@cto.af/ca
Testing-only Certificate Authority (CA) for your local development environment ONLY. This is in no way suitable for production of any kind.
import type { AnyKey, RequiredCommonCertOptions } from './types.js';
import { type SecretEntry } from './keychain.js';
import type { Logger } from '@cto.af/log';
import rs from 'jsrsasign';
/**
 * Service name under which private keys are stored in the OS-specific
 * keychain. The per-key account name is the value reported by
 * `KeyCert.keyFile` (see that getter).
 */
export declare const KEYCHAIN_SERVICE = "com.github.cto-af.ca";
/**
 * Sentinel passed as the `ca` argument (constructor, `KeyCert.read`,
 * `KeyCert.list`) to mark a certificate as self-signed, i.e. a CA root with
 * no separate issuing KeyCert.
 */
export declare const SELF_SIGNED: unique symbol;
export type { SecretEntry, };
/**
 * A certificate and its private key.
 *
 * This belongs to a testing-only CA: the package description states it is
 * for local development only and never suitable for production. When
 * present, the private key is held in memory as a plain string on the
 * public `key` property, so do not log or serialize instances wholesale.
 */
export declare class KeyCert {
  #private;
  /**
   * The issuing CA. Undefined when none was supplied or when SELF_SIGNED was
   * passed (the property type cannot hold the symbol); in that case
   * `verify()` is documented to return false.
   */
  readonly ca: KeyCert | undefined;
  /** The certificate, PEM-encoded (it is the first element of `chain`). */
  readonly cert: string;
  /**
   * The private key as a string (presumably PEM — confirm against the
   * constructor), or undefined if the instance was built without one.
   * Treat as a secret.
   */
  readonly key: string | undefined;
  /**
   * Base name of the cert; `read()` documents it as the file base name,
   * escaped for use as a filename, with no suffix or directory.
   */
  readonly name: string;
  /**
   * @param name Base name (see `name`).
   * @param key Private key, or undefined if only the certificate is known.
   * @param cert Parsed jsrsasign certificate, or its string form
   *   (presumably PEM — confirm).
   * @param ca The issuing KeyCert, or SELF_SIGNED for a self-signed cert.
   *   Omitted and SELF_SIGNED both leave `ca` undefined.
   */
  constructor(name: string, key: AnyKey | string | undefined, cert: rs.KJUR.asn1.x509.Certificate | string, ca?: KeyCert | typeof SELF_SIGNED);
  /**
   * The PEM-encoded full certificate chain, starting with this cert, then
   * adding the CA cert if there is a CA.
   *
   * NOTE(review): only the immediate CA's cert is described as appended;
   * whether the CA's own `ca` is walked for deeper hierarchies is not stated
   * here — confirm before relying on this for multi-level chains.
   */
  get chain(): string;
  /**
   * The account name of the key, stored under KEYCHAIN_SERVICE in the
   * OS-specific keychain. This corresponds to the file name that the key
   * used to be stored in. This file should no longer exist after the upgrade
   * procedure runs — if it does, it holds private key material on disk and
   * should be removed.
   *
   * @returns If known, the filename, otherwise undefined.
   */
  get keyFile(): string | undefined;
  /**
   * The file name of the certificate. The file is encoded as PEM.
   *
   * @returns The filename, or undefined if unknown.
   */
  get certFile(): string | undefined;
  /**
   * Issuer DN string.
   *
   * @returns A string of the form '/C=US'.
   */
  get issuer(): string;
  /**
   * Certificate not valid after this date. Compare against the current time
   * yourself when validity matters: `verify()` is only documented to check
   * the issuer.
   *
   * @returns Date constructed from X509.
   */
  get notAfter(): Date;
  /**
   * Certificate not valid before this date. See `notAfter` for the caveat
   * about `verify()`.
   *
   * @returns Date constructed from X509.
   */
  get notBefore(): Date;
  /**
   * List of subjectAlternativeNames for the cert.
   *
   * @returns Array of {dns: 'hostname'} or {ip: 'address'} objects, or
   *   undefined when there are none (presumably no SAN extension — confirm).
   */
  get san(): rs.GeneralName[] | undefined;
  /**
   * Serial number of the cert.
   *
   * @returns Hex string.
   */
  get serial(): string;
  /**
   * Subject name of the cert.
   *
   * @returns String of the form '/CN=localhost'.
   */
  get subject(): string;
  /**
   * Read the cert file and the key from the keychain. The key is not read
   * from disk; it comes from the OS keychain (see `keyFile`).
   *
   * @param opts Options. Most important is dir.
   * @param name Base name of the files, escaped for use as filenames.
   * No suffix or directory.
   * @param log Logger.
   * @param ca If known, the CA. Use SELF_SIGNED for the CA.
   * @returns KeyCert, or null if not found.
   */
  static read(opts: RequiredCommonCertOptions, name: string, log: Logger, ca?: KeyCert | typeof SELF_SIGNED): Promise<KeyCert | null>;
  /**
   * Get all known certs in the given directory.
   *
   * @param opts Options, most important is dir.
   * @param log Logger.
   * @param ca If known, the CA, or SELF_SIGNED for CAs.
   * @yields Already-read KeyCert instances.
   */
  static list(opts: RequiredCommonCertOptions, log: Logger, ca?: KeyCert | typeof SELF_SIGNED): AsyncGenerator<KeyCert>;
  /**
   * List all known keys (every account under KEYCHAIN_SERVICE).
   *
   * @yields SecretEntry objects: the account name plus an entry pre-populated
   *   for modifications.
   */
  static listKeys(): AsyncGenerator<SecretEntry>;
  /**
   * Delete this key, if it isn't temporary.
   *
   * NOTE(review): `opts` is optional here but required by `read()` and
   * `write()` — confirm what the default is. Whether the cert file is also
   * removed is not stated here.
   *
   * @param opts Options, of which temp is the most important.
   * @param log Logger.
   * @returns Promise that completes when done deleting.
   */
  delete(opts?: RequiredCommonCertOptions, log?: Logger): Promise<void>;
  /**
   * Save the cert file and key, unless this is temporary. Per `read()` and
   * `keyFile`, the key presumably goes to the OS keychain and only the cert
   * to disk; the permissions applied to the cert file are not specified here.
   *
   * @param opts Options, of which temp is the most important.
   * @param log Logger.
   * @returns Promise that completes when writing is done.
   */
  write(opts: RequiredCommonCertOptions, log: Logger): Promise<void>;
  /**
   * Verify the certificate with its issuer. If no CA, returns false.
   *
   * Consequently a self-signed/root cert (`ca` undefined) always yields
   * false; that is not by itself a sign the cert is bad. Only the issuer
   * relationship is documented as checked — validity dates, SAN/hostname
   * matching and revocation are not mentioned, so check `notBefore`,
   * `notAfter` and `san` separately when they matter.
   *
   * @returns True if the cert verifies against its CA's cert.
   */
  verify(): boolean;
}