You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
374 lines
9.8 KiB
374 lines
9.8 KiB
5 years ago
|
// Copyright 2017 Joyent, Inc.
|
||
|
|
||
|
module.exports = Identity;
|
||
|
|
||
|
var assert = require('assert-plus');
|
||
|
var algs = require('./algs');
|
||
|
var crypto = require('crypto');
|
||
|
var Fingerprint = require('./fingerprint');
|
||
|
var Signature = require('./signature');
|
||
|
var errs = require('./errors');
|
||
|
var util = require('util');
|
||
|
var utils = require('./utils');
|
||
|
var asn1 = require('asn1');
|
||
|
var Buffer = require('safer-buffer').Buffer;
|
||
|
|
||
|
/*JSSTYLED*/
|
||
|
var DNS_NAME_RE = /^([*]|[a-z0-9][a-z0-9\-]{0,62})(?:\.([*]|[a-z0-9][a-z0-9\-]{0,62}))*$/i;
|
||
|
|
||
|
var oids = {};
|
||
|
oids.cn = '2.5.4.3';
|
||
|
oids.o = '2.5.4.10';
|
||
|
oids.ou = '2.5.4.11';
|
||
|
oids.l = '2.5.4.7';
|
||
|
oids.s = '2.5.4.8';
|
||
|
oids.c = '2.5.4.6';
|
||
|
oids.sn = '2.5.4.4';
|
||
|
oids.postalCode = '2.5.4.17';
|
||
|
oids.serialNumber = '2.5.4.5';
|
||
|
oids.street = '2.5.4.9';
|
||
|
oids.x500UniqueIdentifier = '2.5.4.45';
|
||
|
oids.role = '2.5.4.72';
|
||
|
oids.telephoneNumber = '2.5.4.20';
|
||
|
oids.description = '2.5.4.13';
|
||
|
oids.dc = '0.9.2342.19200300.100.1.25';
|
||
|
oids.uid = '0.9.2342.19200300.100.1.1';
|
||
|
oids.mail = '0.9.2342.19200300.100.1.3';
|
||
|
oids.title = '2.5.4.12';
|
||
|
oids.gn = '2.5.4.42';
|
||
|
oids.initials = '2.5.4.43';
|
||
|
oids.pseudonym = '2.5.4.65';
|
||
|
oids.emailAddress = '1.2.840.113549.1.9.1';
|
||
|
|
||
|
var unoids = {};
|
||
|
Object.keys(oids).forEach(function (k) {
|
||
|
unoids[oids[k]] = k;
|
||
|
});
|
||
|
|
||
|
function Identity(opts) {
|
||
|
var self = this;
|
||
|
assert.object(opts, 'options');
|
||
|
assert.arrayOfObject(opts.components, 'options.components');
|
||
|
this.components = opts.components;
|
||
|
this.componentLookup = {};
|
||
|
this.components.forEach(function (c) {
|
||
|
if (c.name && !c.oid)
|
||
|
c.oid = oids[c.name];
|
||
|
if (c.oid && !c.name)
|
||
|
c.name = unoids[c.oid];
|
||
|
if (self.componentLookup[c.name] === undefined)
|
||
|
self.componentLookup[c.name] = [];
|
||
|
self.componentLookup[c.name].push(c);
|
||
|
});
|
||
|
if (this.componentLookup.cn && this.componentLookup.cn.length > 0) {
|
||
|
this.cn = this.componentLookup.cn[0].value;
|
||
|
}
|
||
|
assert.optionalString(opts.type, 'options.type');
|
||
|
if (opts.type === undefined) {
|
||
|
if (this.components.length === 1 &&
|
||
|
this.componentLookup.cn &&
|
||
|
this.componentLookup.cn.length === 1 &&
|
||
|
this.componentLookup.cn[0].value.match(DNS_NAME_RE)) {
|
||
|
this.type = 'host';
|
||
|
this.hostname = this.componentLookup.cn[0].value;
|
||
|
|
||
|
} else if (this.componentLookup.dc &&
|
||
|
this.components.length === this.componentLookup.dc.length) {
|
||
|
this.type = 'host';
|
||
|
this.hostname = this.componentLookup.dc.map(
|
||
|
function (c) {
|
||
|
return (c.value);
|
||
|
}).join('.');
|
||
|
|
||
|
} else if (this.componentLookup.uid &&
|
||
|
this.components.length ===
|
||
|
this.componentLookup.uid.length) {
