UNPKG

node-posh

Version:

PKIX Over Secure HTTP (POSH) tools for node.js

github.com/hildjj/node-posh

165 lines (125 loc) 7.03 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
node-posh ========= PKIX Over Secure HTTP (POSH) tools for node.js. See http://tools.ietf.org/html/draft-miller-posh-00 for more information. # Usage Usage: genposh [options] [cert filename...] Options: --help, -h Show this message and exit --out, -o Directory in which to output files [default: "."] --days, -d Days of validity for the generated certificate [default: 365] --service, -s SRV-style service name for the POSH file [default: "_xmpp._tcp"] --maxcerts, -m The maximum number of certs to output in the x5c field. 0 means all. [default: 0] --commonname, -c Create a new certificate, with this common name (multiple ok) # Installation npm install node-posh # Example Generate a new certificate that is good for 30 days. Keep the old certificate in the the POSH output to support the roll-over period: genposh -d 30 -s _imap._tcp -c localhost old-cert.pem This will generate a file called `posh._imap._tcp.json` that contains POSH JSON that looks like this: ```json { "keys": [ { "kty": "RSA", "kid": "localhost:Jb9DgTJyJQQuMo0lgEU0FijVaF0", "n": "tgN-hrmVCeAz4dCRnsNDaIyYOFIHaRK1zqCURvsiY-NopMFq38qBwOecRso0Xy8qHbUMw7xwvfn2cOAkG4G8k-_Fo55hV_kMZQVIZMOpXVmEsNZ34N9Bj91e_UI_-UK-ejeUwkSxyH9fpPf5L4bZZtGi2_vZl2y-Ik39OV5c5Uc", "e": "AQAB", "x5c": [ "MIIBnzCCAQgCCQCLHVds8mHyBDANBgkqhkiG9w0BAQUFADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwHhcNMTMwNzI4MDU0MzI3WhcNMTMwODI3MDU0MzI3WjAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALYDfoa5lQngM+HQkZ7DQ2iMmDhSB2kStc6glEb7ImPjaKTBat/KgcDnnEbKNF8vKh21DMO8cL359nDgJBuBvJPvxaOeYVf5DGUFSGTDqV1ZhLDWd+DfQY/dXv1CP/lCvno3lMJEsch/X6T3+S+G2WbRotv72ZdsviJN/TleXOVHAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAi2QwxfUp2xrdBftEsuAxg2LrEaoO+WwvSCPbyUUGU+98/d8+gYqeIybDWDltzGt/ZSZvZstgNsgGPEPeK4M29m6BIZzOhztqZ5GEsnhvSI2Yhg2ZBxP7hmiDkBqPoq6HoX3FVec0ilnLmRU1WDWXwOVLY6Wn7F6hTys9pKSU9aw=" ] }, { "kty": "RSA", "kid": "localhost:xpqT5yQpLvdwCeBB6Fydah1rQkE", "n": "1l4_n_wO2zOL3BNcAaw_aeVmryoVVRI429mSQ00AcwArW6U02lxM7fuIR-RJe0xl7KtDZBsgZbgK_Y5lCpRHUAuk9ZAsl-gsZIBWQXnyFKVNSV6yxlv3OgE__K9Wfqih1j8SKfPLffnvsXisb979DR-DgvrwxtBj0oJYwI4yUqc", "e": "AQAB", "x5c": [ "MIIBnzCCAQgCCQDdbgfPWRJHHTANBgkqhkiG9w0BAQUFADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwHhcNMTMwNzI4MDU0MzExWhcNMTMwODI3MDU0MzExWjAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANZeP5/8Dtszi9wTXAGsP2nlZq8qFVUSONvZkkNNAHMAK1ulNNpcTO37iEfkSXtMZeyrQ2QbIGW4Cv2OZQqUR1ALpPWQLJfoLGSAVkF58hSlTUlessZb9zoBP/yvVn6oodY/Einzy33577F4rG/e/Q0fg4L68MbQY9KCWMCOMlKnAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEACbIaGqXdRUkrlmjXTyo4Rikh1sYrxtZQL/XSmNw1uwzNPtlwaEziAtLI9HsCfryZ7vwshEy81xcoBCsIu7WJ1xX/iLaVzFOt2bkN3de6UECqPsEaUEXksg2wTCV4ItpAlMNh4Ix/yF5cHwJ91dSvkcEZm2ERr1TPs/BeAHUIHKs=" ] } ] } ``` # API ## Functions ### <a name="create">create(certs, maxdepth)</a> Create a POSH document from a list of certificates. * `certs` an array of PEM-encoded certificate chains. The first certificate in each chain will be extracted into the POSH public key information. * `maxdepth` the maxiumum number of certificates to use from each chain. * returns a [Q](https://github.com/kriskowal/q) promise that will be fulfilled with a JavaScript representation (not a JSON string!) of the POSH document. ### <a