0-9]{2})?Z$/;

function utcTimeToDate(t) {

var m = t.match(UTCTIME_RE);
assert.ok(m, 'timestamps must be in UTC');
var d = new Date();

var thisYear = d.getUTCFullYear();
var century = Math.floor(thisYear / 100) * 100;

var year = parseInt(m[1], 10);
if (thisYear % 100 < 50 && year >= 60)
        year += (century - 1);
else
        year += century;
d.setUTCFullYear(year, parseInt(m[2], 10) - 1, parseInt(m[3], 10));
d.setUTCHours(parseInt(m[4], 10), parseInt(m[5], 10));
if (m[6] && m[6].length > 0)
        d.setUTCSeconds(parseInt(m[6], 10));
return (d);

}

var GTIME_RE =

/^([0-9]{4})([0-9]{2})([0-9]{2})([0-9]{2})([0-9]{2})([0-9]{2})?Z$/;

function gTimeToDate(t) {

var m = t.match(GTIME_RE);
assert.ok(m);
var d = new Date();

d.setUTCFullYear(parseInt(m[1], 10), parseInt(m[2], 10) - 1,
    parseInt(m[3], 10));
d.setUTCHours(parseInt(m[4], 10), parseInt(m[5], 10));
if (m[6] && m[6].length > 0)
        d.setUTCSeconds(parseInt(m[6], 10));
return (d);

}

function zeroPad(n, m) {

if (m === undefined)
        m = 2;
var s = '' + n;
while (s.length < m)
        s = '0' + s;
return (s);

}

function dateToUTCTime(d) {

var s = '';
s += zeroPad(d.getUTCFullYear() % 100);
s += zeroPad(d.getUTCMonth() + 1);
s += zeroPad(d.getUTCDate());
s += zeroPad(d.getUTCHours());
s += zeroPad(d.getUTCMinutes());
s += zeroPad(d.getUTCSeconds());
s += 'Z';
return (s);

}

function dateToGTime(d) {

var s = '';
s += zeroPad(d.getUTCFullYear(), 4);
s += zeroPad(d.getUTCMonth() + 1);
s += zeroPad(d.getUTCDate());
s += zeroPad(d.getUTCHours());
s += zeroPad(d.getUTCMinutes());
s += zeroPad(d.getUTCSeconds());
s += 'Z';
return (s);

}

function sign(cert, key) {

if (cert.signatures.x509 === undefined)
        cert.signatures.x509 = {};
var sig = cert.signatures.x509;

sig.algo = key.type + '-' + key.defaultHashAlgorithm();
if (SIGN_ALGS[sig.algo] === undefined)
        return (false);

var der = new asn1.BerWriter();
writeTBSCert(cert, der);
var blob = der.buffer;
sig.cache = blob;

var signer = key.createSign();
signer.write(blob);
cert.signatures.x509.signature = signer.sign();

return (true);

}

function signAsync(cert, signer, done) {

if (cert.signatures.x509 === undefined)
        cert.signatures.x509 = {};
var sig = cert.signatures.x509;

var der = new asn1.BerWriter();
writeTBSCert(cert, der);
var blob = der.buffer;
sig.cache = blob;

signer(blob, function (err, signature) {
        if (err) {
                done(err);
                return;
        }
        sig.algo = signature.type + '-' + signature.hashAlgorithm;
        if (SIGN_ALGS[sig.algo] === undefined) {
                done(new Error('Invalid signing algorithm "' +
                    sig.algo + '"'));
                return;
        }
        sig.signature = signature;
        done();
});

}

function write(cert, options) {

var sig = cert.signatures.x509;
assert.object(sig, 'x509 signature');

var der = new asn1.BerWriter();
der.startSequence();
if (sig.cache) {
        der._ensure(sig.cache.length);
        sig.cache.copy(der._buf, der._offset);
        der._offset += sig.cache.length;
} else {
        writeTBSCert(cert, der);
}

der.startSequence();
der.writeOID(SIGN_ALGS[sig.algo]);
if (sig.algo.match(/^rsa-/))
        der.writeNull();
der.endSequence();

var sigData = sig.signature.toBuffer('asn1');
var data = Buffer.alloc(sigData.length + 1);
data[0] = 0;
sigData.copy(data, 1);
der.writeBuffer(data, asn1.Ber.BitString);
der.endSequence();

return (der.buffer);

}

function writeTBSCert(cert, der) {

var sig = cert.signatures.x509;
assert.object(sig, 'x509 signature');

der.startSequence();

der.startSequence(Local(0));
der.writeInt(2);
der.endSequence();

der.writeBuffer(utils.mpNormalize(cert.serial), asn1.Ber.Integer);

der.startSequence();
der.writeOID(SIGN_ALGS[sig.algo]);
if (sig.algo.match(/^rsa-/))
        der.writeNull();
der.endSequence();

cert.issuer.toAsn1(der);

der.startSequence();
writeDate(der, cert.validFrom);
writeDate(der, cert.validUntil);
der.endSequence();

var subject = cert.subjects[0];
var altNames = cert.subjects.slice(1);
subject.toAsn1(der);

pkcs8.writePkcs8(der, cert.subjectKey);

if (sig.extras && sig.extras.issuerUniqueID) {
        der.writeBuffer(sig.extras.issuerUniqueID, Local(1));
}

if (sig.extras && sig.extras.subjectUniqueID) {
        der.writeBuffer(sig.extras.subjectUniqueID, Local(2));
}

if (altNames.length > 0 || subject.type === 'host' ||
    (cert.purposes !== undefined && cert.purposes.length > 0) ||
    (sig.extras && sig.extras.exts)) {
        der.startSequence(Local(3));
        der.startSequence();

