zoneadmin-master/node_modules/sshpk/lib/formats/x509.js

// Copyright 2016 Joyent, Inc.

module.exports = {
	read: read,
	verify: verify,
	sign: sign,
	write: write
};

var assert = require('assert-plus');
var asn1 = require('asn1');
var algs = require('../algs');
var utils = require('../utils');
var Key = require('../key');
var PrivateKey = require('../private-key');
var pem = require('./pem');
var Identity = require('../identity');
var Signature = require('../signature');
var Certificate = require('../certificate');
var pkcs8 = require('./pkcs8');

/*
 * This file is based on RFC5280 (X.509).
 */

/* Helper to read in a single mpint */
function readMPInt(der, nm) {
	assert.strictEqual(der.peek(), asn1.Ber.Integer,
	    nm + ' is not an Integer');
	return (utils.mpNormalize(der.readString(asn1.Ber.Integer, true)));
}

function verify(cert, key) {
	var sig = cert.signatures.x509;
	assert.object(sig, 'x509 signature');

	var algParts = sig.algo.split('-');
	if (algParts[0] !== key.type)
		return (false);

	var blob = sig.cache;
	if (blob === undefined) {
		var der = new asn1.BerWriter();
		writeTBSCert(cert, der);
		blob = der.buffer;
	}

	var verifier = key.createVerify(algParts[1]);
	verifier.write(blob);
	return (verifier.verify(sig.signature));
}

function Local(i) {
	return (asn1.Ber.Context | asn1.Ber.Constructor | i);
}

function Context(i) {
	return (asn1.Ber.Context | i);
}

var SIGN_ALGS = {
	'rsa-md5': '1.2.840.113549.1.1.4',
	'rsa-sha1': '1.2.840.113549.1.1.5',
	'rsa-sha256': '1.2.840.113549.1.1.11',
	'rsa-sha384': '1.2.840.113549.1.1.12',
	'rsa-sha512': '1.2.840.113549.1.1.13',
	'dsa-sha1': '1.2.840.10040.4.3',
	'dsa-sha256': '2.16.840.1.101.3.4.3.2',
	'ecdsa-sha1': '1.2.840.10045.4.1',
	'ecdsa-sha256': '1.2.840.10045.4.3.2',
	'ecdsa-sha384': '1.2.840.10045.4.3.3',
	'ecdsa-sha512': '1.2.840.10045.4.3.4'
};
Object.keys(SIGN_ALGS).forEach(function (k) {
	SIGN_ALGS[SIGN_ALGS[k]] = k;
});
SIGN_ALGS['1.3.14.3.2.3'] = 'rsa-md5';
SIGN_ALGS['1.3.14.3.2.29'] = 'rsa-sha1';

var EXTS = {
	'issuerKeyId': '2.5.29.35',
	'altName': '2.5.29.17'
};

function read(buf, options) {
	if (typeof (buf) === 'string') {
		buf = new Buffer(buf, 'binary');
	}
	assert.buffer(buf, 'buf');

	var der = new asn1.BerReader(buf);

	der.readSequence();
	if (Math.abs(der.length - der.remain) > 1) {
		throw (new Error('DER sequence does not contain whole byte ' +
		    'stream'));
	}

	var tbsStart = der.offset;
	der.readSequence();
	var sigOffset = der.offset + der.length;
	var tbsEnd = sigOffset;

	if (der.peek() === Local(0)) {
		der.readSequence(Local(0));
		var version = der.readInt();
		assert.ok(version <= 3,
		    'only x.509 versions up to v3 supported');
	}

	var cert = {};
	cert.signatures = {};
	var sig = (cert.signatures.x509 = {});
	sig.extras = {};

	cert.serial = readMPInt(der, 'serial');

	der.readSequence();
	var after = der.offset + der.length;
	var certAlgOid = der.readOID();
	var certAlg = SIGN_ALGS[certAlgOid];
	if (certAlg === undefined)
		throw (new Error('unknown signature algorithm ' + certAlgOid));

	der._offset = after;
	cert.issuer = Identity.parseAsn1(der);

	der.readSequence();
	cert.validFrom = readDate(der);
	cert.validUntil = readDate(der);

	cert.subjects = [Identity.parseAsn1(der)];

	der.readSequence();
	after = der.offset + der.length;
	cert.subjectKey = pkcs8.readPkcs8(undefined, 'public', der);
	der._offset = after;

