X.509

X.509 certificate handling per RFC 5280. The seed surface is parse — turn a DER or PEM certificate into a structured, fully-decoded object: version, serial, signature algorithm, issuer and subject distinguished names, validity window (as real Dates), subject public-key info, and the extension list. The parser composes the strict DER codec and the OID registry, so every field is validated on the way in and every algorithm / attribute / extension is named where the registry knows it.

The raw tbsCertificate bytes are returned alongside the parsed fields so a signature-verification layer can hash exactly the bytes that were signed rather than re-encoding and hoping for round-trip fidelity.

pki.schema.x509.pemDecode

since 0.1.7 stable
pki.schema.x509.pemDecode(text, label?) -> Buffer

Extract the DER bytes from a PEM block. With label given (e.g. "CERTIFICATE") the block type must match; without it, the first block is taken. Throws PemError on a missing / mismatched envelope or a non-base64 body.

Example

var der = pki.schema.x509.pemDecode(pemText, "CERTIFICATE");

References

pki.schema.x509.pemEncode

since 0.1.7 stable
pki.schema.x509.pemEncode(der, label) -> string

Wrap DER bytes in a PEM envelope with 64-column base64 lines.

Example

var pem = pki.schema.x509.pemEncode(der, "CERTIFICATE");

References

pki.schema.x509.parse

since 0.1.7 stable
pki.schema.x509.parse(input) -> certificate

Parse a DER Buffer or a PEM string/Buffer into a structured certificate: { version, serialNumber, serialNumberHex, signatureAlgorithm, issuer, subject, validity, subjectPublicKeyInfo, extensions, tbsBytes, signatureValue }. Distinguished names come back both as a rendered dn string and as structured rdns; the validity window is real Dates; tbsBytes is the exact signed byte range for a downstream verifier.

Throws CertificateError when the bytes are not a well-formed certificate and Asn1Error when the underlying DER is malformed.

Example

var cert = pki.schema.x509.parse(pemString);
cert.subject.dn;                 // "CN=example.com, O=Example"
cert.validity.notAfter;          // Date
cert.signatureAlgorithm.name;    // "sha256WithRSAEncryption"

References

  • spec RFC 5280
  • spec X.509
  • defends malformed-certificate-parse (CWE-20)