feat(x509): Update certificate creation API (#2197)

Signed-off-by: Berend Sliedrecht <[email protected]>
openwallet-foundation · Feb 18, 2025 · dca4fdf · dca4fdf
1 parent c6369e4
commit dca4fdf
Show file tree

Hide file tree

Showing 19 changed files with 644 additions and 335 deletions.
diff --git a/.changeset/great-cases-wear.md b/.changeset/great-cases-wear.md
@@ -0,0 +1,6 @@
+---
+'@credo-ts/core': minor
+---
+
+- X.509 self-signed certificate creation is now done via the `agent.x509.createCertificate` API where the `subjectPublicKey` is not supplied or equal to the `authorityKey`
+- allow to create more complex X.509 certificates
diff --git a/demo-openid/src/Issuer.ts b/demo-openid/src/Issuer.ts
@@ -267,18 +267,24 @@ export class Issuer extends BaseAgent<{
     const issuer = new Issuer(ISSUER_HOST, 2000, 'OpenId4VcIssuer ' + Math.random().toString())
     await issuer.initializeAgent('96213c3d7fc8d4d6754c7a0fd969598f')
 
-    const selfSignedCertificate = await X509Service.createSelfSignedCertificate(issuer.agent.context, {
-      key: await issuer.agent.context.wallet.createKey({
+    const certificate = await X509Service.createCertificate(issuer.agent.context, {
+      authorityKey: await issuer.agent.context.wallet.createKey({
         keyType: KeyType.P256,
         seed: TypedArrayEncoder.fromString('e5f18b10cd15cdb76818bc6ae8b71eb475e6eac76875ed085d3962239bbcf42f'),
       }),
-      notBefore: new Date('2000-01-01'),
-      notAfter: new Date('2050-01-01'),
-      extensions: [[{ type: 'dns', value: ISSUER_HOST.replace('https://', '').replace('http://', '') }]],
-      name: 'C=DE',
+      validity: {
+        notBefore: new Date('2000-01-01'),
+        notAfter: new Date('2050-01-01'),
+      },
+      extensions: {
+        subjectAlternativeName: {
+          name: [{ type: 'dns', value: ISSUER_HOST.replace('https://', '').replace('http://', '') }],
+        },
+      },
+      issuer: 'C=DE',
     })
 
-    const issuerCertficicate = selfSignedCertificate.toString('base64url')
+    const issuerCertficicate = certificate.toString('base64url')
     await issuer.agent.x509.setTrustedCertificates([issuerCertficicate])
     console.log('Set the following certficate for the holder to verify mdoc credentials.')
     console.log(issuerCertficicate)

diff --git a/packages/core/src/modules/mdoc/MdocContext.ts b/packages/core/src/modules/mdoc/MdocContext.ts
@@ -107,7 +107,7 @@ export const getMdocContext = (agentContext: AgentContext): MdocContext => {
         const x509Certificate = X509Certificate.fromRawCertificate(certificate)
         return {
           ...x509Certificate.data,
-          thumbprint: await x509Certificate.getThumprint(agentContext),
+          thumbprint: await x509Certificate.getThumprintInHex(agentContext),
         }
       },
     } satisfies X509Context,

diff --git a/packages/core/src/modules/mdoc/__tests__/mdocDeviceResponse.test.ts b/packages/core/src/modules/mdoc/__tests__/mdocDeviceResponse.test.ts
@@ -26,14 +26,16 @@ describe('mdoc device-response test', () => {
     const nextDay = new Date(currentDate)
     nextDay.setDate(currentDate.getDate() + 2)
 
-    const selfSignedCertificate = await X509Service.createSelfSignedCertificate(agent.context, {
-      key: issuerKey,
-      notBefore: currentDate,
-      notAfter: nextDay,
-      extensions: [],
+    const certificate = await X509Service.createCertificate(agent.context, {
+      issuer: 'CN=credo',
+      authorityKey: issuerKey,
+      validity: {
+        notBefore: currentDate,
+        notAfter: nextDay,
+      },
     })
 