        var exts = [];
        if (cert.purposes !== undefined && cert.purposes.length > 0) {
                exts.push({
                        oid: EXTS.basicConstraints,
                        critical: true
                });
                exts.push({
                        oid: EXTS.keyUsage,
                        critical: true
                });
                exts.push({
                        oid: EXTS.extKeyUsage,
                        critical: true
                });
        }
        exts.push({ oid: EXTS.altName });
        if (sig.extras && sig.extras.exts)
                exts = sig.extras.exts;

        for (var i = 0; i < exts.length; ++i) {
                der.startSequence();
                der.writeOID(exts[i].oid);

                if (exts[i].critical !== undefined)
                        der.writeBoolean(exts[i].critical);

                if (exts[i].oid === EXTS.altName) {
                        der.startSequence(asn1.Ber.OctetString);
                        der.startSequence();
                        if (subject.type === 'host') {
                                der.writeString(subject.hostname,
                                    Context(2));
                        }
                        for (var j = 0; j < altNames.length; ++j) {
                                if (altNames[j].type === 'host') {
                                        der.writeString(
                                            altNames[j].hostname,
                                            ALTNAME.DNSName);
                                } else if (altNames[j].type ===
                                    'email') {
                                        der.writeString(
                                            altNames[j].email,
                                            ALTNAME.RFC822Name);
                                } else {
                                        /*
                                         * Encode anything else as a
                                         * DN style name for now.
                                         */
                                        der.startSequence(
                                            ALTNAME.DirectoryName);
                                        altNames[j].toAsn1(der);
                                        der.endSequence();
                                }
                        }
                        der.endSequence();
                        der.endSequence();
                } else if (exts[i].oid === EXTS.basicConstraints) {
                        der.startSequence(asn1.Ber.OctetString);
                        der.startSequence();
                        var ca = (cert.purposes.indexOf('ca') !== -1);
                        var pathLen = exts[i].pathLen;
                        der.writeBoolean(ca);
                        if (pathLen !== undefined)
                                der.writeInt(pathLen);
                        der.endSequence();
                        der.endSequence();
                } else if (exts[i].oid === EXTS.extKeyUsage) {
                        der.startSequence(asn1.Ber.OctetString);
                        der.startSequence();
                        cert.purposes.forEach(function (purpose) {
                                if (purpose === 'ca')
                                        return;
                                if (KEYUSEBITS.indexOf(purpose) !== -1)
                                        return;
                                var oid = purpose;
                                if (EXTPURPOSE[purpose] !== undefined)
                                        oid = EXTPURPOSE[purpose];
                                der.writeOID(oid);
                        });
                        der.endSequence();
                        der.endSequence();
                } else if (exts[i].oid === EXTS.keyUsage) {
                        der.startSequence(asn1.Ber.OctetString);
                        /*
                         * If we parsed this certificate from a byte
                         * stream (i.e. we didn't generate it in sshpk)
                         * then we'll have a ".bits" property on the
                         * ext with the original raw byte contents.
                         *
                         * If we have this, use it here instead of
                         * regenerating it. This guarantees we output
                         * the same data we parsed, so signatures still
                         * validate.
                         */
                        if (exts[i].bits !== undefined) {
                                der.writeBuffer(exts[i].bits,
                                    asn1.Ber.BitString);
                        } else {
                                var bits = writeBitField(cert.purposes,
                                    KEYUSEBITS);
                                der.writeBuffer(bits,
                                    asn1.Ber.BitString);
                        }
                        der.endSequence();
                } else {
                        der.writeBuffer(exts[i].data,
                            asn1.Ber.OctetString);
                }

                der.endSequence();
        }

        der.endSequence();
        der.endSequence();
}

der.endSequence();

}

/*

* Reads an ASN.1 BER bitfield out of the Buffer produced by doing
* `BerReader#readString(asn1.Ber.BitString)`. That function gives us the raw
* contents of the BitString tag, which is a count of unused bits followed by
* the bits as a right-padded byte string.
*
* `bits` is the Buffer, `bitIndex` should contain an array of string names
* for the bits in the string, ordered starting with bit #0 in the ASN.1 spec.
*
* Returns an array of Strings, the names of the bits that were set to 1.
*/

function readBitField(bits, bitIndex) {

var bitLen = 8 * (bits.length - 1) - bits[0];
var setBits = {};
for (var i = 0; i < bitLen; ++i) {
        var byteN = 1 + Math.floor(i / 8);
        var bit = 7 - (i % 8);
        var mask = 1 << bit;
        var bitVal = ((bits[byteN] & mask) !== 0);
        var name = bitIndex[i];
        if (bitVal && typeof (name) === 'string') {
                setBits[name] = true;
        }
}
return (Object.keys(setBits));

}

/*

* `setBits` is an array of strings, containing the names for each bit that
* sould be set to 1. `bitIndex` is same as in `readBitField()`.
*
* Returns a Buffer, ready to be written out with `BerWriter#writeString()`.
*/

function writeBitField(setBits, bitIndex) {

var bitLen = bitIndex.length;
var blen = Math.ceil(bitLen / 8);
var unused = blen * 8 - bitLen;
var bits = Buffer.alloc(1 + blen); // zero-filled
bits[0] = unused;
for (var i = 0; i < bitLen; ++i) {
        var byteN = 1 + Math.floor(i / 8);
        var bit = 7 - (i % 8);
        var mask = 1 << bit;
        var name = bitIndex[i];
        if (name === undefined)
                continue;
        var bitVal = (setBits.indexOf(name) !== -1);
        if (bitVal) {
                bits[byteN] |= mask;
        }
}
return (bits);

}