Bump up the jsrsasign version from 8.0.24 to 10.4.1

* changed the unit test cases according to the jsrsasign package upgrade
* Updated extensions as per the new jsrsasign package
* made changes in PKCS11_ECDSA_KEY class as per changes in jsrsasign 10.4.1
* certificate request extensions are used and mapped to the new format to ensure backwards compatibility

Co-Authored-by: Rajat Sharma <rajat.sharma@dltlabs.io>
Co-Authored-by: Deepak Singh <deepak.singh2@dltlabs.io>
Signed-off-by: Deepak Singh <91736795+blockguardian@users.noreply.github.com>

Author: 2 people

fabric-ca-client/package.json

@@ -20,9 +20,9 @@
   },
   "types": "./types/index.d.ts",
   "dependencies": {
+    "jsrsasign": "^10.4.1",
     "grpc": "1.24.11",
     "lodash.clone": "4.5.0",
-    "jsrsasign": "^8.0.20",
     "url": "^0.11.0",
     "winston": "^2.4.0"
   },

fabric-client/lib/impl/ecdsa/key.js

@@ -117,13 +117,13 @@ module.exports = class ECDSA_KEY extends api.Key {
 			throw new Error('A CSR cannot be generated from a public key');
 		}
 
-		const csr = asn1.csr.CSRUtil.newCSRPEM({
+		const csr = new asn1.csr.CertificationRequest({
 			subject: {str: asn1.x509.X500Name.ldapToOneline(subjectDN)},
 			sbjpubkey: this.getPublicKey()._key,
 			sigalg: 'SHA256withECDSA',
 			sbjprvkey: this._key
 		});
-		return csr;
+		return csr.getPEM();
 	}
 
 	/**
@@ -156,18 +156,17 @@ module.exports = class ECDSA_KEY extends api.Key {
 			sbjpubkey: this.getPublicKey()._key,
 			ext: [
 				{
-					basicConstraints: {
-						cA: false,
-						critical: true
-					}
+					extname: 'basicConstraints',
+					cA: false,
+					critical: true
 				},
 				{
-					keyUsage: {bin: '11'}
+					extname: 'keyUsage',
+					bin: '11'
 				},
 				{
-					extKeyUsage: {
-						array: [{name: 'clientAuth'}]
-					}
+					extname: 'extKeyUsage',
+					array: [{name: 'clientAuth'}]
 				}
 			],
 			cakey: this._key

fabric-client/lib/impl/ecdsa/pkcs11_key.js

@@ -10,6 +10,7 @@
 const api = require('../../api.js');
 const jsrsa = require('jsrsasign');
 const asn1 = jsrsa.asn1;
+const Utils = require('../../utils');
 
 const elliptic = require('elliptic');
 const EC = elliptic.ec;
@@ -82,12 +83,13 @@ const PKCS11_ECDSA_KEY = class extends api.Key {
 		csr.asn1SignatureAlg =
 			new asn1.x509.AlgorithmIdentifier({'name': sigAlgName});
 
-		const digest = this._cryptoSuite.hash(Buffer.from(csr.asn1CSRInfo.getEncodedHex(), 'hex'));
+		const csri = new asn1.csr.CertificationRequestInfo(csr.params);
+		const digest = this._cryptoSuite.hash(Buffer.from(csri.getEncodedHex(), 'hex'));
 		const sig = this._cryptoSuite.sign(this, Buffer.from(digest, 'hex'));
-		csr.hexSig = sig.toString('hex');
+		csr.params.sighex = sig.toString('hex');
 
