micro509

Stable root import for micro509.
Re-exports the common certificate, parsing, verification, revocation, key, and PKCS workflows from one package entrypoint.

Reach for this module when you want the default workflow-first package surface. Use domain entrypoints such as micro509/x509, micro509/verify, and micro509/revocation when you need exhaustive advanced types.

The root export is organized around common PKI flows:

  • create certificates, CSRs, CRLs, OCSP responses, PKCS#7, and PFX artifacts
  • parse DER or PEM inputs into typed certificate and request shapes
  • verify certificate chains, service identities, CRLs, OCSP, and signed data
  • import, export, generate, and encrypt key material with WebCrypto-safe algorithms
  • work with the common extension inputs, revocation evidence, and validation results

Advanced PKCS#12 MAC plumbing, signature profile tuning, and other domain-specific helper types stay in their owner domains instead of being headlined here.

Examples

```ts
import {
	createSelfSignedCertificate,
	parseCertificatePem,
	verifyCertificateChain,
} from 'micro509';

const { certificate } = await createSelfSignedCertificate({
	subject: { commonName: 'example.com' },
	algorithm: { kind: 'ecdsa', curve: 'P-256' },
});

const parsed = parseCertificatePem(certificate.pem);
// parsed.subject.values.commonName === 'example.com'

const result = await verifyCertificateChain({
	leaf: certificate.pem,
	roots: [certificate.pem],
	allowSelfSignedLeaf: true,
});
// result.ok === true
```

```ts
import {
	generateKeyPair,
	parseCertificateSigningRequestPem,
	createCertificateSigningRequest,
} from 'micro509';

const keyPair = await generateKeyPair({ kind: 'ecdsa', curve: 'P-256' });
const csr = await createCertificateSigningRequest({
	subject: { commonName: 'example.com' },
	publicKey: keyPair.publicKey,
	signerPrivateKey: keyPair.privateKey,
});

const parsed = parseCertificateSigningRequestPem(csr.pem);
// parsed.subject.values.commonName === 'example.com'
```

Interfaces

AuthorityInformationAccess

Defined in: src/x509/extensions.ts:610

A single entry in the Authority Information Access extension (RFC 5280 §4.2.2.1).

Properties

method

readonly method: "ocsp" | "caIssuers" | { type: "oid"; value: string; }

Defined in: src/x509/extensions.ts:612

Access method ('ocsp', 'caIssuers', or custom OID).

uri

readonly uri: string

Defined in: src/x509/extensions.ts:620

URI where the resource can be fetched.


BasicConstraints

Defined in: src/x509/extensions.ts:251

RFC 5280 §4.2.1.9 Basic Constraints.

A certificate with ca: true may issue other certificates; pathLength limits how many additional CAs may appear below it in the chain.

Properties

ca

readonly ca: boolean

Defined in: src/x509/extensions.ts:253

Whether this certificate belongs to a CA. End-entity certs set this to false.

pathLength?

readonly optional pathLength?: number

Defined in: src/x509/extensions.ts:255

Maximum number of intermediate CA certificates allowed below this CA. Only valid when ca is true.


BuildCandidatePathInput

Defined in: src/verify/verify.ts:235

Input for buildCandidatePath.

Properties

at?

readonly optional at?: Date

Defined in: src/verify/verify.ts:245

Validation time. Defaults to new Date().

intermediates?

readonly optional intermediates?: readonly CertificateSource[]

Defined in: src/verify/verify.ts:239

Intermediate CA certificates available for path building. Order does not matter.

leaf

readonly leaf: CertificateSource

Defined in: src/verify/verify.ts:237

End-entity certificate to verify.

roots

readonly roots: readonly CertificateSource[]

Defined in: src/verify/verify.ts:241

Trusted root CA certificates. At least one root or trust anchor must be supplied.

trustAnchors?

readonly optional trustAnchors?: readonly TrustAnchor[]

Defined in: src/verify/verify.ts:243

Bare trust anchors to try when no root certificate matches.


CandidatePath

Defined in: src/verify/verify.ts:249

A signature-verified certification path from leaf to root, before constraint validation.

Properties

chain

readonly chain: readonly ParsedCertificate<Record<never, never>>[]

Defined in: src/verify/verify.ts:253

Full chain in leaf-to-root order (includes both leaf and root).

leaf

readonly leaf: ParsedCertificate

Defined in: src/verify/verify.ts:251

Parsed end-entity certificate.

root

readonly root: ParsedCertificate

Defined in: src/verify/verify.ts:255

Trusted root that terminates the path.


CategorizedPemBlocks

Defined in: src/pem/pem.ts:26

PEM blocks grouped by their label into well-known PKI categories. Blocks that don't match any known label land in others.

Properties

certificateRequests

readonly certificateRequests: readonly PemBlock[]

Defined in: src/pem/pem.ts:30

Blocks with label CERTIFICATE REQUEST.

certificates

readonly certificates: readonly PemBlock[]

Defined in: src/pem/pem.ts:28

Blocks with label CERTIFICATE.

others

readonly others: readonly PemBlock[]

Defined in: src/pem/pem.ts:36

Blocks whose label doesn't match any of the above categories.

privateKeys

readonly privateKeys: readonly PemBlock[]

Defined in: src/pem/pem.ts:32

Blocks with label PRIVATE KEY, RSA PRIVATE KEY, or EC PRIVATE KEY.

publicKeys

readonly publicKeys: readonly PemBlock[]

Defined in: src/pem/pem.ts:34

Blocks with label PUBLIC KEY.


CertificateExtensionsInput

Defined in: src/x509/extensions.ts:382

Input for createCertificate, createSelfSignedCertificate, and createCertificateSigningRequest.

Every field is optional. Omitted extensions are not encoded. Built-in extensions (SKI, AKI, basicConstraints defaults) are handled automatically by the builder.

Properties

authorityInfoAccess?

readonly optional authorityInfoAccess?: readonly AuthorityInformationAccess[]

Defined in: src/x509/extensions.ts:402

Authority Information Access — OCSP responder and CA issuer URIs.

basicConstraints?

readonly optional basicConstraints?: BasicConstraints

Defined in: src/x509/extensions.ts:388

Basic Constraints (CA flag + optional pathLength). Defaults to { ca: false } for certs.

certificatePolicies?

readonly optional certificatePolicies?: CertificatePolicies

Defined in: src/x509/extensions.ts:394

Certificate Policies with optional qualifiers.

crlDistributionPoints?

readonly optional crlDistributionPoints?: readonly DistributionPoint[]

Defined in: src/x509/extensions.ts:404

CRL Distribution Points — where to check revocation status.

customExtensions?

readonly optional customExtensions?: readonly CustomExtension[]

Defined in: src/x509/extensions.ts:406

Arbitrary extensions not covered by the built-in fields.

extendedKeyUsage?

readonly optional extendedKeyUsage?: readonly ExtendedKeyUsage[]

Defined in: src/x509/extensions.ts:390

Extended Key Usage purposes (serverAuth, clientAuth, etc.).

inhibitAnyPolicy?

readonly optional inhibitAnyPolicy?: InhibitAnyPolicy

Defined in: src/x509/extensions.ts:400

Inhibit anyPolicy skip-certs threshold.

keyUsage?

readonly optional keyUsage?: readonly KeyUsage[]

Defined in: src/x509/extensions.ts:386

Key Usage flags (digitalSignature, keyCertSign, etc.).

nameConstraints?

readonly optional nameConstraints?: NameConstraints<{ type: "dns"; value: string; } | { type: "email"; value: string; } | { type: "uri"; value: string; } | { addressBytes: Uint8Array; maskBytes: Uint8Array; type: "ip"; } | { derHex: string; type: "directoryName"; }>

Defined in: src/x509/extensions.ts:392

Name Constraints — permitted and/or excluded subtrees.

policyConstraints?

readonly optional policyConstraints?: PolicyConstraints

Defined in: src/x509/extensions.ts:398

Policy Constraints (requireExplicitPolicy / inhibitPolicyMapping thresholds).

policyMappings?

readonly optional policyMappings?: PolicyMappings

Defined in: src/x509/extensions.ts:396

Policy Mappings between issuer and subject policy domains.

subjectAltNames?

readonly optional subjectAltNames?: readonly SubjectAltName[]

Defined in: src/x509/extensions.ts:384

Subject Alternative Names (dns, ip, email, uri, srv, directoryName).


CertificateMaterial

Defined in: src/x509/certificate.ts:155

Encoded certificate material in common interchange formats.

Properties

base64

readonly base64: string

Defined in: src/x509/certificate.ts:167

Base64 encoding of der without PEM armor.

der

readonly der: Uint8Array

Defined in: src/x509/certificate.ts:159

DER-encoded certificate bytes.

pem

readonly pem: string

Defined in: src/x509/certificate.ts:163

PEM-encoded certificate.


ChainRevocationInput

Defined in: src/verify/verify.ts:317

Input for chain-level revocation checking in verifyCertificateChain.

Properties

crls?

readonly optional crls?: readonly CrlSource[]

Defined in: src/verify/verify.ts:319

CRLs to evaluate.

extraCertificates?

readonly optional extraCertificates?: readonly CertificateSource[]

Defined in: src/verify/verify.ts:323

Extra certs for indirect CRL issuers / delegated OCSP responders.

ocspResponses?

readonly optional ocspResponses?: readonly (string | Uint8Array<ArrayBufferLike>)[]

Defined in: src/verify/verify.ts:321

OCSP responses to evaluate (not yet implemented).

policy?

readonly optional policy?: RevocationPolicy

Defined in: src/verify/verify.ts:325

Revocation policy.


CreateCertificateInput

Defined in: src/x509/certificate.ts:67

Input for createCertificate.

Properties

extensions?

readonly optional extensions?: CertificateExtensionsInput

Defined in: src/x509/certificate.ts:104

X.509 extensions to encode into the certificate.

issuer

readonly issuer: NameInput

Defined in: src/x509/certificate.ts:71

Issuer distinguished name.

issuerPublicKey?

readonly optional issuerPublicKey?: CryptoKey

Defined in: src/x509/certificate.ts:90

Issuer public key.

Provide this when extension builders need issuer key material, such as authority key identifier derivation.

publicKey

readonly publicKey: CryptoKey

Defined in: src/x509/certificate.ts:79

Subject public key to encode into the certificate.

serialNumber?

readonly optional serialNumber?: Uint8Array<ArrayBufferLike>

Defined in: src/x509/certificate.ts:100

DER integer bytes for the certificate serial number.

When omitted, a random positive 16-byte serial number is generated.

signature?

readonly optional signature?: SignatureProfileInput

Defined in: src/x509/certificate.ts:111

Signature algorithm override.

When omitted, the library selects a compatible profile from the signing key.

signerPrivateKey

readonly signerPrivateKey: CryptoKey

Defined in: src/x509/certificate.ts:83

Private key used to sign the certificate.

subject

readonly subject: NameInput

Defined in: src/x509/certificate.ts:75

Subject distinguished name.

validity?

readonly optional validity?: ValidityInput

Defined in: src/x509/certificate.ts:94

Validity window configuration.


CreateCsrInput

Defined in: src/x509/csr.ts:36

Input for createCertificateSigningRequest.

Properties

extensions?

readonly optional extensions?: CertificateExtensionsInput

Defined in: src/x509/csr.ts:44

Requested X.509v3 extensions to include in the CSR attributes.

publicKey

readonly publicKey: CryptoKey

Defined in: src/x509/csr.ts:40

WebCrypto public key to embed in the CSR's SubjectPublicKeyInfo.

signature?

readonly optional signature?: SignatureProfileInput

Defined in: src/x509/csr.ts:46

Override the signature algorithm profile (hash, salt length, etc.).

signerPrivateKey

readonly signerPrivateKey: CryptoKey

Defined in: src/x509/csr.ts:42

WebCrypto private key used to self-sign the CSR (proves key possession).

subject

readonly subject: NameInput

Defined in: src/x509/csr.ts:38

Distinguished name for the CSR subject (e.g. { commonName: 'example.com' }).


CreatePfxFailure

Defined in: src/pkcs/pfx.ts:221

Error payload for a failed PFX creation.

Extends

  • Micro509Error

Properties

code

readonly code: "invalid_certificate"

Defined in: src/result/result.ts:59

Machine-readable failure reason (e.g. 'malformed', 'expired').

Inherited from

Micro509Error.code

details?

readonly optional details?: Record<never, never>

Defined in: src/result/result.ts:63

Optional structured context for the failure.

Inherited from

Micro509Error.details

message

readonly message: string

Defined in: src/result/result.ts:61

Human-readable diagnostic message.

Inherited from

Micro509Error.message

ok

readonly ok: false

Defined in: src/pkcs/pfx.ts:223

Always false for failures.


CreatePfxInput

Defined in: src/pkcs/pfx.ts:84

Input for createPfx.

Properties

certificates?

readonly optional certificates?: readonly PfxCertificateBagInput[]

Defined in: src/pkcs/pfx.ts:86

Certificates to include as certBag entries.

encryption?

readonly optional encryption?: Pbes2EncryptionOptions

Defined in: src/pkcs/pfx.ts:90

PBES2 encryption settings for the key-bag ContentInfo. Omit for unencrypted.

mac?

readonly optional mac?: Pkcs12MacOptions

Defined in: src/pkcs/pfx.ts:92

PKCS#12 MAC integrity settings. Omit to skip MAC generation.

privateKeys?

readonly optional privateKeys?: readonly PfxPrivateKeyBagInput[]

Defined in: src/pkcs/pfx.ts:88

Private keys to include as keyBag entries.


CreatePkcs7CertBagFailure

Defined in: src/pkcs/pkcs7.ts:200

Error payload for a failed PKCS#7 certificate bag creation.

Extends

  • Micro509Error

Properties

code

readonly code: "invalid_certificate"

Defined in: src/result/result.ts:59

Machine-readable failure reason (e.g. 'malformed', 'expired').

Inherited from

Micro509Error.code

details?

readonly optional details?: Record<never, never>

Defined in: src/result/result.ts:63

Optional structured context for the failure.

Inherited from

Micro509Error.details

message

readonly message: string

Defined in: src/result/result.ts:61

Human-readable diagnostic message.

Inherited from

Micro509Error.message

ok

readonly ok: false

Defined in: src/pkcs/pkcs7.ts:202

Always false for failures.


CreatePkcs7SignedDataFailure

Defined in: src/pkcs/pkcs7.ts:334

Error payload for a failed PKCS#7 SignedData creation.

Extends

  • Micro509Error

Properties

code

readonly code: CreatePkcs7SignedDataErrorCode

Defined in: src/result/result.ts:59

Machine-readable failure reason (e.g. 'malformed', 'expired').

Inherited from

Micro509Error.code

details?

readonly optional details?: Record<never, never>

Defined in: src/result/result.ts:63

Optional structured context for the failure.

Inherited from

Micro509Error.details

message

readonly message: string

Defined in: src/result/result.ts:61

Human-readable diagnostic message.

Inherited from

Micro509Error.message

ok

readonly ok: false

Defined in: src/pkcs/pkcs7.ts:337

Always false for failures.


CreatePkcs7SignedDataInput

Defined in: src/pkcs/pkcs7.ts:300

Input for createPkcs7SignedDataDer / createPkcs7SignedDataPem.

Properties

additionalCertificates?

readonly optional additionalCertificates?: readonly Pkcs7CertificateSource[]

Defined in: src/pkcs/pkcs7.ts:309

Additional certificates to embed (e.g. intermediates). Signer certificates are always embedded; duplicate DER is removed.

content

readonly content: Uint8Array

Defined in: src/pkcs/pkcs7.ts:302

Content to encapsulate and sign (the eContent).

encapsulatedContentTypeOid?

readonly optional encapsulatedContentTypeOid?: string

Defined in: src/pkcs/pkcs7.ts:314

Encapsulated content type OID.

Default

'1.2.840.113549.1.7.1' (pkcs7-data)

signers

readonly signers: readonly Pkcs7Signer[]

Defined in: src/pkcs/pkcs7.ts:304

One or more signers. Each produces a SignerInfo with signed attributes.


CreateSelfSignedCertificateInput

Defined in: src/x509/certificate.ts:117

Input for createSelfSignedCertificate.

Properties

algorithm?

readonly optional algorithm?: KeyAlgorithmInput

Defined in: src/x509/certificate.ts:127

Key generation parameters.

Ignored when keyPair is provided.

extensions?

readonly optional extensions?: CertificateExtensionsInput

Defined in: src/x509/certificate.ts:145

X.509 extensions to encode into the certificate.

keyPair?

readonly optional keyPair?: KeyPairMaterial

Defined in: src/x509/certificate.ts:133

Existing key pair to reuse for both subject and issuer.

When omitted, a new key pair is generated.

serialNumber?

readonly optional serialNumber?: Uint8Array<ArrayBufferLike>

Defined in: src/x509/certificate.ts:141

DER integer bytes for the certificate serial number.

signature?

readonly optional signature?: SignatureProfileInput

Defined in: src/x509/certificate.ts:149

Signature algorithm override.

subject

readonly subject: NameInput

Defined in: src/x509/certificate.ts:121

Subject distinguished name used as both subject and issuer.

validity?

readonly optional validity?: ValidityInput

Defined in: src/x509/certificate.ts:137

Validity window configuration.


CsrMaterial

Defined in: src/x509/csr.ts:50

DER, PEM, and base64 encodings of a CSR produced by createCertificateSigningRequest.

Properties

base64

readonly base64: string

Defined in: src/x509/csr.ts:56

Base64-encoded DER (no PEM armor).

der

readonly der: Uint8Array

Defined in: src/x509/csr.ts:52

Raw DER-encoded PKCS#10 CertificationRequest.

pem

readonly pem: string

Defined in: src/x509/csr.ts:54

PEM-armored CSR (-----BEGIN CERTIFICATE REQUEST-----).


DecodedExtensionValue

Defined in: src/x509/parse.ts:278

A successfully decoded extension value paired with its OID and criticality.

Type Parameters

TValue

TValue

Properties

critical

readonly critical: boolean

Defined in: src/x509/parse.ts:282

Whether the extension was marked critical in the certificate.

oid

readonly oid: string

Defined in: src/x509/parse.ts:280

Dotted-decimal OID of the decoded extension.

value

readonly value: TValue

Defined in: src/x509/parse.ts:284

Typed value produced by the ExtensionDecoder.


DistributionPointName

Defined in: src/x509/extensions.ts:154

Name component of a CRL Distribution Point (RFC 5280 §4.2.1.13).

Supply exactly one of fullName or relativeName.

Properties

fullName?

readonly optional fullName?: readonly SubjectAltName[]

Defined in: src/x509/extensions.ts:156

Absolute GeneralName(s) identifying the distribution point (usually a URI).

relativeName?

readonly optional relativeName?: RelativeDistinguishedNameInput

Defined in: src/x509/extensions.ts:158

Name relative to the issuer's DN; mutually exclusive with fullName.


DnsServiceIdentityInput

Defined in: src/verify/identity.ts:18

DNS hostname reference identifier.

Properties

allowCommonNameFallback?

readonly optional allowCommonNameFallback?: boolean

Defined in: src/verify/identity.ts:28

When true, falls back to the subject CN if the SAN extension has no dns/uri/srv entries. Suppressed when any supported SAN type is present.

Default

```ts
false
```

type

readonly type: "dns"

Defined in: src/verify/identity.ts:20

Discriminant for DNS hostname matching.

value

readonly value: string

Defined in: src/verify/identity.ts:22

The hostname to match (e.g. "mail.example.com"). Wildcard labels in the certificate are handled internally.


EcKeyAlgorithmInput

Defined in: src/keys/keys.ts:84

ECDSA variant of KeyAlgorithmInput.

Properties

curve?

readonly optional curve?: EcNamedCurve

Defined in: src/keys/keys.ts:88

NIST curve. Defaults to 'P-256'.

kind

readonly kind: "ecdsa"

Defined in: src/keys/keys.ts:86

Discriminant selecting ECDSA key generation.


Ed25519KeyAlgorithmInput

Defined in: src/keys/keys.ts:92

Ed25519 variant of KeyAlgorithmInput.

Properties

kind

readonly kind: "ed25519"

Defined in: src/keys/keys.ts:94

Discriminant selecting Ed25519 key generation.


EkuCheckFailure

Defined in: src/verify/verify.ts:117

Failure from checkExtendedKeyUsage with the chain index of the certificate that failed.

Extends

  • Micro509Error<"leaf_eku_missing" | "intermediate_eku_constraint">

Properties

code

readonly code: "intermediate_eku_constraint" | "leaf_eku_missing"

Defined in: src/result/result.ts:59

Machine-readable failure reason (e.g. 'malformed', 'expired').

Inherited from

Micro509Error.code

details?

readonly optional details?: Record<never, never>

Defined in: src/result/result.ts:63

Optional structured context for the failure.

Inherited from

Micro509Error.details

index

readonly index: number

Defined in: src/verify/verify.ts:122

Zero-based index into the chain of the certificate that lacks the required EKU.

message

readonly message: string

Defined in: src/result/result.ts:61

Human-readable diagnostic message.

Inherited from

Micro509Error.message

ok

readonly ok: false

Defined in: src/verify/verify.ts:120

Always false for failures.


ErrorResult

Defined in: src/result/result.ts:29

Failed result with a flattened code/message/details surface for ergonomic matching.

Type Parameters

TCode

TCode extends string

TDetails

TDetails

TError

TError extends Micro509Error<TCode, TDetails>

Properties

code

readonly code: TCode

Defined in: src/result/result.ts:39

Machine-readable failure reason, mirrored from error.code.

details?

readonly optional details?: TDetails

Defined in: src/result/result.ts:43

Optional structured context for the failure.

error

readonly error: TError

Defined in: src/result/result.ts:37

Structured error payload.

message

readonly message: string

Defined in: src/result/result.ts:41

Human-readable diagnostic, mirrored from error.message.

ok

readonly ok: false

Defined in: src/result/result.ts:35

Always false for failures.


ExtensionDecoder

Defined in: src/x509/parse.ts:236

User-supplied decoder for a single extension OID.

Register with ParseOptions.decoders or ParseOptions.decoderMap to decode custom extensions during parsing.

Type Parameters

TValue

TValue

Properties

oid

readonly oid: string

Defined in: src/x509/parse.ts:238

OID this decoder handles.

Methods

decode()

decode(extension): TValue

Defined in: src/x509/parse.ts:240

Decode the raw ParsedExtension into a typed value.

Parameters

extension

ParsedExtension

Returns

TValue


GeneralSubtree

Defined in: src/x509/extensions.ts:529

A single subtree entry in a Name Constraints permitted/excluded list.

Type Parameters

TForm

TForm extends ParsedNameConstraintForm = { type: "dns"; value: string; } | { type: "email"; value: string; } | { type: "uri"; value: string; } | { addressBytes: Uint8Array; maskBytes: Uint8Array; type: "ip"; } | { derHex: string; type: "directoryName"; }

Properties

base

readonly base: TForm

Defined in: src/x509/extensions.ts:554

The name form that defines this constraint boundary.


ImportEcPublicKeyInput

Defined in: src/keys/keys.ts:134

ECDSA variant of PublicKeyImportInput.

Properties

curve

readonly curve: EcNamedCurve

Defined in: src/keys/keys.ts:138

NIST curve the key belongs to. Required for EC import.

kind

readonly kind: "ecdsa"

Defined in: src/keys/keys.ts:136

Discriminant selecting ECDSA import.


ImportEd25519PublicKeyInput

Defined in: src/keys/keys.ts:142

Ed25519 variant of PublicKeyImportInput.

Properties

kind

readonly kind: "ed25519"

Defined in: src/keys/keys.ts:144

Discriminant selecting Ed25519 import.


ImportEncryptedKeyFailure

Defined in: src/keys/keys.ts:197

Structured failure payload for encrypted key import.

Extends

  • Micro509Error

Properties

code

readonly code: ImportEncryptedKeyErrorCode

Defined in: src/result/result.ts:59

Machine-readable failure reason (e.g. 'malformed', 'expired').

Inherited from

Micro509Error.code

details?

readonly optional details?: Record<never, never>

Defined in: src/result/result.ts:63

Optional structured context for the failure.

Inherited from

Micro509Error.details

message

readonly message: string

Defined in: src/result/result.ts:61

Human-readable diagnostic message.

Inherited from

Micro509Error.message

ok

readonly ok: false

Defined in: src/keys/keys.ts:198


ImportKeyFailure

Defined in: src/keys/keys.ts:173

Structured failure payload for key import.

Extends

  • Micro509Error

Properties

code

readonly code: "malformed"

Defined in: src/result/result.ts:59

Machine-readable failure reason (e.g. 'malformed', 'expired').

Inherited from

Micro509Error.code

details?

readonly optional details?: Record<never, never>

Defined in: src/result/result.ts:63

Optional structured context for the failure.

Inherited from

Micro509Error.details

message

readonly message: string

Defined in: src/result/result.ts:61

Human-readable diagnostic message.

Inherited from

Micro509Error.message

ok

readonly ok: false

Defined in: src/keys/keys.ts:174


ImportRsaPublicKeyInput

Defined in: src/keys/keys.ts:124

RSA variant of PublicKeyImportInput.

Properties

hash?

readonly optional hash?: RsaHash

Defined in: src/keys/keys.ts:128

Hash algorithm. Defaults to 'SHA-256'.

kind

readonly kind: "rsa"

Defined in: src/keys/keys.ts:126

Discriminant selecting RSA import.

scheme?

readonly optional scheme?: RsaScheme

Defined in: src/keys/keys.ts:130

Signature padding scheme. Defaults to 'pkcs1-v1_5'.


IndexedErrorResult

Defined in: src/result/result.ts:47

Like ErrorResult but also carries an index into the collection that was being processed.

Extends

  • ErrorResult

Type Parameters

TCode

TCode extends string

TDetails

TDetails

TError

TError extends IndexedMicro509Error<TCode, TDetails>

Properties

code

readonly code: TCode

Defined in: src/result/result.ts:39

Machine-readable failure reason, mirrored from error.code.

Inherited from

ErrorResult.code

details?

readonly optional details?: TDetails

Defined in: src/result/result.ts:43

Optional structured context for the failure.

Inherited from

ErrorResult.details

error

readonly error: TError

Defined in: src/result/result.ts:37

Structured error payload.

Inherited from

ErrorResult.error

index?

readonly optional index?: number

Defined in: src/result/result.ts:53

Zero-based position of the failing item in the input collection.

message

readonly message: string

Defined in: src/result/result.ts:41

Human-readable diagnostic, mirrored from error.message.

Inherited from

ErrorResult.message

ok

readonly ok: false

Defined in: src/result/result.ts:35

Always false for failures.

Inherited from

ErrorResult.ok


IndexedMicro509Error

Defined in: src/result/result.ts:67

Like Micro509Error but includes a positional index for collection-processing APIs.

Extends

  • Micro509Error

Type Parameters

TCode

TCode extends string

TDetails

TDetails = Record<never, never>

Properties

code

readonly code: TCode

Defined in: src/result/result.ts:59

Machine-readable failure reason (e.g. 'malformed', 'expired').

Inherited from

Micro509Error.code

details?

readonly optional details?: TDetails

Defined in: src/result/result.ts:63

Optional structured context for the failure.

Inherited from

Micro509Error.details

index?

readonly optional index?: number

Defined in: src/result/result.ts:70

Zero-based position of the failing item in the input collection.

message

readonly message: string

Defined in: src/result/result.ts:61

Human-readable diagnostic message.

Inherited from

Micro509Error.message


InhibitAnyPolicy

Defined in: src/x509/extensions.ts:369

RFC 5280 §4.2.1.14 Inhibit anyPolicy.

After skipCerts additional certificates in the path, the special anyPolicy OID is no longer considered a match.

Properties

skipCerts

readonly skipCerts: number

Defined in: src/x509/extensions.ts:371

Number of additional certificates before anyPolicy stops being valid.


InitialNameConstraintsInput

Defined in: src/verify/name-constraints.ts:18

Input for createNameConstraintValidationState.

Seeds the name-constraint engine with trust-anchor-level subtree restrictions that apply before any certificate in the chain is processed.

Properties

excludedSubtrees?

readonly optional excludedSubtrees?: readonly GeneralSubtree<{ type: "dns"; value: string; } | { type: "email"; value: string; } | { type: "uri"; value: string; } | { addressBytes: Uint8Array; maskBytes: Uint8Array; type: "ip"; } | { derHex: string; type: "directoryName"; }>[]

Defined in: src/verify/name-constraints.ts:22

Subtrees that no subsequent subject name may fall within. Default: none.

permittedSubtrees?

readonly optional permittedSubtrees?: readonly GeneralSubtree<{ type: "dns"; value: string; } | { type: "email"; value: string; } | { type: "uri"; value: string; } | { addressBytes: Uint8Array; maskBytes: Uint8Array; type: "ip"; } | { derHex: string; type: "directoryName"; }>[]

Defined in: src/verify/name-constraints.ts:20

Subtrees within which all subsequent subject names must fall. Default: unconstrained.


IpServiceIdentityInput

Defined in: src/verify/identity.ts:32

IP address reference identifier.

Properties

type

readonly type: "ip"

Defined in: src/verify/identity.ts:34

Discriminant for IP address matching.

value

readonly value: string

Defined in: src/verify/identity.ts:36

IPv4 or IPv6 address string. Normalized before comparison.


KeyPairMaterial

Defined in: src/keys/keys.ts:104

Key pair with convenience export helpers. Returned by generateKeyPair.

Properties

privateKey

readonly privateKey: CryptoKey

Defined in: src/keys/keys.ts:108

The WebCrypto private key (extractable, sign usage).

publicKey

readonly publicKey: CryptoKey

Defined in: src/keys/keys.ts:106

The WebCrypto public key (extractable, verify usage).

Methods

exportPkcs8Der()

exportPkcs8Der(): Promise<Uint8Array<ArrayBufferLike>>

Defined in: src/keys/keys.ts:114

Export the private key as DER-encoded PKCS#8 PrivateKeyInfo.

Returns

Promise<Uint8Array<ArrayBufferLike>>

exportPkcs8Pem()

exportPkcs8Pem(): Promise<string>

Defined in: src/keys/keys.ts:116

Export the private key as PEM-encoded PKCS#8 PrivateKeyInfo.

Returns

Promise<string>

exportPrivateJwk()

exportPrivateJwk(): Promise<JsonWebKey>

Defined in: src/keys/keys.ts:120

Export the private key as a JSON Web Key.

Returns

Promise<JsonWebKey>

exportPublicJwk()

exportPublicJwk(): Promise<JsonWebKey>

Defined in: src/keys/keys.ts:118

Export the public key as a JSON Web Key.

Returns

Promise<JsonWebKey>

exportSpkiDer()

exportSpkiDer(): Promise<Uint8Array<ArrayBufferLike>>

Defined in: src/keys/keys.ts:110

Export the public key as DER-encoded SubjectPublicKeyInfo.

Returns

Promise<Uint8Array<ArrayBufferLike>>

exportSpkiPem()

exportSpkiPem(): Promise<string>

Defined in: src/keys/keys.ts:112

Export the public key as PEM-encoded SubjectPublicKeyInfo.

Returns

Promise<string>


LegacyPemEncryptionOptions

Defined in: src/keys/keys.ts:160

Options for OpenSSL-style Proc-Type: 4,ENCRYPTED PEM encryption (PKCS#1/SEC1).

Properties

cipher?

readonly optional cipher?: "AES-128-CBC" | "AES-192-CBC" | "AES-256-CBC"

Defined in: src/keys/keys.ts:166

AES-CBC cipher. Defaults to 'AES-256-CBC'.

iv?

readonly optional iv?: Uint8Array<ArrayBufferLike>

Defined in: src/keys/keys.ts:164

16-byte initialization vector. Random when omitted.

password

readonly password: string

Defined in: src/keys/keys.ts:162

Passphrase used to derive the encryption key.


MatchServiceIdentityFailure

Defined in: src/verify/identity.ts:95

A failed identity-matching attempt.

Extends

  • Micro509Error

Properties

code

readonly code: MatchServiceIdentityErrorCode

Defined in: src/result/result.ts:59

Machine-readable failure reason (e.g. 'malformed', 'expired').

Inherited from

Micro509Error.code

details?

readonly optional details?: MatchServiceIdentityFailureDetails

Defined in: src/result/result.ts:63

Optional structured context for the failure.

Inherited from

Micro509Error.details

message

readonly message: string

Defined in: src/result/result.ts:61

Human-readable diagnostic message.

Inherited from

Micro509Error.message

ok

readonly ok: false

Defined in: src/verify/identity.ts:98

Always false for failures.


MatchServiceIdentityInput

Defined in: src/verify/identity.ts:129

Input for matchServiceIdentity.

Properties

certificate

readonly certificate: ParsedCertificate

Defined in: src/verify/identity.ts:131

The parsed leaf certificate to check.

serviceIdentity

readonly serviceIdentity: ServiceIdentityInput

Defined in: src/verify/identity.ts:133

The reference identifier the client wants to verify.


MatchServiceIdentitySuccess

Defined in: src/verify/identity.ts:102

A successful identity match (the certificate covers the requested name).

Properties

ok

readonly ok: true

Defined in: src/verify/identity.ts:104

Always true for success.

value

readonly value: undefined

Defined in: src/verify/identity.ts:106

No payload on success — the match itself is the signal.


Micro509Error

Defined in: src/result/result.ts:57

Base error shape carried by all failure results in the library.

Extended by

Type Parameters

TCode

TCode extends string

TDetails

TDetails = Record<never, never>

Properties

code

readonly code: TCode

Defined in: src/result/result.ts:59

Machine-readable failure reason (e.g. 'malformed', 'expired').

details?

readonly optional details?: TDetails

Defined in: src/result/result.ts:63

Optional structured context for the failure.

message

readonly message: string

Defined in: src/result/result.ts:61

Human-readable diagnostic message.


NameAttribute

Defined in: src/x509/name.ts:133

Single name attribute within a distinguished name.

RFC 5280 / X.501 call this structure an AttributeTypeAndValue.

See

RFC 5280 Appendix A.1

encodeName places each attribute in its own single-attribute RDN.
encodeRelativeDistinguishedName packs several attributes into one RDN.

Properties

type

readonly type: NameFieldKey

Defined in: src/x509/name.ts:135

Which attribute type this pair represents.

value

readonly value: string

Defined in: src/x509/name.ts:137

The string value for this attribute (encoding chosen per field definition).


NameConstraints

Defined in: src/x509/extensions.ts:563

RFC 5280 §4.2.1.10 Name Constraints.

A CA certificate may restrict the namespace of all subject names in subsequent certificates in the path.

Type Parameters

TForm

TForm extends ParsedNameConstraintForm = { type: "dns"; value: string; } | { type: "email"; value: string; } | { type: "uri"; value: string; } | { addressBytes: Uint8Array; maskBytes: Uint8Array; type: "ip"; } | { derHex: string; type: "directoryName"; }

Properties

excludedSubtrees?

readonly optional excludedSubtrees?: readonly GeneralSubtree<TForm>[]

Defined in: src/x509/extensions.ts:590

Names that MUST NOT fall within these subtrees. Takes precedence over permitted.

permittedSubtrees?

readonly optional permittedSubtrees?: readonly GeneralSubtree<TForm>[]

Defined in: src/x509/extensions.ts:588

Names that MUST fall within these subtrees to be valid.


NameObject

Defined in: src/x509/name.ts:97

Convenience object form of an X.501 distinguished name.

Populated fields are emitted in the order defined by NAME_OBJECT_ORDER.
Each populated field becomes its own single-attribute RDN.

For caller-controlled ordering, pass a NameAttribute array to encodeName.
For multi-valued RDNs, use encodeRelativeDistinguishedName.

Properties

commonName?

readonly optional commonName?: string

Defined in: src/x509/name.ts:99

Subject or issuer common name (CN).

country?

readonly optional country?: string

Defined in: src/x509/name.ts:105

ISO 3166 two-letter country code (C). Must be exactly 2 characters.

emailAddress?

readonly optional emailAddress?: string

Defined in: src/x509/name.ts:121

RFC 822 email address. Encoded as IA5String, not UTF-8.

givenName?

readonly optional givenName?: string

Defined in: src/x509/name.ts:119

First / given name (GN).

locality?

readonly optional locality?: string

Defined in: src/x509/name.ts:107

City or locality (L).

organization?

readonly optional organization?: string

Defined in: src/x509/name.ts:113

Organization name (O).

organizationalUnit?

readonly optional organizationalUnit?: string

Defined in: src/x509/name.ts:115

Organizational unit (OU). Deprecated in modern CA practice.

serialNumber?

readonly optional serialNumber?: string

Defined in: src/x509/name.ts:103

Device or entity serial number — not the certificate serial.

state?

readonly optional state?: string

Defined in: src/x509/name.ts:109

State or province (ST).

street?

readonly optional street?: string

Defined in: src/x509/name.ts:111

Street address.

surname?

readonly optional surname?: string

Defined in: src/x509/name.ts:101

Subject surname (SN).

title?

readonly optional title?: string

Defined in: src/x509/name.ts:117

Job title or functional designation.


ParseCertificateFailure

Defined in: src/x509/parse.ts:98

Structured failure payload for certificate parsing.

Extends

Micro509Error

Properties

code

readonly code: "malformed"

Defined in: src/result/result.ts:59

Machine-readable failure reason (e.g. 'malformed', 'expired').

Inherited from

Micro509Error.code

details?

readonly optional details?: Record<never, never>

Defined in: src/result/result.ts:63

Optional structured context for the failure.

Inherited from

Micro509Error.details

message

readonly message: string

Defined in: src/result/result.ts:61

Human-readable diagnostic message.

Inherited from

Micro509Error.message

ok

readonly ok: false

Defined in: src/x509/parse.ts:99


ParseCertificateSigningRequestFailure

Defined in: src/x509/parse.ts:111

Structured failure payload for CSR parsing.

Extends

Micro509Error

Properties

code

readonly code: "malformed"

Defined in: src/result/result.ts:59

Machine-readable failure reason (e.g. 'malformed', 'expired').

Inherited from

Micro509Error.code

details?

readonly optional details?: Record<never, never>

Defined in: src/result/result.ts:63

Optional structured context for the failure.

Inherited from

Micro509Error.details

message

readonly message: string

Defined in: src/result/result.ts:61

Human-readable diagnostic message.

Inherited from

Micro509Error.message

ok

readonly ok: false

Defined in: src/x509/parse.ts:113


ParsedBitFlags

Defined in: src/internal/x509/extension-bits.ts:21

Decoded BIT STRING flags with DER conformance metadata.

flags contains the recognized flag values with any non-zero padding bits masked out. nonZeroPadding is true when the original BIT STRING encoding had non-zero bits in positions that DER (X.690 §11.2.2) requires to be zero. Verification layers can use this signal to reject non-conformant encodings.

Type Parameters

T

T extends string

Properties

flags

readonly flags: readonly T[]

Defined in: src/internal/x509/extension-bits.ts:23

Decoded flag values, padding bits masked.

nonZeroPadding

readonly nonZeroPadding: boolean

Defined in: src/internal/x509/extension-bits.ts:25

true when the original encoding had non-zero padding bits (DER violation).
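To make the padding rule above concrete, here is an added example (not micro509's own decoder) that turns the contents octets of a DER BIT STRING into the `ParsedBitFlags` shape documented above: the first octet gives the unused-bit count, bit 0 is the most significant bit of the next octet, and any unused bit that is set is reported as `nonZeroPadding` rather than silently dropped. The Key Usage bit names follow RFC 5280 §4.2.1.3; the sample byte strings are constructed for the example.

```typescript
// Added example, not part of micro509: decode BIT STRING flags with DER padding check.

export interface ParsedBitFlags<T extends string> {
  readonly flags: readonly T[];
  readonly nonZeroPadding: boolean;
}

// Key Usage bit positions in order, bit 0 first (RFC 5280 §4.2.1.3).
export const KEY_USAGE_NAMES = [
  'digitalSignature', 'nonRepudiation', 'keyEncipherment', 'dataEncipherment',
  'keyAgreement', 'keyCertSign', 'cRLSign', 'encipherOnly', 'decipherOnly',
] as const;
export type KeyUsage = (typeof KEY_USAGE_NAMES)[number];

// `content` is the BIT STRING contents octets: unused-bit count, then the bit data.
export function decodeBitFlags<T extends string>(content: Uint8Array, names: readonly T[]): ParsedBitFlags<T> {
  if (content.length === 0) throw new Error('BIT STRING contents must carry the unused-bits octet');
  const unused = content[0] ?? 0;
  if (unused > 7) throw new Error(`unused-bits count ${unused} exceeds 7`);
  const data = content.subarray(1);
  if (data.length === 0 && unused !== 0) throw new Error('padding declared on an empty BIT STRING');
  const totalBits = data.length * 8 - unused;

  // Only bits inside the declared length count as flags; padding bits are masked out.
  const flags: T[] = [];
  for (let i = 0; i < names.length && i < totalBits; i++) {
    const name = names[i];
    const byte = data[i >> 3] ?? 0;
    if (name !== undefined && (byte & (0x80 >> (i & 7))) !== 0) flags.push(name);
  }

  // X.690 §11.2.2: DER requires every unused bit to be zero. Surface a violation so a
  // verification layer can reject the encoding instead of accepting two encodings of one value.
  let nonZeroPadding = false;
  if (unused > 0) {
    const lastByte = data[data.length - 1] ?? 0;
    nonZeroPadding = (lastByte & ((1 << unused) - 1)) !== 0;
  }
  return { flags, nonZeroPadding };
}

export function decodeKeyUsage(content: Uint8Array): ParsedBitFlags<KeyUsage> {
  return decodeBitFlags(content, KEY_USAGE_NAMES);
}

// Constructed sample inputs (not from a real certificate):
//   05 a0 -> 5 unused bits, bits 0 and 2 set, clean padding
//   05 a7 -> same flags, but 0b111 sits inside the padding region
export const CLEAN_KEY_USAGE = decodeKeyUsage(Uint8Array.from([0x05, 0xa0]));
export const SLOPPY_KEY_USAGE = decodeKeyUsage(Uint8Array.from([0x05, 0xa7]));
```

Both samples decode to `digitalSignature` and `keyEncipherment`; only the second sets `nonZeroPadding`, which is the signal a strict verifier uses to reject the non-canonical encoding.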


ParsedCertificate

Defined in: src/x509/parse.ts:308

A fully decoded X.509 certificate.

Built-in extensions (basicConstraints, keyUsage, etc.) are decoded into typed fields automatically.
Supply ParseOptions to also decode custom extensions.

Type Parameters

TMap

TMap extends ExtensionDecoderMap = Record<never, never>

Properties

authorityInfoAccess?

readonly optional authorityInfoAccess?: readonly AuthorityInformationAccess[]

Defined in: src/x509/parse.ts:364

Decoded Authority Information Access — OCSP and CA Issuer URIs (RFC 5280 §4.2.2.1).

authorityKeyIdentifier?

readonly optional authorityKeyIdentifier?: string

Defined in: src/x509/parse.ts:374

Hex-encoded Authority Key Identifier (RFC 5280 §4.2.1.1).

basicConstraints?

readonly optional basicConstraints?: BasicConstraints

Defined in: src/x509/parse.ts:346

Decoded Basic Constraints (RFC 5280 §4.2.1.9).

certificatePolicies?

readonly optional certificatePolicies?: CertificatePolicies

Defined in: src/x509/parse.ts:356

Decoded Certificate Policies (RFC 5280 §4.2.1.4).

crlDistributionPoints?

readonly optional crlDistributionPoints?: readonly ParsedDistributionPoint[]

Defined in: src/x509/parse.ts:366

Decoded CRL Distribution Points (RFC 5280 §4.2.1.13).

decodedExtensionMap?

readonly optional decodedExtensionMap?: DecodedExtensionMap<TMap>

Defined in: src/x509/parse.ts:370

Custom-decoded extensions from ParseOptions.decoderMap, keyed by map key.

decodedExtensions?

readonly optional decodedExtensions?: readonly DecodedExtensionValue<unknown>[]

Defined in: src/x509/parse.ts:368

Custom-decoded extensions from ParseOptions.decoders.

der

readonly der: Uint8Array

Defined in: src/x509/parse.ts:310

Complete DER encoding of the certificate (copied from the input).

extendedKeyUsage?

readonly optional extendedKeyUsage?: readonly ExtendedKeyUsage[]

Defined in: src/x509/parse.ts:350

Decoded Extended Key Usage purposes (RFC 5280 §4.2.1.12).

extensions

readonly extensions: readonly ParsedExtension[]

Defined in: src/x509/parse.ts:344

All extensions as raw ParsedExtensions, in certificate order.

inhibitAnyPolicy?

readonly optional inhibitAnyPolicy?: InhibitAnyPolicy

Defined in: src/x509/parse.ts:362

Decoded Inhibit anyPolicy (RFC 5280 §4.2.1.14).

issuer

readonly issuer: ParsedName

Defined in: src/x509/parse.ts:322

Distinguished name of the certificate issuer.

keyUsage?

readonly optional keyUsage?: ParsedBitFlags<KeyUsage>

Defined in: src/x509/parse.ts:348

Decoded Key Usage bit flags (RFC 5280 §4.2.1.3).

nameConstraints?

readonly optional nameConstraints?: NameConstraints<ParsedNameConstraintForm>

Defined in: src/x509/parse.ts:354

Decoded Name Constraints (RFC 5280 §4.2.1.10).

notAfter

readonly notAfter: Date

Defined in: src/x509/parse.ts:328

End of the certificate validity period.

notBefore

readonly notBefore: Date

Defined in: src/x509/parse.ts:326

Start of the certificate validity period.

policyConstraints?

readonly optional policyConstraints?: PolicyConstraints

Defined in: src/x509/parse.ts:360

Decoded Policy Constraints (RFC 5280 §4.2.1.11).

policyMappings?

readonly optional policyMappings?: PolicyMappings

Defined in: src/x509/parse.ts:358

Decoded Policy Mappings (RFC 5280 §4.2.1.5).

publicKeyAlgorithmName

readonly publicKeyAlgorithmName: string

Defined in: src/x509/parse.ts:338

Human-readable public key algorithm name (e.g. "EC P-256").

publicKeyAlgorithmOid

readonly publicKeyAlgorithmOid: string

Defined in: src/x509/parse.ts:336

OID of the subject's public key algorithm (e.g. "1.2.840.10045.2.1" for EC).

publicKeyAlgorithmParametersDer?

readonly optional publicKeyAlgorithmParametersDer?: Uint8Array<ArrayBufferLike>

Defined in: src/x509/parse.ts:340

DER-encoded parameters for the public key algorithm. Absent when implicit.

publicKeyParametersOid?

readonly optional publicKeyParametersOid?: string

Defined in: src/x509/parse.ts:342

OID of the named curve or other key sub-parameter, when present.

serialNumberHex

readonly serialNumberHex: string

Defined in: src/x509/parse.ts:314

Hex-encoded serial number assigned by the issuing CA.

signatureAlgorithmName

readonly signatureAlgorithmName: string

Defined in: src/x509/parse.ts:332

Human-readable signature algorithm name (e.g. "ECDSA with SHA-256").

signatureAlgorithmOid

readonly signatureAlgorithmOid: string

Defined in: src/x509/parse.ts:330

OID of the algorithm used to sign this certificate (e.g. "1.2.840.113549.1.1.11" for SHA-256 with RSA).

signatureAlgorithmParametersDer?

readonly optional signatureAlgorithmParametersDer?: Uint8Array<ArrayBufferLike>

Defined in: src/x509/parse.ts:334

DER-encoded parameters for the signature algorithm. Absent for algorithms with no parameters.

signatureValue

readonly signatureValue: Uint8Array

Defined in: src/x509/parse.ts:320

Raw signature bytes (BIT STRING content, padding removed).

subject

readonly subject: ParsedName

Defined in: src/x509/parse.ts:324

Distinguished name of the certificate subject.

subjectAltNames?

readonly optional subjectAltNames?: readonly SubjectAltName[]

Defined in: src/x509/parse.ts:352

Decoded Subject Alternative Names (RFC 5280 §4.2.1.6).

subjectKeyIdentifier?

readonly optional subjectKeyIdentifier?: string

Defined in: src/x509/parse.ts:372

Hex-encoded Subject Key Identifier (RFC 5280 §4.2.1.2).

subjectPublicKeyInfoDer

readonly subjectPublicKeyInfoDer: Uint8Array

Defined in: src/x509/parse.ts:318

DER encoding of the SubjectPublicKeyInfo, used for key import.

tbsCertificateDer

readonly tbsCertificateDer: Uint8Array

Defined in: src/x509/parse.ts:316

DER encoding of the TBSCertificate, used for signature verification.

version

readonly version: number

Defined in: src/x509/parse.ts:312

X.509 version number (1, 2, or 3). Almost always 3.


ParsedCertificateSigningRequest

Defined in: src/x509/parse.ts:383

A fully decoded PKCS#10 Certificate Signing Request.

Extension fields mirror ParsedCertificate but come from the CSR's extensionRequest attribute rather than the v3 extensions block.

Type Parameters

TMap

TMap extends ExtensionDecoderMap = Record<never, never>

Properties

authorityInfoAccess?

readonly optional authorityInfoAccess?: readonly AuthorityInformationAccess[]

Defined in: src/x509/parse.ts:431

Decoded Authority Information Access from the extensionRequest attribute.

basicConstraints?

readonly optional basicConstraints?: BasicConstraints

Defined in: src/x509/parse.ts:413

Decoded Basic Constraints from the extensionRequest attribute.

certificatePolicies?

readonly optional certificatePolicies?: CertificatePolicies

Defined in: src/x509/parse.ts:423

Decoded Certificate Policies from the extensionRequest attribute.

certificationRequestInfoDer

readonly certificationRequestInfoDer: Uint8Array

Defined in: src/x509/parse.ts:389

DER encoding of the CertificationRequestInfo, used for signature verification.

crlDistributionPoints?

readonly optional crlDistributionPoints?: readonly ParsedDistributionPoint[]

Defined in: src/x509/parse.ts:433

Decoded CRL Distribution Points from the extensionRequest attribute.

decodedExtensionMap?

readonly optional decodedExtensionMap?: DecodedExtensionMap<TMap>

Defined in: src/x509/parse.ts:437

Custom-decoded extensions from ParseOptions.decoderMap.

decodedExtensions?

readonly optional decodedExtensions?: readonly DecodedExtensionValue<unknown>[]

Defined in: src/x509/parse.ts:435

Custom-decoded extensions from ParseOptions.decoders.

extendedKeyUsage?

readonly optional extendedKeyUsage?: readonly ExtendedKeyUsage[]

Defined in: src/x509/parse.ts:417

Decoded Extended Key Usage from the extensionRequest attribute.

inhibitAnyPolicy?

readonly optional inhibitAnyPolicy?: InhibitAnyPolicy

Defined in: src/x509/parse.ts:429

Decoded Inhibit anyPolicy from the extensionRequest attribute.

keyUsage?

readonly optional keyUsage?: ParsedBitFlags<KeyUsage>

Defined in: src/x509/parse.ts:415

Decoded Key Usage from the extensionRequest attribute.

nameConstraints?

readonly optional nameConstraints?: NameConstraints<ParsedNameConstraintForm>

Defined in: src/x509/parse.ts:421

Decoded Name Constraints from the extensionRequest attribute.

policyConstraints?

readonly optional policyConstraints?: PolicyConstraints

Defined in: src/x509/parse.ts:427

Decoded Policy Constraints from the extensionRequest attribute.

policyMappings?

readonly optional policyMappings?: PolicyMappings

Defined in: src/x509/parse.ts:425

Decoded Policy Mappings from the extensionRequest attribute.

publicKeyAlgorithmName

readonly publicKeyAlgorithmName: string

Defined in: src/x509/parse.ts:405

Human-readable public key algorithm name (e.g. "EC P-256").

publicKeyAlgorithmOid

readonly publicKeyAlgorithmOid: string

Defined in: src/x509/parse.ts:403

OID of the subject's public key algorithm.

publicKeyAlgorithmParametersDer?

readonly optional publicKeyAlgorithmParametersDer?: Uint8Array<ArrayBufferLike>

Defined in: src/x509/parse.ts:407

DER-encoded parameters for the public key algorithm.

publicKeyParametersOid?

readonly optional publicKeyParametersOid?: string

Defined in: src/x509/parse.ts:409

OID of the named curve or other key sub-parameter, when present.

requestedExtensions

readonly requestedExtensions: readonly ParsedExtension[]

Defined in: src/x509/parse.ts:411

All requested extensions as raw ParsedExtensions.

signatureAlgorithmName

readonly signatureAlgorithmName: string

Defined in: src/x509/parse.ts:399

Human-readable signature algorithm name (e.g. "ECDSA with SHA-256").

signatureAlgorithmOid

readonly signatureAlgorithmOid: string

Defined in: src/x509/parse.ts:397

OID of the algorithm used to sign this CSR.

signatureAlgorithmParametersDer?

readonly optional signatureAlgorithmParametersDer?: Uint8Array<ArrayBufferLike>

Defined in: src/x509/parse.ts:401

DER-encoded parameters for the signature algorithm. Absent for algorithms with no parameters.

signatureValue

readonly signatureValue: Uint8Array

Defined in: src/x509/parse.ts:393

Raw signature bytes (BIT STRING content, padding removed).

subject

readonly subject: ParsedName

Defined in: src/x509/parse.ts:395

Distinguished name the requester wants on the certificate.

subjectAltNames?

readonly optional subjectAltNames?: readonly SubjectAltName[]

Defined in: src/x509/parse.ts:419

Decoded Subject Alternative Names from the extensionRequest attribute.

subjectPublicKeyInfoDer

readonly subjectPublicKeyInfoDer: Uint8Array

Defined in: src/x509/parse.ts:391

DER encoding of the SubjectPublicKeyInfo.

version

readonly version: number

Defined in: src/x509/parse.ts:387

PKCS#10 version number (always 1).


ParsedDistributionPoint

Defined in: src/x509/parse.ts:190

A decoded DistributionPoint from the CRL Distribution Points extension.

Properties

crlIssuer?

readonly optional crlIssuer?: readonly SubjectAltName[]

Defined in: src/x509/parse.ts:196

Entity that signed the CRL, when different from the certificate issuer.

distributionPoint?

readonly optional distributionPoint?: ParsedDistributionPointName

Defined in: src/x509/parse.ts:192

Where to fetch the CRL — a fullName URI or relativeName.

reasons?

readonly optional reasons?: ParsedBitFlags<DistributionPointReason>

Defined in: src/x509/parse.ts:194

Revocation reason subset this distribution point covers. Absent means all reasons.


ParsedDistributionPointName

Defined in: src/x509/parse.ts:182

The name component of a CRL Distribution Point (RFC 5280 §4.2.1.13). Exactly one of fullName or relativeName will be present.

Properties

fullName?

readonly optional fullName?: readonly SubjectAltName[]

Defined in: src/x509/parse.ts:184

Absolute GeneralName(s) identifying the distribution point.

relativeName?

readonly optional relativeName?: ParsedRelativeDistinguishedName

Defined in: src/x509/parse.ts:186

Name relative to the CRL issuer's distinguished name.


ParsedExtension

Defined in: src/x509/parse.ts:219

A raw X.509v3 extension before type-specific decoding.

Properties

critical

readonly critical: boolean

Defined in: src/x509/parse.ts:223

Whether a validator MUST reject the certificate if it cannot process this extension.

oid

readonly oid: string

Defined in: src/x509/parse.ts:221

Dotted-decimal OID identifying this extension.

valueDer

readonly valueDer: Uint8Array

Defined in: src/x509/parse.ts:225

DER-encoded OCTET STRING payload (extnValue).

valueHex

readonly valueHex: string

Defined in: src/x509/parse.ts:227

Hex-encoded form of valueDer for display and comparison.


ParsedIssuingDistributionPoint

Defined in: src/x509/parse.ts:203

Decoded Issuing Distribution Point CRL extension (RFC 5280 §5.2.5). Constrains which certificates a CRL covers (scope, reasons, indirection).

Properties

distributionPoint?

readonly optional distributionPoint?: ParsedDistributionPointName

Defined in: src/x509/parse.ts:205

Where to fetch this CRL, if specified.

indirectCrl?

readonly optional indirectCrl?: boolean

Defined in: src/x509/parse.ts:213

When true, this CRL may contain entries from CAs other than the issuer. Default false.

onlyContainsAttributeCerts?

readonly optional onlyContainsAttributeCerts?: boolean

Defined in: src/x509/parse.ts:215

When true, this CRL only covers attribute certificates. Default false.

onlyContainsCACerts?

readonly optional onlyContainsCACerts?: boolean

Defined in: src/x509/parse.ts:209

When true, this CRL only covers CA certificates. Default false.

onlyContainsUserCerts?

readonly optional onlyContainsUserCerts?: boolean

Defined in: src/x509/parse.ts:207

When true, this CRL only covers end-entity certificates. Default false.

onlySomeReasons?

readonly optional onlySomeReasons?: ParsedBitFlags<DistributionPointReason>

Defined in: src/x509/parse.ts:211

Limits the CRL to these revocation reasons. Absent means all reasons.
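The scope flags above matter because a certificate that is absent from a CRL is only "not revoked" if that CRL is authoritative for it. Here is an added example (not micro509 code) of the scope decision from RFC 5280 §6.3.3 (b)(2) over a simplified IDP view: the distribution point is reduced to its fullName URIs and `onlySomeReasons` to a string list, and the certificate summary type is an assumption for this example; the cRLIssuer fallback and indirect-CRL entry handling are left out and noted in comments.

```typescript
// Added example, not part of micro509: is this CRL in scope for this certificate?

// Simplified view of ParsedIssuingDistributionPoint (assumption for this example).
export interface IssuingDistributionPoint {
  readonly distributionPointUris?: readonly string[];
  readonly onlyContainsUserCerts?: boolean;
  readonly onlyContainsCACerts?: boolean;
  readonly onlyContainsAttributeCerts?: boolean;
  readonly indirectCrl?: boolean;
  readonly onlySomeReasons?: readonly string[];
}

// What the check needs to know about the certificate being looked up (assumption).
export interface CertSummary {
  readonly isCa: boolean;
  readonly crlDistributionPointUris?: readonly string[];
}

export type CrlScope =
  | { readonly covers: true; readonly allReasons: boolean }
  | { readonly covers: false; readonly reason: string };

export function crlCoversCertificate(idp: IssuingDistributionPoint | undefined, cert: CertSummary): CrlScope {
  // No IDP extension: a complete CRL for everything the issuer signed.
  if (idp === undefined) return { covers: true, allReasons: true };

  // RFC 5280 §6.3.3 (b)(2)(v): attribute-certificate CRLs never cover public-key certificates.
  if (idp.onlyContainsAttributeCerts) return { covers: false, reason: 'CRL covers attribute certificates only' };
  // (iii)/(iv): end-entity vs CA partitioning, judged by basicConstraints.cA.
  if (idp.onlyContainsUserCerts && cert.isCa) return { covers: false, reason: 'CRL covers end-entity certificates only' };
  if (idp.onlyContainsCACerts && !cert.isCa) return { covers: false, reason: 'CRL covers CA certificates only' };

  // (i): when the IDP names a distribution point, one of its names must match one of the
  // certificate's CRL distribution points. (ii), matching against cRLIssuer when the
  // certificate's DP has no name, is omitted here.
  const idpUris = idp.distributionPointUris ?? [];
  if (idpUris.length > 0) {
    const certUris = cert.crlDistributionPointUris ?? [];
    const matched = idpUris.some((u) => certUris.some((c) => c === u));
    if (!matched) return { covers: false, reason: 'IDP name matches none of the certificate CRL distribution points' };
  }

  // indirectCrl only changes how entries are attributed to issuers, not whether the CRL is in
  // scope; entry attribution is out of scope for this example.

  // onlySomeReasons: the CRL is authoritative for those reasons only. Absence from it does not
  // establish "not revoked" for the other reasons, so the caller must consult another source.
  const allReasons = idp.onlySomeReasons === undefined || idp.onlySomeReasons.length === 0;
  return { covers: true, allReasons };
}

// Constructed samples (placeholder URIs, not real endpoints).
export const PARTITIONED_CRL: IssuingDistributionPoint = {
  distributionPointUris: ['http://crl.example.test/partition-a.crl'],
  onlyContainsUserCerts: true,
};
export const LEAF_IN_PARTITION_A: CertSummary = {
  isCa: false,
  crlDistributionPointUris: ['http://crl.example.test/partition-a.crl'],
};
export const LEAF_IN_PARTITION_B: CertSummary = {
  isCa: false,
  crlDistributionPointUris: ['http://crl.example.test/partition-b.crl'],
};
```

A revocation checker should treat `covers: false` the same way as "no CRL available" for that certificate, and `allReasons: false` as a partial answer that needs a second CRL or an OCSP response before the certificate is accepted as unrevoked.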


ParsedName

Defined in: src/x509/parse.ts:157

An X.501 Distinguished Name decoded from an issuer or subject field.

Provides three views of the same data: ordered RDNs, a flat attribute list, and a convenience key-value map for well-known fields.

Properties

attributes

readonly attributes: readonly ParsedNameAttribute[]

Defined in: src/x509/parse.ts:163

Flat list of every attribute across all RDNs, in encounter order.

derHex

readonly derHex: string

Defined in: src/x509/parse.ts:159

Hex-encoded DER of the complete Name SEQUENCE, usable for byte-exact comparisons.

rdns

readonly rdns: readonly ParsedRelativeDistinguishedName[]

Defined in: src/x509/parse.ts:161

Ordered list of RelativeDistinguishedNames, preserving multi-valued RDN structure.

values

readonly values: Partial<Record<NameFieldKey, string>>

Defined in: src/x509/parse.ts:165

First-occurrence map of well-known fields (CN, O, OU, etc.) for quick lookups.


ParsedNameAttribute

Defined in: src/x509/parse.ts:140

A single decoded name attribute from an X.501 RelativeDistinguishedName.

RFC 5280 / X.501 call this structure an AttributeTypeAndValue.

See

RFC 5280 Appendix A.1

Properties

key?

readonly optional key?: NameFieldKey

Defined in: src/x509/parse.ts:144

Friendly key when the OID maps to a well-known field (CN, O, etc.).

oid

readonly oid: string

Defined in: src/x509/parse.ts:142

Dotted-decimal OID of the attribute type (e.g. "2.5.4.3" for CN).

value

readonly value: string

Defined in: src/x509/parse.ts:148

Decoded string content of the attribute value.

valueTag

readonly valueTag: number

Defined in: src/x509/parse.ts:146

ASN.1 tag of the value encoding (UTF8String = 0x0c, PrintableString = 0x13, etc.).


ParsedPfx

Defined in: src/pkcs/pfx.ts:172

Fully decoded PFX container returned by parsePfxDer / parsePfxPem.

Properties

bags

readonly bags: readonly ParsedPfxBag[]

Defined in: src/pkcs/pfx.ts:174

All SafeBags in the PFX, including unknown types.

certificates

readonly certificates: readonly ParsedCertificate<Record<never, never>>[]

Defined in: src/pkcs/pfx.ts:176

Convenience: only the parsed certificates extracted from certBag entries.

macData?

readonly optional macData?: ParsedPkcs12MacData

Defined in: src/pkcs/pfx.ts:180

MAC verification metadata, present when the PFX includes a MacData block.

privateKeys

readonly privateKeys: readonly Uint8Array<ArrayBufferLike>[]

Defined in: src/pkcs/pfx.ts:178

Convenience: raw PKCS#8 DER of each private key extracted from keyBag entries.


ParsedPfxAttribute

Defined in: src/pkcs/pfx.ts:117

A single PKCS#12 bag attribute as decoded by parsePfxDer.

Properties

oid

readonly oid: string

Defined in: src/pkcs/pfx.ts:119

Dotted-decimal OID identifying this attribute type.

valuesHex

readonly valuesHex: readonly string[]

Defined in: src/pkcs/pfx.ts:121

Hex-encoded DER of each attribute value.


ParsedPfxBagAttributes

Defined in: src/pkcs/pfx.ts:125

Decoded bag attributes for a single SafeBag inside a PFX.

Properties

entries

readonly entries: readonly ParsedPfxAttribute[]

Defined in: src/pkcs/pfx.ts:127

All raw attributes as OID + hex-encoded values.

friendlyName?

readonly optional friendlyName?: string

Defined in: src/pkcs/pfx.ts:129

Decoded BMPString friendly-name attribute, if present.

localKeyId?

readonly optional localKeyId?: string

Defined in: src/pkcs/pfx.ts:131

Hex-encoded localKeyId attribute, if present.


ParsedPkcs7SignedData

Defined in: src/pkcs/pkcs7.ts:107

Decoded PKCS#7 SignedData content, including certificates and signer info.

Properties

certificates

readonly certificates: readonly ParsedCertificate<Record<never, never>>[]

Defined in: src/pkcs/pkcs7.ts:123

Certificates included in the SignedData certificate set.

contentTypeOid

readonly contentTypeOid: string

Defined in: src/pkcs/pkcs7.ts:111

Outer ContentInfo type OID (always pkcs7-signedData).

der?

readonly optional der?: Uint8Array<ArrayBufferLike>

Defined in: src/pkcs/pkcs7.ts:109

Original DER bytes when this object came from parsePkcs7SignedDataDer or PEM parsing.

digestAlgorithmNames

readonly digestAlgorithmNames: readonly string[]

Defined in: src/pkcs/pkcs7.ts:117

Human-readable digest algorithm names declared in digestAlgorithms.

digestAlgorithmOids

readonly digestAlgorithmOids: readonly string[]

Defined in: src/pkcs/pkcs7.ts:115

OIDs of digest algorithms declared in digestAlgorithms.

encapsulatedContent?

readonly optional encapsulatedContent?: Uint8Array<ArrayBufferLike>

Defined in: src/pkcs/pkcs7.ts:121

Raw encapsulated content bytes. Absent in degenerate (certs-only) bags.

encapsulatedContentTypeOid

readonly encapsulatedContentTypeOid: string

Defined in: src/pkcs/pkcs7.ts:119

OID of the encapsulated content type (e.g. pkcs7-data).

signerInfos

readonly signerInfos: readonly ParsedPkcs7SignerInfo[]

Defined in: src/pkcs/pkcs7.ts:125

Decoded signer info entries. Empty for degenerate cert bags.

version

readonly version: number

Defined in: src/pkcs/pkcs7.ts:113

SignedData version number.


ParsedPkcs7SignerInfo

Defined in: src/pkcs/pkcs7.ts:77

A single SignerInfo decoded from a PKCS#7 SignedData structure.

Properties

digestAlgorithmName

readonly digestAlgorithmName: string

Defined in: src/pkcs/pkcs7.ts:89

Human-readable digest algorithm name (e.g. "SHA-256").

digestAlgorithmOid

readonly digestAlgorithmOid: string

Defined in: src/pkcs/pkcs7.ts:87

OID of the digest algorithm used to hash the content.

hasSignedAttrs

readonly hasSignedAttrs: boolean

Defined in: src/pkcs/pkcs7.ts:101

Whether this SignerInfo includes authenticated (signed) attributes.

issuer?

readonly optional issuer?: ParsedName

Defined in: src/pkcs/pkcs7.ts:81

Parsed issuer distinguished name, if present (issuerAndSerialNumber signer identifier).

serialNumberHex?

readonly optional serialNumberHex?: string

Defined in: src/pkcs/pkcs7.ts:83

Hex-encoded serial number used to locate the signer certificate, if present.

signature

readonly signature: Uint8Array

Defined in: src/pkcs/pkcs7.ts:99

Raw signature bytes.

signatureAlgorithmName

readonly signatureAlgorithmName: string

Defined in: src/pkcs/pkcs7.ts:93

Human-readable signature algorithm name.

signatureAlgorithmOid

readonly signatureAlgorithmOid: string

Defined in: src/pkcs/pkcs7.ts:91

OID of the algorithm used to produce the signature.

signatureAlgorithmParametersDer?

readonly optional signatureAlgorithmParametersDer?: Uint8Array<ArrayBufferLike>

Defined in: src/pkcs/pkcs7.ts:95

Raw DER of the signature AlgorithmIdentifier parameters, if present.

signatureHex

readonly signatureHex: string

Defined in: src/pkcs/pkcs7.ts:97

Hex-encoded raw signature bytes.

signedAttrsDer?

readonly optional signedAttrsDer?: Uint8Array<ArrayBufferLike>

Defined in: src/pkcs/pkcs7.ts:103

Raw DER of signedAttrs with original IMPLICIT [0] tag (0xa0). Present only when hasSignedAttrs is true. Note for verifiers: the message digest is computed over these attributes with the universal SET OF tag (0x31) in place of 0xa0 (RFC 5652 §5.4), so these bytes are not hashed as-is.

subjectKeyIdentifier?

readonly optional subjectKeyIdentifier?: string

Defined in: src/pkcs/pkcs7.ts:85

Hex-encoded SubjectKeyIdentifier used to locate the signer certificate, if present.

version

readonly version: number

Defined in: src/pkcs/pkcs7.ts:79

CMS SignerInfo version (typically 1 for issuerAndSerialNumber).


ParsedRelativeDistinguishedName

Defined in: src/x509/parse.ts:169

A single RelativeDistinguishedName SET from an X.501 Name.

Properties

attributes

readonly attributes: readonly ParsedNameAttribute[]

Defined in: src/x509/parse.ts:173

Attributes within this RDN (usually one, but multi-valued RDNs are legal).

derHex

readonly derHex: string

Defined in: src/x509/parse.ts:171

Hex-encoded DER of this RDN SET element.

values

readonly values: Partial<Record<NameFieldKey, string>>

Defined in: src/x509/parse.ts:175

First-occurrence map of well-known fields within this RDN.


ParseOptions

Defined in: src/x509/parse.ts:294

Options for parseCertificateDer, parseCertificatePem, and CSR parse functions.

Supply custom extension decoders to have their results included in the parsed output alongside the built-in extensions.

Type Parameters

TMap

TMap extends ExtensionDecoderMap = Record<never, never>

Properties

decoderMap?

readonly optional decoderMap?: TMap

Defined in: src/x509/parse.ts:298

Named decoder map; decoded values appear in decodedExtensionMap keyed by map key.

decoders?

readonly optional decoders?: readonly ExtensionDecoder<unknown>[]

Defined in: src/x509/parse.ts:296

Array of decoders; decoded values appear in decodedExtensions.


ParsePfxFailure

Defined in: src/pkcs/pfx.ts:191

Error payload for a failed PFX parse.

Extends

Micro509Error

Properties

code

readonly code: ParsePfxErrorCode

Defined in: src/result/result.ts:59

Machine-readable failure reason (e.g. 'malformed', 'expired').

Inherited from

Micro509Error.code

details?

readonly optional details?: Record<never, never>

Defined in: src/result/result.ts:63

Optional structured context for the failure.

Inherited from

Micro509Error.details

message

readonly message: string

Defined in: src/result/result.ts:61

Human-readable diagnostic message.

Inherited from

Micro509Error.message

ok

readonly ok: false

Defined in: src/pkcs/pfx.ts:193

Always false for failures.


ParsePfxOptions

Defined in: src/pkcs/pfx.ts:99

Options for parsePfxDer and parsePfxPem.

Properties

macPassword?

readonly optional macPassword?: string

Defined in: src/pkcs/pfx.ts:103

Separate password for MAC verification. Falls back to password when omitted.

password?

readonly optional password?: string

Defined in: src/pkcs/pfx.ts:101

Password used to decrypt PBES2-encrypted ContentInfo entries. Also used for MAC verification when macPassword is omitted.


ParsePkcs7Failure

Defined in: src/pkcs/pkcs7.ts:136

Error payload for a failed PKCS#7 parse.

Extends

Micro509Error

Properties

code

readonly code: ParsePkcs7ErrorCode

Defined in: src/result/result.ts:59

Machine-readable failure reason (e.g. 'malformed', 'expired').

Inherited from

Micro509Error.code

details?

readonly optional details?: Record<never, never>

Defined in: src/result/result.ts:63

Optional structured context for the failure.

Inherited from

Micro509Error.details

message

readonly message: string

Defined in: src/result/result.ts:61

Human-readable diagnostic message.

Inherited from

Micro509Error.message

ok

readonly ok: false

Defined in: src/pkcs/pkcs7.ts:138

Always false for failures.


Pbes2EncryptionOptions

Defined in: src/internal/crypto/pbes2.ts:54

Input for encryptPbes2.

Properties

encryption?

readonly optional encryption?: Pbes2EncryptionScheme

Defined in: src/internal/crypto/pbes2.ts:64

AES-CBC encryption scheme, which determines the key size. Default: 'aes256-cbc'.

iterations?

readonly optional iterations?: number

Defined in: src/internal/crypto/pbes2.ts:58

PBKDF2 iteration count. Default: 100_000.

iv?

readonly optional iv?: Uint8Array<ArrayBufferLike>

Defined in: src/internal/crypto/pbes2.ts:62

AES-CBC initialization vector. Default: 16 cryptographically random bytes.

password

readonly password: string

Defined in: src/internal/crypto/pbes2.ts:56

Password fed to PBKDF2 for key derivation.

prf?

readonly optional prf?: Pbes2Prf

Defined in: src/internal/crypto/pbes2.ts:66

PBKDF2 PRF. Default: 'hmac-sha256'.

salt?

readonly optional salt?: Uint8Array<ArrayBufferLike>

Defined in: src/internal/crypto/pbes2.ts:60

PBKDF2 salt. Default: 16 cryptographically random bytes.


PemBlock

Defined in: src/pem/pem.ts:13

A single decoded PEM block with its label, decoded DER bytes, and original PEM text.

Properties

bytes

readonly bytes: Uint8Array

Defined in: src/pem/pem.ts:17

Decoded DER content of this block.

label

readonly label: string

Defined in: src/pem/pem.ts:15

RFC 7468 label between the BEGIN / END markers (e.g. "CERTIFICATE").

pem

readonly pem: string

Defined in: src/pem/pem.ts:19

The original PEM text including BEGIN/END lines.
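
A PemBlock is the result of splitting RFC 7468 text into its encapsulated blocks. The following is an added example, not micro509's PEM parser: a strict splitter that returns the same three fields (label, bytes, pem), rejects a BEGIN/END label mismatch, and validates the base64 body before decoding, because Node's Buffer.from(s, 'base64') silently skips characters it does not understand. The sample PEM at the bottom is constructed; its bodies are placeholder bytes, not real DER.

```typescript
import { Buffer } from 'node:buffer';

// Same shape as the PemBlock interface documented above.
export interface PemBlockLike {
  readonly label: string;
  readonly bytes: Uint8Array;
  readonly pem: string;
}

// RFC 7468 encapsulation boundaries. Labels are upper-case words separated by
// single spaces ("EC PRIVATE KEY"); that covers the X.509/PKCS labels in use.
// Text outside the boundaries is explanatory and ignored, as RFC 7468 allows.
const PEM_BLOCK =
  /-----BEGIN ([A-Z0-9]+(?: [A-Z0-9]+)*)-----\r?\n([\s\S]*?)-----END ([A-Z0-9]+(?: [A-Z0-9]+)*)-----/g;

// Strict base64: the 64-character alphabet in quads, terminal '=' padding only.
const STRICT_BASE64 = /^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$/;

export function parsePemBlocks(text: string): PemBlockLike[] {
  const blocks: PemBlockLike[] = [];
  for (const match of text.matchAll(PEM_BLOCK)) {
    const pem = match[0];
    const beginLabel = match[1] ?? '';
    const body = match[2] ?? '';
    const endLabel = match[3] ?? '';
    // A label mismatch is malformed input, not something to repair silently.
    if (beginLabel !== endLabel) {
      throw new Error(`PEM label mismatch: BEGIN ${beginLabel} / END ${endLabel}`);
    }
    const base64 = body.replace(/[ \t\r\n]/g, '');
    if (base64.length === 0 || !STRICT_BASE64.test(base64)) {
      throw new Error(`PEM block ${beginLabel}: body is not strict base64`);
    }
    blocks.push({ label: beginLabel, bytes: new Uint8Array(Buffer.from(base64, 'base64')), pem });
  }
  return blocks;
}

// Select by label so a PRIVATE KEY block is never consumed where a CERTIFICATE
// is expected; concatenated PEM files routinely mix both.
export function pemBlocksWithLabel(blocks: readonly PemBlockLike[], label: string): PemBlockLike[] {
  return blocks.filter((b) => b.label === label);
}

// Constructed sample: "AQID" decodes to 01 02 03 and "BAUGBw==" to 04 05 06 07.
export const SAMPLE_PEM = [
  'Explanatory text before the first block is ignored.',
  '-----BEGIN CERTIFICATE-----',
  'AQID',
  '-----END CERTIFICATE-----',
  '-----BEGIN PRIVATE KEY-----',
  'BAUGBw==',
  '-----END PRIVATE KEY-----',
].join('\n');
```

Legacy RFC 1421 encapsulated headers (a "Proc-Type:" line inside an encrypted key block) fail the base64 check by design; such blocks are not RFC 7468 and should be converted before they reach a strict parser.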


PfxBagAttributesInput

Defined in: src/pkcs/pfx.ts:60

Optional metadata attached to a certificate or key bag inside a PFX.

Properties

friendlyName?

readonly optional friendlyName?: string

Defined in: src/pkcs/pfx.ts:62

Human-readable label stored as a BMPString attribute.

localKeyId?

readonly optional localKeyId?: Uint8Array<ArrayBufferLike>

Defined in: src/pkcs/pfx.ts:64

Opaque identifier linking a certificate bag to its corresponding key bag.


PfxCertificateBagInput

Defined in: src/pkcs/pfx.ts:68

A certificate to embed in a PFX container. Input for createPfx.

Properties

attributes?

readonly optional attributes?: PfxBagAttributesInput

Defined in: src/pkcs/pfx.ts:72

Optional bag-level attributes (friendly name, local key ID).

certificate

readonly certificate: PfxCertificateSource

Defined in: src/pkcs/pfx.ts:70

Certificate as PEM text or DER bytes.


PfxMaterial

Defined in: src/pkcs/pfx.ts:107

DER, PEM, and base64 encodings of a PFX container produced by createPfx.

Properties

base64

readonly base64: string

Defined in: src/pkcs/pfx.ts:113

Base64-encoded DER (no PEM armor).

der

readonly der: Uint8Array

Defined in: src/pkcs/pfx.ts:109

Raw DER-encoded PFX bytes.

pem

readonly pem: string

Defined in: src/pkcs/pfx.ts:111

PEM-armored PFX (-----BEGIN PKCS12-----).


PfxPrivateKeyBagInput

Defined in: src/pkcs/pfx.ts:76

A private key to embed in a PFX container. Input for createPfx.

Properties

attributes?

readonly optional attributes?: PfxBagAttributesInput

Defined in: src/pkcs/pfx.ts:80

Optional bag-level attributes (friendly name, local key ID).

privateKey

readonly privateKey: PfxPrivateKeySource

Defined in: src/pkcs/pfx.ts:78

Private key as a WebCrypto CryptoKey or raw PKCS#8 DER bytes.


Pkcs7CertBag

Defined in: src/pkcs/pkcs7.ts:67

DER, PEM, and base64 encodings of a PKCS#7 certificate bag.

Properties

base64

readonly base64: string

Defined in: src/pkcs/pkcs7.ts:73

Base64-encoded DER (no PEM armor).

der

readonly der: Uint8Array

Defined in: src/pkcs/pkcs7.ts:69

Raw DER-encoded PKCS#7 structure.

pem

readonly pem: string

Defined in: src/pkcs/pkcs7.ts:71

PEM-armored PKCS#7 (-----BEGIN PKCS7-----).


Pkcs7SignedDataMaterial

Defined in: src/pkcs/pkcs7.ts:318

DER, PEM, and base64 encodings of a PKCS#7 SignedData structure.

Properties

base64

readonly base64: string

Defined in: src/pkcs/pkcs7.ts:324

Base64-encoded DER (no PEM armor).

der

readonly der: Uint8Array

Defined in: src/pkcs/pkcs7.ts:320

Raw DER-encoded PKCS#7 SignedData.

pem

readonly pem: string

Defined in: src/pkcs/pkcs7.ts:322

PEM-armored PKCS#7 (-----BEGIN PKCS7-----).


Pkcs7Signer

Defined in: src/pkcs/pkcs7.ts:282

A single signer for createPkcs7SignedDataDer / createPkcs7SignedDataPem.

Properties

certificate

readonly certificate: Pkcs7CertificateSource

Defined in: src/pkcs/pkcs7.ts:288

Signer certificate (PEM text with one CERTIFICATE block, or raw DER). Embedded in the SignedData certificate set and referenced by the SignerInfo via issuerAndSerialNumber.

privateKey

readonly privateKey: CryptoKey

Defined in: src/pkcs/pkcs7.ts:290

Private key matching the certificate's public key, used to sign.

signature?

readonly optional signature?: SignatureProfileInput

Defined in: src/pkcs/pkcs7.ts:296

Signature profile. Defaults to inferring the algorithm from the key (e.g. ECDSA→ecdsa-with-SHA*, RSA→sha*WithRSAEncryption, Ed25519). Pass { kind: 'rsa-pss' } to force RSA-PSS padding for an RSA-PSS key.


PolicyConstraints

Defined in: src/x509/extensions.ts:356

RFC 5280 §4.2.1.11 Policy Constraints.

At least one field must be present. Values are skip counts: the number of further certificates, moving from this certificate toward the end entity, before the constraint takes effect. RFC 5280 §6.1.4 decrements them once per non-self-issued certificate, so a self-issued re-key certificate does not consume a skip.

Properties

inhibitPolicyMapping?

readonly optional inhibitPolicyMapping?: number

Defined in: src/x509/extensions.ts:360

After this many certificates, policy mapping is no longer allowed.

requireExplicitPolicy?

readonly optional requireExplicitPolicy?: number

Defined in: src/x509/extensions.ts:358

After this many certificates, an acceptable policy must be in the path.


PolicyInformation

Defined in: src/x509/extensions.ts:259

A single certificate policy: an OID plus optional qualifiers.

Properties

policyIdentifier

readonly policyIdentifier: string

Defined in: src/x509/extensions.ts:261

Dotted-decimal OID of the policy (e.g. "2.23.140.1.2.1" for DV).

policyQualifiers?

readonly optional policyQualifiers?: readonly PolicyQualifierInfo[]

Defined in: src/x509/extensions.ts:263

Optional CPS URIs or user notices attached to this policy.


PolicyMapping

Defined in: src/x509/extensions.ts:335

Maps a policy OID in the issuer's domain to an equivalent OID in the subject's domain.

Properties

issuerDomainPolicy

readonly issuerDomainPolicy: string

Defined in: src/x509/extensions.ts:337

Policy OID as defined by the issuing CA. Must not be anyPolicy.

subjectDomainPolicy

readonly subjectDomainPolicy: string

Defined in: src/x509/extensions.ts:339

Equivalent policy OID in the subject CA's domain. Must not be anyPolicy.


PolicyValidationInput

Defined in: src/verify/policy.ts:18

Input for the policy-validation engine.

All fields are optional — omitted values produce the most permissive behavior (accept any policy, allow mappings, allow anyPolicy).

Extended by

Properties

inhibitAnyPolicy?

readonly optional inhibitAnyPolicy?: boolean

Defined in: src/verify/policy.ts:29

When true, the anyPolicy OID is not treated as matching all policies. Default: false.

inhibitPolicyMapping?

readonly optional inhibitPolicyMapping?: boolean

Defined in: src/verify/policy.ts:27

When true, policy mappings in CA certificates are ignored. Default: false.

initialPolicySet?

readonly optional initialPolicySet?: readonly string[] | "any"

Defined in: src/verify/policy.ts:23

OIDs the relying party considers acceptable, or 'any' to accept whatever the chain asserts. Default: 'any'.

requireExplicitPolicy?

readonly optional requireExplicitPolicy?: boolean

Defined in: src/verify/policy.ts:25

When true, the chain must assert at least one acceptable policy. Default: false.
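
PolicyConstraints (above) and the booleans of PolicyValidationInput meet in the three state counters of RFC 5280 §6.1: explicit_policy, policy_mapping and inhibit_anyPolicy. The following is an added example, not micro509's verifier: it steps those counters over a chain exactly as §6.1.2 (initialization), §6.1.4(h)-(j) (prepare for next certificate) and §6.1.5(a)-(b) (wrap-up) prescribe, and reports, per certificate, whether an explicit policy is already required, whether mappings are still honored and whether anyPolicy still counts. It tracks the counters only, not the valid policy tree, and takes the chain in RFC order (root-side first, trust anchor excluded) rather than micro509's leaf-to-root order. The view types and the walkPolicyCounters name are constructed for illustration.

```typescript
// Per-certificate view of the extensions that drive the counters.
export interface PolicyCertView {
  readonly name: string;
  readonly selfIssued: boolean;            // issuer DN equals subject DN (CA re-key); consumes no skip
  readonly requireExplicitPolicy?: number; // PolicyConstraints.requireExplicitPolicy
  readonly inhibitPolicyMapping?: number;  // PolicyConstraints.inhibitPolicyMapping
  readonly inhibitAnyPolicy?: number;      // inhibitAnyPolicy extension value
}

// Relying-party inputs with the same meaning as PolicyValidationInput's booleans.
export interface PolicyInitial {
  readonly requireExplicitPolicy?: boolean;
  readonly inhibitPolicyMapping?: boolean;
  readonly inhibitAnyPolicy?: boolean;
}

export interface PolicyStep {
  readonly name: string;
  readonly explicitPolicy: number;
  readonly policyMapping: number;
  readonly inhibitAnyPolicy: number;
  readonly explicitPolicyRequired: boolean; // §6.1.3(f): at 0, this certificate must carry an acceptable policy
  readonly mappingAllowed: boolean;         // §6.1.4(b): mappings are applied only while policy_mapping > 0
  readonly anyPolicyHonored: boolean;       // §6.1.3(d)(2): anyPolicy counts while > 0, or for a self-issued non-leaf
}

export function walkPolicyCounters(
  chainRootToLeaf: readonly PolicyCertView[],
  initial: PolicyInitial = {},
): { steps: PolicyStep[]; explicitPolicyRequiredAtEnd: boolean } {
  const n = chainRootToLeaf.length;
  // §6.1.2: an initial "true" starts a counter at 0; otherwise n+1, so it cannot reach 0 by itself.
  let explicitPolicy = initial.requireExplicitPolicy ? 0 : n + 1;
  let policyMapping = initial.inhibitPolicyMapping ? 0 : n + 1;
  let inhibitAnyPolicy = initial.inhibitAnyPolicy ? 0 : n + 1;
  const steps: PolicyStep[] = [];

  chainRootToLeaf.forEach((cert, idx) => {
    const i = idx + 1;
    steps.push({
      name: cert.name,
      explicitPolicy,
      policyMapping,
      inhibitAnyPolicy,
      explicitPolicyRequired: explicitPolicy === 0,
      mappingAllowed: policyMapping > 0,
      anyPolicyHonored: inhibitAnyPolicy > 0 || (i < n && cert.selfIssued),
    });
    if (i < n) {
      // §6.1.4(h): only non-self-issued certificates consume a skip.
      if (!cert.selfIssued) {
        if (explicitPolicy > 0) explicitPolicy -= 1;
        if (policyMapping > 0) policyMapping -= 1;
        if (inhibitAnyPolicy > 0) inhibitAnyPolicy -= 1;
      }
      // §6.1.4(i)-(j): a CA can only lower a counter, never raise one a predecessor lowered.
      if (cert.requireExplicitPolicy !== undefined && cert.requireExplicitPolicy < explicitPolicy) {
        explicitPolicy = cert.requireExplicitPolicy;
      }
      if (cert.inhibitPolicyMapping !== undefined && cert.inhibitPolicyMapping < policyMapping) {
        policyMapping = cert.inhibitPolicyMapping;
      }
      if (cert.inhibitAnyPolicy !== undefined && cert.inhibitAnyPolicy < inhibitAnyPolicy) {
        inhibitAnyPolicy = cert.inhibitAnyPolicy;
      }
    } else {
      // §6.1.5(a)-(b): wrap-up on the end-entity certificate.
      if (explicitPolicy !== 0) explicitPolicy -= 1;
      if (cert.requireExplicitPolicy === 0) explicitPolicy = 0;
    }
  });
  return { steps, explicitPolicyRequiredAtEnd: explicitPolicy === 0 };
}
```

With an intermediate carrying requireExplicitPolicy: 1 above one more CA and a leaf, the walk shows the leaf as the first certificate where an explicit policy is required; insert a self-issued re-key certificate between them and the requirement lands on the same leaf, because that certificate consumes no skip.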


ResultError

Defined in: src/result/result.ts:87

Error thrown by unwrap when a result is a failure.

Carries the structured Micro509Error payload so callers using the throwing escape hatch still get the machine-readable code and any details.

Extends

  • Error

Type Parameters

TError

TError extends Micro509Error<string, unknown> = Micro509Error<string, unknown>

Properties

cause?

optional cause?: unknown

Defined in: node_modules/typescript/lib/lib.es2022.error.d.ts:24

Inherited from

Error.cause

code

readonly code: TError["code"]

Defined in: src/result/result.ts:91

Machine-readable failure reason, mirrored from error.code.

error

readonly error: TError

Defined in: src/result/result.ts:93

The structured error payload that produced this exception.

message

message: string

Defined in: node_modules/typescript/lib/lib.es5.d.ts:1075

Inherited from

Error.message

name

name: string

Defined in: node_modules/typescript/lib/lib.es5.d.ts:1074

Inherited from

Error.name

stack?

optional stack?: string

Defined in: node_modules/typescript/lib/lib.es5.d.ts:1076

Inherited from

Error.stack


RsaKeyAlgorithmInput

Defined in: src/keys/keys.ts:72

RSA variant of KeyAlgorithmInput.

Properties

hash?

readonly optional hash?: RsaHash

Defined in: src/keys/keys.ts:78

Hash algorithm for the key. Defaults to 'SHA-256'.

kind

readonly kind: "rsa"

Defined in: src/keys/keys.ts:74

Discriminant selecting RSA key generation.

modulusLength?

readonly optional modulusLength?: 2048 | 3072 | 4096

Defined in: src/keys/keys.ts:76

RSA modulus size in bits. Defaults to 2048.

scheme?

readonly optional scheme?: RsaScheme

Defined in: src/keys/keys.ts:80

Signature padding scheme. Defaults to 'pkcs1-v1_5'. The scheme is part of key generation because WebCrypto binds it to the key: a key generated for RSASSA-PKCS1-v1_5 cannot later sign with RSA-PSS and vice versa, so choose the PSS scheme here if you intend to force RSA-PSS for Pkcs7Signer.signature.


SelfSignedCertificateResult

Defined in: src/x509/certificate.ts:173

Result returned by createSelfSignedCertificate.

Properties

certificate

readonly certificate: CertificateMaterial

Defined in: src/x509/certificate.ts:177

Encoded certificate outputs.

keyPair

readonly keyPair: KeyPairMaterial

Defined in: src/x509/certificate.ts:181

Key pair used to issue the certificate.


SrvServiceIdentityInput

Defined in: src/verify/identity.ts:48

SRV-ID reference identifier (RFC 4985).

Properties

type

readonly type: "srv"

Defined in: src/verify/identity.ts:50

Discriminant for SRV-ID matching.

value

readonly value: string

Defined in: src/verify/identity.ts:52

SRV name in _service.domain form (e.g. "_imap.example.com").


TrustAnchor

Defined in: src/verify/verify.ts:134

Bare trust anchor — subject identity and public key material without a full certificate. Used when the root CA certificate is unavailable but its key is known. Build from a certificate with trustAnchorFromCertificate.

Properties

publicKeyAlgorithmOid

readonly publicKeyAlgorithmOid: string

Defined in: src/verify/verify.ts:140

OID of the public key algorithm (e.g. 1.2.840.10045.2.1 for EC).

publicKeyParametersOid?

readonly optional publicKeyParametersOid?: string

Defined in: src/verify/verify.ts:142

OID of the key parameters, when algorithm-specific (e.g. named curve OID for EC).

subject

readonly subject: ParsedName

Defined in: src/verify/verify.ts:136

Parsed subject distinguished name. Used for semantic issuer matching (RFC 5280 §7.1).

subjectKeyIdentifier?

readonly optional subjectKeyIdentifier?: string

Defined in: src/verify/verify.ts:144

Hex-encoded subject key identifier for AKI matching.

subjectPublicKeyInfoDer

readonly subjectPublicKeyInfoDer: Uint8Array

Defined in: src/verify/verify.ts:138

DER-encoded SubjectPublicKeyInfo used to verify signatures from this anchor.


UriServiceIdentityInput

Defined in: src/verify/identity.ts:40

URI-ID reference identifier (RFC 6125 §6.5). Scheme and host are matched.

Properties

type

readonly type: "uri"

Defined in: src/verify/identity.ts:42

Discriminant for URI-ID matching.

value

readonly value: string

Defined in: src/verify/identity.ts:44

Full URI whose scheme and reg-name will be compared.
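
SrvServiceIdentityInput and UriServiceIdentityInput above describe what is compared; the following is an added example, not micro509's identity matcher, of the comparison itself for SRV-ID (RFC 4985 "_service.name"), URI-ID (RFC 6125 §6.5: scheme plus reg-name) and, for contrast, DNS-ID with the RFC 6125 §6.4.3 wildcard rule. It goes beyond the two sections by covering all three identifier types and by enforcing that a reference identifier is only ever matched against a SAN entry of the same type. The SanEntry/ReferenceId shapes and the function names are constructed for illustration; the SAN list in the test is constructed too.

```typescript
export type SanEntry =
  | { readonly type: 'dns'; readonly value: string }  // dNSName
  | { readonly type: 'srv'; readonly value: string }  // SRVName otherName (RFC 4985), "_service.name"
  | { readonly type: 'uri'; readonly value: string }; // uniformResourceIdentifier

export type ReferenceId = SanEntry; // same shape: the identity the client expects

// DNS names are case-insensitive (RFC 6125 §6.4.1); a trailing dot is not significant.
function normalizeHost(host: string): string {
  return host.toLowerCase().replace(/\.$/, '');
}

function isIpLiteral(host: string): boolean {
  return /^\d{1,3}(?:\.\d{1,3}){3}$/.test(host) || host.startsWith('[');
}

function parseUrl(value: string): URL | null {
  try {
    return new URL(value);
  } catch {
    return null;
  }
}

// RFC 6125 §6.4.3: '*' is accepted only as the entire left-most label and matches
// exactly one label. Conservatively, at least two labels must follow it
// ("*.example.com" yes, "*.com" no). A reference identifier never contains '*'.
export function dnsIdMatches(presented: string, reference: string): boolean {
  const p = normalizeHost(presented);
  const r = normalizeHost(reference);
  if (r.length === 0 || r.includes('*')) return false;
  if (!p.startsWith('*.')) return p === r;
  const pLabels = p.split('.');
  const rLabels = r.split('.');
  if (pLabels.length < 3 || pLabels.length !== rLabels.length) return false;
  if (rLabels[0] === '' || pLabels.some((label, i) => i > 0 && label === '')) return false;
  return pLabels.slice(1).join('.') === rLabels.slice(1).join('.');
}

// RFC 4985 SRVName is "_Service.Name"; both the service type and the name must
// match (RFC 6125 §6.5). Wildcards are not honored for SRV-IDs in this example.
function parseSrv(id: string): { service: string; name: string } | null {
  const m = /^_([^.]+)\.(.+)$/.exec(id);
  return m ? { service: (m[1] ?? '').toLowerCase(), name: normalizeHost(m[2] ?? '') } : null;
}

export function srvIdMatches(presented: string, reference: string): boolean {
  const p = parseSrv(presented);
  const r = parseSrv(reference);
  return p !== null && r !== null && !p.name.includes('*') && p.service === r.service && p.name === r.name;
}

// RFC 6125 §6.5: compare the scheme and the reg-name host. The WHATWG URL parser
// lower-cases the scheme, so "HTTPS://API.EXAMPLE.COM/x" and "https://api.example.com/"
// compare equal. URIs without an authority ("sip:host") yield an empty hostname and are
// rejected, as are IP-literal hosts, which are not reg-names.
export function uriIdMatches(presented: string, reference: string): boolean {
  const p = parseUrl(presented);
  const r = parseUrl(reference);
  if (p === null || r === null) return false;
  const ph = normalizeHost(p.hostname);
  const rh = normalizeHost(r.hostname);
  if (ph === '' || rh === '' || isIpLiteral(rh) || ph.includes('*')) return false;
  return p.protocol === r.protocol && ph === rh;
}

// Only like matches like: a dNSName never satisfies a URI-ID or SRV-ID reference
// (and vice versa), however similar the host it names.
export function serviceIdentityMatches(sans: readonly SanEntry[], ref: ReferenceId): boolean {
  return sans.some((san) => {
    if (san.type !== ref.type) return false;
    switch (ref.type) {
      case 'dns':
        return dnsIdMatches(san.value, ref.value);
      case 'srv':
        return srvIdMatches(san.value, ref.value);
      case 'uri':
        return uriIdMatches(san.value, ref.value);
      default:
        return false;
    }
  });
}
```

The type check at the top of serviceIdentityMatches is the part most often skipped in hand-rolled matchers: a certificate issued for the host name alone must not be accepted by a client that was told to expect an SRV-ID or URI-ID, because the CA never validated that service binding.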


ValidateCandidatePathInput

Defined in: src/verify/verify.ts:271

Input for validateCandidatePath.

Extends

  • InitialNameConstraintsInput
  • PolicyValidationInput

Properties

allowSelfSignedLeaf?

readonly optional allowSelfSignedLeaf?: boolean

Defined in: src/verify/verify.ts:285

When true, allows a self-signed leaf that is also the root. Defaults to false.

at?

readonly optional at?: Date

Defined in: src/verify/verify.ts:281

Validation time. Defaults to new Date().

chain

readonly chain: readonly ParsedCertificate<Record<never, never>>[]

Defined in: src/verify/verify.ts:279

Pre-built certificate chain in leaf-to-root order.

excludedSubtrees?

readonly optional excludedSubtrees?: readonly GeneralSubtree<{ type: "dns"; value: string; } | { type: "email"; value: string; } | { type: "uri"; value: string; } | { addressBytes: Uint8Array; maskBytes: Uint8Array; type: "ip"; } | { derHex: string; type: "directoryName"; }>[]

Defined in: src/verify/name-constraints.ts:22

Subtrees that no subsequent subject name may fall within. Default: none.

Inherited from

InitialNameConstraintsInput.excludedSubtrees

inhibitAnyPolicy?

readonly optional inhibitAnyPolicy?: boolean

Defined in: src/verify/policy.ts:29

When true, the anyPolicy OID is not treated as matching all policies. Default: false.

Inherited from

PolicyValidationInput.inhibitAnyPolicy

inhibitPolicyMapping?

readonly optional inhibitPolicyMapping?: boolean

Defined in: src/verify/policy.ts:27

When true, policy mappings in CA certificates are ignored. Default: false.

Inherited from

PolicyValidationInput.inhibitPolicyMapping

initialPolicySet?

readonly optional initialPolicySet?: readonly string[] | "any"

Defined in: src/verify/policy.ts:23

OIDs the relying party considers acceptable, or 'any' to accept whatever the chain asserts. Default: 'any'.

Inherited from

PolicyValidationInput.initialPolicySet

nameConstraints?

readonly optional nameConstraints?: InitialNameConstraintsInput

Defined in: src/verify/verify.ts:277

Nested name constraint overrides (takes precedence over flat fields).

permittedSubtrees?

readonly optional permittedSubtrees?: readonly GeneralSubtree<{ type: "dns"; value: string; } | { type: "email"; value: string; } | { type: "uri"; value: string; } | { addressBytes: Uint8Array; maskBytes: Uint8Array; type: "ip"; } | { derHex: string; type: "directoryName"; }>[]

Defined in: src/verify/name-constraints.ts:20

Subtrees within which all subsequent subject names must fall. Default: unconstrained.

Inherited from

InitialNameConstraintsInput.permittedSubtrees

policy?

readonly optional policy?: PolicyValidationInput

Defined in: src/verify/verify.ts:275

Nested policy validation overrides (takes precedence over flat fields).

purpose?

readonly optional purpose?: VerifyPurpose

Defined in: src/verify/verify.ts:283

Leaf purpose constraint to enforce.

requireExplicitPolicy?

readonly optional requireExplicitPolicy?: boolean

Defined in: src/verify/policy.ts:25

When true, the chain must assert at least one acceptable policy. Default: false.

Inherited from

PolicyValidationInput.requireExplicitPolicy


ValidateCandidatePathSuccess

Defined in: src/verify/verify.ts:289

Success payload from validateCandidatePath.

Properties

policyValidation

readonly policyValidation: PolicyValidationOutcome

Defined in: src/verify/verify.ts:291

Final RFC 9618-constrained policy outputs for this validated path.


ValidateForCaInput

Defined in: src/verify/verify.ts:450

Input for validateForCa. Enforces basicConstraints.ca on the leaf.

Extends

  • BuildCandidatePathInput
  • InitialNameConstraintsInput
  • PolicyValidationInput

Properties

at?

readonly optional at?: Date

Defined in: src/verify/verify.ts:245

Validation time. Defaults to new Date().

Inherited from

BuildCandidatePathInput.at

excludedSubtrees?

readonly optional excludedSubtrees?: readonly GeneralSubtree<{ type: "dns"; value: string; } | { type: "email"; value: string; } | { type: "uri"; value: string; } | { addressBytes: Uint8Array; maskBytes: Uint8Array; type: "ip"; } | { derHex: string; type: "directoryName"; }>[]

Defined in: src/verify/name-constraints.ts:22

Subtrees that no subsequent subject name may fall within. Default: none.

Inherited from

InitialNameConstraintsInput.excludedSubtrees

inhibitAnyPolicy?

readonly optional inhibitAnyPolicy?: boolean

Defined in: src/verify/policy.ts:29

When true, the anyPolicy OID is not treated as matching all policies. Default: false.

Inherited from

PolicyValidationInput.inhibitAnyPolicy

inhibitPolicyMapping?

readonly optional inhibitPolicyMapping?: boolean

Defined in: src/verify/policy.ts:27

When true, policy mappings in CA certificates are ignored. Default: false.

Inherited from

PolicyValidationInput.inhibitPolicyMapping

initialPolicySet?

readonly optional initialPolicySet?: readonly string[] | "any"

Defined in: src/verify/policy.ts:23

OIDs the relying party considers acceptable, or 'any' to accept whatever the chain asserts. Default: 'any'.

Inherited from

PolicyValidationInput.initialPolicySet

intermediates?

readonly optional intermediates?: readonly CertificateSource[]

Defined in: src/verify/verify.ts:239

Intermediate CA certificates available for path building. Order does not matter.

Inherited from

BuildCandidatePathInput.intermediates

leaf

readonly leaf: CertificateSource

Defined in: src/verify/verify.ts:237

End-entity certificate to verify.

Inherited from

BuildCandidatePathInput.leaf

nameConstraints?

readonly optional nameConstraints?: InitialNameConstraintsInput

Defined in: src/verify/verify.ts:457

Nested name constraint overrides.

permittedSubtrees?

readonly optional permittedSubtrees?: readonly GeneralSubtree<{ type: "dns"; value: string; } | { type: "email"; value: string; } | { type: "uri"; value: string; } | { addressBytes: Uint8Array; maskBytes: Uint8Array; type: "ip"; } | { derHex: string; type: "directoryName"; }>[]

Defined in: src/verify/name-constraints.ts:20

Subtrees within which all subsequent subject names must fall. Default: unconstrained.

Inherited from

InitialNameConstraintsInput.permittedSubtrees

policy?

readonly optional policy?: PolicyValidationInput

Defined in: src/verify/verify.ts:455

Nested policy validation overrides.

requireExplicitPolicy?

readonly optional requireExplicitPolicy?: boolean

Defined in: src/verify/policy.ts:25

When true, the chain must assert at least one acceptable policy. Default: false.

Inherited from

PolicyValidationInput.requireExplicitPolicy

roots

readonly roots: readonly CertificateSource[]

Defined in: src/verify/verify.ts:241

Trusted root CA certificates. At least one root or trust anchor must be supplied.

Inherited from

BuildCandidatePathInput.roots

trustAnchors?

readonly optional trustAnchors?: readonly TrustAnchor[]

Defined in: src/verify/verify.ts:243

Bare trust anchors to try when no root certificate matches.

Inherited from

BuildCandidatePathInput.trustAnchors


ValidateForCodeSigningInput

Defined in: src/verify/verify.ts:440

Input for validateForCodeSigning. Enforces codeSigning EKU.

Extends

  • BuildCandidatePathInput
  • InitialNameConstraintsInput
  • PolicyValidationInput

Properties

at?

readonly optional at?: Date

Defined in: src/verify/verify.ts:245

Validation time. Defaults to new Date().

Inherited from

BuildCandidatePathInput.at

excludedSubtrees?

readonly optional excludedSubtrees?: readonly GeneralSubtree<{ type: "dns"; value: string; } | { type: "email"; value: string; } | { type: "uri"; value: string; } | { addressBytes: Uint8Array; maskBytes: Uint8Array; type: "ip"; } | { derHex: string; type: "directoryName"; }>[]

Defined in: src/verify/name-constraints.ts:22

Subtrees that no subsequent subject name may fall within. Default: none.

Inherited from

InitialNameConstraintsInput.excludedSubtrees

inhibitAnyPolicy?

readonly optional inhibitAnyPolicy?: boolean

Defined in: src/verify/policy.ts:29

When true, the anyPolicy OID is not treated as matching all policies. Default: false.

Inherited from

PolicyValidationInput.inhibitAnyPolicy

inhibitPolicyMapping?

readonly optional inhibitPolicyMapping?: boolean

Defined in: src/verify/policy.ts:27

When true, policy mappings in CA certificates are ignored. Default: false.

Inherited from

PolicyValidationInput.inhibitPolicyMapping

initialPolicySet?

readonly optional initialPolicySet?: readonly string[] | "any"

Defined in: src/verify/policy.ts:23

OIDs the relying party considers acceptable, or 'any' to accept whatever the chain asserts. Default: 'any'.

Inherited from

PolicyValidationInput.initialPolicySet

intermediates?

readonly optional intermediates?: readonly CertificateSource[]

Defined in: src/verify/verify.ts:239

Intermediate CA certificates available for path building. Order does not matter.

Inherited from

BuildCandidatePathInput.intermediates

leaf

readonly leaf: CertificateSource

Defined in: src/verify/verify.ts:237

End-entity certificate to verify.

Inherited from

BuildCandidatePathInput.leaf

nameConstraints?

readonly optional nameConstraints?: InitialNameConstraintsInput

Defined in: src/verify/verify.ts:447

Nested name constraint overrides.

permittedSubtrees?

readonly optional permittedSubtrees?: readonly GeneralSubtree<{ type: "dns"; value: string; } | { type: "email"; value: string; } | { type: "uri"; value: string; } | { addressBytes: Uint8Array; maskBytes: Uint8Array; type: "ip"; } | { derHex: string; type: "directoryName"; }>[]

Defined in: src/verify/name-constraints.ts:20

Subtrees within which all subsequent subject names must fall. Default: unconstrained.

Inherited from

InitialNameConstraintsInput.permittedSubtrees

policy?

readonly optional policy?: PolicyValidationInput

Defined in: src/verify/verify.ts:445

Nested policy validation overrides.

requireExplicitPolicy?

readonly optional requireExplicitPolicy?: boolean

Defined in: src/verify/policy.ts:25

When true, the chain must assert at least one acceptable policy. Default: false.

Inherited from

PolicyValidationInput.requireExplicitPolicy

roots

readonly roots: readonly CertificateSource[]

Defined in: src/verify/verify.ts:241

Trusted root CA certificates. At least one root or trust anchor must be supplied.

Inherited from

BuildCandidatePathInput.roots

trustAnchors?

readonly optional trustAnchors?: readonly TrustAnchor[]

Defined in: src/verify/verify.ts:243

Bare trust anchors to try when no root certificate matches.

Inherited from

BuildCandidatePathInput.trustAnchors


ValidateForTlsClientInput

Defined in: src/verify/verify.ts:430

Input for validateForTlsClient. Enforces clientAuth EKU.

Extends

  • BuildCandidatePathInput
  • InitialNameConstraintsInput
  • PolicyValidationInput

Properties

at?

readonly optional at?: Date

Defined in: src/verify/verify.ts:245

Validation time. Defaults to new Date().

Inherited from

BuildCandidatePathInput.at

excludedSubtrees?

readonly optional excludedSubtrees?: readonly GeneralSubtree<{ type: "dns"; value: string; } | { type: "email"; value: string; } | { type: "uri"; value: string; } | { addressBytes: Uint8Array; maskBytes: Uint8Array; type: "ip"; } | { derHex: string; type: "directoryName"; }>[]

Defined in: src/verify/name-constraints.ts:22

Subtrees that no subsequent subject name may fall within. Default: none.

Inherited from

InitialNameConstraintsInput.excludedSubtrees

inhibitAnyPolicy?

readonly optional inhibitAnyPolicy?: boolean

Defined in: src/verify/policy.ts:29

When true, the anyPolicy OID is not treated as matching all policies. Default: false.

Inherited from

PolicyValidationInput.inhibitAnyPolicy

inhibitPolicyMapping?

readonly optional inhibitPolicyMapping?: boolean

Defined in: src/verify/policy.ts:27

When true, policy mappings in CA certificates are ignored. Default: false.

Inherited from

PolicyValidationInput.inhibitPolicyMapping

initialPolicySet?

readonly optional initialPolicySet?: readonly string[] | "any"

Defined in: src/verify/policy.ts:23

OIDs the relying party considers acceptable, or 'any' to accept whatever the chain asserts. Default: 'any'.

Inherited from

PolicyValidationInput.initialPolicySet

intermediates?

readonly optional intermediates?: readonly CertificateSource[]

Defined in: src/verify/verify.ts:239

Intermediate CA certificates available for path building. Order does not matter.

Inherited from

BuildCandidatePathInput.intermediates

leaf

readonly leaf: CertificateSource

Defined in: src/verify/verify.ts:237

End-entity certificate to verify.

Inherited from

BuildCandidatePathInput.leaf

nameConstraints?

readonly optional nameConstraints?: InitialNameConstraintsInput

Defined in: src/verify/verify.ts:437

Nested name constraint overrides.

permittedSubtrees?

readonly optional permittedSubtrees?: readonly GeneralSubtree<{ type: "dns"; value: string; } | { type: "email"; value: string; } | { type: "uri"; value: string; } | { addressBytes: Uint8Array; maskBytes: Uint8Array; type: "ip"; } | { derHex: string; type: "directoryName"; }>[]

Defined in: src/verify/name-constraints.ts:20

Subtrees within which all subsequent subject names must fall. Default: unconstrained.

Inherited from

InitialNameConstraintsInput.permittedSubtrees

policy?

readonly optional policy?: PolicyValidationInput

Defined in: src/verify/verify.ts:435

Nested policy validation overrides.

requireExplicitPolicy?

readonly optional requireExplicitPolicy?: boolean

Defined in: src/verify/policy.ts:25

When true, the chain must assert at least one acceptable policy. Default: false.

Inherited from

PolicyValidationInput.requireExplicitPolicy

roots

readonly roots: readonly CertificateSource[]

Defined in: src/verify/verify.ts:241

Trusted root CA certificates. At least one root or trust anchor must be supplied.

Inherited from

BuildCandidatePathInput.roots

trustAnchors?

readonly optional trustAnchors?: readonly TrustAnchor[]

Defined in: src/verify/verify.ts:243

Bare trust anchors to try when no root certificate matches.

Inherited from

BuildCandidatePathInput.trustAnchors


ValidateForTlsServerInput

Defined in: src/verify/verify.ts:407

Input for validateForTlsServer. Enforces serverAuth EKU and optional DNS/IP identity matching.

Extends

  • BuildCandidatePathInput
  • InitialNameConstraintsInput
  • PolicyValidationInput

Properties

at?

readonly optional at?: Date

Defined in: src/verify/verify.ts:424

Validation time. Defaults to new Date().

Overrides

BuildCandidatePathInput.at

excludedSubtrees?

readonly optional excludedSubtrees?: readonly GeneralSubtree<{ type: "dns"; value: string; } | { type: "email"; value: string; } | { type: "uri"; value: string; } | { addressBytes: Uint8Array; maskBytes: Uint8Array; type: "ip"; } | { derHex: string; type: "directoryName"; }>[]

Defined in: src/verify/name-constraints.ts:22

Subtrees that no subsequent subject name may fall within. Default: none.

Inherited from

InitialNameConstraintsInput.excludedSubtrees

inhibitAnyPolicy?

readonly optional inhibitAnyPolicy?: boolean

Defined in: src/verify/policy.ts:29

When true, the anyPolicy OID is not treated as matching all policies. Default: false.

Inherited from

PolicyValidationInput.inhibitAnyPolicy

inhibitPolicyMapping?

readonly optional inhibitPolicyMapping?: boolean

Defined in: src/verify/policy.ts:27

When true, policy mappings in CA certificates are ignored. Default: false.

Inherited from

PolicyValidationInput.inhibitPolicyMapping

initialPolicySet?

readonly optional initialPolicySet?: readonly string[] | "any"

Defined in: src/verify/policy.ts:23

OIDs the relying party considers acceptable, or 'any' to accept whatever the chain asserts. Default: 'any'.

Inherited from

PolicyValidationInput.initialPolicySet

intermediates?

readonly optional intermediates?: readonly CertificateSource[]

Defined in: src/verify/verify.ts:418

Intermediate CA certificates.

Overrides

BuildCandidatePathInput.intermediates

leaf

readonly leaf: CertificateSource

Defined in: src/verify/verify.ts:416

End-entity certificate to verify.

Overrides

BuildCandidatePathInput.leaf

nameConstraints?

readonly optional nameConstraints?: InitialNameConstraintsInput

Defined in: src/verify/verify.ts:414

Nested name constraint overrides.

permittedSubtrees?

readonly optional permittedSubtrees?: readonly GeneralSubtree<{ type: "dns"; value: string; } | { type: "email"; value: string; } | { type: "uri"; value: string; } | { addressBytes: Uint8Array; maskBytes: Uint8Array; type: "ip"; } | { derHex: string; type: "directoryName"; }>[]

Defined in: src/verify/name-constraints.ts:20

Subtrees within which all subsequent subject names must fall. Default: unconstrained.

Inherited from

InitialNameConstraintsInput.permittedSubtrees

policy?

readonly optional policy?: PolicyValidationInput

Defined in: src/verify/verify.ts:412

Nested policy validation overrides.

requireExplicitPolicy?

readonly optional requireExplicitPolicy?: boolean

Defined in: src/verify/policy.ts:25

When true, the chain must assert at least one acceptable policy. Default: false.

Inherited from

PolicyValidationInput.requireExplicitPolicy

roots

readonly roots: readonly CertificateSource[]

Defined in: src/verify/verify.ts:420

Trusted root CA certificates.

Overrides

BuildCandidatePathInput.roots

serviceIdentity?

readonly optional serviceIdentity?: VerifyServiceIdentityInput

Defined in: src/verify/verify.ts:426

DNS/IP identity to match against the leaf's SAN.

trustAnchors?

readonly optional trustAnchors?: readonly TrustAnchor[]

Defined in: src/verify/verify.ts:422

Bare trust anchors.

Overrides

BuildCandidatePathInput.trustAnchors


ValidityInput

Defined in: src/x509/certificate.ts:45

Configures the certificate validity window.

If notAfter is omitted, it is derived from notBefore plus days. If both notAfter and days are omitted, the certificate is valid for 30 days.

Properties

days?

readonly optional days?: number

Defined in: src/x509/certificate.ts:61

Number of days to add to notBefore when notAfter is omitted.

notAfter?

readonly optional notAfter?: Date

Defined in: src/x509/certificate.ts:57

End of the validity window.

Must be later than notBefore.

notBefore?

readonly optional notBefore?: Date

Defined in: src/x509/certificate.ts:51

Start of the validity window.

Defaults to the current time.


VerifiedCertificateChain

Defined in: src/verify/verify.ts:357

Fully verified certificate chain returned on success from verifyCertificateChain.

Properties

chain

readonly chain: readonly ParsedCertificate<Record<never, never>>[]

Defined in: src/verify/verify.ts:361

Full chain in leaf-to-root order.

leaf

readonly leaf: ParsedCertificate

Defined in: src/verify/verify.ts:359

Parsed end-entity certificate.

policyValidation

readonly policyValidation: PolicyValidationOutcome

Defined in: src/verify/verify.ts:365

Final RFC 5280 §6 / RFC 9618 constrained policy outputs for this validated path.

root

readonly root: ParsedCertificate

Defined in: src/verify/verify.ts:363

Trusted root that terminates the path.


VerifyCertificateChainInput

Defined in: src/verify/verify.ts:329

Input for verifyCertificateChain. Combines path-building, validation, and identity options.

Extends

  • InitialNameConstraintsInput
  • PolicyValidationInput

Properties

allowSelfSignedLeaf?

readonly optional allowSelfSignedLeaf?: boolean

Defined in: src/verify/verify.ts:351

When true, allows a self-signed leaf. Defaults to false.

at?

readonly optional at?: Date

Defined in: src/verify/verify.ts:345

Validation time. Defaults to new Date().

excludedSubtrees?

readonly optional excludedSubtrees?: readonly GeneralSubtree<{ type: "dns"; value: string; } | { type: "email"; value: string; } | { type: "uri"; value: string; } | { addressBytes: Uint8Array; maskBytes: Uint8Array; type: "ip"; } | { derHex: string; type: "directoryName"; }>[]

Defined in: src/verify/name-constraints.ts:22

Subtrees that no subsequent subject name may fall within. Default: none.

Inherited from

InitialNameConstraintsInput.excludedSubtrees

inhibitAnyPolicy?

readonly optional inhibitAnyPolicy?: boolean

Defined in: src/verify/policy.ts:29

When true, the anyPolicy OID is not treated as matching all policies. Default: false.

Inherited from

PolicyValidationInput.inhibitAnyPolicy

inhibitPolicyMapping?

readonly optional inhibitPolicyMapping?: boolean

Defined in: src/verify/policy.ts:27

When true, policy mappings in CA certificates are ignored. Default: false.

Inherited from

PolicyValidationInput.inhibitPolicyMapping

initialPolicySet?

readonly optional initialPolicySet?: readonly string[] | "any"

Defined in: src/verify/policy.ts:23

OIDs the relying party considers acceptable, or 'any' to accept whatever the chain asserts. Default: 'any'.

Inherited from

PolicyValidationInput.initialPolicySet

intermediates?

readonly optional intermediates?: readonly CertificateSource[]

Defined in: src/verify/verify.ts:339

Intermediate CA certificates available for path building.

leaf

readonly leaf: CertificateSource

Defined in: src/verify/verify.ts:337

End-entity certificate to verify.

nameConstraints?

readonly optional nameConstraints?: InitialNameConstraintsInput

Defined in: src/verify/verify.ts:335

Nested name constraint overrides.

permittedSubtrees?

readonly optional permittedSubtrees?: readonly GeneralSubtree<{ type: "dns"; value: string; } | { type: "email"; value: string; } | { type: "uri"; value: string; } | { addressBytes: Uint8Array; maskBytes: Uint8Array; type: "ip"; } | { derHex: string; type: "directoryName"; }>[]

Defined in: src/verify/name-constraints.ts:20

Subtrees within which all subsequent subject names must fall. Default: unconstrained.

Inherited from

InitialNameConstraintsInput.permittedSubtrees

policy?

readonly optional policy?: PolicyValidationInput

Defined in: src/verify/verify.ts:333

Nested policy validation overrides.

purpose?

readonly optional purpose?: VerifyPurpose

Defined in: src/verify/verify.ts:347

Leaf purpose constraint to enforce during validation.

requireExplicitPolicy?

readonly optional requireExplicitPolicy?: boolean

Defined in: src/verify/policy.ts:25

When true, the chain must assert at least one acceptable policy. Default: false.

Inherited from

PolicyValidationInput.requireExplicitPolicy

revocation?

readonly optional revocation?: ChainRevocationInput

Defined in: src/verify/verify.ts:353

Optional revocation checking.

roots

readonly roots: readonly CertificateSource[]

Defined in: src/verify/verify.ts:341

Trusted root CA certificates.

serviceIdentity?

readonly optional serviceIdentity?: VerifyServiceIdentityInput

Defined in: src/verify/verify.ts:349

DNS/IP/URI/SRV identity to match against the leaf's SAN.

trustAnchors?

readonly optional trustAnchors?: readonly TrustAnchor[]

Defined in: src/verify/verify.ts:343

Bare trust anchors to try when no root certificate matches.


VerifyChainFailure

Defined in: src/verify/verify.ts:224

A chain verification failure with its error code, human message, chain index, and diagnostic details.

Extends

Properties

code

readonly code: VerifyErrorCode

Defined in: src/result/result.ts:59

Machine-readable failure reason (e.g. 'malformed', 'expired').

Inherited from

IndexedMicro509Error.code

details?

readonly optional details?: VerifyFailureDetails

Defined in: src/result/result.ts:63

Optional structured context for the failure.

Inherited from

IndexedMicro509Error.details

index?

readonly optional index?: number

Defined in: src/result/result.ts:70

Zero-based position of the failing item in the input collection.

Inherited from

IndexedMicro509Error.index

message

readonly message: string

Defined in: src/result/result.ts:61

Human-readable diagnostic message.

Inherited from

IndexedMicro509Error.message

ok

readonly ok: false

Defined in: src/verify/verify.ts:227

Always false for failures.


VerifyFailureDetails

Defined in: src/verify/verify.ts:202

Diagnostic context attached to every VerifyChainFailure. All fields are optional; presence depends on the error code.

Properties

actual?

readonly optional actual?: string

Defined in: src/verify/verify.ts:210

The value actually found.

chainCommonNames?

readonly optional chainCommonNames?: readonly string[]

Defined in: src/verify/verify.ts:212

CNs of every certificate in the chain, leaf-first. Present on no_trusted_root.

commonNameFallbackReason?

readonly optional commonNameFallbackReason?: "disabled" | "suppressed_by_presented_identifier" | "common_name_missing" | "common_name_mismatch"

Defined in: src/verify/verify.ts:216

Why the CN-fallback path was not taken. Set on common_name_fallback_suppressed.

expected?

readonly optional expected?: string

Defined in: src/verify/verify.ts:208

The value the verifier expected (e.g. a validity window bound or SKI).

issuerCommonName?

readonly optional issuerCommonName?: string

Defined in: src/verify/verify.ts:206

CN of the issuer of the offending certificate.

presentedIdentifierTypes?

readonly optional presentedIdentifierTypes?: readonly ("uri" | "dns" | "srv")[]

Defined in: src/verify/verify.ts:214

SAN identifier types the leaf actually presents. Set on identity-match failures.

subjectCommonName?

readonly optional subjectCommonName?: string

Defined in: src/verify/verify.ts:204

CN of the certificate that triggered the failure.


VerifyPkcs7SignedDataFailure

Defined in: src/pkcs/pkcs7.ts:162

Error payload for a failed verifyPkcs7SignedData call.

Extends

Properties

code

readonly code: ParsePkcs7ErrorCode | "signer_not_found" | "signature_invalid" | "message_digest_mismatch" | "content_missing"

Defined in: src/result/result.ts:59

Machine-readable failure reason (e.g. 'malformed', 'expired').

Inherited from

Micro509Error.code

details?

readonly optional details?: Record<never, never>

Defined in: src/result/result.ts:63

Optional structured context for the failure.

Inherited from

Micro509Error.details

message

readonly message: string

Defined in: src/result/result.ts:61

Human-readable diagnostic message.

Inherited from

Micro509Error.message

ok

readonly ok: false

Defined in: src/pkcs/pkcs7.ts:171

Always false for failures.


VerifyRequestFailure

Defined in: src/verify/verify.ts:381

Failure from verifyCertificateSigningRequest.

Extends

Properties

code

readonly code: "unsupported_signature_algorithm_parameters" | "signature_invalid"

Defined in: src/result/result.ts:59

Machine-readable failure reason (e.g. 'malformed', 'expired').

Inherited from

Micro509Error.code

details?

readonly optional details?: VerifyFailureDetails

Defined in: src/result/result.ts:63

Optional structured context for the failure.

Inherited from

Micro509Error.details

message

readonly message: string

Defined in: src/result/result.ts:61

Human-readable diagnostic message.

Inherited from

Micro509Error.message

ok

readonly ok: false

Defined in: src/verify/verify.ts:387

Always false for failures.

Type Aliases

BuildCandidatePathResult

BuildCandidatePathResult = { ok: true; value: CandidatePath; } | IndexedErrorResult<VerifyErrorCode, VerifyFailureDetails, VerifyChainFailure>

Defined in: src/verify/verify.ts:259

Result of buildCandidatePath. On success, contains the CandidatePath.


CertificatePolicies

CertificatePolicies = readonly object[]

Defined in: src/x509/extensions.ts:267

RFC 5280 §4.2.1.4 — array of policy OIDs with optional qualifiers.


CertificateSource

CertificateSource = string | Uint8Array

Defined in: src/verify/verify.ts:84

PEM string or DER bytes for a certificate. PEM may contain multiple blocks.


CreatePfxErrorCode

CreatePfxErrorCode = "invalid_certificate"

Defined in: src/pkcs/pfx.ts:218

Caller-correctable failure code from createPfx.

The only parse boundary in creation is the certificate source: it is normalized from untrusted PEM/DER. Private keys are either a WebCrypto CryptoKey (platform errors stay throws) or raw PKCS#8 bytes passed through unvalidated, so there is no distinct invalid_private_key failure to model.


CreatePfxResult

CreatePfxResult = { ok: true; value: PfxMaterial; } | ErrorResult<CreatePfxErrorCode, Record<never, never>, CreatePfxFailure>

Defined in: src/pkcs/pfx.ts:227

Success-or-failure result from createPfx.

Union Members

Type Literal

{ ok: true; value: PfxMaterial; }

ok

readonly ok: true

Creation succeeded.

value

readonly value: PfxMaterial

DER, PEM, and base64 forms of the PFX container.


ErrorResult<CreatePfxErrorCode, Record<never, never>, CreatePfxFailure>


CreatePkcs7CertBagDerResult

CreatePkcs7CertBagDerResult = { ok: true; value: Uint8Array; } | ErrorResult<CreatePkcs7CertBagErrorCode, Record<never, never>, CreatePkcs7CertBagFailure>

Defined in: src/pkcs/pkcs7.ts:206

Success-or-failure result from createPkcs7CertBagDer.

Union Members

Type Literal

{ ok: true; value: Uint8Array; }

ok

readonly ok: true

Creation succeeded.

value

readonly value: Uint8Array

Raw DER-encoded certificate bag.


ErrorResult<CreatePkcs7CertBagErrorCode, Record<never, never>, CreatePkcs7CertBagFailure>


CreatePkcs7CertBagErrorCode

CreatePkcs7CertBagErrorCode = "invalid_certificate"

Defined in: src/pkcs/pkcs7.ts:197

Caller-correctable failure code from createPkcs7CertBagDer / createPkcs7CertBagPem.


CreatePkcs7CertBagResult

CreatePkcs7CertBagResult = { ok: true; value: Pkcs7CertBag; } | ErrorResult<CreatePkcs7CertBagErrorCode, Record<never, never>, CreatePkcs7CertBagFailure>

Defined in: src/pkcs/pkcs7.ts:216

Success-or-failure result from createPkcs7CertBagPem.

Union Members

Type Literal

{ ok: true; value: Pkcs7CertBag; }

ok

readonly ok: true

Creation succeeded.

value

readonly value: Pkcs7CertBag

DER, PEM, and base64 forms of the certificate bag.


ErrorResult<CreatePkcs7CertBagErrorCode, Record<never, never>, CreatePkcs7CertBagFailure>


CreatePkcs7SignedDataDerResult

CreatePkcs7SignedDataDerResult = { ok: true; value: Uint8Array; } | ErrorResult<CreatePkcs7SignedDataErrorCode, Record<never, never>, CreatePkcs7SignedDataFailure>

Defined in: src/pkcs/pkcs7.ts:341

Success-or-failure result from createPkcs7SignedDataDer.

Union Members

Type Literal

{ ok: true; value: Uint8Array; }

ok

readonly ok: true

Creation succeeded.

value

readonly value: Uint8Array

Raw DER-encoded SignedData.


ErrorResult<CreatePkcs7SignedDataErrorCode, Record<never, never>, CreatePkcs7SignedDataFailure>


CreatePkcs7SignedDataErrorCode

CreatePkcs7SignedDataErrorCode = "no_signers" | "invalid_signer_certificate" | "unsupported_signer_key"

Defined in: src/pkcs/pkcs7.ts:328

Caller-correctable failure codes from createPkcs7SignedDataDer / createPkcs7SignedDataPem.


CreatePkcs7SignedDataResult

CreatePkcs7SignedDataResult = { ok: true; value: Pkcs7SignedDataMaterial; } | ErrorResult<CreatePkcs7SignedDataErrorCode, Record<never, never>, CreatePkcs7SignedDataFailure>

Defined in: src/pkcs/pkcs7.ts:351

Success-or-failure result from createPkcs7SignedDataPem.

Union Members

Type Literal

{ ok: true; value: Pkcs7SignedDataMaterial; }

ok

readonly ok: true

Creation succeeded.

value

readonly value: Pkcs7SignedDataMaterial

DER, PEM, and base64 forms of the SignedData.


ErrorResult<CreatePkcs7SignedDataErrorCode, Record<never, never>, CreatePkcs7SignedDataFailure>


CsrSource

CsrSource = string | Uint8Array

Defined in: src/verify/verify.ts:86

PEM string or DER bytes for a certificate signing request.


DecodedExtensionMap

DecodedExtensionMap<TMap> = { [TKey in keyof TMap]?: TMap[TKey] extends ExtensionDecoder<infer TValue> ? DecodedExtensionValue<TValue> : never }

Defined in: src/x509/parse.ts:271

Inferred result type when decoding extensions via an ExtensionDecoderMap.

Type Parameters

TMap

TMap extends ExtensionDecoderMap


DistributionPoint

DistributionPoint = { crlIssuer?: readonly GeneralName[]; distributionPoint: DistributionPointName; reasons?: readonly DistributionPointReason[]; } | { crlIssuer: readonly GeneralName[]; distributionPoint?: DistributionPointName; reasons?: readonly DistributionPointReason[]; }

Defined in: src/x509/extensions.ts:167

Input for a single CRL Distribution Point (RFC 5280 §4.2.1.13).

At least one of distributionPoint or crlIssuer must be provided. The union enforces this constraint at the type level.

Union Members

Type Literal

{ crlIssuer?: readonly GeneralName[]; distributionPoint: DistributionPointName; reasons?: readonly DistributionPointReason[]; }

crlIssuer?

readonly optional crlIssuer?: readonly GeneralName[]

Entity that signed the CRL, when different from the cert issuer.

distributionPoint

readonly distributionPoint: DistributionPointName

Where to fetch the CRL (fullName or relativeName).

reasons?

readonly optional reasons?: readonly DistributionPointReason[]

Revocation reason subset. Absent means all reasons.


Type Literal

{ crlIssuer: readonly GeneralName[]; distributionPoint?: DistributionPointName; reasons?: readonly DistributionPointReason[]; }

crlIssuer

readonly crlIssuer: readonly GeneralName[]

Entity that signed the CRL. Required when distributionPoint is absent.

distributionPoint?

readonly optional distributionPoint?: DistributionPointName

Where to fetch the CRL. Optional when crlIssuer is present.

reasons?

readonly optional reasons?: readonly DistributionPointReason[]

Revocation reason subset. Absent means all reasons.


EcNamedCurve

EcNamedCurve = "P-256" | "P-384" | "P-521"

Defined in: src/keys/keys.ts:69

NIST elliptic curve for ECDSA keys.


EkuCheckPurpose

EkuCheckPurpose = "serverAuth" | "clientAuth" | "codeSigning" | "emailProtection" | "timeStamping" | "ocspSigning"

Defined in: src/verify/verify.ts:96

Extended key usage purpose checked by checkExtendedKeyUsage.


EkuCheckResult

EkuCheckResult = { ok: true; value: undefined; } | IndexedErrorResult<"leaf_eku_missing" | "intermediate_eku_constraint", Record<never, never>, EkuCheckFailure>

Defined in: src/verify/verify.ts:105

Result of checkExtendedKeyUsage. Success carries no value; failure identifies the offending certificate.


EncryptedPkcs8Options

EncryptedPkcs8Options = Pbes2EncryptionOptions

Defined in: src/keys/keys.ts:157

PBES2 encryption options for exportEncryptedPkcs8Der and exportEncryptedPkcs8Pem.


ExtendedKeyUsage

ExtendedKeyUsage = "serverAuth" | "clientAuth" | "codeSigning" | "emailProtection" | "timeStamping" | "ocspSigning" | { type: "oid"; value: string; }

Defined in: src/x509/extensions.ts:641

Extended Key Usage — either a well-known purpose string or a custom OID.


ExtensionDecoderMap

ExtensionDecoderMap = Record<string, ExtensionDecoder<unknown>>

Defined in: src/x509/parse.ts:268

String-keyed map of ExtensionDecoders, used with ParseOptions.decoderMap.


GeneralName

GeneralName = SubjectAltName

Defined in: src/x509/extensions.ts:133

Alias for SubjectAltName — used where RFC 5280 says "GeneralName".


ImportEncryptedKeyErrorCode

ImportEncryptedKeyErrorCode = "malformed" | "invalid_password"

Defined in: src/keys/keys.ts:194

Machine-readable failure reason for the importEncrypted* key functions.

Distinguishes a wrong decryption password ('invalid_password') from structurally invalid input or algorithm mismatches ('malformed').


ImportEncryptedKeyResult

ImportEncryptedKeyResult<T> = { ok: true; value: T; } | ErrorResult<ImportEncryptedKeyErrorCode, Record<never, never>, ImportEncryptedKeyFailure>

Defined in: src/keys/keys.ts:207

Success-or-failure result returned by the public importEncrypted* key functions.

On failure, code is 'invalid_password' when decryption failed (wrong password or corrupted ciphertext) and 'malformed' for everything else.

Type Parameters

T

T


ImportKeyErrorCode

ImportKeyErrorCode = "malformed"

Defined in: src/keys/keys.ts:170

Machine-readable failure reason for the import* key functions.


ImportKeyResult

ImportKeyResult<T> = { ok: true; value: T; } | ErrorResult<ImportKeyErrorCode, Record<never, never>, ImportKeyFailure>

Defined in: src/keys/keys.ts:184

Success-or-failure result returned by the public import* key functions.

On failure, code is always 'malformed': structurally invalid input, algorithm mismatches, and wrong-password decryption failures all surface the same way (see the throwing *OrThrow variants for raw error messages).

Type Parameters

T

T


IssuingDistributionPoint

IssuingDistributionPoint = IssuingDistributionPointBase | IssuingDistributionPointForUserCerts | IssuingDistributionPointForCaCerts | IssuingDistributionPointForAttributeCerts

Defined in: src/x509/extensions.ts:239

Input for the Issuing Distribution Point CRL extension (RFC 5280 §5.2.5).

The union enforces that at most one of the onlyContains* flags is true.


KeyAlgorithmInput

KeyAlgorithmInput = RsaKeyAlgorithmInput | EcKeyAlgorithmInput | Ed25519KeyAlgorithmInput

Defined in: src/keys/keys.ts:98

Input for generateKeyPair. Selects algorithm family and parameters.


KeyUsage

KeyUsage = "digitalSignature" | "nonRepudiation" | "keyEncipherment" | "dataEncipherment" | "keyAgreement" | "keyCertSign" | "cRLSign" | "encipherOnly" | "decipherOnly"

Defined in: src/x509/extensions.ts:68

RFC 5280 §4.2.1.3 Key Usage bit flag.

Each value corresponds to one bit in the KeyUsage BIT STRING.

See

RFC 5280 §4.2.1.3


MatchServiceIdentityErrorCode

MatchServiceIdentityErrorCode = "subject_alt_name_mismatch" | "common_name_fallback_suppressed" | "service_identity_service_mismatch" | "service_identity_type_unsupported"

Defined in: src/verify/identity.ts:70

Discriminant codes for identity-matching failures.


MatchServiceIdentityResult

MatchServiceIdentityResult = MatchServiceIdentitySuccess | ErrorResult<MatchServiceIdentityErrorCode, MatchServiceIdentityFailureDetails, MatchServiceIdentityFailure>

Defined in: src/verify/identity.ts:117

Result of matching a reference identifier against a certificate's presented identifiers.


NameConstraintForm

NameConstraintForm = { type: "dns"; value: string; } | { type: "email"; value: string; } | { type: "uri"; value: string; } | { addressBytes: Uint8Array; maskBytes: Uint8Array; type: "ip"; } | { derHex: string; type: "directoryName"; }

Defined in: src/x509/extensions.ts:428

A name form used as a constraint base in nameConstraints. Distinct from SubjectAltName because IP constraints carry address + mask bytes (8 for IPv4, 32 for IPv6) rather than bare addresses.

Union Members

Type Literal

{ type: "dns"; value: string; }

type

readonly type: "dns"

DNS domain constraint (dNSName [2]).

value

readonly value: string

Domain suffix, e.g. ".example.com" or "example.com".


Type Literal

{ type: "email"; value: string; }

type

readonly type: "email"

Email constraint (rfc822Name [1]).

value

readonly value: string

Email domain or full address pattern.


Type Literal

{ type: "uri"; value: string; }

type

readonly type: "uri"

URI constraint (uniformResourceIdentifier [6]).

value

readonly value: string

Host or domain component of a URI.


Type Literal

{ addressBytes: Uint8Array; maskBytes: Uint8Array; type: "ip"; }

addressBytes

readonly addressBytes: Uint8Array

Network address bytes (4 for IPv4, 16 for IPv6).

maskBytes

readonly maskBytes: Uint8Array

Subnet mask bytes (same length as addressBytes).

type

readonly type: "ip"

IP range constraint (iPAddress [7]).


Type Literal

{ derHex: string; type: "directoryName"; }

derHex

readonly derHex: string

Hex-encoded DER of the Name SEQUENCE.

type

readonly type: "directoryName"

Directory name constraint (directoryName [4]).


NameFieldKey

NameFieldKey = "commonName" | "surname" | "serialNumber" | "country" | "locality" | "state" | "street" | "organization" | "organizationalUnit" | "title" | "givenName" | "emailAddress"

Defined in: src/x509/name.ts:73

Union of recognized X.501 attribute type shorthand names.

Each key maps to an OID + ASN.1 string encoding in NAME_FIELD_DEFINITIONS.


NameInput

NameInput = NameObject | readonly NameAttribute[]

Defined in: src/x509/name.ts:146

Input for encodeName.

Accepts either a NameObject convenience shape or an ordered array of NameAttribute pairs.
Both forms encode one attribute per RDN.


ParseCertificateErrorCode

ParseCertificateErrorCode = "malformed"

Defined in: src/x509/parse.ts:95

Machine-readable failure reason for parseCertificateDer / parseCertificatePem.


ParseCertificateResult

ParseCertificateResult<TMap> = { ok: true; value: ParsedCertificate<TMap>; } | ErrorResult<ParseCertificateErrorCode, Record<never, never>, ParseCertificateFailure>

Defined in: src/x509/parse.ts:103

Success-or-failure result from parseCertificateDer / parseCertificatePem.

Type Parameters

TMap

TMap extends ExtensionDecoderMap = Record<never, never>


ParseCertificateSigningRequestErrorCode

ParseCertificateSigningRequestErrorCode = "malformed"

Defined in: src/x509/parse.ts:108

Machine-readable failure reason for the CSR parsers.


ParseCertificateSigningRequestResult

ParseCertificateSigningRequestResult<TMap> = { ok: true; value: ParsedCertificateSigningRequest<TMap>; } | ErrorResult<ParseCertificateSigningRequestErrorCode, Record<never, never>, ParseCertificateSigningRequestFailure>

Defined in: src/x509/parse.ts:120

Success-or-failure result from parseCertificateSigningRequestDer / parseCertificateSigningRequestPem.

Type Parameters

TMap

TMap extends ExtensionDecoderMap = Record<never, never>


ParsedNameConstraintForm

ParsedNameConstraintForm = { type: "dns"; value: string; } | { type: "email"; value: string; } | { type: "uri"; value: string; } | { addressBytes: Uint8Array; maskBytes: Uint8Array; type: "ip"; } | { derHex: string; type: "directoryName"; } | { type: "otherName"; value: Uint8Array; } | { type: "x400Address"; value: Uint8Array; } | { type: "ediPartyName"; value: Uint8Array; } | { type: "registeredID"; value: string; }

Defined in: src/x509/extensions.ts:489

Union of supported and unsupported name constraint forms as produced by parsing.


ParsedPfxBag

ParsedPfxBag = { attributes: ParsedPfxBagAttributes; bagId: string; certificate: ParsedCertificate; kind: "certificate"; } | { attributes: ParsedPfxBagAttributes; bagId: string; kind: "privateKey"; pkcs8Der: Uint8Array; } | { attributes: ParsedPfxBagAttributes; bagId: string; kind: "unknown"; valueDer: Uint8Array; }

Defined in: src/pkcs/pfx.ts:139

Discriminated union of SafeBag types decoded from a PFX container.

Use kind to narrow: 'certificate' | 'privateKey' | 'unknown'.

Union Members

Type Literal

{ attributes: ParsedPfxBagAttributes; bagId: string; certificate: ParsedCertificate; kind: "certificate"; }

attributes

readonly attributes: ParsedPfxBagAttributes

Decoded bag-level attributes.

bagId

readonly bagId: string

Dotted-decimal OID of the bag type.

certificate

readonly certificate: ParsedCertificate

Parsed certificate from the certBag.

kind

readonly kind: "certificate"

Bag contains an X.509 certificate.


Type Literal

{ attributes: ParsedPfxBagAttributes; bagId: string; kind: "privateKey"; pkcs8Der: Uint8Array; }

attributes

readonly attributes: ParsedPfxBagAttributes

Decoded bag-level attributes.

bagId

readonly bagId: string

Dotted-decimal OID of the bag type.

kind

readonly kind: "privateKey"

Bag contains a PKCS#8 private key.

pkcs8Der

readonly pkcs8Der: Uint8Array

Raw DER-encoded PKCS#8 PrivateKeyInfo.


Type Literal

{ attributes: ParsedPfxBagAttributes; bagId: string; kind: "unknown"; valueDer: Uint8Array; }

attributes

readonly attributes: ParsedPfxBagAttributes

Decoded bag-level attributes.

bagId

readonly bagId: string

Dotted-decimal OID of the bag type.

kind

readonly kind: "unknown"

Bag type not recognized by this library.

valueDer

readonly valueDer: Uint8Array

Raw DER of the unrecognized bag value.


ParsePfxErrorCode

ParsePfxErrorCode = "malformed" | "invalid_password" | "password_required"

Defined in: src/pkcs/pfx.ts:188

Error codes returned by parsePfxDer and parsePfxPem.


ParsePfxResult

ParsePfxResult = { ok: true; value: ParsedPfx; } | ErrorResult<ParsePfxErrorCode, Record<never, never>, ParsePfxFailure>

Defined in: src/pkcs/pfx.ts:197

Success-or-failure result from parsePfxDer / parsePfxPem.

Union Members

Type Literal

{ ok: true; value: ParsedPfx; }

ok

readonly ok: true

Parse succeeded.

value

readonly value: ParsedPfx

Decoded PFX container.


ErrorResult<ParsePfxErrorCode, Record<never, never>, ParsePfxFailure>


ParsePkcs7CertBagResult

ParsePkcs7CertBagResult = { ok: true; value: readonly ParsedCertificate[]; } | ErrorResult<ParsePkcs7ErrorCode, Record<never, never>, ParsePkcs7Failure>

Defined in: src/pkcs/pkcs7.ts:152

Success-or-failure result from parsePkcs7CertBagDer / parsePkcs7CertBagPem.

Union Members

Type Literal

{ ok: true; value: readonly ParsedCertificate[]; }

ok

readonly ok: true

Parse succeeded.

value

readonly value: readonly ParsedCertificate[]

Parsed certificates from the cert bag.


ErrorResult<ParsePkcs7ErrorCode, Record<never, never>, ParsePkcs7Failure>


ParsePkcs7ErrorCode

ParsePkcs7ErrorCode = "malformed" | "not_signed_data"

Defined in: src/pkcs/pkcs7.ts:133

Error codes for PKCS#7 parse failures.


ParsePkcs7SignedDataResult

ParsePkcs7SignedDataResult = { ok: true; value: ParsedPkcs7SignedData; } | ErrorResult<ParsePkcs7ErrorCode, Record<never, never>, ParsePkcs7Failure>

Defined in: src/pkcs/pkcs7.ts:142

Success-or-failure result from parsePkcs7SignedDataDer / parsePkcs7SignedDataPem.

Union Members

Type Literal

{ ok: true; value: ParsedPkcs7SignedData; }

ok

readonly ok: true

Parse succeeded.

value

readonly value: ParsedPkcs7SignedData

Decoded SignedData.


ErrorResult<ParsePkcs7ErrorCode, Record<never, never>, ParsePkcs7Failure>


Pbes2EncryptionScheme

Pbes2EncryptionScheme = "aes128-cbc" | "aes192-cbc" | "aes256-cbc"

Defined in: src/internal/crypto/pbes2.ts:48

AES-CBC key sizes supported by this PBES2 implementation.


Pbes2Prf

Pbes2Prf = "hmac-sha1" | "hmac-sha256"

Defined in: src/internal/crypto/pbes2.ts:51

PBKDF2 pseudo-random function choices. hmac-sha1 is the RFC default; hmac-sha256 is preferred.


PfxCertificateSource

PfxCertificateSource = string | Uint8Array

Defined in: src/pkcs/pfx.ts:55

PEM string or DER bytes for a certificate to include in a PFX bag.


PfxEncryptionOptions

PfxEncryptionOptions = Pbes2EncryptionOptions

Defined in: src/pkcs/pfx.ts:96

PBES2 encryption settings for PFX key-bag protection. Alias of Pbes2EncryptionOptions.


PfxPrivateKeySource

PfxPrivateKeySource = CryptoKey | Uint8Array

Defined in: src/pkcs/pfx.ts:57

A WebCrypto private key or raw PKCS#8 DER bytes for a PFX key bag.


Pkcs7CertificateSource

Pkcs7CertificateSource = string | Uint8Array

Defined in: src/pkcs/pkcs7.ts:64

PEM text (may contain multiple CERTIFICATE blocks) or raw DER bytes.


PolicyMappings

PolicyMappings = readonly object[]

Defined in: src/x509/extensions.ts:343

RFC 5280 §4.2.1.5 — array of issuer-to-subject policy OID pairs.


PolicyQualifierInfo

PolicyQualifierInfo = CpsPolicyQualifierInfo | UserNoticePolicyQualifierInfo | CustomPolicyQualifierInfo

Defined in: src/x509/extensions.ts:329

Discriminated union of all supported policy qualifier types.


PrivateKeyImportInput

PrivateKeyImportInput = PublicKeyImportInput

Defined in: src/keys/keys.ts:154

Algorithm descriptor for private key import functions. Same shape as PublicKeyImportInput.


PublicKeyImportInput

PublicKeyImportInput = ImportRsaPublicKeyInput | ImportEcPublicKeyInput | ImportEd25519PublicKeyInput

Defined in: src/keys/keys.ts:148

Algorithm descriptor for public key import functions.


RelativeDistinguishedNameInput

RelativeDistinguishedNameInput = readonly NameAttribute[]

Defined in: src/x509/name.ts:156

Input for encodeRelativeDistinguishedName.

Each entry becomes one name attribute inside the RDN's SET OF.
Use this shape for multi-valued RDNs.

See

RFC 5280 Appendix A.1


Result

Result<TValue, TError> = { ok: true; value: TValue; } | { error: TError; ok: false; }

Defined in: src/result/result.ts:14

Discriminated ok union: either { ok: true; value } or { ok: false; error }.

Every fallible public API in micro509 returns a specialization of this type.

Type Parameters

TValue

TValue

TError

TError

Union Members

Type Literal

{ ok: true; value: TValue; }

ok

readonly ok: true

Operation succeeded.

value

readonly value: TValue

Successful payload.


Type Literal

{ error: TError; ok: false; }

error

readonly error: TError

Structured error payload.

ok

readonly ok: false

Operation failed.


RsaHash

RsaHash = "SHA-256" | "SHA-384" | "SHA-512"

Defined in: src/keys/keys.ts:63

Hash algorithm paired with an RSA key.


RsaScheme

RsaScheme = "pkcs1-v1_5" | "pss"

Defined in: src/keys/keys.ts:66

RSA signature padding scheme.


ServiceIdentityInput

ServiceIdentityInput = DnsServiceIdentityInput | IpServiceIdentityInput | UriServiceIdentityInput | SrvServiceIdentityInput

Defined in: src/verify/identity.ts:56

Discriminated union of all supported reference identifier types.


ServiceIdentityType

ServiceIdentityType = ServiceIdentityInput["type"]

Defined in: src/verify/identity.ts:63

The type discriminant values of ServiceIdentityInput.


SubjectAltName

SubjectAltName = { type: "dns"; value: string; } | { type: "ip"; value: string; } | { type: "email"; value: string; } | { type: "uri"; value: string; } | { type: "srv"; value: string; } | { derHex: string; type: "directoryName"; } | { tag: number; type: "unknown"; value: Uint8Array; }

Defined in: src/x509/extensions.ts:86

RFC 5280 §4.2.1.6 Subject Alternative Name / GeneralName.

Discriminated union keyed on type.

The 'unknown' variant preserves unrecognized GeneralName tags for round-trip fidelity.

Union Members

Type Literal

{ type: "dns"; value: string; }

type

readonly type: "dns"

DNS hostname (dNSName [2]).

value

readonly value: string

Fully-qualified domain name, e.g. "example.com".


Type Literal

{ type: "ip"; value: string; }

type

readonly type: "ip"

IP address (iPAddress [7]).

value

readonly value: string

Dotted-decimal IPv4 or colon-hex IPv6 string.


Type Literal

{ type: "email"; value: string; }

type

readonly type: "email"

Email address (rfc822Name [1]).

value

readonly value: string

RFC 822 mailbox, e.g. "admin@example.com".


Type Literal

{ type: "uri"; value: string; }

type

readonly type: "uri"

URI (uniformResourceIdentifier [6]).

value

readonly value: string

Absolute URI string.


Type Literal

{ type: "srv"; value: string; }

type

readonly type: "srv"

SRV-ID otherName (id-on-dnsSRV).

value

readonly value: string

SRV service name, e.g. "_imaps.example.com".


Type Literal

{ derHex: string; type: "directoryName"; }

derHex

readonly derHex: string

Hex-encoded DER of the Name SEQUENCE.

type

readonly type: "directoryName"

X.500 directory name (directoryName [4]).


Type Literal

{ tag: number; type: "unknown"; value: Uint8Array; }

tag

readonly tag: number

ASN.1 context tag number.

type

readonly type: "unknown"

Unrecognized GeneralName tag, preserved as raw bytes.

value

readonly value: Uint8Array

Raw content bytes of the element.


ValidateCandidatePathResult

ValidateCandidatePathResult = { ok: true; policyValidation: PolicyValidationOutcome; value: ValidateCandidatePathSuccess; } | IndexedErrorResult<VerifyErrorCode, VerifyFailureDetails, VerifyChainFailure>

Defined in: src/verify/verify.ts:303

Result of validateCandidatePath.

Union Members

Type Literal

{ ok: true; policyValidation: PolicyValidationOutcome; value: ValidateCandidatePathSuccess; }

ok

readonly ok: true

policyValidation

readonly policyValidation: PolicyValidationOutcome

Shorthand duplicate of value.policyValidation for internal forwarding.

value

readonly value: ValidateCandidatePathSuccess


IndexedErrorResult<VerifyErrorCode, VerifyFailureDetails, VerifyChainFailure>


VerifyChainResult

VerifyChainResult = { ok: true; value: VerifiedCertificateChain; } | IndexedErrorResult<VerifyErrorCode, VerifyFailureDetails, VerifyChainFailure>

Defined in: src/verify/verify.ts:369

Result of verifyCertificateChain. On success, contains the VerifiedCertificateChain.


VerifyErrorCode

VerifyErrorCode = "no_trusted_root" | "issuer_not_found" | "signature_invalid" | "certificate_expired" | "ca_required" | "key_cert_sign_required" | "path_length_exceeded" | "authority_key_identifier_mismatch" | "extended_key_usage_invalid" | "subject_alt_name_mismatch" | "common_name_fallback_suppressed" | "self_signed_leaf_not_allowed" | "unrecognized_critical_extension" | "intermediate_eku_constraint" | "policy_processing_not_implemented" | "explicit_policy_required" | "initial_policy_set_not_satisfied" | "initial_name_constraints_not_implemented" | "unsupported_name_constraints" | "name_constraints_violated" | "unsupported_signature_algorithm_parameters" | "certificate_revoked" | "revocation_indeterminate"

Defined in: src/verify/verify.ts:176

Discriminant for every failure a verify operation can produce.

  • no_trusted_root — chain could not be anchored to any root or TrustAnchor.
  • issuer_not_found — an intermediate's issuer was not in the candidate set.
  • signature_invalid — a certificate's signature failed cryptographic verification.
  • certificate_expired — a certificate's notBefore/notAfter window excludes the validation time.
  • ca_required — an issuer lacks basicConstraints.ca = true.
  • key_cert_sign_required — an issuer has keyUsage but omits keyCertSign.
  • path_length_exceeded — the number of CA certificates below an issuer exceeds its pathLength.
  • authority_key_identifier_mismatch — a certificate's AKI does not match the issuer's SKI.
  • extended_key_usage_invalid — the leaf certificate lacks the required EKU for the requested purpose.
  • subject_alt_name_mismatch — no SAN entry matches the requested service identity.
  • common_name_fallback_suppressed — CN fallback was attempted but suppressed (SAN present or disabled).
  • self_signed_leaf_not_allowed — the leaf is self-signed and allowSelfSignedLeaf was not set.
  • unrecognized_critical_extension — a certificate contains a critical extension the verifier cannot process.
  • intermediate_eku_constraint — an intermediate CA's EKU set does not include the required purpose.
  • policy_processing_not_implemented — policy processing encountered an unsupported construct.
  • explicit_policy_required — requireExplicitPolicy was set but no acceptable policy was found.
  • initial_policy_set_not_satisfied — the chain's policies do not intersect initialPolicySet.
  • initial_name_constraints_not_implemented — caller-supplied initial name constraints are unsupported.
  • unsupported_name_constraints — a certificate's nameConstraints use an unsupported form.
  • name_constraints_violated — a subject name violates a permitted/excluded subtree.
  • unsupported_signature_algorithm_parameters — the signature algorithm uses unrecognized parameters.

VerifyPkcs7SignedDataResult

VerifyPkcs7SignedDataResult = { ok: true; value: ParsedPkcs7SignedData; } | ErrorResult<"signer_not_found" | "signature_invalid" | "message_digest_mismatch" | "content_missing" | ParsePkcs7ErrorCode, Record<never, never>, VerifyPkcs7SignedDataFailure>

Defined in: src/pkcs/pkcs7.ts:175

Success-or-failure result from verifyPkcs7SignedData.

Union Members

Type Literal

{ ok: true; value: ParsedPkcs7SignedData; }

ok

readonly ok: true

Verification succeeded.

value

readonly value: ParsedPkcs7SignedData

The verified SignedData structure.


ErrorResult<"signer_not_found" | "signature_invalid" | "message_digest_mismatch" | "content_missing" | ParsePkcs7ErrorCode, Record<never, never>, VerifyPkcs7SignedDataFailure>


VerifyPurpose

VerifyPurpose = "serverAuth" | "clientAuth" | "ca"

Defined in: src/verify/verify.ts:93

High-level purpose applied during path validation to enforce leaf constraints.


VerifyRequestResult

VerifyRequestResult = { ok: true; value: ParsedCertificateSigningRequest; } | ErrorResult<"signature_invalid" | "unsupported_signature_algorithm_parameters", VerifyFailureDetails, VerifyRequestFailure>

Defined in: src/verify/verify.ts:391

Result of verifyCertificateSigningRequest. On success, contains the parsed CSR.


VerifyServiceIdentityInput

VerifyServiceIdentityInput = DnsServiceIdentityInput | IpServiceIdentityInput

Defined in: src/verify/identity.ts:67

Subset of identities usable for TLS server verification (DNS and IP only).

Functions

buildCandidatePath()

buildCandidatePath(input): Promise<BuildCandidatePathResult>

Defined in: src/verify/verify.ts:635

Builds a signature-verified path from a leaf certificate to a trusted root.

Parses the supplied certificates, walks the issuer chain, signature-checks each link, and returns the first valid path. Does not enforce time, constraints, or leaf purpose — call validateCandidatePath or use the all-in-one verifyCertificateChain for full validation.

Parameters

input

BuildCandidatePathInput

Returns

Promise<BuildCandidatePathResult>

Example

ts
import { buildCandidatePath } from 'micro509';

const result = await buildCandidatePath({
  leaf: leafPem,
  intermediates: [intermediatePem],
  roots: [rootPem],
});
if (result.ok) {
  console.log('path length:', result.value.chain.length);
}

categorizePemBlocks()

categorizePemBlocks(input): CategorizedPemBlocks

Defined in: src/pem/pem.ts:146

Groups PEM blocks by label into well-known PKI categories (certificates, CSRs, private keys, public keys, and everything else). Accepts either raw PEM text or pre-split PemBlock entries.

Parameters

input

string | readonly PemBlock[]

Returns

CategorizedPemBlocks
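
An added illustrative splitter and categorizer for the same labels, not micro509's own implementation (PemBlock and CategorizedPemBlocks here are assumed simplified shapes, and the sample bundle is constructed with placeholder base64 bodies rather than real DER). It keeps the RFC 1421 headers of legacy encrypted blocks and rejects a mismatched END label instead of silently skipping it.

```typescript
// Simplified stand-in shapes for this example; not micro509's PemBlock or
// CategorizedPemBlocks types.
interface PemBlock {
  readonly label: string;                        // text between the BEGIN/END dashes
  readonly headers: ReadonlyMap<string, string>; // RFC 1421 headers, e.g. Proc-Type
  readonly base64: string;                       // body with line breaks removed
}

interface CategorizedPemBlocks {
  readonly certificates: PemBlock[];
  readonly certificateRequests: PemBlock[];
  readonly privateKeys: PemBlock[];
  readonly publicKeys: PemBlock[];
  readonly other: PemBlock[];
}

const BEGIN_LINE = /^-----BEGIN ([A-Z0-9 ]+)-----$/;
const END_LINE = /^-----END ([A-Z0-9 ]+)-----$/;
const BASE64_LINE = /^[A-Za-z0-9+/]+={0,2}$/;

// Splits PEM text into blocks. Text outside BEGIN/END is ignored; a mismatched
// END label, an unterminated block or a non-base64 body line is an error.
function splitPemBlocks(text: string): PemBlock[] {
  const lines = text.split(/\r?\n/).map((line) => line.trim());
  const blocks: PemBlock[] = [];
  for (let i = 0; i < lines.length; i++) {
    const begin = BEGIN_LINE.exec(lines[i] ?? '');
    if (!begin) continue;
    const label = begin[1] ?? '';
    const headers = new Map<string, string>();
    const body: string[] = [];
    let closed = false;
    while (++i < lines.length) {
      const line = lines[i] ?? '';
      const end = END_LINE.exec(line);
      if (end) {
        if (end[1] !== label) throw new Error(`END label ${end[1]} does not match BEGIN ${label}`);
        closed = true;
        break;
      }
      if (line === '') continue; // blank line that separates headers from the body
      const colon = line.indexOf(':');
      if (colon > 0 && body.length === 0) { // "Proc-Type: 4,ENCRYPTED", "DEK-Info: ..."
        headers.set(line.slice(0, colon).trim(), line.slice(colon + 1).trim());
        continue;
      }
      if (!BASE64_LINE.test(line)) throw new Error(`invalid base64 line in ${label} block`);
      body.push(line);
    }
    if (!closed) throw new Error(`unterminated ${label} block`);
    blocks.push({ label, headers, base64: body.join('') });
  }
  return blocks;
}

const CSR_LABELS = new Set(['CERTIFICATE REQUEST', 'NEW CERTIFICATE REQUEST']);
const PRIVATE_KEY_LABELS = new Set(['PRIVATE KEY', 'ENCRYPTED PRIVATE KEY', 'RSA PRIVATE KEY', 'EC PRIVATE KEY']);
const PUBLIC_KEY_LABELS = new Set(['PUBLIC KEY', 'RSA PUBLIC KEY']);

// Accepts raw PEM text or already-split blocks, mirroring the documented input union.
function categorizePemBlocks(input: string | readonly PemBlock[]): CategorizedPemBlocks {
  const blocks = typeof input === 'string' ? splitPemBlocks(input) : input;
  const out: CategorizedPemBlocks = { certificates: [], certificateRequests: [], privateKeys: [], publicKeys: [], other: [] };
  for (const block of blocks) {
    if (block.label === 'CERTIFICATE') out.certificates.push(block);
    else if (CSR_LABELS.has(block.label)) out.certificateRequests.push(block);
    else if (PRIVATE_KEY_LABELS.has(block.label)) out.privateKeys.push(block);
    else if (PUBLIC_KEY_LABELS.has(block.label)) out.publicKeys.push(block);
    else out.other.push(block); // e.g. X509 CRL, PKCS7
  }
  return out;
}

// Constructed sample bundle (CRLF line endings on purpose); bodies are placeholders, not real DER.
const SAMPLE_BUNDLE = [
  '-----BEGIN CERTIFICATE-----',
  'MIIBszCCAVmgAwIBAgIUAAAA',
  '-----END CERTIFICATE-----',
  '-----BEGIN EC PRIVATE KEY-----',
  'Proc-Type: 4,ENCRYPTED',
  'DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF',
  '',
  'AAAAAAAAAAAAAAAAAAAAAA==',
  '-----END EC PRIVATE KEY-----',
  '-----BEGIN CERTIFICATE REQUEST-----',
  'MIHxMIGZAgEAMA==',
  '-----END CERTIFICATE REQUEST-----',
  '-----BEGIN PUBLIC KEY-----',
  'MFkwEwYHKoZIzj0CAQYI',
  '-----END PUBLIC KEY-----',
  '-----BEGIN X509 CRL-----',
  'MIIBAAAA',
  '-----END X509 CRL-----',
].join('\r\n');
```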


checkCertificateRevocation()

checkCertificateRevocation(input): Promise<CheckCertificateRevocationResult>

Defined in: src/revocation/revocation.ts:278

Evaluates all provided CRL and OCSP evidence to determine the certificate's revocation status. Returns the first revoked result if any, else the first good result, else unknown with diagnostic details about each indeterminate piece of evidence.

Parameters

input

CheckCertificateRevocationInput

Returns

Promise<CheckCertificateRevocationResult>

Example

ts
import { checkCertificateRevocation } from 'micro509';

const result = await checkCertificateRevocation({
  certificate: leafPem,
  issuerCertificate: caPem,
  evidence: [{ kind: 'crl', crl: crlPem }],
});
if (result.ok && result.value.status === 'revoked') {
  console.log('revoked at', result.value.revokedAt);
}

checkCertificateRevocationAgainstCrl()

checkCertificateRevocationAgainstCrl(input): Promise<CheckCertificateRevocationAgainstCrlResult>

Defined in: src/revocation/crl.ts:723

End-to-end revocation check: validates the CRL (and optional delta CRL), verifies applicability via distribution-point and scope matching, then resolves the certificate's revocation status.

Returns good if the serial is absent, revoked with date/reason if present, or an error if the CRL cannot be validated or is non-applicable.

Parameters

input

CheckCertificateRevocationAgainstCrlInput

Returns

Promise<CheckCertificateRevocationAgainstCrlResult>

Example

ts
import { checkCertificateRevocationAgainstCrl } from 'micro509';

const result = await checkCertificateRevocationAgainstCrl({
  certificate: leafPem,
  issuerCertificate: caPem,
  crl: crlPem,
});
if (result.ok && result.value.status === 'revoked') {
  console.log('revoked on', result.value.revocationDate);
}

checkChainRevocation()

checkChainRevocation(input): Promise<CheckChainRevocationResult>

Defined in: src/revocation/chain.ts:730

Checks revocation status for all certificates in a validated chain.

Evaluates CRL and OCSP evidence against each certificate (except the trust anchor), applies the revocation policy, and returns a unified decision.

Parameters

input

CheckChainRevocationInput

Returns

Promise<CheckChainRevocationResult>

Example

ts
import { checkChainRevocation } from 'micro509';

const result = await checkChainRevocation({
  chain: validatedChain,
  crls: [crl1, crl2],
  policy: { mode: 'hard-fail' },
});
if (result.value.decision === 'deny') {
  console.log('Revocation check failed');
}

checkExtendedKeyUsage()

checkExtendedKeyUsage(chain, purpose): EkuCheckResult

Defined in: src/verify/verify.ts:1076

Standalone EKU check against a verified certificate chain. Validates that the leaf has the requested purpose and that intermediate CA EKU constraints (if present) permit it.

Parameters

chain

readonly ParsedCertificate<Record<never, never>>[]

purpose

EkuCheckPurpose

Returns

EkuCheckResult

Example

ts
import { checkExtendedKeyUsage } from 'micro509';

const result = checkExtendedKeyUsage(chain, 'serverAuth');
if (!result.ok) {
  console.error(result.error.code, result.error.message);
}

createCertificate()

createCertificate(input): Promise<CertificateMaterial>

Defined in: src/x509/certificate.ts:244

Create an X.509 certificate signed by input.signerPrivateKey.

The certificate encodes input.subject, input.publicKey, and any supplied extensions. When serialNumber is omitted, a random positive serial number is generated. When validity is omitted, the certificate is valid from now for 30 days.

Parameters

input

CreateCertificateInput

Issuer, subject, key, validity, and extension settings.

Returns

Promise<CertificateMaterial>

The encoded certificate material.

Example

ts
import { createCertificate } from 'micro509';

const certificate = await createCertificate({
	issuer: { commonName: 'Example Root CA' },
	subject: { commonName: 'example.com' },
	publicKey: leafKeys.publicKey,
	signerPrivateKey: issuerKeys.privateKey,
	issuerPublicKey: issuerKeys.publicKey,
});

createCertificateRevocationList()

createCertificateRevocationList(input): Promise<CertificateRevocationListMaterial>

Defined in: src/revocation/crl.ts:432

Signs and encodes an X.509 v2 CRL.

Embeds Authority Key Identifier, CRLNumber, delta CRL indicator, issuing distribution point, and freshest-CRL extensions as configured.

Parameters

input

CreateCertificateRevocationListInput

Returns

Promise<CertificateRevocationListMaterial>

Example

ts
import { createCertificateRevocationList } from 'micro509';

const crl = await createCertificateRevocationList({
  issuer: { commonName: 'Example CA' },
  signerPrivateKey: caPrivateKey,
  issuerPublicKey: caPublicKey,
  thisUpdate: new Date('2025-01-01'),
  nextUpdate: new Date('2025-02-01'),
  crlNumber: 42,
  revokedCertificates: [
    { serialNumber: revokedSerial, reasonCode: 'keyCompromise' },
  ],
});
// crl.pem, crl.der, crl.base64

createCertificateSigningRequest()

createCertificateSigningRequest(input): Promise<CsrMaterial>

Defined in: src/x509/csr.ts:83

Creates a PKCS#10 Certificate Signing Request signed with the given private key.

The CSR embeds the public key's SPKI, the subject name, and any requested extensions as attributes. The signature proves possession of the private key.

Parameters

input

CreateCsrInput

Returns

Promise<CsrMaterial>

Example

ts
import { createCertificateSigningRequest } from 'micro509';

const keyPair = await crypto.subtle.generateKey(
  { name: 'ECDSA', namedCurve: 'P-256' },
  true,
  ['sign', 'verify'],
);
const csr = await createCertificateSigningRequest({
  subject: { commonName: 'example.com' },
  publicKey: keyPair.publicKey,
  signerPrivateKey: keyPair.privateKey,
  extensions: { subjectAltNames: [{ type: 'dns', value: 'example.com' }] },
});
console.log(csr.pem);

createOcspRequest()

createOcspRequest(input): Promise<OcspRequestMaterial>

Defined in: src/revocation/ocsp.ts:370

Builds a DER-encoded OCSP request containing one or more CertID entries and an optional nonce extension.

Parameters

input

CreateOcspRequestInput

Returns

Promise<OcspRequestMaterial>

Example

ts
import { createOcspRequest } from 'micro509';

const req = await createOcspRequest({
  requests: [{ certificate: leafPem, issuerCertificate: caPem }],
  hashAlgorithm: 'SHA-256',
  nonce: crypto.getRandomValues(new Uint8Array(16)),
});
// POST req.der to the OCSP responder URI

createOcspResponse()

createOcspResponse(input): Promise<OcspResponseMaterial>

Defined in: src/revocation/ocsp.ts:606

Signs and encodes an OCSP BasicResponse with a successful status.

The responder is identified by key hash (SHA-1 of the signer's SubjectPublicKey). Use includedCertificates to embed the responder's chain for relying parties.

Parameters

input

CreateOcspResponseInput

Returns

Promise<OcspResponseMaterial>

Example

ts
import { createOcspResponse } from 'micro509';

const resp = await createOcspResponse({
  signerPrivateKey: responderPrivateKey,
  signerCertificate: responderCertPem,
  responses: [
    {
      certificate: leafPem,
      issuerCertificate: caPem,
      certStatus: 'good',
      thisUpdate: new Date('2025-01-01'),
      nextUpdate: new Date('2025-01-08'),
    },
  ],
  nonce: requestNonce,
});
// resp.der, resp.pem, resp.base64

createPfx()

createPfx(input): Promise<CreatePfxResult>

Defined in: src/pkcs/pfx.ts:266

Builds a PKCS#12/PFX archive containing certificates and/or private keys.

When encryption is provided, the key-bag ContentInfo is PBES2-encrypted. When mac is provided, a PKCS#12 MAC integrity block is appended.

Returns a CreatePfxResult: the container material on success, or a typed invalid_certificate failure when a certificate source is not a single PEM/DER certificate.

Parameters

input

CreatePfxInput

Returns

Promise<CreatePfxResult>

Example

ts
import { createPfx, unwrap } from 'micro509';

const result = await createPfx({
  certificates: [{ certificate: certPem }],
  privateKeys: [{ privateKey: keyPair.privateKey }],
  encryption: { password: 's3cret' },
  mac: { password: 's3cret' },
});
if (result.ok) {
  const pfx = result.value; // pfx.der, pfx.pem, pfx.base64
}
// or, when inputs are already validated: const pfx = unwrap(result);

createPkcs7CertBagDer()

createPkcs7CertBagDer(certificates): CreatePkcs7CertBagDerResult

Defined in: src/pkcs/pkcs7.ts:232

Creates a degenerate PKCS#7 SignedData structure containing only certificates (no signers).

Returns a CreatePkcs7CertBagDerResult: the raw DER on success, or a typed invalid_certificate failure when a certificate source is not valid PEM/DER. Use createPkcs7CertBagPem for PEM + base64.

Parameters

certificates

readonly Pkcs7CertificateSource[]

Returns

CreatePkcs7CertBagDerResult


createPkcs7CertBagPem()

createPkcs7CertBagPem(certificates): CreatePkcs7CertBagResult

Defined in: src/pkcs/pkcs7.ts:264

Creates a degenerate PKCS#7 SignedData certificate bag and returns DER, PEM, and base64 forms, or a typed CreatePkcs7CertBagFailure when a certificate source is not valid PEM/DER.

Parameters

certificates

readonly Pkcs7CertificateSource[]

Returns

CreatePkcs7CertBagResult


createPkcs7SignedDataDer()

createPkcs7SignedDataDer(input): Promise<CreatePkcs7SignedDataDerResult>

Defined in: src/pkcs/pkcs7.ts:377

Creates a PKCS#7/CMS SignedData with one or more signers over content.

Each signer uses the RFC 5652 Section 5.4 signed-attributes flow: the signature covers a SET OF authenticated attributes carrying contentType and messageDigest (the digest of the encapsulated content). The content is embedded (attached signature), so the result verifies with verifyPkcs7SignedData without any external data.

The content digest is derived from each signer's key (P-256/RSA-SHA256 → SHA-256, P-384 → SHA-384, P-521 → SHA-512, Ed25519 → SHA-512 per RFC 8419).

Returns a CreatePkcs7SignedDataDerResult: the raw DER on success, or a typed failure for caller-correctable input (no signers, a signer source that is not exactly one certificate, or an unsupported signer key). Use createPkcs7SignedDataPem for PEM + base64.

Parameters

input

CreatePkcs7SignedDataInput

Returns

Promise<CreatePkcs7SignedDataDerResult>


createPkcs7SignedDataPem()

createPkcs7SignedDataPem(input): Promise<CreatePkcs7SignedDataResult>

Defined in: src/pkcs/pkcs7.ts:501

Creates a PKCS#7/CMS SignedData over content and returns DER, PEM, and base64 forms, or a typed CreatePkcs7SignedDataFailure for caller-correctable input.

Parameters

input

CreatePkcs7SignedDataInput

Returns

Promise<CreatePkcs7SignedDataResult>


createSelfSignedCertificate()

createSelfSignedCertificate(input): Promise<SelfSignedCertificateResult>

Defined in: src/x509/certificate.ts:202

Create a self-signed certificate.

Reuses input.keyPair when provided; otherwise generates a new key pair from input.algorithm. The returned certificate uses input.subject as both issuer and subject.

Parameters

input

CreateSelfSignedCertificateInput

Certificate subject, key, validity, and extension settings.

Returns

Promise<SelfSignedCertificateResult>

The certificate plus the key pair used to sign it.

Example

ts
import { createSelfSignedCertificate } from 'micro509';

const { certificate, keyPair } = await createSelfSignedCertificate({
	subject: { commonName: 'example.com' },
	algorithm: { kind: 'ecdsa', curve: 'P-256' },
});

decodeExtension()

decodeExtension<TValue>(extensions, decoder): TValue | undefined

Defined in: src/x509/parse.ts:930

Decode a single extension using a custom ExtensionDecoder.

Type Parameters

TValue

TValue

Parameters

extensions

readonly ParsedExtension[]

Extension list to search.

decoder

ExtensionDecoder<TValue>

Decoder whose OID will be matched.

Returns

TValue | undefined

The decoded value, or undefined if the extension is absent.


decodeExtensionMap()

decodeExtensionMap<TMap>(extensions, decoderMap): DecodedExtensionMap<TMap>

Defined in: src/x509/parse.ts:972

Decode all matching extensions using a named ExtensionDecoderMap.

Type Parameters

TMap

TMap extends ExtensionDecoderMap

Parameters

extensions

readonly ParsedExtension[]

Extension list to search.

decoderMap

TMap

Named decoders. Results are keyed by the same map keys.

Returns

DecodedExtensionMap<TMap>


decodeExtensions()

decodeExtensions(extensions, decoders): readonly DecodedExtensionValue<unknown>[]

Defined in: src/x509/parse.ts:947

Decode all matching extensions using an array of ExtensionDecoders.

Parameters

extensions

readonly ParsedExtension[]

Extension list to search.

decoders

readonly ExtensionDecoder<unknown>[]

Decoders to apply. Only matching OIDs produce output.

Returns

readonly DecodedExtensionValue<unknown>[]


defineExtensionDecoder()

defineExtensionDecoder<TValue>(decoder): ExtensionDecoder<TValue>

Defined in: src/x509/parse.ts:249

Identity helper that narrows the type of a custom ExtensionDecoder literal.

Type Parameters

TValue

TValue

Parameters

decoder

ExtensionDecoder<TValue>

Decoder definition to return unchanged.

Returns

ExtensionDecoder<TValue>

The same decoder, properly typed.


defineExtensionDecoderMap()

defineExtensionDecoderMap<TMap>(decoderMap): TMap

Defined in: src/x509/parse.ts:261

Identity helper that narrows the type of a custom ExtensionDecoderMap literal.

Type Parameters

TMap

TMap extends ExtensionDecoderMap

Parameters

decoderMap

TMap

Map of named decoders to return unchanged.

Returns

TMap

The same map, properly typed.


exportBinaryBase64()

exportBinaryBase64(key): Promise<string>

Defined in: src/keys/keys.ts:492

Export a key as raw base64 (no PEM headers).

Returns SPKI-encoded base64 for public keys, PKCS#8-encoded base64 for private keys. Useful for compact storage or transmission where PEM overhead is undesirable.

Parameters

key

CryptoKey

Returns

Promise<string>

Throws

If the key is a symmetric/secret key


exportEncryptedPkcs1Pem()

exportEncryptedPkcs1Pem(privateKey, options): Promise<string>

Defined in: src/keys/keys.ts:412

Export an RSA private key as legacy Proc-Type: 4,ENCRYPTED PEM (PKCS#1).

Uses OpenSSL's traditional PEM encryption with MD5-based key derivation. For modern encryption, prefer exportEncryptedPkcs8Pem.

Parameters

privateKey

CryptoKey

options

LegacyPemEncryptionOptions

Returns

Promise<string>

Throws

If the key is not an RSA key

See

importEncryptedPkcs1Pem for the inverse operation


exportEncryptedPkcs8Der()

exportEncryptedPkcs8Der(privateKey, options): Promise<Uint8Array<ArrayBufferLike>>

Defined in: src/keys/keys.ts:340

Export a private key as DER-encoded PBES2-encrypted PKCS#8 EncryptedPrivateKeyInfo.

Uses PBES2 (PKCS#5 v2.1) with AES-CBC and PBKDF2. Compatible with OpenSSL.

Parameters

privateKey

CryptoKey

The private key to export

options

Pbes2EncryptionOptions

Encryption options including password and optional algorithm settings

Returns

Promise<Uint8Array<ArrayBufferLike>>


exportEncryptedPkcs8Pem()

exportEncryptedPkcs8Pem(privateKey, options): Promise<string>

Defined in: src/keys/keys.ts:363

Export a private key as PEM-encoded PBES2-encrypted PKCS#8 EncryptedPrivateKeyInfo.

Parameters

privateKey

CryptoKey

options

Pbes2EncryptionOptions

Returns

Promise<string>

Example

ts
import { exportEncryptedPkcs8Pem, generateKeyPair } from 'micro509';

const keys = await generateKeyPair();
const pem = await exportEncryptedPkcs8Pem(keys.privateKey, { password: 'secret' });
// -----BEGIN ENCRYPTED PRIVATE KEY-----
// MIHsMFcGCSqGSIb3DQEFDTBKMCkGCSqGSIb3DQEFDDAc...
// -----END ENCRYPTED PRIVATE KEY-----

See

importEncryptedPkcs8Pem for the inverse operation


exportEncryptedSec1Pem()

exportEncryptedSec1Pem(privateKey, options): Promise<string>

Defined in: src/keys/keys.ts:461

Export an EC private key as legacy Proc-Type: 4,ENCRYPTED PEM (SEC 1).

Uses OpenSSL's traditional PEM encryption with MD5-based key derivation. For modern encryption, prefer exportEncryptedPkcs8Pem.

Parameters

privateKey

CryptoKey

options

LegacyPemEncryptionOptions

Returns

Promise<string>

Throws

If the key is not an EC key

See

importEncryptedSec1Pem for the inverse operation


exportPkcs1Der()

exportPkcs1Der(privateKey): Promise<Uint8Array<ArrayBufferLike>>

Defined in: src/keys/keys.ts:381

Export an RSA private key as DER-encoded PKCS#1 RSAPrivateKey.

PKCS#1 is the legacy RSA-only format. For algorithm-agnostic export, use exportPkcs8Der.

Parameters

privateKey

CryptoKey

Returns

Promise<Uint8Array<ArrayBufferLike>>

Throws

If the key is not an RSA key


exportPkcs1Pem()

exportPkcs1Pem(privateKey): Promise<string>

Defined in: src/keys/keys.ts:398

Export an RSA private key as PEM-encoded PKCS#1 RSAPrivateKey.

Parameters

privateKey

CryptoKey

Returns

Promise<string>

Throws

If the key is not an RSA key


exportPkcs8Der()

exportPkcs8Der(privateKey): Promise<Uint8Array<ArrayBufferLike>>

Defined in: src/keys/keys.ts:283

Export a private key as DER-encoded PKCS#8 PrivateKeyInfo.

Parameters

privateKey

CryptoKey

Returns

Promise<Uint8Array<ArrayBufferLike>>


exportPkcs8Pem()

exportPkcs8Pem(privateKey): Promise<string>

Defined in: src/keys/keys.ts:325

Export a private key as PEM-encoded PKCS#8 PrivateKeyInfo.

Parameters

privateKey

CryptoKey

Returns

Promise<string>

Example

ts
import { exportPkcs8Pem, generateKeyPair } from 'micro509';

const keys = await generateKeyPair();
const pem = await exportPkcs8Pem(keys.privateKey);
// -----BEGIN PRIVATE KEY-----
// MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEH...
// -----END PRIVATE KEY-----


exportPrivateJwk()

exportPrivateJwk(privateKey): Promise<JsonWebKey>

Defined in: src/keys/keys.ts:306

Export a private key as a JSON Web Key.

Parameters

privateKey

CryptoKey

Returns

Promise<JsonWebKey>


exportPublicJwk()

exportPublicJwk(publicKey): Promise<JsonWebKey>

Defined in: src/keys/keys.ts:296

Export a public key as a JSON Web Key.

Parameters

publicKey

CryptoKey

Returns

Promise<JsonWebKey>

Example

ts
import { exportPublicJwk, generateKeyPair } from 'micro509';

const keys = await generateKeyPair({ kind: 'ecdsa', curve: 'P-256' });
const jwk = await exportPublicJwk(keys.publicKey);

exportSec1Der()

exportSec1Der(privateKey): Promise<Uint8Array<ArrayBufferLike>>

Defined in: src/keys/keys.ts:430

Export an EC private key as DER-encoded SEC 1 ECPrivateKey.

SEC 1 is the legacy EC-only format. For algorithm-agnostic export, use exportPkcs8Der.

Parameters

privateKey

CryptoKey

Returns

Promise<Uint8Array<ArrayBufferLike>>

Throws

If the key is not an EC key


exportSec1Pem()

exportSec1Pem(privateKey): Promise<string>

Defined in: src/keys/keys.ts:447

Export an EC private key as PEM-encoded SEC 1 ECPrivateKey.

Parameters

privateKey

CryptoKey

Returns

Promise<string>

Throws

If the key is not an EC key


exportSpkiDer()

exportSpkiDer(publicKey): Promise<Uint8Array<ArrayBufferLike>>

Defined in: src/keys/keys.ts:272

Export a public key as DER-encoded SubjectPublicKeyInfo.

Parameters

publicKey

CryptoKey

Returns

Promise<Uint8Array<ArrayBufferLike>>


exportSpkiPem()

exportSpkiPem(publicKey): Promise<string>

Defined in: src/keys/keys.ts:477

Export a public key as PEM-encoded SubjectPublicKeyInfo.

Parameters

publicKey

CryptoKey

Returns

Promise<string>

Example

ts
import { exportSpkiPem, generateKeyPair } from 'micro509';

const keys = await generateKeyPair();
const pem = await exportSpkiPem(keys.publicKey);

findExtension()

findExtension(extensions, oid): ParsedExtension | undefined

Defined in: src/x509/parse.ts:916

Find a raw extension by OID within a parsed extension list.

Parameters

extensions

readonly ParsedExtension[]

Extension list from a ParsedCertificate or CSR.

oid

string

Dotted-decimal OID to look up.

Returns

ParsedExtension | undefined

The matching extension, or undefined if not present.


generateKeyPair()

generateKeyPair(algorithm?): Promise<KeyPairMaterial>

Defined in: src/keys/keys.ts:225

Generate an asymmetric key pair for signing and verification.

Parameters

algorithm?

KeyAlgorithmInput = ...

Returns

Promise<KeyPairMaterial>

Example

ts
import { generateKeyPair } from 'micro509';

const ecKeys = await generateKeyPair({ kind: 'ecdsa', curve: 'P-384' });
const rsaKeys = await generateKeyPair({ kind: 'rsa', modulusLength: 4096 });
const edKeys = await generateKeyPair({ kind: 'ed25519' });

// Default: ECDSA P-256
const keys = await generateKeyPair();
const pem = await keys.exportPkcs8Pem();

getCertificateOcspResponderUris()

getCertificateOcspResponderUris(certificate): readonly string[]

Defined in: src/revocation/revocation.ts:195

Extracts OCSP responder URIs from the certificate's Authority Information Access extension.

Parameters

certificate

RevocationCertificateSource

Returns

readonly string[]


importEncryptedPkcs1Pem()

importEncryptedPkcs1Pem(pem, password, algorithm?): Promise<ImportEncryptedKeyResult<CryptoKey>>

Defined in: src/keys/keys.ts:879

Import an RSA private key from legacy Proc-Type: 4,ENCRYPTED PEM (PKCS#1).

Parameters

pem

string

password

string

algorithm?

ImportRsaPublicKeyInput = ...

Returns

Promise<ImportEncryptedKeyResult<CryptoKey>>

See

importEncryptedPkcs1PemOrThrow for the throwing variant


importEncryptedPkcs8Der()

importEncryptedPkcs8Der(der, password, algorithm): Promise<ImportEncryptedKeyResult<CryptoKey>>

Defined in: src/keys/keys.ts:762

Import a private key from DER-encoded PBES2-encrypted PKCS#8 EncryptedPrivateKeyInfo.

Parameters

der

Uint8Array

password

string

algorithm

PublicKeyImportInput

Returns

Promise<ImportEncryptedKeyResult<CryptoKey>>

See

importEncryptedPkcs8DerOrThrow for the throwing variant


importEncryptedPkcs8Pem()

importEncryptedPkcs8Pem(pem, password, algorithm): Promise<ImportEncryptedKeyResult<CryptoKey>>

Defined in: src/keys/keys.ts:795

Import a private key from PEM-encoded PBES2-encrypted PKCS#8 EncryptedPrivateKeyInfo.

Parameters

pem

string

password

string

algorithm

PublicKeyImportInput

Returns

Promise<ImportEncryptedKeyResult<CryptoKey>>

See

importEncryptedPkcs8PemOrThrow for the throwing variant


importEncryptedSec1Pem()

importEncryptedSec1Pem(pem, password, algorithm): Promise<ImportEncryptedKeyResult<CryptoKey>>

Defined in: src/keys/keys.ts:994

Import an EC private key from legacy Proc-Type: 4,ENCRYPTED PEM (SEC 1).

Parameters

pem

string

password

string

algorithm

ImportEcPublicKeyInput

Returns

Promise<ImportEncryptedKeyResult<CryptoKey>>

See

importEncryptedSec1PemOrThrow for the throwing variant


importPkcs1Der()

importPkcs1Der(der, algorithm?): Promise<ImportKeyResult<CryptoKey>>

Defined in: src/keys/keys.ts:823

Import an RSA private key from DER-encoded PKCS#1 RSAPrivateKey.

Parameters

der

Uint8Array

algorithm?

ImportRsaPublicKeyInput = ...

Returns

Promise<ImportKeyResult<CryptoKey>>

See

importPkcs1DerOrThrow for the throwing variant


importPkcs1Pem()

importPkcs1Pem(pem, algorithm?): Promise<ImportKeyResult<CryptoKey>>

Defined in: src/keys/keys.ts:850

Import an RSA private key from PEM-encoded PKCS#1 RSAPrivateKey.

Parameters

pem

string

algorithm?

ImportRsaPublicKeyInput = ...

Returns

Promise<ImportKeyResult<CryptoKey>>

See

importPkcs1PemOrThrow for the throwing variant


importPkcs8Base64()

importPkcs8Base64(base64, algorithm): Promise<ImportKeyResult<CryptoKey>>

Defined in: src/keys/keys.ts:911

Import a private key from base64-encoded PKCS#8 PrivateKeyInfo (no PEM headers).

Parameters

base64

string

algorithm

PublicKeyImportInput

Returns

Promise<ImportKeyResult<CryptoKey>>

See

importPkcs8Base64OrThrow for the throwing variant


importPkcs8Der()

importPkcs8Der(der, algorithm): Promise<ImportKeyResult<CryptoKey>>

Defined in: src/keys/keys.ts:678

Import a private key from DER-encoded PKCS#8 PrivateKeyInfo.

Parameters

der

Uint8Array

algorithm

PublicKeyImportInput

Returns

Promise<ImportKeyResult<CryptoKey>>

See

importPkcs8DerOrThrow for the throwing variant


importPkcs8Pem()

importPkcs8Pem(pem, algorithm): Promise<ImportKeyResult<CryptoKey>>

Defined in: src/keys/keys.ts:705

Import a private key from PEM-encoded PKCS#8 PrivateKeyInfo.

Parameters

pem

string

algorithm

PublicKeyImportInput

Returns

Promise<ImportKeyResult<CryptoKey>>

See

importPkcs8PemOrThrow for the throwing variant


importPrivateJwk()

importPrivateJwk(jwk, algorithm): Promise<ImportKeyResult<CryptoKey>>

Defined in: src/keys/keys.ts:1060

Import a private signing key from a JSON Web Key.

Parameters

jwk

JsonWebKey

algorithm

PublicKeyImportInput

Returns

Promise<ImportKeyResult<CryptoKey>>

See

importPrivateJwkOrThrow for the throwing variant


importPublicJwk()

importPublicJwk(jwk, algorithm): Promise<ImportKeyResult<CryptoKey>>

Defined in: src/keys/keys.ts:1032

Import a public verification key from a JSON Web Key.

Parameters

jwk

JsonWebKey

algorithm

PublicKeyImportInput

Returns

Promise<ImportKeyResult<CryptoKey>>

See

importPublicJwkOrThrow for the throwing variant


importSec1Der()

importSec1Der(der, algorithm): Promise<ImportKeyResult<CryptoKey>>

Defined in: src/keys/keys.ts:938

Import an EC private key from DER-encoded SEC 1 ECPrivateKey.

Parameters

der

Uint8Array

algorithm

ImportEcPublicKeyInput

Returns

Promise<ImportKeyResult<CryptoKey>>

See

importSec1DerOrThrow for the throwing variant


importSec1Pem()

importSec1Pem(pem, algorithm): Promise<ImportKeyResult<CryptoKey>>

Defined in: src/keys/keys.ts:965

Import an EC private key from PEM-encoded SEC 1 ECPrivateKey.

Parameters

pem

string

algorithm

ImportEcPublicKeyInput

Returns

Promise<ImportKeyResult<CryptoKey>>

See

importSec1PemOrThrow for the throwing variant


importSpkiBase64()

importSpkiBase64(base64, algorithm): Promise<ImportKeyResult<CryptoKey>>

Defined in: src/keys/keys.ts:629

Import a public key from base64-encoded SubjectPublicKeyInfo (no PEM headers).

Parameters

base64

string

algorithm

PublicKeyImportInput

Returns

Promise<ImportKeyResult<CryptoKey>>

See

importSpkiBase64OrThrow for the throwing variant


importSpkiDer()

importSpkiDer(der, algorithm): Promise<ImportKeyResult<CryptoKey>>

Defined in: src/keys/keys.ts:566

Import a public key from DER-encoded SubjectPublicKeyInfo.

Parameters

der

Uint8Array

algorithm

PublicKeyImportInput

Returns

Promise<ImportKeyResult<CryptoKey>>

See

importSpkiDerOrThrow for the throwing variant


importSpkiPem()

importSpkiPem(pem, algorithm): Promise<ImportKeyResult<CryptoKey>>

Defined in: src/keys/keys.ts:598

Import a public key from PEM-encoded SubjectPublicKeyInfo.

Parameters

pem

string

algorithm

PublicKeyImportInput

Returns

Promise<ImportKeyResult<CryptoKey>>

See

importSpkiPemOrThrow for the throwing variant


isCertificateRevoked()

isCertificateRevoked(certificateSerialNumber, crl): boolean

Defined in: src/revocation/crl.ts:839

Quick serial-number lookup — returns true if the serial appears in the CRL's revoked entries. Does not validate the CRL or check applicability.

Parameters

certificateSerialNumber

string | Uint8Array<ArrayBufferLike>

crl

ParsedCertificateRevocationList

Returns

boolean


isResultError()

isResultError(value): value is ResultError<Micro509Error<string, unknown>>

Defined in: src/result/result.ts:112

Type guard: was value thrown by unwrap? Narrows to ResultError.

Parameters

value

unknown

Returns

value is ResultError<Micro509Error<string, unknown>>


matchCertificateServiceIdentity()

matchCertificateServiceIdentity(rawCertificate, serviceIdentity): MatchServiceIdentityResult

Defined in: src/verify/identity.ts:178

Compares a reference identifier against a certificate's SAN entries.

Supports DNS (with wildcard matching), IP, URI-ID, and SRV-ID. For DNS, optionally falls back to subject CN when no SAN of a supported type is present.

Parameters

rawCertificate

ParsedCertificate

serviceIdentity

ServiceIdentityInput

Returns

MatchServiceIdentityResult

Examples

ts
import { matchCertificateServiceIdentity } from 'micro509';

const result = matchCertificateServiceIdentity(parsed, {
  type: 'ip',
  value: '192.168.1.1',
});
ts
import { matchCertificateServiceIdentity } from 'micro509';

const result = matchCertificateServiceIdentity(parsed, {
  type: 'dns',
  value: 'mail.example.com',
  allowCommonNameFallback: true,
});

matchServiceIdentity()

matchServiceIdentity(input): MatchServiceIdentityResult

Defined in: src/verify/identity.ts:151

Checks whether a certificate covers the requested service identity.

Delegates to matchCertificateServiceIdentity — this overload accepts a single options object.

Parameters

input

MatchServiceIdentityInput

Returns

MatchServiceIdentityResult

Example

ts
import { matchServiceIdentity } from 'micro509';

const result = matchServiceIdentity({
  certificate: parsed,
  serviceIdentity: { type: 'dns', value: 'example.com' },
});
if (!result.ok) console.error(result.error.message);

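The matching rules described for matchCertificateServiceIdentity and matchServiceIdentity (DNS with wildcards, IP, and the CN fallback that only applies when no supported SAN is present), as an added example. This is standalone code, not micro509's implementation: CertView, ServiceIdentity, MatchResult and matchIdentity are shapes and names assumed for this example, and it covers only the DNS and IP identity types.

```typescript
// Added example of the identity-matching rules described above. Standalone
// code, not micro509's implementation; CertView, ServiceIdentity and
// matchIdentity are shapes assumed for this example (DNS and IP only).

type ServiceIdentity =
  | { type: 'dns'; value: string; allowCommonNameFallback?: boolean }
  | { type: 'ip'; value: string };

interface CertView {
  subjectCommonName?: string;
  sanDns: readonly string[]; // dNSName SAN entries as encoded in the certificate
  sanIp: readonly string[];  // iPAddress SAN entries, already rendered as text
}

type MatchResult =
  | { ok: true; matched: string; via: 'san' | 'cn' }
  | { ok: false; reason: string };

function normalizeDns(name: string): string {
  return name.trim().toLowerCase().replace(/\.$/, '');
}

function isValidDnsLabel(label: string): boolean {
  return /^[a-z0-9]([a-z0-9-]*[a-z0-9])?$/.test(label);
}

// Wildcard policy used here: '*' is honoured only as the whole left-most label,
// must leave at least two more labels ('*.com' is rejected), and matches exactly
// one label, so '*.example.com' covers mail.example.com but not a.b.example.com
// or example.com itself. Partial wildcards such as 'f*o.example.com' are rejected.
function dnsNameMatches(pattern: string, reference: string): boolean {
  const p = normalizeDns(pattern);
  const r = normalizeDns(reference);
  if (p === '' || r === '') return false;
  const pLabels = p.split('.');
  const rLabels = r.split('.');
  if (pLabels[0] === '*') {
    if (pLabels.length < 3) return false;
    if (!pLabels.slice(1).every(isValidDnsLabel)) return false;
    if (rLabels.length !== pLabels.length) return false;
    return pLabels.slice(1).join('.') === rLabels.slice(1).join('.');
  }
  if (p.includes('*')) return false;
  return p === r && pLabels.every(isValidDnsLabel);
}

// Strict dotted-quad parser: exactly four decimal octets, no leading zeros,
// so ambiguous spellings such as 192.168.001.1 never match anything.
function parseIpv4(text: string): readonly number[] | undefined {
  const parts = text.trim().split('.');
  if (parts.length !== 4) return undefined;
  const octets = parts.map((s) => (/^(0|[1-9]\d{0,2})$/.test(s) ? Number(s) : NaN));
  return octets.every((n) => n >= 0 && n <= 255) ? octets : undefined;
}

function ipMatches(sanIp: string, reference: string): boolean {
  const a = parseIpv4(sanIp);
  const b = parseIpv4(reference);
  if (a && b) return a.every((n, i) => n === b[i]);
  // Non-IPv4 (IPv6): exact case-insensitive text comparison only; this example
  // does not canonicalise '::' compression, so callers must pass canonical text.
  return !a && !b && sanIp.trim().toLowerCase() === reference.trim().toLowerCase();
}

function matchIdentity(cert: CertView, id: ServiceIdentity): MatchResult {
  if (id.type === 'ip') {
    const hit = cert.sanIp.find((ip) => ipMatches(ip, id.value));
    return hit !== undefined
      ? { ok: true, matched: hit, via: 'san' }
      : { ok: false, reason: `no iPAddress SAN matches ${id.value}` };
  }
  const hit = cert.sanDns.find((name) => dnsNameMatches(name, id.value));
  if (hit !== undefined) return { ok: true, matched: hit, via: 'san' };
  // CN fallback only when the certificate carries no SAN of a supported type;
  // a present-but-non-matching SAN list must not fall through to the CN.
  const noSupportedSan = cert.sanDns.length === 0 && cert.sanIp.length === 0;
  if (id.allowCommonNameFallback && noSupportedSan && cert.subjectCommonName !== undefined
      && dnsNameMatches(cert.subjectCommonName, id.value)) {
    return { ok: true, matched: cert.subjectCommonName, via: 'cn' };
  }
  return { ok: false, reason: `no dNSName SAN matches ${id.value}` };
}
```

The two points worth keeping from this sketch: a wildcard never spans a dot or stands for the bare domain, and the CN is consulted only when the certificate has no supported SAN at all, never as a second chance after a SAN mismatch.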
parseCertificateChainPem()

parseCertificateChainPem<TMap>(pemBundle, options?): readonly ParsedCertificate<TMap>[]

Defined in: src/x509/parse.ts:724

Decode a PEM bundle containing one or more certificates.

Non-CERTIFICATE blocks (e.g. private keys) are silently skipped.

Type Parameters

TMap

TMap extends ExtensionDecoderMap = Record<never, never>

Parameters

pemBundle

string

PEM text that may contain multiple CERTIFICATE blocks.

options?

ParseOptions<TMap>

Custom extension decoders to apply during parsing.

Returns

readonly ParsedCertificate<TMap>[]


parseCertificateDer()

parseCertificateDer<TMap>(der, options?): ParseCertificateResult<TMap>

Defined in: src/x509/parse.ts:628

Decode a DER-encoded X.509 certificate into a ParsedCertificate.

Type Parameters

TMap

TMap extends ExtensionDecoderMap = Record<never, never>

Parameters

der

Uint8Array

Raw DER bytes of an X.509 certificate.

options?

ParseOptions<TMap>

Custom extension decoders to apply during parsing.

Returns

ParseCertificateResult<TMap>

Example

ts
import { parseCertificateDer } from 'micro509';

const result = parseCertificateDer(derBytes);
if (result.ok) {
	console.log(result.value.subject.values.commonName); // "example.com"
}

parseCertificatePem()

parseCertificatePem<TMap>(pem, options?): ParseCertificateResult<TMap>

Defined in: src/x509/parse.ts:677

Decode a PEM-encoded X.509 certificate into a ParsedCertificate.

Expects a single -----BEGIN CERTIFICATE----- block. For bundles containing multiple certificates, use parseCertificateChainPem.

Type Parameters

TMap

TMap extends ExtensionDecoderMap = Record<never, never>

Parameters

pem

string

PEM string with a CERTIFICATE block.

options?

ParseOptions<TMap>

Custom extension decoders to apply during parsing.

Returns

ParseCertificateResult<TMap>


parseCertificateRevocationListDer()

parseCertificateRevocationListDer(der): ParsedCertificateRevocationList

Defined in: src/revocation/crl.ts:478

Decodes a DER-encoded X.509 CRL into a structured ParsedCertificateRevocationList.

Does not verify the signature — call verifyCertificateRevocationList or validateCertificateRevocationList for that.

Parameters

der

Uint8Array

Returns

ParsedCertificateRevocationList


parseCertificateRevocationListPem()

parseCertificateRevocationListPem(pem): ParsedCertificateRevocationList

Defined in: src/revocation/crl.ts:536

Decodes a PEM-encoded X.509 CRL (-----BEGIN X509 CRL-----).

Parameters

pem

string

Returns

ParsedCertificateRevocationList

Example

ts
import { parseCertificateRevocationListPem } from 'micro509';

const crl = parseCertificateRevocationListPem(pemString);
console.log(crl.issuer.values.commonName, crl.revokedCertificates.length);

parseCertificateSigningRequestDer()

parseCertificateSigningRequestDer<TMap>(der, options?): ParseCertificateSigningRequestResult<TMap>

Defined in: src/x509/parse.ts:848

Decode a DER-encoded PKCS#10 CSR into a ParsedCertificateSigningRequest.

Type Parameters

TMap

TMap extends ExtensionDecoderMap = Record<never, never>

Parameters

der

Uint8Array

Raw DER bytes of a PKCS#10 certificate signing request.

options?

ParseOptions<TMap>

Custom extension decoders to apply during parsing.

Returns

ParseCertificateSigningRequestResult<TMap>


parseCertificateSigningRequestPem()

parseCertificateSigningRequestPem<TMap>(pem, options?): ParseCertificateSigningRequestResult<TMap>

Defined in: src/x509/parse.ts:895

Decode a PEM-encoded PKCS#10 CSR into a ParsedCertificateSigningRequest.

Type Parameters

TMap

TMap extends ExtensionDecoderMap = Record<never, never>

Parameters

pem

string

PEM string with a CERTIFICATE REQUEST block.

options?

ParseOptions<TMap>

Custom extension decoders to apply during parsing.

Returns

ParseCertificateSigningRequestResult<TMap>


parseOcspRequestDer()

parseOcspRequestDer(der): ParsedOcspRequest

Defined in: src/revocation/ocsp.ts:400

Decodes a DER-encoded OCSP request into a structured ParsedOcspRequest.

Parameters

der

Uint8Array

Returns

ParsedOcspRequest


parseOcspRequestPem()

parseOcspRequestPem(pem): ParsedOcspRequest

Defined in: src/revocation/ocsp.ts:468

Decodes a PEM-encoded OCSP request (-----BEGIN OCSP REQUEST-----).

Parameters

pem

string

Returns

ParsedOcspRequest


parseOcspResponseDer()

parseOcspResponseDer(der): ParsedOcspResponse

Defined in: src/revocation/ocsp.ts:473

Decodes a DER-encoded OCSP response into a structured ParsedOcspResponse. Does not verify the signature.

Parameters

der

Uint8Array

Returns

ParsedOcspResponse


parseOcspResponsePem()

parseOcspResponsePem(pem): ParsedOcspResponse

Defined in: src/revocation/ocsp.ts:575

Decodes a PEM-encoded OCSP response (-----BEGIN OCSP RESPONSE-----).

Parameters

pem

string

Returns

ParsedOcspResponse

Example

ts
import { parseOcspResponsePem } from 'micro509';

const resp = parseOcspResponsePem(pemString);
if (resp.responseStatus === 'successful') {
  for (const entry of resp.responses ?? []) {
    console.log(entry.certId.serialNumberHex, entry.certStatus);
  }
}

parsePfxDer()

parsePfxDer(der, options?): Promise<ParsePfxResult>

Defined in: src/pkcs/pfx.ts:347

Decodes a DER-encoded PKCS#12/PFX container into its constituent bags.

Returns a result union — check ok before accessing value. Encrypted containers require options.password. MAC verification uses options.macPassword (falls back to options.password).

Parameters

der

Uint8Array

options?

ParsePfxOptions

Returns

Promise<ParsePfxResult>

Example

ts
import { parsePfxDer } from 'micro509';

const result = await parsePfxDer(pfxBytes, { password: 's3cret' });
if (result.ok) {
  console.log(result.value.certificates.length);
}

parsePfxPem()

parsePfxPem(pem, options?): Promise<ParsePfxResult>

Defined in: src/pkcs/pfx.ts:428

Decodes a PEM-armored PKCS#12/PFX container. Expects exactly one PKCS12 block.

Delegates to parsePfxDer after PEM decoding.

Parameters

pem

string

options?

ParsePfxOptions

Returns

Promise<ParsePfxResult>

Example

ts
import { parsePfxPem } from 'micro509';

const result = await parsePfxPem(pfxPemString, { password: 's3cret' });
if (result.ok) {
  console.log(result.value.privateKeys.length);
}

parsePkcs7CertBagDer()

parsePkcs7CertBagDer(der): ParsePkcs7CertBagResult

Defined in: src/pkcs/pkcs7.ts:519

Parses a DER-encoded PKCS#7 cert bag, returning the contained certificates.

Parameters

der

Uint8Array

Returns

ParsePkcs7CertBagResult


parsePkcs7CertBagPem()

parsePkcs7CertBagPem(pem): ParsePkcs7CertBagResult

Defined in: src/pkcs/pkcs7.ts:528

Parses a PEM-armored PKCS#7 cert bag. Expects exactly one PKCS7 PEM block.

Parameters

pem

string

Returns

ParsePkcs7CertBagResult


parsePkcs7SignedDataDer()

parsePkcs7SignedDataDer(der): ParsePkcs7SignedDataResult

Defined in: src/pkcs/pkcs7.ts:549

Decodes a DER-encoded PKCS#7 ContentInfo expecting signedData content type.

Parameters

der

Uint8Array

Returns

ParsePkcs7SignedDataResult


parsePkcs7SignedDataPem()

parsePkcs7SignedDataPem(pem): ParsePkcs7SignedDataResult

Defined in: src/pkcs/pkcs7.ts:643

Decodes a PEM-armored PKCS#7 SignedData. Expects exactly one PKCS7 PEM block.

Parameters

pem

string

Returns

ParsePkcs7SignedDataResult


pemDecode()

pemDecode(label, pem): Uint8Array

Defined in: src/pem/pem.ts:58

Extracts and base64-decodes the DER content from a PEM string. Throws if the BEGIN/END markers don't match label.

Parameters

label

string

Expected PEM type label.

pem

string

PEM-encoded text (may contain \r).

Returns

Uint8Array


pemEncode()

pemEncode(label, der): string

Defined in: src/pem/pem.ts:45

Wraps DER bytes in a PEM envelope with 64-character base64 lines.

Parameters

label

string

PEM type label (e.g. "CERTIFICATE", "PRIVATE KEY").

der

Uint8Array

Raw DER-encoded content.

Returns

string


resolveOcspResponderCandidates()

resolveOcspResponderCandidates(input): readonly OcspResponderCandidate[]

Defined in: src/revocation/revocation.ts:220

Merges configured OCSP responders with those discovered from the certificate's AIA extension. Configured responders take priority; duplicates are deduplicated by URI.

Parameters

input

ResolveOcspResponderCandidatesInput

Returns

readonly OcspResponderCandidate[]


splitPemBlocks()

splitPemBlocks(input): readonly PemBlock[]

Defined in: src/pem/pem.ts:82

Finds all BEGIN/END-delimited PEM blocks in a string and returns them as parsed PemBlock entries. Handles concatenated PEM files and ignores non-PEM text between blocks.

Parameters

input

string

Returns

readonly PemBlock[]

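The PEM envelope behaviour described for pemEncode, pemDecode and splitPemBlocks (64-character base64 lines, tolerance for \r, label checking, and skipping of non-PEM text between blocks), as an added example. This is standalone code, not micro509's implementation; PemBlock, encodePem, decodePem, splitPem and the two base64 helpers are names assumed for this example.

```typescript
// Added example of the PEM envelope handling described for pemEncode,
// pemDecode and splitPemBlocks. Standalone code, not micro509's implementation;
// PemBlock, encodePem, decodePem and splitPem are names assumed for this example.

const B64 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/';

function base64Encode(bytes: Uint8Array): string {
  let out = '';
  for (let i = 0; i < bytes.length; i += 3) {
    const n = ((bytes[i] ?? 0) << 16) | ((bytes[i + 1] ?? 0) << 8) | (bytes[i + 2] ?? 0);
    out += B64.charAt((n >> 18) & 63) + B64.charAt((n >> 12) & 63);
    out += i + 1 < bytes.length ? B64.charAt((n >> 6) & 63) : '=';
    out += i + 2 < bytes.length ? B64.charAt(n & 63) : '=';
  }
  return out;
}

// Strict decoder: whitespace (line breaks, \r) is ignored; any other
// non-alphabet character or misplaced '=' is an error rather than skipped.
function base64Decode(text: string): Uint8Array {
  const clean = text.replace(/\s+/g, '');
  if (clean.length % 4 !== 0) throw new Error('base64 length is not a multiple of 4');
  const pad = clean.endsWith('==') ? 2 : clean.endsWith('=') ? 1 : 0;
  if (clean.slice(0, clean.length - pad).includes('=')) throw new Error('misplaced base64 padding');
  const sextet = (idx: number): number => {
    const ch = clean.charAt(idx);
    if (ch === '=') return 0;
    const v = B64.indexOf(ch);
    if (v < 0) throw new Error(`invalid base64 character '${ch}'`);
    return v;
  };
  const out = new Uint8Array((clean.length / 4) * 3 - pad);
  let o = 0;
  for (let i = 0; i < clean.length; i += 4) {
    const n = (sextet(i) << 18) | (sextet(i + 1) << 12) | (sextet(i + 2) << 6) | sextet(i + 3);
    if (o < out.length) out[o++] = (n >> 16) & 255;
    if (o < out.length) out[o++] = (n >> 8) & 255;
    if (o < out.length) out[o++] = n & 255;
  }
  return out;
}

interface PemBlock { label: string; der: Uint8Array }

// Wraps DER bytes in a PEM envelope with 64-character base64 lines.
function encodePem(label: string, der: Uint8Array): string {
  const lines = base64Encode(der).match(/.{1,64}/g) ?? [];
  return [`-----BEGIN ${label}-----`, ...lines, `-----END ${label}-----`, ''].join('\n');
}

// Finds every BEGIN/END-delimited block, tolerating \r\n line endings and
// ignoring text outside the markers (e.g. the "Bag Attributes" lines that
// openssl pkcs12 emits). Mismatched BEGIN/END labels are an error.
function splitPem(input: string): readonly PemBlock[] {
  const blocks: PemBlock[] = [];
  const re = /-----BEGIN ([A-Z0-9 ]+)-----\r?\n([\s\S]*?)-----END ([A-Z0-9 ]+)-----/g;
  let m: RegExpExecArray | null;
  while ((m = re.exec(input)) !== null) {
    const beginLabel = m[1] ?? '';
    const endLabel = m[3] ?? '';
    if (beginLabel !== endLabel) {
      throw new Error(`mismatched PEM markers: BEGIN ${beginLabel} / END ${endLabel}`);
    }
    blocks.push({ label: beginLabel, der: base64Decode(m[2] ?? '') });
  }
  return blocks;
}

// Decodes the DER of a single block and insists on the expected label, so a
// PRIVATE KEY block is never accepted where a CERTIFICATE was wanted.
function decodePem(label: string, pem: string): Uint8Array {
  const blocks = splitPem(pem);
  const block = blocks[0];
  if (blocks.length !== 1 || block === undefined) {
    throw new Error(`expected exactly one PEM block, found ${blocks.length}`);
  }
  if (block.label !== label) throw new Error(`expected ${label} markers, found ${block.label}`);
  return block.der;
}
```

The label check is the part that matters for safety: a decoder that only strips the armor and base64-decodes whatever sits between the dashes will happily hand a caller key material or a CSR where it expected a certificate, and the ASN.1 parser further down is then the only line of defence.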

trustAnchorFromCertificate()

trustAnchorFromCertificate(certificate): TrustAnchor

Defined in: src/verify/verify.ts:1121

Extracts a TrustAnchor from a parsed certificate, copying the subject, SPKI, and key identifiers.

Parameters

certificate

ParsedCertificate

Returns

TrustAnchor


unwrap()

unwrap<TValue, TError>(result): TValue

Defined in: src/result/result.ts:128

Explicit escape hatch: returns the success value, or throws a ResultError carrying the structured failure.

Use it when you have already validated the input (or simply prefer exceptions) and the Result ceremony is noise. Accepts any of the library's ...Result types (ParseCertificateResult, VerifyChainResult, ParsePfxResult, and so on).

Type Parameters

TValue

TValue

TError

TError extends Micro509Error<string, unknown>

Parameters

result

UnwrappableResult<TValue, TError>

Returns

TValue


unwrapOr()

unwrapOr<TValue>(result, fallback): TValue

Defined in: src/result/result.ts:138

Returns the success value, or fallback when the result is a failure.

Type Parameters

TValue

TValue

Parameters

result

UnwrappableResult<TValue, unknown>

fallback

TValue

Returns

TValue


validateCandidatePath()

validateCandidatePath(input): Promise<ValidateCandidatePathResult>

Defined in: src/verify/verify.ts:830

Validates a pre-built certificate chain for time, constraints, policy, and optionally leaf purpose. Takes the path produced by buildCandidatePath as its input.

Parameters

input

ValidateCandidatePathInput

Returns

Promise<ValidateCandidatePathResult>


validateCertificateRevocationList()

validateCertificateRevocationList(input): Promise<ValidateCertificateRevocationListResult>

Defined in: src/revocation/crl.ts:609

Full CRL validation: issuer name match, authority key identifier match, cRLSign key-usage check, signature verification, and thisUpdate/nextUpdate freshness check (with optional clock-skew tolerance).

Parameters

input

ValidateCertificateRevocationListInput

Returns

Promise<ValidateCertificateRevocationListResult>

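The caveat on isCertificateRevoked (a bare serial lookup that does not validate the CRL) and the check list for validateCertificateRevocationList, worked through as an added example. This is standalone code, not micro509's implementation: MinimalCrl, RevokedEntry, CrlDecision, canonicalSerial, isSerialRevoked and checkRevocation are shapes and names assumed for this example, and only the issuer match and thisUpdate/nextUpdate freshness window (with clock-skew tolerance) are modelled, since the signature, AKI and cRLSign checks need key material.

```typescript
// Added example, not micro509's code: MinimalCrl and RevokedEntry are shapes
// assumed for this illustration, carrying only the fields the entries above name.

interface RevokedEntry { serialNumberHex: string; revocationDate: Date }
interface MinimalCrl {
  issuerCommonName: string;
  thisUpdate: Date;
  nextUpdate?: Date;
  revokedCertificates: readonly RevokedEntry[];
}

type CrlDecision =
  | { ok: true; revoked: boolean; entry?: RevokedEntry }
  | { ok: false; reason: string };

// Serials arrive as hex strings or raw big-endian bytes. Compare a canonical
// form (lower-case hex, leading zeros dropped) so '00AB12', 'ab12' and the
// bytes [0xab, 0x12] all denote the same serial.
function canonicalSerial(serial: string | Uint8Array): string {
  const hex = typeof serial === 'string'
    ? serial.replace(/^0x/i, '').replace(/[:\s]/g, '')
    : Array.from(serial, (b) => ('0' + b.toString(16)).slice(-2)).join('');
  if (!/^[0-9a-fA-F]+$/.test(hex)) throw new Error('serial number is not hexadecimal');
  const trimmed = hex.toLowerCase().replace(/^0+/, '');
  return trimmed === '' ? '0' : trimmed;
}

// Quick lookup, mirroring what isCertificateRevoked promises: true if the
// serial is listed. It says nothing about whether the CRL is valid or current.
function isSerialRevoked(serial: string | Uint8Array, crl: MinimalCrl): boolean {
  const want = canonicalSerial(serial);
  return crl.revokedCertificates.some((e) => canonicalSerial(e.serialNumberHex) === want);
}

// The gate a caller needs before trusting a "not revoked" answer. This sketch
// covers the issuer match and the thisUpdate/nextUpdate freshness window with
// clock-skew tolerance; signature, AKI and cRLSign checks need key material
// and are not modelled here.
function checkRevocation(input: {
  serial: string | Uint8Array;
  issuerCommonName: string;
  crl: MinimalCrl;
  now?: Date;
  clockSkewMs?: number;
}): CrlDecision {
  const now = (input.now ?? new Date()).getTime();
  const skew = input.clockSkewMs ?? 0;
  const { crl } = input;
  // Issuer match on CN only, for brevity; a real check compares the full DN.
  if (crl.issuerCommonName !== input.issuerCommonName) {
    return { ok: false, reason: 'CRL issuer does not match certificate issuer' };
  }
  if (crl.thisUpdate.getTime() > now + skew) {
    return { ok: false, reason: 'CRL thisUpdate is in the future' };
  }
  if (crl.nextUpdate !== undefined && crl.nextUpdate.getTime() + skew < now) {
    return { ok: false, reason: 'CRL is stale: nextUpdate has passed' };
  }
  const want = canonicalSerial(input.serial);
  const entry = crl.revokedCertificates.find((e) => canonicalSerial(e.serialNumberHex) === want);
  return entry !== undefined ? { ok: true, revoked: true, entry } : { ok: true, revoked: false };
}
```

With micro509 the equivalent sequence is validateCertificateRevocationList (or at minimum verifyCertificateRevocationList) before isCertificateRevoked: a stale or foreign CRL answers "not listed" just as readily as a valid one, so the lookup on its own is not evidence that a certificate is still good.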

validateForCa()

validateForCa(input): Promise<VerifyChainResult>

Defined in: src/verify/verify.ts:1255

Validates a certificate chain for CA use: chain verification + basicConstraints.ca check on the leaf.

Parameters

input

ValidateForCaInput

Returns

Promise<VerifyChainResult>

Example

ts
import { validateForCa } from 'micro509';

const result = await validateForCa({
  leaf: intermediateCertPem,
  roots: [rootCaPem],
});

validateForCodeSigning()

validateForCodeSigning(input): Promise<VerifyChainResult>

Defined in: src/verify/verify.ts:1235

Validates a certificate chain for code signing: chain verification + codeSigning EKU (leaf + intermediate propagation).

Parameters

input

ValidateForCodeSigningInput

Returns

Promise<VerifyChainResult>

Example

ts
import { validateForCodeSigning } from 'micro509';

const result = await validateForCodeSigning({
  leaf: codeSigningCertPem,
  roots: [rootCaPem],
});

validateForTlsClient()

validateForTlsClient(input): Promise<VerifyChainResult>

Defined in: src/verify/verify.ts:1215

Validates a certificate chain for TLS client use: chain verification + clientAuth EKU (leaf + intermediate propagation).

Parameters

input

ValidateForTlsClientInput

Returns

Promise<VerifyChainResult>

Example

ts
import { validateForTlsClient } from 'micro509';

const result = await validateForTlsClient({
  leaf: clientCertPem,
  roots: [rootCaPem],
});

validateForTlsServer()

validateForTlsServer(input): Promise<VerifyChainResult>

Defined in: src/verify/verify.ts:1185

Validates a certificate chain for TLS server use: chain verification + serverAuth EKU (leaf + intermediate propagation) + DNS/IP identity matching.

Parameters

input

ValidateForTlsServerInput

Returns

Promise<VerifyChainResult>

Example

ts
import { validateForTlsServer } from 'micro509';

const result = await validateForTlsServer({
  leaf: serverCertPem,
  roots: [rootCaPem],
  serviceIdentity: { type: 'dns', value: 'example.com' },
});
if (result.ok) {
  console.log('valid for', result.value.leaf.subject.values.commonName);
}

validateOcspResponse()

validateOcspResponse(input): Promise<ValidateOcspResponseResult>

Defined in: src/revocation/ocsp.ts:762

Full OCSP response validation: response status check, signature verification, responder ID binding (byName or byKeyHash), delegated-responder chain and ocspSigning EKU checks, producedAt/thisUpdate/nextUpdate freshness, nonce match, and request-coverage completeness.

Parameters

input

ValidateOcspResponseInput

Returns

Promise<ValidateOcspResponseResult>

Example

ts
import { validateOcspResponse } from 'micro509';

const result = await validateOcspResponse({
  response: ocspResponseDer,
  issuerCertificate: caPem,
  request: ocspRequestDer,
});
if (result.ok) {
  const entry = result.value.responses?.[0];
  console.log(entry?.certStatus); // 'good' | 'revoked' | 'unknown'
}

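Two of the checks listed for validateOcspResponse, nonce match and request-coverage completeness, together with the response-status gate, as an added example. This is standalone code, not micro509's implementation: CertIdView, OcspRequestView, OcspResponseView, OcspOutcome, certIdKey and checkOcspCoverage are shapes and names assumed for this example, and signature, responder binding and freshness are left to the library.

```typescript
// Added example of the nonce and request-coverage checks described for
// validateOcspResponse. Standalone code, not micro509's implementation; the
// view types and checkOcspCoverage are assumptions made for this example.

type CertStatus = 'good' | 'revoked' | 'unknown';

interface CertIdView { issuerNameHashHex: string; issuerKeyHashHex: string; serialNumberHex: string }
interface OcspRequestView { certIds: readonly CertIdView[]; nonceHex?: string }
interface SingleResponseView { certId: CertIdView; certStatus: CertStatus }
interface OcspResponseView {
  responseStatus: string; // 'successful' is the only status that carries answers
  responses?: readonly SingleResponseView[];
  nonceHex?: string;
}

type OcspOutcome =
  | { ok: true; statuses: ReadonlyMap<string, CertStatus> }
  | { ok: false; reason: string };

// CertID equality is over all three fields. Hashes are compared case-insensitively
// as given; the serial additionally has leading zeros dropped so that '01' and
// '0001' refer to the same certificate.
function certIdKey(id: CertIdView): string {
  return [
    id.issuerNameHashHex.toLowerCase(),
    id.issuerKeyHashHex.toLowerCase(),
    id.serialNumberHex.toLowerCase().replace(/^0+(?=.)/, ''),
  ].join('|');
}

function checkOcspCoverage(request: OcspRequestView, response: OcspResponseView): OcspOutcome {
  if (response.responseStatus !== 'successful') {
    return { ok: false, reason: `responder returned status ${response.responseStatus}` };
  }
  // Nonce: if the request carried one, the response must echo exactly the same
  // value; a missing or different nonce means the response could be a replay
  // of an older, still-"good" answer.
  if (request.nonceHex !== undefined) {
    if (response.nonceHex === undefined) return { ok: false, reason: 'request nonce not echoed' };
    if (response.nonceHex.toLowerCase() !== request.nonceHex.toLowerCase()) {
      return { ok: false, reason: 'nonce mismatch' };
    }
  }
  const byKey = new Map<string, CertStatus>();
  for (const single of response.responses ?? []) byKey.set(certIdKey(single.certId), single.certStatus);
  // Coverage: every certificate asked about must have a SingleResponse. A
  // response that silently omits one of them must not be read as "good" for it.
  const statuses = new Map<string, CertStatus>();
  for (const id of request.certIds) {
    const status = byKey.get(certIdKey(id));
    if (status === undefined) {
      return { ok: false, reason: `no SingleResponse for serial ${id.serialNumberHex}` };
    }
    statuses.set(id.serialNumberHex, status);
  }
  return { ok: true, statuses };
}
```

Note that a successful outcome here still only tells you what the responder claimed; the 'unknown' status in particular is an answer, not an absence of one, and a policy that treats it as "good" has removed the value of asking.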
verifyCertificateChain()

verifyCertificateChain(input): Promise<VerifyChainResult>

Defined in: src/verify/verify.ts:881

All-in-one certificate chain verification: builds a candidate path then validates time, constraints, policy, purpose, and optional service identity.

Equivalent to calling buildCandidatePath followed by validateCandidatePath (plus identity matching when configured).

Parameters

input

VerifyCertificateChainInput

Returns

Promise<VerifyChainResult>

Example

ts
import { verifyCertificateChain } from 'micro509';

const result = await verifyCertificateChain({
  leaf: serverCertPem,
  intermediates: [intermediatePem],
  roots: [rootCaPem],
  purpose: 'serverAuth',
  serviceIdentity: { type: 'dns', value: 'example.com' },
});
if (!result.ok) {
  console.error(result.error.code, result.error.message);
}

verifyCertificateRevocationList()

verifyCertificateRevocationList(crl, issuerCertificate): Promise<VerifyCertificateRevocationListResult>

Defined in: src/revocation/crl.ts:546

Verifies the CRL signature against the issuer certificate's public key.

Does not check issuer name match, key-usage, or freshness — use validateCertificateRevocationList for full validation.

Parameters

crl

string | Uint8Array<ArrayBufferLike>

issuerCertificate

string | Uint8Array<ArrayBufferLike>

Returns

Promise<VerifyCertificateRevocationListResult>


verifyCertificateSigningRequest()

verifyCertificateSigningRequest(input): Promise<VerifyRequestResult>

Defined in: src/verify/verify.ts:996

Verifies the self-signature of a PKCS#10 certificate signing request.

Parses the CSR from PEM or DER, then checks that its signature is valid against its own embedded public key.

Parameters

input

CsrSource

Returns

Promise<VerifyRequestResult>

Example

ts
import { verifyCertificateSigningRequest } from 'micro509';

const result = await verifyCertificateSigningRequest(csrPem);
if (result.ok) {
  console.log('subject:', result.value.subject.values.commonName);
}

verifyOcspResponse()

verifyOcspResponse(response, signerCertificate): Promise<VerifyOcspResponseResult>

Defined in: src/revocation/ocsp.ts:675

Verifies the OCSP response signature against the given signer certificate.

Does not check responder binding, freshness, or nonce — use validateOcspResponse for full validation.

Parameters

response

string | Uint8Array<ArrayBufferLike> | ParsedOcspResponse

signerCertificate

OcspCertificateSource

Returns

Promise<VerifyOcspResponseResult>


verifyPkcs7SignedData()

verifyPkcs7SignedData(input): Promise<VerifyPkcs7SignedDataResult>

Defined in: src/pkcs/pkcs7.ts:677

Verifies all signer signatures in a PKCS#7 SignedData structure.

Accepts PEM text, raw DER, or an already-parsed ParsedPkcs7SignedData. For each signer, locates the matching certificate in the embedded set and verifies the signature (including signed-attribute digest checks per RFC 5652 Section 5.4).

Parameters

input

string | Uint8Array<ArrayBufferLike> | ParsedPkcs7SignedData

Returns

Promise<VerifyPkcs7SignedDataResult>

Example

ts
import { verifyPkcs7SignedData } from 'micro509';

const result = await verifyPkcs7SignedData(pkcs7Pem);
if (result.ok) {
  console.log('all signers verified');
}

Released under the MIT License.