node-signed-mailer/dist/sign.js

Send emails signed with your S/MIME certificate

"use strict";
var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
    if (k2 === undefined) k2 = k;
    var desc = Object.getOwnPropertyDescriptor(m, k);
    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
      desc = { enumerable: true, get: function() { return m[k]; } };
    }
    Object.defineProperty(o, k2, desc);
}) : (function(o, m, k, k2) {
    if (k2 === undefined) k2 = k;
    o[k2] = m[k];
}));
var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
    Object.defineProperty(o, "default", { enumerable: true, value: v });
}) : function(o, v) {
    o["default"] = v;
});
var __importStar = (this && this.__importStar) || (function () {
    var ownKeys = function(o) {
        ownKeys = Object.getOwnPropertyNames || function (o) {
            var ar = [];
            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
            return ar;
        };
        return ownKeys(o);
    };
    return function (mod) {
        if (mod && mod.__esModule) return mod;
        var result = {};
        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
        __setModuleDefault(result, mod);
        return result;
    };
})();
var __importDefault = (this && this.__importDefault) || function (mod) {
    return (mod && mod.__esModule) ? mod : { "default": mod };
};
Object.defineProperty(exports, "__esModule", { value: true });
exports.sign = void 0;
const fs = __importStar(require("node:fs"));
const uuid_1 = require("uuid");
const const_1 = require("./const");
const node_forge_1 = __importDefault(require("node-forge"));
const extractPem = (p12file, passphrase) => {
    const p12Der = fs.readFileSync(p12file, 'binary');
    const p12Asn1 = node_forge_1.default.asn1.fromDer(p12Der);
    const p12 = node_forge_1.default.pkcs12.pkcs12FromAsn1(p12Asn1, passphrase);
    const keyBags = p12.getBags({
        bagType: node_forge_1.default.pki.oids.pkcs8ShroudedKeyBag,
    })[node_forge_1.default.pki.oids.pkcs8ShroudedKeyBag];
    if (typeof keyBags === 'undefined') {
        throw new Error('Failed to retrieve key bags');
    }
    const privateKey = keyBags[0].key;
    if (typeof privateKey === 'undefined') {
        throw new Error('Failed to retrieve private key');
    }
    const certBags = p12.getBags({
        bagType: node_forge_1.default.pki.oids.certBag,
    })[node_forge_1.default.pki.oids.certBag];
    if (typeof certBags === 'undefined') {
        throw new Error('Failed to retrieve certBags');
    }
    return {
        key: privateKey,
        certs: certBags.map(c => c.cert).filter((c) => c != null),
    };
};
const packMessage = (content) => {
    if (!content.html) {
        return packPlainMessage(content.text);
    }
    const id = (0, uuid_1.v4)();
    const boundary = `${const_1.BOUNDARY_NAME}-${id.toUpperCase()}`;
    return `Content-Type: multipart/alternative; boundary="${boundary}"
	
--${boundary}
${packPlainMessage(content.text)}
--${boundary}
${packHTMLMessage(content.html)}
--${boundary}--`;
};
const packPlainMessage = (message) => {
    return `Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

${message}`;
};
const packHTMLMessage = (message) => {
    return `Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit

${message}`;
};
const createSignedAttachment = (pem) => {
    const header = `Content-Type: application/pkcs7-signature; name=smime.p7s
Content-Disposition: attachment; filename=smime.p7s
Content-Transfer-Encoding: base64`;
    const trimmed = pem
        .replace('-----BEGIN PKCS7-----', '')
        .replace('-----END PKCS7-----', '')
        .trim();
    return `${header}

${trimmed}`;
};
const sign = (header, content, p12file, passphrase) => {
    const { key, certs } = extractPem(p12file, passphrase);
    const p7 = node_forge_1.default.pkcs7.createSignedData();
    const message = packMessage(content);
    p7.content = node_forge_1.default.util.createBuffer(message);
    const [cert, ...additionalCerts] = certs;
    p7.addSigner({
        // @ts-ignore
        key: key,
        certificate: cert,
        digestAlgorithm: node_forge_1.default.pki.oids.sha256,
        authenticatedAttributes: [
            { type: node_forge_1.default.pki.oids.contentType, value: node_forge_1.default.pki.oids.data },
            { type: node_forge_1.default.pki.oids.messageDigest },
            { type: node_forge_1.default.pki.oids.signingTime, value: new Date().toISOString() },
        ],
    });
    additionalCerts.forEach(cert => p7.addCertificate(cert));
    p7.sign();
    const signaturePem = node_forge_1.default.pkcs7.messageToPem(p7);
    const id = (0, uuid_1.v4)();
    const boundary = `${const_1.BOUNDARY_NAME}-${id.toUpperCase()}`;
    const signedHeader = header.replace(/^Content-Type:.*$/m, `Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary=${boundary}`);
    const attachment = createSignedAttachment(signaturePem);
    return `${signedHeader.trim()}


--${boundary}
${message.trim()}

--${boundary}
${attachment}
	
--${boundary}`;
};
exports.sign = sign;