	/* issuerUniqueID */
	if (der.peek() === Local(1)) {
		der.readSequence(Local(1));
		sig.extras.issuerUniqueID =
		    buf.slice(der.offset, der.offset + der.length);
		der._offset += der.length;
	}

	/* subjectUniqueID */
	if (der.peek() === Local(2)) {
		der.readSequence(Local(2));
		sig.extras.subjectUniqueID =
		    buf.slice(der.offset, der.offset + der.length);
		der._offset += der.length;
	}

	/* extensions */
	if (der.peek() === Local(3)) {
		der.readSequence(Local(3));
		var extEnd = der.offset + der.length;
		der.readSequence();

		while (der.offset < extEnd)
			readExtension(cert, buf, der);

		assert.strictEqual(der.offset, extEnd);
	}

	assert.strictEqual(der.offset, sigOffset);

	der.readSequence();
	after = der.offset + der.length;
	var sigAlgOid = der.readOID();
	var sigAlg = SIGN_ALGS[sigAlgOid];
	if (sigAlg === undefined)
		throw (new Error('unknown signature algorithm ' + sigAlgOid));
	der._offset = after;

	var sigData = der.readString(asn1.Ber.BitString, true);
	if (sigData[0] === 0)
		sigData = sigData.slice(1);
	var algParts = sigAlg.split('-');

	sig.signature = Signature.parse(sigData, algParts[0], 'asn1');
	sig.signature.hashAlgorithm = algParts[1];
	sig.algo = sigAlg;
	sig.cache = buf.slice(tbsStart, tbsEnd);

	return (new Certificate(cert));
}

function readDate(der) {
	if (der.peek() === asn1.Ber.UTCTime) {
		return (utcTimeToDate(der.readString(asn1.Ber.UTCTime)));
	} else if (der.peek() === asn1.Ber.GeneralizedTime) {
		return (gTimeToDate(der.readString(asn1.Ber.GeneralizedTime)));
	} else {
		throw (new Error('Unsupported date format'));
	}
}

/* RFC5280, section 4.2.1.6 (GeneralName type) */
var ALTNAME = {
	OtherName: Local(0),
	RFC822Name: Context(1),
	DNSName: Context(2),
	X400Address: Local(3),
	DirectoryName: Local(4),
	EDIPartyName: Local(5),
	URI: Context(6),
	IPAddress: Context(7),
	OID: Context(8)
};

function readExtension(cert, buf, der) {
	der.readSequence();
	var after = der.offset + der.length;
	var extId = der.readOID();
	var id;
	var sig = cert.signatures.x509;
	sig.extras.exts = [];

	var critical;
	if (der.peek() === asn1.Ber.Boolean)
		critical = der.readBoolean();

	switch (extId) {
	case (EXTS.altName):
		der.readSequence(asn1.Ber.OctetString);
		der.readSequence();
		var aeEnd = der.offset + der.length;
		while (der.offset < aeEnd) {
			switch (der.peek()) {
			case ALTNAME.OtherName:
			case ALTNAME.EDIPartyName:
				der.readSequence();
				der._offset += der.length;
				break;
			case ALTNAME.OID:
				der.readOID(ALTNAME.OID);
				break;
			case ALTNAME.RFC822Name:
				/* RFC822 specifies email addresses */
				var email = der.readString(ALTNAME.RFC822Name);
				id = Identity.forEmail(email);
				if (!cert.subjects[0].equals(id))
					cert.subjects.push(id);
				break;
			case ALTNAME.DirectoryName:
				der.readSequence(ALTNAME.DirectoryName);
				id = Identity.parseAsn1(der);
				if (!cert.subjects[0].equals(id))
					cert.subjects.push(id);
				break;
			case ALTNAME.DNSName:
				var host = der.readString(
				    ALTNAME.DNSName);
				id = Identity.forHost(host);
				if (!cert.subjects[0].equals(id))
					cert.subjects.push(id);
				break;
			default:
				der.readString(der.peek());
				break;
			}
		}
		sig.extras.exts.push({ oid: extId, critical: critical });
		break;
	default:
		sig.extras.exts.push({
			oid: extId,
			critical: critical,
			data: der.readString(asn1.Ber.OctetString, true)
		});
		break;
	}