|
||
|
this.type = 'user';
|
||
|
this.uid = this.componentLookup.uid[0].value;
|
||
|
|
||
|
} else if (this.componentLookup.cn &&
|
||
|
this.componentLookup.cn.length === 1 &&
|
||
|
this.componentLookup.cn[0].value.match(DNS_NAME_RE)) {
|
||
|
this.type = 'host';
|
||
|
this.hostname = this.componentLookup.cn[0].value;
|
||
|
|
||
|
} else if (this.componentLookup.uid &&
|
||
|
this.componentLookup.uid.length === 1) {
|
||
|
this.type = 'user';
|
||
|
this.uid = this.componentLookup.uid[0].value;
|
||
|
|
||
|
} else if (this.componentLookup.mail &&
|
||
|
this.componentLookup.mail.length === 1) {
|
||
|
this.type = 'email';
|
||
|
this.email = this.componentLookup.mail[0].value;
|
||
|
|
||
|
} else if (this.componentLookup.cn &&
|
||
|
this.componentLookup.cn.length === 1) {
|
||
|
this.type = 'user';
|
||
|
this.uid = this.componentLookup.cn[0].value;
|
||
|
|
||
|
} else {
|
||
|
this.type = 'unknown';
|
||
|
}
|
||
|
} else {
|
||
|
this.type = opts.type;
|
||
|
if (this.type === 'host')
|
||
|
this.hostname = opts.hostname;
|
||
|
else if (this.type === 'user')
|
||
|
this.uid = opts.uid;
|
||
|
else if (this.type === 'email')
|
||
|
this.email = opts.email;
|
||
|
else
|
||
|
throw (new Error('Unknown type ' + this.type));
|
||
|
}
|
||
|
}
|
||
|
|
||
|
Identity.prototype.toString = function () {
|
||
|
return (this.components.map(function (c) {
|
||
|
var n = c.name.toUpperCase();
|
||
|
/*JSSTYLED*/
|
||
|
n = n.replace(/=/g, '\\=');
|
||
|
var v = c.value;
|
||
|
/*JSSTYLED*/
|
||
|
v = v.replace(/,/g, '\\,');
|
||
|
return (n + '=' + v);
|
||
|
}).join(', '));
|
||
|
};
|
||
|
|
||
|
Identity.prototype.get = function (name, asArray) {
|
||
|
assert.string(name, 'name');
|
||
|
var arr = this.componentLookup[name];
|
||
|
if (arr === undefined || arr.length === 0)
|
||
|
return (undefined);
|
||
|
if (!asArray && arr.length > 1)
|
||
|
throw (new Error('Multiple values for attribute ' + name));
|
||
|
if (!asArray)
|
||
|
return (arr[0].value);
|
||
|
return (arr.map(function (c) {
|
||
|
return (c.value);
|
||
|
}));
|
||
|
};
|
||
|
|
||
|
Identity.prototype.toArray = function (idx) {
|
||
|
return (this.components.map(function (c) {
|
||
|
return ({
|
||
|
name: c.name,
|
||
|
value: c.value
|
||
|
});
|
||
|
}));
|
||
|
};
|
||
|
|
||
|
/*
|
||
|
* These are from X.680 -- PrintableString allowed chars are in section 37.4
|
||
|
* table 8. Spec for IA5Strings is "1,6 + SPACE + DEL" where 1 refers to
|
||
|
* ISO IR #001 (standard ASCII control characters) and 6 refers to ISO IR #006
|
||
|
* (the basic ASCII character set).
|
||
|
*/
|
||
|
/* JSSTYLED */
|
||
|
var NOT_PRINTABLE = /[^a-zA-Z0-9 '(),+.\/:=?-]/;
|
||
|
/* JSSTYLED */
|
||
|
var NOT_IA5 = /[^\x00-\x7f]/;
|
||
|
|
||
|
Identity.prototype.toAsn1 = function (der, tag) {
|
||
|
der.startSequence(tag);
|
||
|
this.components.forEach(function (c) {
|
||
|
der.startSequence(asn1.Ber.Constructor | asn1.Ber.Set);
|
||
|
der.startSequence();
|
||
|
der.writeOID(c.oid);
|
||
|
/*
|
||
|
* If we fit in a PrintableString, use that. Otherwise use an
|
||
|
* IA5String or UTF8String.
