micro509 / x509
x509
Canonical advanced X.509 domain surface. Owns certificate, CSR, extension, name, and parse APIs behind one stable entry point.
Interfaces
CpsPolicyQualifierInfo
Defined in: src/x509/extensions.ts:293
CPS (Certification Practice Statement) URI policy qualifier.
Properties
type
readonly type: "cps"
Defined in: src/x509/extensions.ts:295
Discriminant for the 'cps' qualifier variant.
uri
readonly uri: string
Defined in: src/x509/extensions.ts:297
URL of the Certification Practice Statement document.
CustomAuthorityInfoAccessMethod
Defined in: src/x509/extensions.ts:597
AIA access method identified by a custom OID not in the well-known set.
Properties
type
readonly type: "oid"
Defined in: src/x509/extensions.ts:599
Discriminant for the custom-OID access method variant.
value
readonly value: string
Defined in: src/x509/extensions.ts:601
Dotted-decimal OID of the access method.
CustomExtendedKeyUsage
Defined in: src/x509/extensions.ts:633
Extended Key Usage purpose identified by a custom OID.
Properties
type
readonly type: "oid"
Defined in: src/x509/extensions.ts:635
Discriminant for the custom-OID EKU variant.
value
readonly value: string
Defined in: src/x509/extensions.ts:637
Dotted-decimal OID of the usage purpose.
CustomExtension
Defined in: src/x509/extensions.ts:410
An extension not covered by the typed fields in CertificateExtensionsInput.
Properties
critical?
readonly optional critical?: boolean
Defined in: src/x509/extensions.ts:416
Whether the extension is critical. Default false.
oid
readonly oid: string
Defined in: src/x509/extensions.ts:412
Dotted-decimal OID of the extension.
value
readonly value: Uint8Array
Defined in: src/x509/extensions.ts:414
Pre-encoded DER content for the extnValue OCTET STRING.
CustomPolicyQualifierInfo
Defined in: src/x509/extensions.ts:319
Opaque policy qualifier identified by a custom OID, carried as raw DER.
Properties
oid
readonly oid: string
Defined in: src/x509/extensions.ts:323
Dotted-decimal OID of the qualifier.
qualifierDer
readonly qualifierDer: Uint8Array
Defined in: src/x509/extensions.ts:325
DER-encoded qualifier payload.
type
readonly type: "oid"
Defined in: src/x509/extensions.ts:321
Discriminant for the custom-OID qualifier variant.
IssuingDistributionPointBase
Defined in: src/x509/extensions.ts:186
Base shape for Issuing Distribution Point (RFC 5280 §5.2.5) — no scope restriction.
Properties
distributionPoint?
readonly optional distributionPoint?: DistributionPointName
Defined in: src/x509/extensions.ts:188
Where to fetch this CRL.
indirectCrl?
readonly optional indirectCrl?: boolean
Defined in: src/x509/extensions.ts:192
When true, the CRL may contain entries from other CAs. Default false.
onlyContainsAttributeCerts?
readonly optional onlyContainsAttributeCerts?: boolean
Defined in: src/x509/extensions.ts:198
When true, the CRL only covers attribute certificates. Default false.
onlyContainsCACerts?
readonly optional onlyContainsCACerts?: false
Defined in: src/x509/extensions.ts:196
Must be absent or false in this variant (no CA-cert-only restriction).
onlyContainsUserCerts?
readonly optional onlyContainsUserCerts?: false
Defined in: src/x509/extensions.ts:194
Must be absent or false in this variant (no user-cert-only restriction).
onlySomeReasons?
readonly optional onlySomeReasons?: readonly DistributionPointReason[]
Defined in: src/x509/extensions.ts:190
Limits the CRL to these revocation reasons. Absent means all reasons.
IssuingDistributionPointForAttributeCerts
Defined in: src/x509/extensions.ts:224
IDP scoped to attribute certificates only. Mutually exclusive with user / CA scopes.
Extends
Omit<IssuingDistributionPointBase,"onlyContainsAttributeCerts">
Properties
distributionPoint?
readonly optional distributionPoint?: DistributionPointName
Defined in: src/x509/extensions.ts:188
Where to fetch this CRL.
Inherited from
IssuingDistributionPointBase.distributionPoint
indirectCrl?
readonly optional indirectCrl?: boolean
Defined in: src/x509/extensions.ts:192
When true, the CRL may contain entries from other CAs. Default false.
Inherited from
IssuingDistributionPointBase.indirectCrl
onlyContainsAttributeCerts
readonly onlyContainsAttributeCerts: true
Defined in: src/x509/extensions.ts:231
This variant only covers attribute certificates.
onlyContainsCACerts?
readonly optional onlyContainsCACerts?: false
Defined in: src/x509/extensions.ts:229
Must be absent or false when the CRL is not CA-only.
Overrides
IssuingDistributionPointBase.onlyContainsCACerts
onlyContainsUserCerts?
readonly optional onlyContainsUserCerts?: false
Defined in: src/x509/extensions.ts:227
Must be absent or false when the CRL is not user-cert-only.
Overrides
IssuingDistributionPointBase.onlyContainsUserCerts
onlySomeReasons?
readonly optional onlySomeReasons?: readonly DistributionPointReason[]
Defined in: src/x509/extensions.ts:190
Limits the CRL to these revocation reasons. Absent means all reasons.
Inherited from
IssuingDistributionPointBase.onlySomeReasons
IssuingDistributionPointForCaCerts
Defined in: src/x509/extensions.ts:213
IDP scoped to CA certificates only. Mutually exclusive with user / attribute scopes.
Extends
Omit<IssuingDistributionPointBase,"onlyContainsCACerts">
Properties
distributionPoint?
readonly optional distributionPoint?: DistributionPointName
Defined in: src/x509/extensions.ts:188
Where to fetch this CRL.
Inherited from
IssuingDistributionPointBase.distributionPoint
indirectCrl?
readonly optional indirectCrl?: boolean
Defined in: src/x509/extensions.ts:192
When true, the CRL may contain entries from other CAs. Default false.
Inherited from
IssuingDistributionPointBase.indirectCrl
onlyContainsAttributeCerts?
readonly optional onlyContainsAttributeCerts?: false
Defined in: src/x509/extensions.ts:220
Must be absent or false when the CRL is not attribute-cert-only.
Overrides
IssuingDistributionPointBase.onlyContainsAttributeCerts
onlyContainsCACerts
readonly onlyContainsCACerts: true
Defined in: src/x509/extensions.ts:218
This variant only covers CA certificates.
onlyContainsUserCerts?
readonly optional onlyContainsUserCerts?: false
Defined in: src/x509/extensions.ts:216
Must be absent or false when the CRL is not user-cert-only.
Overrides
IssuingDistributionPointBase.onlyContainsUserCerts
onlySomeReasons?
readonly optional onlySomeReasons?: readonly DistributionPointReason[]
Defined in: src/x509/extensions.ts:190
Limits the CRL to these revocation reasons. Absent means all reasons.
Inherited from
IssuingDistributionPointBase.onlySomeReasons
IssuingDistributionPointForUserCerts
Defined in: src/x509/extensions.ts:202
IDP scoped to end-entity (user) certificates only. Mutually exclusive with CA / attribute scopes.
Extends
Omit<IssuingDistributionPointBase,"onlyContainsUserCerts">
Properties
distributionPoint?
readonly optional distributionPoint?: DistributionPointName
Defined in: src/x509/extensions.ts:188
Where to fetch this CRL.
Inherited from
IssuingDistributionPointBase.distributionPoint
indirectCrl?
readonly optional indirectCrl?: boolean
Defined in: src/x509/extensions.ts:192
When true, the CRL may contain entries from other CAs. Default false.
Inherited from
IssuingDistributionPointBase.indirectCrl
onlyContainsAttributeCerts?
readonly optional onlyContainsAttributeCerts?: false
Defined in: src/x509/extensions.ts:209
Must be absent or false when the CRL is not attribute-cert-only.
Overrides
IssuingDistributionPointBase.onlyContainsAttributeCerts
onlyContainsCACerts?
readonly optional onlyContainsCACerts?: false
Defined in: src/x509/extensions.ts:207
Must be absent or false when the CRL is not CA-only.
Overrides
IssuingDistributionPointBase.onlyContainsCACerts
onlyContainsUserCerts
readonly onlyContainsUserCerts: true
Defined in: src/x509/extensions.ts:205
This variant only covers end-entity certificates.
onlySomeReasons?
readonly optional onlySomeReasons?: readonly DistributionPointReason[]
Defined in: src/x509/extensions.ts:190
Limits the CRL to these revocation reasons. Absent means all reasons.
Inherited from
IssuingDistributionPointBase.onlySomeReasons
PolicyNoticeReference
Defined in: src/x509/extensions.ts:301
Reference to a numbered notice within an organization's practice statement.
Properties
noticeNumbers
readonly noticeNumbers: readonly number[]
Defined in: src/x509/extensions.ts:305
One-based notice numbers within that organization's documentation.
organization
readonly organization: string
Defined in: src/x509/extensions.ts:303
Organization name that published the notice.
UserNoticePolicyQualifierInfo
Defined in: src/x509/extensions.ts:309
UserNotice policy qualifier — human-readable notice text and/or a notice reference.
Properties
explicitText?
readonly optional explicitText?: string
Defined in: src/x509/extensions.ts:315
Free-form text to display to relying parties.
noticeRef?
readonly optional noticeRef?: PolicyNoticeReference
Defined in: src/x509/extensions.ts:313
Pointer to a numbered notice in an organization's practice statement.
type
readonly type: "userNotice"
Defined in: src/x509/extensions.ts:311
Discriminant for the 'userNotice' qualifier variant.
Type Aliases
AuthorityInfoAccessMethod
AuthorityInfoAccessMethod = KnownAuthorityInfoAccessMethod | CustomAuthorityInfoAccessMethod
Defined in: src/x509/extensions.ts:605
AIA access method — either a well-known string or a custom OID.
DistributionPointReason
DistributionPointReason = "keyCompromise" | "cACompromise" | "affiliationChanged" | "superseded" | "cessationOfOperation" | "certificateHold" | "privilegeWithdrawn" | "aACompromise"
Defined in: src/x509/extensions.ts:139
Revocation reason flags for CRL Distribution Points and Issuing Distribution Points (RFC 5280 §4.2.1.13, §5.2.5).
KnownAuthorityInfoAccessMethod
KnownAuthorityInfoAccessMethod = "ocsp" | "caIssuers"
Defined in: src/x509/extensions.ts:594
Well-known AIA access methods: OCSP responder or CA issuer certificate.
KnownExtendedKeyUsage
KnownExtendedKeyUsage = "serverAuth" | "clientAuth" | "codeSigning" | "emailProtection" | "timeStamping" | "ocspSigning"
Defined in: src/x509/extensions.ts:624
Well-known Extended Key Usage purpose strings (RFC 5280 §4.2.1.12).
SignatureProfileInput
SignatureProfileInput = { kind?: "auto" } | { kind: "rsa-pss"; saltLength?: 32 | 48 | 64 }
Defined in: src/internal/crypto/signing.ts:20
Controls how the signature algorithm is chosen.
'auto' (default) infers the algorithm from the key. 'rsa-pss' forces RSA-PSS padding and requires an RSA-PSS private key.
Union Members
Type Literal
{ kind?: "auto"; }
kind?
readonly optional kind?: "auto"
Infer the signature algorithm from the private key.
Type Literal
{ kind: "rsa-pss"; saltLength?: 32 | 48 | 64; }
kind
readonly kind: "rsa-pss"
Force RSA-PSS padding.
saltLength?
readonly optional saltLength?: 32 | 48 | 64
Salt length in bytes. Must match the key's hash digest size.
UnsupportedNameConstraintForm
UnsupportedNameConstraintForm = { type: "otherName"; value: Uint8Array } | { type: "x400Address"; value: Uint8Array } | { type: "ediPartyName"; value: Uint8Array } | { type: "registeredID"; value: string }
Defined in: src/x509/extensions.ts:466
Name constraint forms parsed from DER but not supported for encoding or validation. Preserved for diagnostic round-tripping.
Union Members
Type Literal
{ type: "otherName"; value: Uint8Array; }
type
readonly type: "otherName"
otherName [0] — raw bytes.
value
readonly value: Uint8Array
Type Literal
{ type: "x400Address"; value: Uint8Array; }
type
readonly type: "x400Address"
x400Address [3] — raw bytes.
value
readonly value: Uint8Array
Type Literal
{ type: "ediPartyName"; value: Uint8Array; }
type
readonly type: "ediPartyName"
ediPartyName [5] — raw bytes.
value
readonly value: Uint8Array
Type Literal
{ type: "registeredID"; value: string; }
type
readonly type: "registeredID"
registeredID [8] — decoded OID string.
value
readonly value: string
Functions
buildCertificateExtensions()
buildCertificateExtensions(subjectPublicKeyInfo, issuerPublicKeyInfo, input, subjectIsEmpty?): Uint8Array<ArrayBufferLike>[]
Defined in: src/x509/extensions.ts:683
Build the v3 extensions block for a certificate.
Automatically adds SKI, AKI (when issuer key is available), and basicConstraints (defaults to { ca: false }). Additional extensions come from the caller's CertificateExtensionsInput.
Parameters
subjectPublicKeyInfo
Uint8Array
DER-encoded SPKI of the subject.
issuerPublicKeyInfo
Uint8Array<ArrayBufferLike> | undefined
DER-encoded SPKI of the issuer, or undefined for self-signed.
input
CertificateExtensionsInput | undefined
Optional extension configuration.
subjectIsEmpty?
boolean = false
Whether the certificate subject DN is empty. When true, the subjectAltName extension is marked critical per RFC 5280 §4.2.1.6.
Returns
Uint8Array<ArrayBufferLike>[]
Array of DER-encoded Extension SEQUENCEs.
buildRequestedExtensions()
buildRequestedExtensions(input): Uint8Array<ArrayBufferLike>[]
Defined in: src/x509/extensions.ts:722
Build the extensions for a CSR's extensionRequest attribute.
Unlike buildCertificateExtensions, SKI/AKI are not auto-generated.
Parameters
input
CertificateExtensionsInput | undefined
Optional extension configuration.
Returns
Uint8Array<ArrayBufferLike>[]
Array of DER-encoded Extension SEQUENCEs.
encodeAuthorityInfoAccess()
encodeAuthorityInfoAccess(entries): Uint8Array
Defined in: src/x509/extensions.ts:940
DER-encode an Authority Information Access SEQUENCE.
Parameters
entries
readonly AuthorityInformationAccess[]
AIA entries (OCSP, caIssuers, or custom) to encode.
Returns
Uint8Array
encodeBasicConstraints()
encodeBasicConstraints(input): Uint8Array
Defined in: src/x509/extensions.ts:872
DER-encode a BasicConstraints value.
Parameters
input
CA flag and optional pathLength.
Returns
Uint8Array
DER SEQUENCE suitable for wrapping in an Extension OCTET STRING.
encodeCertificatePolicies()
encodeCertificatePolicies(policies): Uint8Array
Defined in: src/x509/extensions.ts:993
DER-encode a Certificate Policies extension value.
Parameters
policies
Non-empty array of policy information entries.
Returns
Uint8Array
encodeCrlDistributionPoints()
encodeCrlDistributionPoints(points): Uint8Array
Defined in: src/x509/extensions.ts:958
DER-encode a CRL Distribution Points SEQUENCE.
Parameters
points
readonly DistributionPoint[]
Distribution points to encode.
Returns
Uint8Array
encodeExtendedKeyUsage()
encodeExtendedKeyUsage(usages): Uint8Array
Defined in: src/x509/extensions.ts:931
DER-encode an Extended Key Usage SEQUENCE OF OIDs.
Parameters
usages
readonly ExtendedKeyUsage[]
EKU purposes to encode.
Returns
Uint8Array
encodeExtension()
encodeExtension(oid, extnValue, critical?): Uint8Array
Defined in: src/x509/extensions.ts:857
Encode a single X.509 Extension SEQUENCE (OID + optional critical BOOLEAN + OCTET STRING).
Parameters
oid
string
Dotted-decimal extension OID.
extnValue
Uint8Array
DER-encoded extension payload.
critical?
boolean = false
Whether to mark the extension as critical. Default false.
Returns
Uint8Array
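The Extension layout that encodeExtension() describes (OID, optional critical BOOLEAN, OCTET STRING), worked through as an added example written for this page rather than micro509's own code: derEncodeExtension, encodeOid, tlvBounds and readCriticalFlag are this example's own names, and derEncodeExtension takes the same parameters in the same order as the documented function.

```typescript
// Added example, not micro509's own code: a minimal DER encoder for the Extension
// SEQUENCE that encodeExtension() documents (RFC 5280 §4.1):
//   Extension ::= SEQUENCE { extnID OBJECT IDENTIFIER, critical BOOLEAN DEFAULT FALSE,
//                            extnValue OCTET STRING }
// DER never encodes a DEFAULT value, so critical=false is omitted entirely.
function derLength(n: number): number[] {
  if (n < 0x80) return [n];                              // short form
  const bytes: number[] = [];
  for (let v = n; v > 0; v = Math.floor(v / 256)) bytes.unshift(v & 0xff);
  return [0x80 | bytes.length, ...bytes];                // long form
}
function derTlv(tag: number, content: ArrayLike<number>): Uint8Array {
  return Uint8Array.from([tag, ...derLength(content.length), ...Array.from(content)]);
}
// OBJECT IDENTIFIER: arcs 1-2 packed as 40*a+b, each arc as base-128 groups, bit 7 = "more".
function encodeOid(oid: string): Uint8Array {
  const arcs = oid.split('.').map(Number);
  if (arcs.length < 2 || arcs[0] > 2 || arcs.some(a => !isFinite(a) || a < 0 || a !== Math.floor(a))) {
    throw new Error(`invalid dotted-decimal OID: ${oid}`);
  }
  const body: number[] = [];
  for (const arc of [arcs[0] * 40 + arcs[1], ...arcs.slice(2)]) {
    const groups: number[] = []; let v = arc;
    do { groups.unshift(v % 128); v = Math.floor(v / 128); } while (v > 0);
    groups.forEach((g, i) => body.push(i < groups.length - 1 ? g | 0x80 : g));
  }
  return derTlv(0x06, body);
}
// Same parameter order as the documented encodeExtension(oid, extnValue, critical?).
function derEncodeExtension(oid: string, extnValue: Uint8Array, critical = false): Uint8Array {
  const parts = Array.from(encodeOid(oid));
  if (critical) parts.push(0x01, 0x01, 0xff);            // BOOLEAN TRUE: DER requires exactly 0xFF
  parts.push(...Array.from(derTlv(0x04, extnValue)));    // extnValue OCTET STRING
  return derTlv(0x30, parts);
}
// Content bounds [start, end) of the TLV at `pos`, after checking its tag.
function tlvBounds(buf: Uint8Array, pos: number, tag: number): [number, number] {
  if (buf[pos] !== tag) throw new Error(`expected tag 0x${tag.toString(16)} at offset ${pos}`);
  let len = buf[pos + 1], start = pos + 2;
  if (len & 0x80) {
    const n = len & 0x7f; len = 0;
    for (let i = 0; i < n; i++) len = len * 256 + buf[start++];
  }
  if (start + len > buf.length) throw new Error('truncated DER');
  return [start, start + len];
}
// Strict read-back of the critical flag: a lenient parser that accepts an explicit FALSE,
// or TRUE as any non-zero byte, can disagree with a strict one about the same extension.
function readCriticalFlag(ext: Uint8Array): boolean {
  const [seqStart] = tlvBounds(ext, 0, 0x30);
  const [, oidEnd] = tlvBounds(ext, seqStart, 0x06);
  if (ext[oidEnd] === 0x04) return false;                // BOOLEAN absent => DEFAULT FALSE
  const [bStart, bEnd] = tlvBounds(ext, oidEnd, 0x01);
  if (bEnd - bStart !== 1 || ext[bStart] !== 0xff) {
    throw new Error('non-DER critical BOOLEAN: FALSE must be omitted and TRUE must be 0xFF');
  }
  tlvBounds(ext, bEnd, 0x04);                            // extnValue must follow
  return true;
}
```

The test vectors below use the basicConstraints (2.5.29.19) and extendedKeyUsage (2.5.29.37) OIDs with constructed payloads.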
encodeInhibitAnyPolicy()
encodeInhibitAnyPolicy(input): Uint8Array
Defined in: src/x509/extensions.ts:1055
DER-encode an Inhibit anyPolicy extension value (single INTEGER).
Parameters
input
The skipCerts threshold.
Returns
Uint8Array
encodeKeyUsage()
encodeKeyUsage(usages): Uint8Array
Defined in: src/x509/extensions.ts:891
DER-encode a Key Usage BIT STRING from an array of KeyUsage flags.
Parameters
usages
readonly KeyUsage[]
Flags to set in the bit string.
Returns
Uint8Array
encodeName()
encodeName(input): Uint8Array
Defined in: src/x509/name.ts:196
DER-encodes an X.509 Name.
Returns a DER SEQUENCE of RelativeDistinguishedNames (RDNs).
Each RDN emitted by this helper contains exactly one name attribute.
Parameters
input
Name fields in convenience-object form or caller-ordered attribute form.
Returns
Uint8Array
DER-encoded X.509 Name bytes.
See
NameObject input emits populated fields in the canonical order from NAME_OBJECT_ORDER.
NameAttribute array input preserves caller-supplied ordering, but each entry still becomes its own single-attribute RDN.
Attribute OIDs and ASN.1 string encodings come from NAME_FIELD_DEFINITIONS.
Empty strings and undefined fields are ignored when the input is a NameObject.
Examples
const der = encodeName({ country: 'US', commonName: 'example.com' });
// emits two single-attribute RDNs: C=US, then CN=example.com
const der = encodeName([
  { type: 'country', value: 'US' },
  { type: 'commonName', value: 'example.com' },
]);
// preserves caller order: C first, then CN
Throws
If the input produces no attributes, contains an unsupported field key, or uses an invalid country code.
encodeNameConstraints()
encodeNameConstraints(constraints): Uint8Array
Defined in: src/x509/extensions.ts:967
DER-encode a Name Constraints extension value.
Parameters
constraints
Permitted and/or excluded subtrees.
Returns
Uint8Array
encodePolicyConstraints()
encodePolicyConstraints(constraints): Uint8Array
Defined in: src/x509/extensions.ts:1032
DER-encode a Policy Constraints extension value.
Parameters
constraints
At least one of requireExplicitPolicy or inhibitPolicyMapping must be set.
Returns
Uint8Array
encodePolicyMappings()
encodePolicyMappings(mappings): Uint8Array
Defined in: src/x509/extensions.ts:1005
DER-encode a Policy Mappings extension value.
Parameters
mappings
Non-empty array of issuer-to-subject policy pairs. Neither OID may be anyPolicy.
Returns
Uint8Array
encodeRelativeDistinguishedName()
encodeRelativeDistinguishedName(attributes): Uint8Array
Defined in: src/x509/name.ts:236
DER-encodes a single RelativeDistinguishedName (RDN).
Returns a DER SET OF name attributes for one X.509 name segment.
Use this when you need a multi-valued RDN.
Parameters
attributes
RelativeDistinguishedNameInput
Attribute list to encode inside one RDN.
Returns
Uint8Array
DER-encoded RelativeDistinguishedName bytes.
See
Attribute OIDs and ASN.1 string encodings come from NAME_FIELD_DEFINITIONS.
Example
const rdn = encodeRelativeDistinguishedName([
  { type: 'commonName', value: 'example.com' },
  { type: 'serialNumber', value: 'device-7' },
]);
// emits one RDN with both attributes in the same SET
Throws
If the attribute list is empty, contains an unsupported field key, or uses an invalid country code.
encodeSubjectAltName()
encodeSubjectAltName(value): Uint8Array
Defined in: src/x509/extensions.ts:900
DER-encode a single SubjectAltName GeneralName element.
Parameters
value
The SAN entry to encode.
Returns
Uint8Array
getAuthorityInfoAccessMethodOid()
getAuthorityInfoAccessMethodOid(method): string
Defined in: src/x509/extensions.ts:1238
Resolve an AuthorityInfoAccessMethod to its dotted-decimal OID.
Parameters
method
Well-known string or custom OID object.
Returns
string
getExtendedKeyUsageOid()
getExtendedKeyUsageOid(usage): string
Defined in: src/x509/extensions.ts:1202
Resolve an ExtendedKeyUsage to its dotted-decimal OID.
Parameters
usage
Well-known string or custom OID object.
Returns
string
parseAuthorityInfoAccessMethodOid()
parseAuthorityInfoAccessMethodOid(oid): AuthorityInfoAccessMethod
Defined in: src/x509/extensions.ts:1251
Map a dotted-decimal OID to an AuthorityInfoAccessMethod value.
Returns 'ocsp' or 'caIssuers' for recognized OIDs, or { type: 'oid', value } otherwise.
Parameters
oid
string
Returns
AuthorityInfoAccessMethod
parseExtendedKeyUsageOid()
parseExtendedKeyUsageOid(oid): ExtendedKeyUsage
Defined in: src/x509/extensions.ts:1215
Map a dotted-decimal OID to an ExtendedKeyUsage value.
Returns a well-known string for recognized OIDs, or { type: 'oid', value } otherwise.
Parameters
oid
string