-    const issuerCertificate = selfSignedCertificate.toString('pem')
+    const issuerCertificate = certificate.toString('pem')
 
     const mdoc = await Mdoc.sign(agent.context, {
       docType: 'org.iso.18013.5.1.mDL',

diff --git a/packages/core/src/modules/mdoc/__tests__/mdocOpenId4VcDeviceResponse.test.ts b/packages/core/src/modules/mdoc/__tests__/mdocOpenId4VcDeviceResponse.test.ts
@@ -305,11 +305,13 @@ describe('mdoc device-response openid4vp test', () => {
         keyType: KeyType.Ed25519,
       })
 
-      const issuerCertificate = await agent.x509.createSelfSignedCertificate({
-        key: issuerKey,
-        name: 'C=US,ST=New York',
-        notBefore: new Date('2020-01-01'),
-        notAfter: new Date(Date.now() + 1000 * 3600),
+      const issuerCertificate = await agent.x509.createCertificate({
+        authorityKey: issuerKey,
+        issuer: 'C=US,ST=New York',
+        validity: {
+          notBefore: new Date('2020-01-01'),
+          notAfter: new Date(Date.now() + 1000 * 3600),
+        },
       })
 
       const mdoc = await Mdoc.sign(agent.context, {

diff --git a/packages/core/src/modules/mdoc/__tests__/mdocServer.test.ts b/packages/core/src/modules/mdoc/__tests__/mdocServer.test.ts
@@ -44,15 +44,16 @@ describe('mdoc service test', () => {
     const nextDay = new Date(currentDate)
     nextDay.setDate(currentDate.getDate() + 2)
 
-    const selfSignedCertificate = await X509Service.createSelfSignedCertificate(agentContext, {
-      key: issuerKey,
-      notBefore: currentDate,
-      notAfter: nextDay,
-      extensions: [],
-      name: 'C=DE',
+    const certificate = await X509Service.createCertificate(agentContext, {
+      authorityKey: issuerKey,
+      validity: {
+        notBefore: currentDate,
+        notAfter: nextDay,
+      },
+      issuer: 'C=DE',
     })
 
-    const issuerCertificate = selfSignedCertificate.toString('pem')
+    const issuerCertificate = certificate.toString('pem')
 
     const mdoc = await Mdoc.sign(agentContext, {
       docType: 'org.iso.18013.5.1.mDL',
@@ -78,7 +79,7 @@ describe('mdoc service test', () => {
     expect(() => mdoc.deviceSignedNamespaces).toThrow()
 
     const { isValid } = await mdoc.verify(agentContext, {
-      trustedCertificates: [selfSignedCertificate.toString('base64')],
+      trustedCertificates: [certificate.toString('base64')],
     })
     expect(isValid).toBeTruthy()
   })

diff --git a/packages/core/src/modules/x509/X509Api.ts b/packages/core/src/modules/x509/X509Api.ts
@@ -3,7 +3,7 @@ import { injectable } from '../../plugins'
 
 import { X509ModuleConfig } from './X509ModuleConfig'
 import { X509Service } from './X509Service'
-import { X509CreateSelfSignedCertificateOptions, X509ValidateCertificateChainOptions } from './X509ServiceOptions'
+import { X509CreateCertificateOptions, X509ValidateCertificateChainOptions } from './X509ServiceOptions'
 
 /**
  * @public
@@ -31,12 +31,12 @@ export class X509Api {
   }
 
   /**
-   * Creates a self-signed certificate.
+   * Creates a X.509 certificate.
    *
-   * @param options X509CreateSelfSignedCertificateOptions
+   * @param options X509CreateCertificateOptions
    */
-  public async createSelfSignedCertificate(options: X509CreateSelfSignedCertificateOptions) {
-    return await X509Service.createSelfSignedCertificate(this.agentContext, options)
+  public async createCertificate(options: X509CreateCertificateOptions) {
+    return await X509Service.createCertificate(this.agentContext, options)
   }
 
   /**