	der._offset = after;
}

var UTCTIME_RE =
    /^([0-9]{2})([0-9]{2})([0-9]{2})([0-9]{2})([0-9]{2})([0-9]{2})?Z$/;
function utcTimeToDate(t) {
	var m = t.match(UTCTIME_RE);
	assert.ok(m, 'timestamps must be in UTC');
	var d = new Date();

	var thisYear = d.getUTCFullYear();
	var century = Math.floor(thisYear / 100) * 100;

	var year = parseInt(m[1], 10);
	if (thisYear % 100 < 50 && year >= 60)
		year += (century - 1);
	else
		year += century;
	d.setUTCFullYear(year, parseInt(m[2], 10) - 1, parseInt(m[3], 10));
	d.setUTCHours(parseInt(m[4], 10), parseInt(m[5], 10));
	if (m[6] && m[6].length > 0)
		d.setUTCSeconds(parseInt(m[6], 10));
	return (d);
}

var GTIME_RE =
    /^([0-9]{4})([0-9]{2})([0-9]{2})([0-9]{2})([0-9]{2})([0-9]{2})?Z$/;
function gTimeToDate(t) {
	var m = t.match(GTIME_RE);
	assert.ok(m);
	var d = new Date();

	d.setUTCFullYear(parseInt(m[1], 10), parseInt(m[2], 10) - 1,
	    parseInt(m[3], 10));
	d.setUTCHours(parseInt(m[4], 10), parseInt(m[5], 10));
	if (m[6] && m[6].length > 0)
		d.setUTCSeconds(parseInt(m[6], 10));
	return (d);
}

function zeroPad(n) {
	var s = '' + n;
	while (s.length < 2)
		s = '0' + s;
	return (s);
}

function dateToUTCTime(d) {
	var s = '';
	s += zeroPad(d.getUTCFullYear() % 100);
	s += zeroPad(d.getUTCMonth() + 1);
	s += zeroPad(d.getUTCDate());
	s += zeroPad(d.getUTCHours());
	s += zeroPad(d.getUTCMinutes());
	s += zeroPad(d.getUTCSeconds());
	s += 'Z';
	return (s);
}

function sign(cert, key) {
	if (cert.signatures.x509 === undefined)
		cert.signatures.x509 = {};
	var sig = cert.signatures.x509;

	sig.algo = key.type + '-' + key.defaultHashAlgorithm();
	if (SIGN_ALGS[sig.algo] === undefined)
		return (false);

	var der = new asn1.BerWriter();
	writeTBSCert(cert, der);
	var blob = der.buffer;
	sig.cache = blob;

	var signer = key.createSign();
	signer.write(blob);
	cert.signatures.x509.signature = signer.sign();

	return (true);
}

function write(cert, options) {
	var sig = cert.signatures.x509;
	assert.object(sig, 'x509 signature');

	var der = new asn1.BerWriter();
	der.startSequence();
	if (sig.cache) {
		der._ensure(sig.cache.length);
		sig.cache.copy(der._buf, der._offset);
		der._offset += sig.cache.length;
	} else {
		writeTBSCert(cert, der);
	}

	der.startSequence();
	der.writeOID(SIGN_ALGS[sig.algo]);
	if (sig.algo.match(/^rsa-/))
		der.writeNull();
	der.endSequence();

	var sigData = sig.signature.toBuffer('asn1');
	var data = new Buffer(sigData.length + 1);
	data[0] = 0;
	sigData.copy(data, 1);
	der.writeBuffer(data, asn1.Ber.BitString);
	der.endSequence();

