lib/certs.js

/**
 * Detects iOS developer and distribution certificates and the WWDC certificate.
 *
 * @module certs
 *
 * @copyright
 * Copyright (c) 2014-2016 by Appcelerator, Inc. All Rights Reserved.
 *
 * Copyright (c) 2010-2014 Digital Bazaar, Inc.
 * {@link https://github.com/digitalbazaar/forge}
 *
 * @license
 * Licensed under the terms of the Apache Public License.
 * Please see the LICENSE included with this distribution for details.
 */

const
	appc = require('node-appc'),
	async = require('async'),
	env = require('./env'),
	magik = require('./utilities').magik,
	__ = appc.i18n(__dirname).__;

const certRegExp = /^(?:((?:Apple|iOS) Development)|((?:iOS|Apple|iPhone) Distribution)): (.+)$/;

var cache = null,
	watchers = {},
	watchResults = null,
	watchInterval = 60000,
	watchTimer = null;

exports.detect = detect;
exports.watch = watch;
exports.unwatch = unwatch;

/**
 * Detects installed certificates.
 *
 * @param {Object} [options] - An object containing various settings.
 * @param {Boolean} [options.bypassCache=false] - When true, re-detects all certificates.
 * @param {Boolean} [options.validOnly=true] - When true, only returns non-expired, valid certificates.
 * @param {Function} [callback(err, results)] - A function to call with the certificate information.
 *
 * @emits module:certs#detected
 * @emits module:certs#error
 *
 * @returns {Handle}
 */
function detect(options, callback) {
	return magik(options, callback, function (emitter, options, callback) {
		var validOnly = options.validOnly === undefined || options.validOnly === true;

		if (cache && !options.bypassCache) {
			emitter.emit('detected', cache);
			return callback(null, cache);
		}

		function getCerts(cb) {
			// detect the development environment
			env.detect(options, function (err, env) {
				var results = {
					certs: {
						keychains: {},
						wwdr: false
					},
					issues: []
				};

				// if we don't have the security executable, we cannot detect certs
				if (!env.executables.security) {
					return cb(null, results);
				}

				appc.subprocess.run(env.executables.security, 'list-keychains', function (code, out, err) {
					if (code) {
						return cb(results);
					}

					function parseCerts(src, dest, prefix) {
						var p = 0,
							q = src.indexOf('-----END'),
							pem, cert, validity, expired, invalid, commonName;

						while (p !== -1 && q !== -1) {
							pem = src.substring(p, q + 25);
							cert = pem2cert(pem);
							expired = cert.validity.notAfter < now,
							invalid = expired || cert.validity.notBefore > now;
							commonName = cert.subject.getField('CN').value;
							let certName;

							if (!prefix) {
								const fullname = appc.encoding.decodeOctalUTF8(commonName);
								if (fullname === 'Apple Worldwide Developer Relations Certification Authority') {
									certName = commonName;
								} else {
									const match = fullname.match(certRegExp);
									if (match) {
										certName = match[3]
									}
								}
							} else {
								certName = appc.encoding.decodeOctalUTF8(commonName.substring(prefix.length)).trim();
							}

							if (!validOnly || !invalid) {
								const teamId = cert.subject.attributes.find(attr => attr.name === 'organizationalUnitName');
								dest.push({
									name: certName,
									fullname: appc.encoding.decodeOctalUTF8(commonName).trim(),
									pem: pem,
									before: cert.validity.notBefore,
									after: cert.validity.notAfter,
									expired: expired,
									invalid: invalid,
									teamId: teamId && teamId.value
								});
							}

							p = src.indexOf('-----BEGIN', q + 25);
							q = src.indexOf('-----END', p);
						}
					}

					var now = new Date,
						tasks = [];

					// parse out the keychains and add tasks to find certs for each keychain
					out.split('\n').forEach(function (line) {
						var m = line.match(/[^"]*"([^"]*)"/);
						if (!m) return;

						var keychain = m[1].trim(),
							dest = results.certs.keychains[keychain] = {
								developer: [],
								distribution: []
							};

						// find all the developer certificates in this keychain
						tasks.push(function (next) {
							appc.subprocess.run(env.executables.security, ['find-certificate', '-c', 'iPhone Developer:', '-a', '-p', keychain], function (code, out, err) {
								if (!code) {
									parseCerts(out, dest.developer, 'iPhone Developer:');
								}
								next();
							});
						});