|
||
|
*
|
||
|
* If this identity was parsed from a DN, use the ASN.1 types
|
||
|
* from the original representation (otherwise this might not
|
||
|
* be a full match for the original in some validators).
|
||
|
*/
|
||
|
if (c.asn1type === asn1.Ber.Utf8String ||
|
||
|
c.value.match(NOT_IA5)) {
|
||
|
var v = Buffer.from(c.value, 'utf8');
|
||
|
der.writeBuffer(v, asn1.Ber.Utf8String);
|
||
|
|
||
|
} else if (c.asn1type === asn1.Ber.IA5String ||
|
||
|
c.value.match(NOT_PRINTABLE)) {
|
||
|
der.writeString(c.value, asn1.Ber.IA5String);
|
||
|
|
||
|
} else {
|
||
|
var type = asn1.Ber.PrintableString;
|
||
|
if (c.asn1type !== undefined)
|
||
|
type = c.asn1type;
|
||
|
der.writeString(c.value, type);
|
||
|
}
|
||
|
der.endSequence();
|
||
|
der.endSequence();
|
||
|
});
|
||
|
der.endSequence();
|
||
|
};
|
||
|
|
||
|
function globMatch(a, b) {
|
||
|
if (a === '**' || b === '**')
|
||
|
return (true);
|
||
|
var aParts = a.split('.');
|
||
|
var bParts = b.split('.');
|
||
|
if (aParts.length !== bParts.length)
|
||
|
return (false);
|
||
|
for (var i = 0; i < aParts.length; ++i) {
|
||
|
if (aParts[i] === '*' || bParts[i] === '*')
|
||
|
continue;
|
||
|
if (aParts[i] !== bParts[i])
|
||
|
return (false);
|
||
|
}
|
||
|
return (true);
|
||
|
}
|
||
|
|
||
|
Identity.prototype.equals = function (other) {
|
||
|
if (!Identity.isIdentity(other, [1, 0]))
|
||
|
return (false);
|
||
|
if (other.components.length !== this.components.length)
|
||
|
return (false);
|
||
|
for (var i = 0; i < this.components.length; ++i) {
|
||
|
if (this.components[i].oid !== other.components[i].oid)
|
||
|
return (false);
|
||
|
if (!globMatch(this.components[i].value,
|
||
|
other.components[i].value)) {
|
||
|
return (false);
|
||
|
}
|
||
|
}
|
||
|
return (true);
|
||
|
};
|
||
|
|
||
|
Identity.forHost = function (hostname) {
|
||
|
assert.string(hostname, 'hostname');
|
||
|
return (new Identity({
|
||
|
type: 'host',
|
||
|
hostname: hostname,
|
||
|
components: [ { name: 'cn', value: hostname } ]
|
||
|
}));
|
||
|
};
|
||
|
|
||
|
Identity.forUser = function (uid) {
|
||
|
assert.string(uid, 'uid');
|
||
|
return (new Identity({
|
||
|
type: 'user',
|
||
|
uid: uid,
|
||
|
components: [ { name: 'uid', value: uid } ]
|
||
|
}));
|
||
|
};
|
||
|
|
||
|
Identity.forEmail = function (email) {
|
||
|
assert.string(email, 'email');
|
||
|
return (new Identity({
|
||
|
type: 'email',
|
||
|
email: email,
|
||
|
components: [ { name: 'mail', value: email } ]
|
||
|
}));
|
||
|
};
|
||
|
|
||
|
Identity.parseDN = function (dn) {
|
||
|
assert.string(dn, 'dn');
|
||
|
var parts = [''];
|
||
|
var idx = 0;
|
||
|
var rem = dn;
|
||
|
while (rem.length > 0) {
|
||
|
var m;
|
||
|
/*JSSTYLED*/
|
||
|
if ((m = /^,/.exec(rem)) !== null) {
|
||
|
parts[++idx] = '';
|
||
|
rem = rem.slice(m[0].length);
|
||
|
/*JSSTYLED*/
|
||
|
} else if ((m = /^\\,/.exec(rem)) !== null) {
|
||
|
parts[idx] += ',';
|
||
|