	return (der.buffer);
}

function writeTBSCert(cert, der) {
	var sig = cert.signatures.x509;
	assert.object(sig, 'x509 signature');

	der.startSequence();

	der.startSequence(Local(0));
	der.writeInt(2);
	der.endSequence();

	der.writeBuffer(utils.mpNormalize(cert.serial), asn1.Ber.Integer);

	der.startSequence();
	der.writeOID(SIGN_ALGS[sig.algo]);
	der.endSequence();

	cert.issuer.toAsn1(der);

	der.startSequence();
	der.writeString(dateToUTCTime(cert.validFrom), asn1.Ber.UTCTime);
	der.writeString(dateToUTCTime(cert.validUntil), asn1.Ber.UTCTime);
	der.endSequence();

	var subject = cert.subjects[0];
	var altNames = cert.subjects.slice(1);
	subject.toAsn1(der);

	pkcs8.writePkcs8(der, cert.subjectKey);

	if (sig.extras && sig.extras.issuerUniqueID) {
		der.writeBuffer(sig.extras.issuerUniqueID, Local(1));
	}

	if (sig.extras && sig.extras.subjectUniqueID) {
		der.writeBuffer(sig.extras.subjectUniqueID, Local(2));
	}

	if (altNames.length > 0 || subject.type === 'host' ||
	    (sig.extras && sig.extras.exts)) {
		der.startSequence(Local(3));
		der.startSequence();

		var exts = [
			{ oid: EXTS.altName }
		];
		if (sig.extras && sig.extras.exts)
			exts = sig.extras.exts;

		for (var i = 0; i < exts.length; ++i) {
			der.startSequence();
			der.writeOID(exts[i].oid);

			if (exts[i].critical !== undefined)
				der.writeBoolean(exts[i].critical);

			if (exts[i].oid === EXTS.altName) {
				der.startSequence(asn1.Ber.OctetString);
				der.startSequence();
				if (subject.type === 'host') {
					der.writeString(subject.hostname,
					    Context(2));
				}
				for (var j = 0; j < altNames.length; ++j) {
					if (altNames[j].type === 'host') {
						der.writeString(
						    altNames[j].hostname,
						    ALTNAME.DNSName);
					} else if (altNames[j].type ===
					    'email') {
						der.writeString(
						    altNames[j].email,
						    ALTNAME.RFC822Name);
					} else {
						/*
						 * Encode anything else as a
						 * DN style name for now.
						 */
						der.startSequence(
						    ALTNAME.DirectoryName);
						altNames[j].toAsn1(der);
						der.endSequence();
					}
				}
				der.endSequence();
				der.endSequence();
			} else {
				der.writeBuffer(exts[i].data,
				    asn1.Ber.OctetString);
			}

			der.endSequence();
		}

		der.endSequence();
		der.endSequence();
	}

	der.endSequence();
}
Initial commit. 2017-09-20 23:19:33 +02:00			`// Copyright 2016 Joyent, Inc.`

			`module.exports = {`
			`read: read,`
			`verify: verify,`
			`sign: sign,`
			`write: write`
			`};`

			`var assert = require('assert-plus');`
			`var asn1 = require('asn1');`
			`var algs = require('../algs');`
			`var utils = require('../utils');`
			`var Key = require('../key');`
			`var PrivateKey = require('../private-key');`
			`var pem = require('./pem');`
			`var Identity = require('../identity');`
			`var Signature = require('../signature');`
			`var Certificate = require('../certificate');`
			`var pkcs8 = require('./pkcs8');`

			`/*`
			`* This file is based on RFC5280 (X.509).`
			`*/`

			`/* Helper to read in a single mpint */`
			`function readMPInt(der, nm) {`
			`assert.strictEqual(der.peek(), asn1.Ber.Integer,`
			`nm + ' is not an Integer');`
			`return (utils.mpNormalize(der.readString(asn1.Ber.Integer, true)));`
			`}`

