open-vault/ui/app/helpers/parse-pki-cert.js

import { helper } from '@ember/component/helper';
import * as asn1js from 'asn1js';
import { fromBase64, stringToArrayBuffer } from 'pvutils';
import { Certificate } from 'pkijs';

export function parsePkiCert([model]) {
  // model has to be the responseJSON from PKI serializer
  // return if no certificate or if the "certificate" is actually a CRL
  if (!model.certificate || model.certificate.includes('BEGIN X509 CRL')) {
    return;
  }
  let cert;
  try {
    let cert_base64 = model.certificate.replace(/(-----(BEGIN|END) CERTIFICATE-----|\n)/g, '');
    let cert_der = fromBase64(cert_base64);
    let cert_asn1 = asn1js.fromBER(stringToArrayBuffer(cert_der));
    cert = new Certificate({ schema: cert_asn1.result });
  } catch (error) {
    console.debug('DEBUG: Parsing Certificate', error); // eslint-disable-line
    return {
      can_parse: false,
    };
  }

  // We wish to get the CN element out of this certificate's subject. A
  // subject is a list of RDNs, where each RDN is a (type, value) tuple
  // and where a type is an OID. The OID for CN can be found here:
  //
  //    http://oid-info.com/get/2.5.4.3
  //    https://datatracker.ietf.org/doc/html/rfc5280#page-112
  //
  // Each value is then encoded as another ASN.1 object; in the case of a
  // CommonName field, this is usually a PrintableString, BMPString, or a
  // UTF8String. Regardless of encoding, it should be present in the
  // valueBlock's value field if it is renderable.
  const commonNameOID = '2.5.4.3';
  const commonNames = cert?.subject?.typesAndValues
    .filter((rdn) => rdn?.type === commonNameOID)
    .map((rdn) => rdn?.value?.valueBlock?.value);

  // Theoretically, there might be multiple (or no) CommonNames -- but Vault
  // presently refuses to issue certificates without CommonNames in most
  // cases. For now, return the first CommonName we find. Alternatively, we
  // might update our callers to handle multiple, or join them using some
  // separator like ','.
  const commonName = commonNames ? (commonNames.length ? commonNames[0] : null) : null;

  // Date instances are stored in the value field as the notAfter/notBefore
  // field themselves are Time values.
  const expiryDate = cert?.notAfter?.value;
  const issueDate = cert?.notBefore?.value;
  return {
    can_parse: true,
    common_name: commonName,
    expiry_date: expiryDate,
    issue_date: issueDate,
  };
}