						// find all the developer certificates in this keychain
						tasks.push(function (next) {
							appc.subprocess.run(env.executables.security, ['find-certificate', '-c', 'Development:', '-a', '-p', keychain], function (code, out, err) {
								if (!code) {
									parseCerts(out, dest.developer);
								}
								next();
							});
						});

						// find all the distribution certificates in this keychain
						tasks.push(function (next) {
							appc.subprocess.run(env.executables.security, ['find-certificate', '-c', 'Distribution:', '-a', '-p', keychain], function (code, out, err) {
								if (!code) {
									parseCerts(out, dest.distribution);
								}
								next();
							});
						});

						// find all the wwdr certificates in this keychain
						tasks.push(function (next) {
							// if we already found it, then skip the remaining keychains
							if (results.certs.wwdr) return next();

							appc.subprocess.run(env.executables.security, ['find-certificate', '-c', 'Apple Worldwide Developer Relations Certification Authority', '-a', '-p', keychain], function (code, out, err) {
								if (!code) {
									var tmp = [];
									parseCerts(out, tmp);
									results.certs.wwdr = results.certs.wwdr || (tmp.length && tmp[0].invalid === false);
								}
								next();
							});
						});
					});

					// process all cert tasks
					async.parallel(tasks, function () {
						cb(results);
					});
				});
			});
		}

		// get all keychains and certs
		getCerts(function (results) {
			detectIssues(results);
			cache = results;
			emitter.emit('detected', results);
			callback(null, results);
		});
	});
};

function detectIssues(dest) {
	dest.issues = [];

	if (!dest.certs.wwdr) {
		dest.issues.push({
			id: 'IOS_NO_WWDR_CERT_FOUND',
			type: 'error',
			message: __('Apple’s World Wide Developer Relations (WWDR) intermediate certificate is not installed.') + '\n' +
				__('This will prevent you from building apps for iOS devices or package for distribution.')
		});
	}

	if (!Object.keys(dest.certs.keychains).length) {
		// I don't think this is even possible
		dest.issues.push({
			id: 'IOS_NO_KEYCHAINS_FOUND',
			type: 'warning',
			message: __('Unable to find any keychains found.')
		});
	}

	var validDevCerts = 0,
		validDistCerts = 0;

	Object.keys(dest.certs.keychains).forEach(function (keychain) {
		validDevCerts += (dest.certs.keychains[keychain].developer || []).filter(function (c) {
			return !c.invalid;
		}).length;

		validDistCerts += (dest.certs.keychains[keychain].distribution || []).filter(function (c) {
			return !c.invalid;
		}).length;
	});

	if (!validDevCerts) {
		dest.issues.push({
			id: 'IOS_NO_VALID_DEV_CERTS_FOUND',
			type: 'warning',
			message: __('Unable to find any valid iOS developer certificates.') + '\n' +
				__('This will prevent you from building apps for iOS devices.')
		});
	}

	if (!validDistCerts) {
		dest.issues.push({
			id: 'IOS_NO_VALID_DIST_CERTS_FOUND',
			type: 'warning',
			message: __('Unable to find any valid iOS production distribution certificates.') + '\n' +
				__('This will prevent you from packaging apps for distribution.')
		});
	}
}

/**
 * Watches for new and changed certificates.
 *
 * @param {Object} [options] - An object containing various settings
 * @param {Boolean} [options.watchInterval=60000] - The number of milliseconds to wait before checking for cert updates
 * @param {Function} [callback(err, results)] - A function to call with the certificate information
 *
 * @returns {Function} A function that unwatches changes.
 */
function watch(options, callback) {
	if (typeof options === 'function') {
		callback = options;
		options = {};
	} else if (!options) {
		options = {};
	}

	watchers[callback] = (watchers[callback] || 0) + 1;
	watchInterval = ~~options.watchInterval || 60000;

	// check if already watching or already watching
	if (watchers[callback] === 1 && !watchTimer) {
		options.bypassCache = true;

		function check() {
			detect(options, function (err, results) {
				if (!err && (!watchResults || JSON.stringify(watchResults) !== JSON.stringify(results))) {
					watchResults = results;
					return callback(null, results);
				}
				watchTimer = setTimeout(check, watchInterval);
			});
		}

		watchTimer = setTimeout(check, watchInterval);
	}

	return function () {
		unwatch(callback);
	};
};