rem = rem.slice(m[0].length);
|
||
|
/*JSSTYLED*/
|
||
|
} else if ((m = /^\\./.exec(rem)) !== null) {
|
||
|
parts[idx] += m[0];
|
||
|
rem = rem.slice(m[0].length);
|
||
|
/*JSSTYLED*/
|
||
|
} else if ((m = /^[^\\,]+/.exec(rem)) !== null) {
|
||
|
parts[idx] += m[0];
|
||
|
rem = rem.slice(m[0].length);
|
||
|
} else {
|
||
|
throw (new Error('Failed to parse DN'));
|
||
|
}
|
||
|
}
|
||
|
var cmps = parts.map(function (c) {
|
||
|
c = c.trim();
|
||
|
var eqPos = c.indexOf('=');
|
||
|
while (eqPos > 0 && c.charAt(eqPos - 1) === '\\')
|
||
|
eqPos = c.indexOf('=', eqPos + 1);
|
||
|
if (eqPos === -1) {
|
||
|
throw (new Error('Failed to parse DN'));
|
||
|
}
|
||
|
/*JSSTYLED*/
|
||
|
var name = c.slice(0, eqPos).toLowerCase().replace(/\\=/g, '=');
|
||
|
var value = c.slice(eqPos + 1);
|
||
|
return ({ name: name, value: value });
|
||
|
});
|
||
|
return (new Identity({ components: cmps }));
|
||
|
};
|
||
|
|
||
|
Identity.fromArray = function (components) {
|
||
|
assert.arrayOfObject(components, 'components');
|
||
|
components.forEach(function (cmp) {
|
||
|
assert.object(cmp, 'component');
|
||
|
assert.string(cmp.name, 'component.name');
|
||
|
if (!Buffer.isBuffer(cmp.value) &&
|
||
|
!(typeof (cmp.value) === 'string')) {
|
||
|
throw (new Error('Invalid component value'));
|
||
|
}
|
||
|
});
|
||
|
return (new Identity({ components: components }));
|
||
|
};
|
||
|
|
||
|
Identity.parseAsn1 = function (der, top) {
|
||
|
var components = [];
|
||
|
der.readSequence(top);
|
||
|
var end = der.offset + der.length;
|
||
|
while (der.offset < end) {
|
||
|
der.readSequence(asn1.Ber.Constructor | asn1.Ber.Set);
|
||
|
var after = der.offset + der.length;
|
||
|
der.readSequence();
|
||
|
var oid = der.readOID();
|
||
|
var type = der.peek();
|
||
|
var value;
|
||
|
switch (type) {
|
||
|
case asn1.Ber.PrintableString:
|
||
|
case asn1.Ber.IA5String:
|
||
|
case asn1.Ber.OctetString:
|
||
|
case asn1.Ber.T61String:
|
||
|
value = der.readString(type);
|
||
|
break;
|
||
|
case asn1.Ber.Utf8String:
|
||
|
value = der.readString(type, true);
|
||
|
value = value.toString('utf8');
|
||
|
break;
|
||
|
case asn1.Ber.CharacterString:
|
||
|
case asn1.Ber.BMPString:
|
||
|
value = der.readString(type, true);
|
||
|
value = value.toString('utf16le');
|
||
|
break;
|
||
|
default:
|
||
|
throw (new Error('Unknown asn1 type ' + type));
|
||
|
}
|
||
|
components.push({ oid: oid, asn1type: type, value: value });
|
||
|
der._offset = after;
|
||
|
}
|
||
|
der._offset = end;
|
||
|
return (new Identity({
|
||
|
components: components
|
||
|
}));
|
||
|
};
|
||
|
|
||
|
Identity.isIdentity = function (obj, ver) {
|
||
|
return (utils.isCompatible(obj, Identity, ver));
|
||
|
};
|
||
|
|
||
|
/*
|
||
|
* API versions for Identity:
|
||
|
* [1,0] -- initial ver
|
||
|
*/
|
||
|
Identity.prototype._sshpkApiVersion = [1, 0];
|
||
|
|
||
|
Identity._oldVersionDetect = function (obj) {
|
||
|
return ([1, 0]);
|
||
|
};
|