export default helper(parsePkiCert);
UI/ PKI UI Redesign (#12541) * installs node-forge * correctly displays and formats cert metadata * removes labels * uses helper in hbs file * adds named arg to helper * pki-ca-cert displays common name, issue & expiry date * alphabetizes some attrs * adds test for date helper 2021-10-04 21:31:36 +00:00			`import { helper } from '@ember/component/helper';`
Switch from node-forge to PKI.js (#13894) * Switch parse-pki-cert from node-forge to PKI.js This replaces the implementation of parse-pki-cert to use PKI.js rather than node-forge for two reasons: - PKI.js uses Web Crypto rather than maintaining a built-in implementation of several algorithms. - node-forge presently lacks support for ECDSA and Ed25519 certificates. Related: #13680 Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add dependency on PKI.js $ yarn add -D asn1js pvutils pkijs Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Remove dependency on node-forge $ yarn remove node-forge Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add changelog entry Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> 2022-02-04 17:52:28 +00:00			`import * as asn1js from 'asn1js';`
			`import { fromBase64, stringToArrayBuffer } from 'pvutils';`
			`import { Certificate } from 'pkijs';`
UI/ PKI UI Redesign (#12541) * installs node-forge * correctly displays and formats cert metadata * removes labels * uses helper in hbs file * adds named arg to helper * pki-ca-cert displays common name, issue & expiry date * alphabetizes some attrs * adds test for date helper 2021-10-04 21:31:36 +00:00
			`export function parsePkiCert([model]) {`
			`// model has to be the responseJSON from PKI serializer`
UI/Fix parsing CRL in PKI engine (#13913) * fix parsing of CRLs * removes tests * update comment 2022-02-05 02:26:29 +00:00			`// return if no certificate or if the "certificate" is actually a CRL`
			`if (!model.certificate \|\| model.certificate.includes('BEGIN X509 CRL')) {`
UI/ PKI UI Redesign (#12541) * installs node-forge * correctly displays and formats cert metadata * removes labels * uses helper in hbs file * adds named arg to helper * pki-ca-cert displays common name, issue & expiry date * alphabetizes some attrs * adds test for date helper 2021-10-04 21:31:36 +00:00			`return;`
			`}`
UI/Fix node-forge EC error (#13238) * add catch for node-forge error handling * update comment * adds changelog * alphabetize attrs and add canParse attr * show alert banner if unable to parse metadata * add test to check info banner renders 2021-11-23 18:51:02 +00:00			`let cert;`
			`try {`
Switch from node-forge to PKI.js (#13894) * Switch parse-pki-cert from node-forge to PKI.js This replaces the implementation of parse-pki-cert to use PKI.js rather than node-forge for two reasons: - PKI.js uses Web Crypto rather than maintaining a built-in implementation of several algorithms. - node-forge presently lacks support for ECDSA and Ed25519 certificates. Related: #13680 Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add dependency on PKI.js $ yarn add -D asn1js pvutils pkijs Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Remove dependency on node-forge $ yarn remove node-forge Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add changelog entry Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> 2022-02-04 17:52:28 +00:00			`let cert_base64 = model.certificate.replace(/(-----(BEGIN\|END) CERTIFICATE-----\|\n)/g, '');`
			`let cert_der = fromBase64(cert_base64);`
			`let cert_asn1 = asn1js.fromBER(stringToArrayBuffer(cert_der));`
			`cert = new Certificate({ schema: cert_asn1.result });`
UI/Fix node-forge EC error (#13238) * add catch for node-forge error handling * update comment * adds changelog * alphabetize attrs and add canParse attr * show alert banner if unable to parse metadata * add test to check info banner renders 2021-11-23 18:51:02 +00:00			`} catch (error) {`
Ember Upgrade to 4.4 (#17086) * runs ember-cli-update to 4.4.0 * updates yarn.lock * updates dependencies causing runtime errors (#17135) * Inject Store Service When Accessed Implicitly (#17345) * adds codemod for injecting store service * adds custom babylon parser with decorators-legacy plugin for jscodeshift transforms * updates inject-store-service codemod to only look for .extend object expressions and adds recast options * runs inject-store-service codemod on js files * replace query-params helper with hash (#17404) * Updates/removes dependencies throwing errors in Ember 4.4 (#17396) * updates ember-responsive to latest * updates ember-composable-helpers to latest and uses includes helper since contains was removed * updates ember-concurrency to latest * updates ember-cli-clipboard to latest * temporary workaround for toolbar-link component throwing errors for using params arg with LinkTo * adds missing store injection to auth configure route * fixes issue with string-list component throwing error for accessing prop in same computation * fixes non-iterable query params issue in mfa methods controller * refactors field-to-attrs to handle belongsTo rather than fragments * converts mount-config fragment to belongsTo on auth-method model * removes ember-api-actions and adds tune method to auth-method adapter * converts cluster replication attributes from fragment to relationship * updates ember-data, removes ember-data-fragments and updates yarn to latest * removes fragments from secret-engine model * removes fragment from test-form-model * removes commented out code * minor change to inject-store-service codemod and runs again on js files * Remove LinkTo positional params (#17421) * updates ember-cli-page-object to latest version * update toolbar-link to support link-to args and not positional params * adds replace arg to toolbar-link component * Clean up js lint errors (#17426) * replaces assert.equal to assert.strictEqual * update eslint no-console to error and disables invididual intended uses of console * cleans up hbs lint warnings (#17432) * Upgrade bug and test fixes (#17500) * updates inject-service codemod to take arg for service name and runs for flashMessages service * fixes hbs lint error after merging main * fixes flash messages * updates more deps * bug fixes * test fixes * updates ember-cli-content-security-policy and prevents default form submission throwing errors * more bug and test fixes * removes commented out code * fixes issue with code-mirror modifier sending change event on setup causing same computation error * Upgrade Clean Up (#17543) * updates deprecation workflow and filter * cleans up build errors, removes unused ivy-codemirror and sass and updates ember-cli-sass and node-sass to latest * fixes control groups test that was skipped after upgrade * updates control group service tests * addresses review feedback * updates control group service handleError method to use router.currentURL rather that transition.intent.url * adds changelog entry 2022-10-18 15:46:02 +00:00			`console.debug('DEBUG: Parsing Certificate', error); // eslint-disable-line`
UI/Fix node-forge EC error (#13238) * add catch for node-forge error handling * update comment * adds changelog * alphabetize attrs and add canParse attr * show alert banner if unable to parse metadata * add test to check info banner renders 2021-11-23 18:51:02 +00:00			`return {`
			`can_parse: false,`
			`};`
			`}`
Switch from node-forge to PKI.js (#13894) * Switch parse-pki-cert from node-forge to PKI.js This replaces the implementation of parse-pki-cert to use PKI.js rather than node-forge for two reasons: - PKI.js uses Web Crypto rather than maintaining a built-in implementation of several algorithms. - node-forge presently lacks support for ECDSA and Ed25519 certificates. Related: #13680 Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add dependency on PKI.js $ yarn add -D asn1js pvutils pkijs Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Remove dependency on node-forge $ yarn remove node-forge Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add changelog entry Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> 2022-02-04 17:52:28 +00:00
			`// We wish to get the CN element out of this certificate's subject. A`
			`// subject is a list of RDNs, where each RDN is a (type, value) tuple`
			`// and where a type is an OID. The OID for CN can be found here:`
			`//`
			`// http://oid-info.com/get/2.5.4.3`
			`// https://datatracker.ietf.org/doc/html/rfc5280#page-112`
			`//`
			`// Each value is then encoded as another ASN.1 object; in the case of a`
			`// CommonName field, this is usually a PrintableString, BMPString, or a`
			`// UTF8String. Regardless of encoding, it should be present in the`
			`// valueBlock's value field if it is renderable.`
			`const commonNameOID = '2.5.4.3';`
			`const commonNames = cert?.subject?.typesAndValues`
			`.filter((rdn) => rdn?.type === commonNameOID)`
			`.map((rdn) => rdn?.value?.valueBlock?.value);`