/**
 * Stops watching for certificate changes.
 */
function unwatch(callback) {
	if (!watchers[callback]) return;

	if (--watchers[callback] <= 0) {
		delete watchers[callback];
	}

	if (!Object.keys(watchers).length) {
		clearTimeout(watchTimer);
		watchTimer = null;
	}
};

/*
 * Everything from this point onward is from the forge project (aka node-forge).
 * https://github.com/digitalbazaar/forge
 *
 * New BSD License (3-clause)
 * Copyright (c) 2010, Digital Bazaar, Inc.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions are met:
 *     * Redistributions of source code must retain the above copyright
 *       notice, this list of conditions and the following disclaimer.
 *     * Redistributions in binary form must reproduce the above copyright
 *       notice, this list of conditions and the following disclaimer in the
 *       documentation and/or other materials provided with the distribution.
 *     * Neither the name of Digital Bazaar, Inc. nor the
 *       names of its contributors may be used to endorse or promote products
 *       derived from this software without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
 * DISCLAIMED. IN NO EVENT SHALL DIGITAL BAZAAR BE LIABLE FOR ANY
 * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
 * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

var typeRegExp = /^(?:X509 |TRUSTED )?CERTIFICATE$/,
	rMessage = /\s*-----BEGIN ([A-Z0-9- ]+)-----\r?\n?([\x21-\x7e\s]+?(?:\r?\n\r?\n))?([:A-Za-z0-9+\/=\s]+?)-----END \1-----/g,
	rHeader = /([\x21-\x7e]+):\s*([\x21-\x7e\s^:]+)/,
	rCRLF = /\r?\n/,
	whitespaceRegExp = /\s/,
	leadingSpaceRegExp = /^\s+/,
	asn1Class = {
		UNIVERSAL:        0x00,
		APPLICATION:      0x40,
		CONTEXT_SPECIFIC: 0x80,
		PRIVATE:          0xC0
	},
	asn1Type = {
		NONE:             0,
		BOOLEAN:          1,
		INTEGER:          2,
		BITSTRING:        3,
		OCTETSTRING:      4,
		NULL:             5,
		OID:              6,
		ODESC:            7,
		EXTERNAL:         8,
		REAL:             9,
		ENUMERATED:      10,
		EMBEDDED:        11,
		UTF8:            12,
		ROID:            13,
		SEQUENCE:        16,
		SET:             17,
		PRINTABLESTRING: 19,
		IA5STRING:       22,
		UTCTIME:         23,
		GENERALIZEDTIME: 24,
		BMPSTRING:       30
	},
	x509CertificateValidator = {
		name: 'Certificate',
		tagClass: asn1Class.UNIVERSAL,
		type: asn1Type.SEQUENCE,
		constructed: true,
		value: [ {
			name: 'Certificate.TBSCertificate',
			tagClass: asn1Class.UNIVERSAL,
			type: asn1Type.SEQUENCE,
			constructed: true,
			captureAsn1: 'tbsCertificate',
			value: [ {
				name: 'Certificate.TBSCertificate.version',
				tagClass: asn1Class.CONTEXT_SPECIFIC,
				type: 0,
				constructed: true,
				optional: true,
				value: [ {
					name: 'Certificate.TBSCertificate.version.integer',
					tagClass: asn1Class.UNIVERSAL,
					type: asn1Type.INTEGER,
					constructed: false,
					capture: 'certVersion'
				} ]
			}, {
				name: 'Certificate.TBSCertificate.serialNumber',
				tagClass: asn1Class.UNIVERSAL,
				type: asn1Type.INTEGER,
				constructed: false,
				capture: 'certSerialNumber'
			}, {
				name: 'Certificate.TBSCertificate.signature',
				tagClass: asn1Class.UNIVERSAL,
				type: asn1Type.SEQUENCE,
				constructed: true,
				value: [ {
					name: 'Certificate.TBSCertificate.signature.algorithm',
					tagClass: asn1Class.UNIVERSAL,
					type: asn1Type.OID,
					constructed: false,
					capture: 'certinfoSignatureOid'
				}, {
					name: 'Certificate.TBSCertificate.signature.parameters',
					tagClass: asn1Class.UNIVERSAL,
					optional: true,
					captureAsn1: 'certinfoSignatureParams'
				} ]