name="write">write(dir, service, posh)</a> Write a file with the given POSH object in a file with the correct name for the given service. * `dir` the directory to write into * `service` the SRV record name for the target service. Example: "_xmpp-server._tcp" * returns a [Q](https://github.com/kriskowal/q) promise that will be fulfilled when the file is finished writing ## Classes ### <a name="POSH">[POSH](POSH)</a> #### *[extends events.EventEmitter](#events.EventEmitter)* Make a POSH-verified connection to a given domain on a given service. Events: * `'posh request', url` about to request a POSH document at the given URL * `'no posh', er` No POSH document could be retrieved. Not really an error. * `'connecting', host, port, tls` Connecting on the given host and port. If `tls` is true, a TLS handshake will start as soon as the connection finishes. * `'error', er` an error was detected. * `'connect', socket` the given socket was connected * `'secure', service_cert, posh_document` the connection is secure either by RFC 6125 or POSH. The posh_document is null if the service_cert was valid via RFC 6125. * `'insecure', service_cert, posh_document` the connection could not be determined to be secure. The posh_document is null if it could not be retrieved. #### Instance Methods ##### <a name="constructor">constructor(@domain, @srv, options)</a> Create a POSH connection object * `domain` connect to the given domain * `srv` the DNS SRV protocol name to connect with. For example, "_xmpp-server._tcp" * `options` a configuration object * `fallback_port` The port to fall back on if SRV fails. If -1, use the port for the given SRV protocol name from /etc/services. Defaults to -1. * `start_tls` Don't do TLS immediately after connecting. Instead, wait for a listener for the `connect` event to call `start_tls()`. * `ca` An array of zero or more certificate authority (CA) certs to trust when making HTTPS calls for POSH certs. ##### <a name="get_posh">get\_posh()</a> Attempt to get the POSH assertion for the domain and SRV protocol given in the constructor * __returns__ a [Q](https://github.com/kriskowal/q) promise that will be fulfilled with the POSH object when/if it is retrieved. Rejections of this promise usually shouldn't be treated as an error. ##### <a name="resolve">resolve()</a> Do the SRV resolution. * __returns__ a [Q](https://github.com/kriskowal/q) promise that will be fulfilled with `host`, `port` when complete. Ignores DNS errors, returning the original domain and fallback port. ##### <a name="connect_plain">connect\_plain()</a> Connect without starting TLS. Wait for the `connect` event, then call `start_tls`. * __returns__ a [Q](https://github.com/kriskowal/q) promise that will be fulfilled with the connected socket. ##### <a name="connect_tls">connect\_tls()</a> Connect to the given serice, and start TLS immediately. * __returns__ a [Q](https://github.com/kriskowal/q) promise that will be fulfilled with the connected socket. ##### <a name="start_tls">start\_tls()</a> On the already-connected socket, start a TLS handshake. This MUST occur after the 'connect' event has been called. ##### <a name="connect">connect()</a> Connect to the domain on the specified service, using either an initially- plaintext approach (options.start_tls=true), or an initially-encrypted approach (options.start_tls=false). * __returns__ a [Q](https://github.com/kriskowal/q) promise that will be fulfilled with the connected socket.