			`// Theoretically, there might be multiple (or no) CommonNames -- but Vault`
			`// presently refuses to issue certificates without CommonNames in most`
			`// cases. For now, return the first CommonName we find. Alternatively, we`
			`// might update our callers to handle multiple, or join them using some`
			`// separator like ','.`
			`const commonName = commonNames ? (commonNames.length ? commonNames[0] : null) : null;`

			`// Date instances are stored in the value field as the notAfter/notBefore`
			`// field themselves are Time values.`
			`const expiryDate = cert?.notAfter?.value;`
			`const issueDate = cert?.notBefore?.value;`
UI/ PKI UI Redesign (#12541) * installs node-forge * correctly displays and formats cert metadata * removes labels * uses helper in hbs file * adds named arg to helper * pki-ca-cert displays common name, issue & expiry date * alphabetizes some attrs * adds test for date helper 2021-10-04 21:31:36 +00:00			`return {`
UI/Fix node-forge EC error (#13238) * add catch for node-forge error handling * update comment * adds changelog * alphabetize attrs and add canParse attr * show alert banner if unable to parse metadata * add test to check info banner renders 2021-11-23 18:51:02 +00:00			`can_parse: true,`
UI/ PKI UI Redesign (#12541) * installs node-forge * correctly displays and formats cert metadata * removes labels * uses helper in hbs file * adds named arg to helper * pki-ca-cert displays common name, issue & expiry date * alphabetizes some attrs * adds test for date helper 2021-10-04 21:31:36 +00:00			`common_name: commonName,`
			`expiry_date: expiryDate,`
UI/Fix node-forge EC error (#13238) * add catch for node-forge error handling * update comment * adds changelog * alphabetize attrs and add canParse attr * show alert banner if unable to parse metadata * add test to check info banner renders 2021-11-23 18:51:02 +00:00			`issue_date: issueDate,`
UI/ PKI UI Redesign (#12541) * installs node-forge * correctly displays and formats cert metadata * removes labels * uses helper in hbs file * adds named arg to helper * pki-ca-cert displays common name, issue & expiry date * alphabetizes some attrs * adds test for date helper 2021-10-04 21:31:36 +00:00			`};`
			`}`

			`export default helper(parsePkiCert);`