			`function verify(cert, key) {`
			`var sig = cert.signatures.x509;`
			`assert.object(sig, 'x509 signature');`

			`var algParts = sig.algo.split('-');`
			`if (algParts[0] !== key.type)`
			`return (false);`

			`var blob = sig.cache;`
			`if (blob === undefined) {`
			`var der = new asn1.BerWriter();`
			`writeTBSCert(cert, der);`
			`blob = der.buffer;`
			`}`

			`var verifier = key.createVerify(algParts[1]);`
			`verifier.write(blob);`
			`return (verifier.verify(sig.signature));`
			`}`

			`function Local(i) {`
			`return (asn1.Ber.Context \| asn1.Ber.Constructor \| i);`
			`}`

			`function Context(i) {`
			`return (asn1.Ber.Context \| i);`
			`}`

			`var SIGN_ALGS = {`
			`'rsa-md5': '1.2.840.113549.1.1.4',`
			`'rsa-sha1': '1.2.840.113549.1.1.5',`
			`'rsa-sha256': '1.2.840.113549.1.1.11',`
			`'rsa-sha384': '1.2.840.113549.1.1.12',`
			`'rsa-sha512': '1.2.840.113549.1.1.13',`
			`'dsa-sha1': '1.2.840.10040.4.3',`
			`'dsa-sha256': '2.16.840.1.101.3.4.3.2',`
			`'ecdsa-sha1': '1.2.840.10045.4.1',`
			`'ecdsa-sha256': '1.2.840.10045.4.3.2',`
			`'ecdsa-sha384': '1.2.840.10045.4.3.3',`
			`'ecdsa-sha512': '1.2.840.10045.4.3.4'`
			`};`
			`Object.keys(SIGN_ALGS).forEach(function (k) {`
			`SIGN_ALGS[SIGN_ALGS[k]] = k;`
			`});`
			`SIGN_ALGS['1.3.14.3.2.3'] = 'rsa-md5';`
			`SIGN_ALGS['1.3.14.3.2.29'] = 'rsa-sha1';`

			`var EXTS = {`
			`'issuerKeyId': '2.5.29.35',`
			`'altName': '2.5.29.17'`
			`};`

			`function read(buf, options) {`
			`if (typeof (buf) === 'string') {`
			`buf = new Buffer(buf, 'binary');`
			`}`
			`assert.buffer(buf, 'buf');`

			`var der = new asn1.BerReader(buf);`

			`der.readSequence();`
			`if (Math.abs(der.length - der.remain) > 1) {`
			`throw (new Error('DER sequence does not contain whole byte ' +`
			`'stream'));`
			`}`

			`var tbsStart = der.offset;`
			`der.readSequence();`
			`var sigOffset = der.offset + der.length;`
			`var tbsEnd = sigOffset;`

			`if (der.peek() === Local(0)) {`
			`der.readSequence(Local(0));`
			`var version = der.readInt();`
			`assert.ok(version <= 3,`
			`'only x.509 versions up to v3 supported');`
			`}`

			`var cert = {};`
			`cert.signatures = {};`
			`var sig = (cert.signatures.x509 = {});`
			`sig.extras = {};`

			`cert.serial = readMPInt(der, 'serial');`

			`der.readSequence();`
			`var after = der.offset + der.length;`
			`var certAlgOid = der.readOID();`
			`var certAlg = SIGN_ALGS[certAlgOid];`
			`if (certAlg === undefined)`
			`throw (new Error('unknown signature algorithm ' + certAlgOid));`

			`der._offset = after;`
			`cert.issuer = Identity.parseAsn1(der);`

			`der.readSequence();`
			`cert.validFrom = readDate(der);`
			`cert.validUntil = readDate(der);`

			`cert.subjects = [Identity.parseAsn1(der)];`

			`der.readSequence();`
			`after = der.offset + der.length;`
			`cert.subjectKey = pkcs8.readPkcs8(undefined, 'public', der);`
			`der._offset = after;`