-		csr.asn1Sig = new asn1.DERBitString({'hex': '00' + csr.hexSig});
-		const seq = new asn1.DERSequence({'array': [csr.asn1CSRInfo, csr.asn1SignatureAlg, csr.asn1Sig]});
+		csr.asn1Sig = new asn1.DERBitString({'hex': '00' + csr.params.sighex});
+		const seq = new asn1.DERSequence({'array': [csri, csr.asn1SignatureAlg, csr.asn1Sig]});
 		csr.hTLV = seq.getEncodedHex();
 		csr.isModified = false;
 	}
@@ -108,21 +110,17 @@ const PKCS11_ECDSA_KEY = class extends api.Key {
 		}
 		const ecdsa = new EC(this._cryptoSuite._ecdsaCurve);
 		const pubKey = ecdsa.keyFromPublic(this._pub._ecpt);
-		const csri = new _KJUR_asn1_csr.CertificationRequestInfo();
-		csri.setSubjectByParam(param.subject);
-		csri.setSubjectPublicKeyByGetKey({xy: pubKey.getPublic('hex'), curve: 'secp256r1'});
-		if (param.ext !== undefined && param.ext.length !== undefined) {
-			for (const ext of param.ext) {
-				for (const key in ext) {
-					csri.appendExtensionByName(key, ext[key]);
-				}
-			}
-		}
-
-		const csr = new _KJUR_asn1_csr.CertificationRequest({'csrinfo': csri});
-		this.signCSR(csr, param.sigalg);
+		const extreq = Utils.mapCSRExtensions(param.ext);
+		const sigAlgName = param.sigalg;
+		const csr = new _KJUR_asn1_csr.CertificationRequest({
+			subject: param.subject,
+			sbjpubkey: {xy: pubKey.getPublic('hex'), curve: 'secp256r1'},
+			sigalg: sigAlgName,
+			extreq: extreq
+		});
+		this.signCSR(csr, sigAlgName);
 
-		const pem = csr.getPEMString();
+		const pem = csr.getPEM();
 		return pem;
 
 	}

fabric-client/lib/utils.js

@@ -573,3 +573,42 @@ module.exports.convertBytetoString = (buffer_array, encoding) => {
 
 	return result;
 };
+/**
+ * Map CSRUtil.newCSRPEM style extensions:
+ * ```
+ * {
+ *     subjectAltName: {
+ *         array: [...],
+ *     },
+ * }
+ * ```
+ *
+ * to CertificationRequest style extensions:
+ * ```
+ * {
+ *     extname: 'subjectAltName',
+ *     array: [...],
+ * }
+ * ```
+ * @private
+ */
+module.exports.mapCSRExtensions = (extensions) => {
+	if (!Array.isArray(extensions)) {
+		return extensions;
+	}
+
+	const results = [];
+	extensions.forEach(extension => {
+		const isCertificationRequestExtension = typeof extension.extname === 'string';
+		if (isCertificationRequestExtension) {
+			results.push(extension);
+		} else {
+			Object.entries(extension).forEach(([extname, props]) => {
+				const extensionRequest = Object.assign({}, props, {extname});
+				results.push(extensionRequest);
+			});
+		}
+	});
+
+	return results;
+};

fabric-client/package.json

@@ -31,7 +31,7 @@
     "ignore-walk": "^3.0.0",
     "js-sha3": "^0.7.0",
     "js-yaml": "^3.9.0",
-    "jsrsasign": "^8.0.20",
+    "jsrsasign": "^10.4.1",
     "klaw": "^4.0.1",
     "lodash.clone": "4.5.0",
     "long": "^4.0.0",

package.json

@@ -60,7 +60,7 @@
     "ink-docstrap": "^1.3.2",
     "intercept-stdout": "^0.1.2",
     "jsdoc": "^3.6.3",
-    "jsrsasign": "^8.0.20",
+    "jsrsasign": "^10.4.1",
     "log4js": "^6.1.1",
     "mocha": "^7.1.2",
     "mock-couch": "^0.1.11",

test/unit/ecdsa-key.js

@@ -133,15 +133,14 @@ test('\n\n ** ECDSA Key Impl tests **\n\n', (t) => {
 	const subjectDN = 'CN=dummy';
 	try {
 		csrPEM = key3.generateCSR(subjectDN);
-		csrObject = asn1.csr.CSRUtil.getInfo(csrPEM);
+		csrObject = asn1.csr.CSRUtil.getParam(csrPEM);
 	} catch (err) {
 		t.fail('Failed to generate a CSR: ' + err.stack ? err.stack : err);
 	}
-
-	t.equal(asn1.x509.X500Name.onelineToLDAP(csrObject.subject.name), subjectDN,
+	t.equal(asn1.x509.X500Name.onelineToLDAP(csrObject.subject.str), subjectDN,
 		'Checking CSR subject matches subject from request');
 
-	t.equal(csrObject.pubkey.obj.pubKeyHex, key3.getPublicKey()._key.pubKeyHex,
+	t.equal(KEYUTIL.getKeyFromCSRPEM(csrPEM).pubKeyHex, key3.getPublicKey()._key.pubKeyHex,
 		'Checking CSR public key matches requested public key');
 
 	// test X509 generation