			`/* issuerUniqueID */`
			`if (der.peek() === Local(1)) {`
			`der.readSequence(Local(1));`
			`sig.extras.issuerUniqueID =`
			`buf.slice(der.offset, der.offset + der.length);`
			`der._offset += der.length;`
			`}`

			`/* subjectUniqueID */`
			`if (der.peek() === Local(2)) {`
			`der.readSequence(Local(2));`
			`sig.extras.subjectUniqueID =`
			`buf.slice(der.offset, der.offset + der.length);`
			`der._offset += der.length;`
			`}`

			`/* extensions */`
			`if (der.peek() === Local(3)) {`
			`der.readSequence(Local(3));`
			`var extEnd = der.offset + der.length;`
			`der.readSequence();`

			`while (der.offset < extEnd)`
			`readExtension(cert, buf, der);`

			`assert.strictEqual(der.offset, extEnd);`
			`}`

			`assert.strictEqual(der.offset, sigOffset);`

			`der.readSequence();`
			`after = der.offset + der.length;`
			`var sigAlgOid = der.readOID();`
			`var sigAlg = SIGN_ALGS[sigAlgOid];`
			`if (sigAlg === undefined)`
			`throw (new Error('unknown signature algorithm ' + sigAlgOid));`
			`der._offset = after;`

			`var sigData = der.readString(asn1.Ber.BitString, true);`
			`if (sigData[0] === 0)`
			`sigData = sigData.slice(1);`
			`var algParts = sigAlg.split('-');`

			`sig.signature = Signature.parse(sigData, algParts[0], 'asn1');`
			`sig.signature.hashAlgorithm = algParts[1];`
			`sig.algo = sigAlg;`
			`sig.cache = buf.slice(tbsStart, tbsEnd);`

			`return (new Certificate(cert));`
			`}`

			`function readDate(der) {`
			`if (der.peek() === asn1.Ber.UTCTime) {`
			`return (utcTimeToDate(der.readString(asn1.Ber.UTCTime)));`
			`} else if (der.peek() === asn1.Ber.GeneralizedTime) {`
			`return (gTimeToDate(der.readString(asn1.Ber.GeneralizedTime)));`
			`} else {`
			`throw (new Error('Unsupported date format'));`
			`}`
			`}`

			`/* RFC5280, section 4.2.1.6 (GeneralName type) */`
			`var ALTNAME = {`
			`OtherName: Local(0),`
			`RFC822Name: Context(1),`
			`DNSName: Context(2),`
			`X400Address: Local(3),`
			`DirectoryName: Local(4),`
			`EDIPartyName: Local(5),`
			`URI: Context(6),`
			`IPAddress: Context(7),`
			`OID: Context(8)`
			`};`

			`function readExtension(cert, buf, der) {`
			`der.readSequence();`
			`var after = der.offset + der.length;`
			`var extId = der.readOID();`
			`var id;`
			`var sig = cert.signatures.x509;`
			`sig.extras.exts = [];`

			`var critical;`
			`if (der.peek() === asn1.Ber.Boolean)`
			`critical = der.readBoolean();`

			`switch (extId) {`
			`case (EXTS.altName):`
			`der.readSequence(asn1.Ber.OctetString);`
			`der.readSequence();`
			`var aeEnd = der.offset + der.length;`
			`while (der.offset < aeEnd) {`
			`switch (der.peek()) {`
			`case ALTNAME.OtherName:`
			`case ALTNAME.EDIPartyName:`
			`der.readSequence();`
			`der._offset += der.length;`
			`break;`
			`case ALTNAME.OID:`
			`der.readOID(ALTNAME.OID);`
			`break;`
			`case ALTNAME.RFC822Name:`
			`/* RFC822 specifies email addresses */`
			`var email = der.readString(ALTNAME.RFC822Name);`
			`id = Identity.forEmail(email);`
			`if (!cert.subjects[0].equals(id))`
			`cert.subjects.push(id);`
			`break;`
			`case ALTNAME.DirectoryName:`
			`der.readSequence(ALTNAME.DirectoryName);`
			`id = Identity.parseAsn1(der);`
			`if (!cert.subjects[0].equals(id))`
			`cert.subjects.push(id);`
			`break;`
			`case ALTNAME.DNSName:`
			`var host = der.readString(`
			`ALTNAME.DNSName);`
			`id = Identity.forHost(host);`
			`if (!cert.subjects[0].equals(id))`
			`cert.subjects.push(id);`
			`break;`
			`default:`
			`der.readString(der.peek());`
			`break;`
			`}`
			`}`
			`sig.extras.exts.push({ oid: extId, critical: critical });`
			`break;`
			`default:`
			`sig.extras.exts.push({`
			`oid: extId,`
			`critical: critical,`
			`data: der.readString(asn1.Ber.OctetString, true)`
			`});`
			`break;`
			`}`

			`der._offset = after;`
			`}`

			`var UTCTIME_RE =`
			`/^([0-9]{2})([0-9]{2})([0-9]{2})([0-9]{2})([0-9]{2})([0-9]{2})?Z$/;`
			`function utcTimeToDate(t) {`
			`var m = t.match(UTCTIME_RE);`
			`assert.ok(m, 'timestamps must be in UTC');`
			`var d = new Date();`

			`var thisYear = d.getUTCFullYear();`
			`var century = Math.floor(thisYear / 100) * 100;`

			`var year = parseInt(m[1], 10);`
			`if (thisYear % 100 < 50 && year >= 60)`
			`year += (century - 1);`
			`else`
			`year += century;`
			`d.setUTCFullYear(year, parseInt(m[2], 10) - 1, parseInt(m[3], 10));`
			`d.setUTCHours(parseInt(m[4], 10), parseInt(m[5], 10));`
			`if (m[6] && m[6].length > 0)`
			`d.setUTCSeconds(parseInt(m[6], 10));`
			`return (d);`
			`}`

			`var GTIME_RE =`
			`/^([0-9]{4})([0-9]{2})([0-9]{2})([0-9]{2})([0-9]{2})([0-9]{2})?Z$/;`
			`function gTimeToDate(t) {`
			`var m = t.match(GTIME_RE);`
			`assert.ok(m);`
			`var d = new Date();`

			`d.setUTCFullYear(parseInt(m[1], 10), parseInt(m[2], 10) - 1,`
			`parseInt(m[3], 10));`
			`d.setUTCHours(parseInt(m[4], 10), parseInt(m[5], 10));`
			`if (m[6] && m[6].length > 0)`
			`d.setUTCSeconds(parseInt(m[6], 10));`
			`return (d);`
			`}`

			`function zeroPad(n) {`
			`var s = '' + n;`
			`while (s.length < 2)`
			`s = '0' + s;`
			`return (s);`
			`}`

			`function dateToUTCTime(d) {`
			`var s = '';`
			`s += zeroPad(d.getUTCFullYear() % 100);`
			`s += zeroPad(d.getUTCMonth() + 1);`
			`s += zeroPad(d.getUTCDate());`
			`s += zeroPad(d.getUTCHours());`
			`s += zeroPad(d.getUTCMinutes());`
			`s += zeroPad(d.getUTCSeconds());`
			`s += 'Z';`
			`return (s);`
			`}`

			`function sign(cert, key) {`
			`if (cert.signatures.x509 === undefined)`
			`cert.signatures.x509 = {};`
			`var sig = cert.signatures.x509;`

			`sig.algo = key.type + '-' + key.defaultHashAlgorithm();`
			`if (SIGN_ALGS[sig.algo] === undefined)`
			`return (false);`

			`var der = new asn1.BerWriter();`
			`writeTBSCert(cert, der);`
			`var blob = der.buffer;`
			`sig.cache = blob;`

			`var signer = key.createSign();`
			`signer.write(blob);`
			`cert.signatures.x509.signature = signer.sign();`

			`return (true);`
			`}`

			`function write(cert, options) {`
			`var sig = cert.signatures.x509;`
			`assert.object(sig, 'x509 signature');`

			`var der = new asn1.BerWriter();`
			`der.startSequence();`
			`if (sig.cache) {`
			`der._ensure(sig.cache.length);`
			`sig.cache.copy(der._buf, der._offset);`
			`der._offset += sig.cache.length;`
			`} else {`
			`writeTBSCert(cert, der);`
			`}`

			`der.startSequence();`
			`der.writeOID(SIGN_ALGS[sig.algo]);`
			`if (sig.algo.match(/^rsa-/))`
			`der.writeNull();`
			`der.endSequence();`

			`var sigData = sig.signature.toBuffer('asn1');`
			`var data = new Buffer(sigData.length + 1);`
			`data[0] = 0;`
			`sigData.copy(data, 1);`
			`der.writeBuffer(data, asn1.Ber.BitString);`
			`der.endSequence();`

			`return (der.buffer);`
			`}`

			`function writeTBSCert(cert, der) {`
			`var sig = cert.signatures.x509;`
			`assert.object(sig, 'x509 signature');`

			`der.startSequence();`

			`der.startSequence(Local(0));`
			`der.writeInt(2);`
			`der.endSequence();`

			`der.writeBuffer(utils.mpNormalize(cert.serial), asn1.Ber.Integer);`

			`der.startSequence();`
			`der.writeOID(SIGN_ALGS[sig.algo]);`
			`der.endSequence();`

			`cert.issuer.toAsn1(der);`

			`der.startSequence();`
			`der.writeString(dateToUTCTime(cert.validFrom), asn1.Ber.UTCTime);`
			`der.writeString(dateToUTCTime(cert.validUntil), asn1.Ber.UTCTime);`
			`der.endSequence();`

			`var subject = cert.subjects[0];`
			`var altNames = cert.subjects.slice(1);`
			`subject.toAsn1(der);`

			`pkcs8.writePkcs8(der, cert.subjectKey);`

			`if (sig.extras && sig.extras.issuerUniqueID) {`
			`der.writeBuffer(sig.extras.issuerUniqueID, Local(1));`
			`}`

			`if (sig.extras && sig.extras.subjectUniqueID) {`
			`der.writeBuffer(sig.extras.subjectUniqueID, Local(2));`
			`}`

			`if (altNames.length > 0 \|\| subject.type === 'host' \|\|`
			`(sig.extras && sig.extras.exts)) {`
			`der.startSequence(Local(3));`
			`der.startSequence();`

			`var exts = [`
			`{ oid: EXTS.altName }`
			`];`
			`if (sig.extras && sig.extras.exts)`
			`exts = sig.extras.exts;`

			`for (var i = 0; i < exts.length; ++i) {`
			`der.startSequence();`
			`der.writeOID(exts[i].oid);`

			`if (exts[i].critical !== undefined)`
			`der.writeBoolean(exts[i].critical);`

			`if (exts[i].oid === EXTS.altName) {`
			`der.startSequence(asn1.Ber.OctetString);`
			`der.startSequence();`
			`if (subject.type === 'host') {`
			`der.writeString(subject.hostname,`
			`Context(2));`
			`}`
			`for (var j = 0; j < altNames.length; ++j) {`
			`if (altNames[j].type === 'host') {`
			`der.writeString(`
			`altNames[j].hostname,`
			`ALTNAME.DNSName);`
			`} else if (altNames[j].type ===`
			`'email') {`
			`der.writeString(`
			`altNames[j].email,`
			`ALTNAME.RFC822Name);`
			`} else {`
			`/*`
			`* Encode anything else as a`
			`* DN style name for now.`
			`*/`
			`der.startSequence(`
			`ALTNAME.DirectoryName);`
			`altNames[j].toAsn1(der);`
			`der.endSequence();`
			`}`
			`}`
			`der.endSequence();`
			`der.endSequence();`
			`} else {`
			`der.writeBuffer(exts[i].data,`
			`asn1.Ber.OctetString);`
			`}`

			`der.endSequence();`
			`}`

			`der.endSequence();`
			`der.endSequence();`
			`}`

			`der.endSequence();`
			`}`