			}, {
				name: 'Certificate.TBSCertificate.issuer',
				tagClass: asn1Class.UNIVERSAL,
				type: asn1Type.SEQUENCE,
				constructed: true,
				captureAsn1: 'certIssuer'
			}, {
				name: 'Certificate.TBSCertificate.validity',
				tagClass: asn1Class.UNIVERSAL,
				type: asn1Type.SEQUENCE,
				constructed: true,
				// Note: UTC and generalized times may both appear so the capture
				// names are based on their detected order, the names used below
				// are only for the common case, which validity time really means
				// "notBefore" and which means "notAfter" will be determined by order
				value: [ {
					// notBefore (Time) (UTC time case)
					name: 'Certificate.TBSCertificate.validity.notBefore (utc)',
					tagClass: asn1Class.UNIVERSAL,
					type: asn1Type.UTCTIME,
					constructed: false,
					optional: true,
					capture: 'certValidity1UTCTime'
				}, {
					// notBefore (Time) (generalized time case)
					name: 'Certificate.TBSCertificate.validity.notBefore (generalized)',
					tagClass: asn1Class.UNIVERSAL,
					type: asn1Type.GENERALIZEDTIME,
					constructed: false,
					optional: true,
					capture: 'certValidity2GeneralizedTime'
				}, {
					// notAfter (Time) (only UTC time is supported)
					name: 'Certificate.TBSCertificate.validity.notAfter (utc)',
					tagClass: asn1Class.UNIVERSAL,
					type: asn1Type.UTCTIME,
					constructed: false,
					optional: true,
					capture: 'certValidity3UTCTime'
				}, {
					// notAfter (Time) (only UTC time is supported)
					name: 'Certificate.TBSCertificate.validity.notAfter (generalized)',
					tagClass: asn1Class.UNIVERSAL,
					type: asn1Type.GENERALIZEDTIME,
					constructed: false,
					optional: true,
					capture: 'certValidity4GeneralizedTime'
				} ]
			}, {
				// Name (subject) (RDNSequence)
				name: 'Certificate.TBSCertificate.subject',
				tagClass: asn1Class.UNIVERSAL,
				type: asn1Type.SEQUENCE,
				constructed: true,
				captureAsn1: 'certSubject'
			}, {
				name: 'SubjectPublicKeyInfo',
				tagClass: asn1Class.UNIVERSAL,
				type: asn1Type.SEQUENCE,
				constructed: true,
				captureAsn1: 'subjectPublicKeyInfo',
				value: [ {
					name: 'SubjectPublicKeyInfo.AlgorithmIdentifier',
					tagClass: asn1Class.UNIVERSAL,
					type: asn1Type.SEQUENCE,
					constructed: true,
					value: [ {
						name: 'AlgorithmIdentifier.algorithm',
						tagClass: asn1Class.UNIVERSAL,
						type: asn1Type.OID,
						constructed: false,
						capture: 'publicKeyOid'
					} ]
				}, {
					// subjectPublicKey
					name: 'SubjectPublicKeyInfo.subjectPublicKey',
					tagClass: asn1Class.UNIVERSAL,
					type: asn1Type.BITSTRING,
					constructed: false,
					value: [ {
						// RSAPublicKey
						name: 'SubjectPublicKeyInfo.subjectPublicKey.RSAPublicKey',
						tagClass: asn1Class.UNIVERSAL,
						type: asn1Type.SEQUENCE,
						constructed: true,
						optional: true,
						captureAsn1: 'rsaPublicKey'
					} ]
				} ]
			}, {
				// issuerUniqueID (optional)
				name: 'Certificate.TBSCertificate.issuerUniqueID',
				tagClass: asn1Class.CONTEXT_SPECIFIC,
				type: 1,
				constructed: true,
				optional: true,
				value: [ {
					name: 'Certificate.TBSCertificate.issuerUniqueID.id',
					tagClass: asn1Class.UNIVERSAL,
					type: asn1Type.BITSTRING,
					constructed: false,
					capture: 'certIssuerUniqueId'
				} ]
			}, {
				// subjectUniqueID (optional)
				name: 'Certificate.TBSCertificate.subjectUniqueID',
				tagClass: asn1Class.CONTEXT_SPECIFIC,
				type: 2,
				constructed: true,
				optional: true,
				value: [ {
					name: 'Certificate.TBSCertificate.subjectUniqueID.id',
					tagClass: asn1Class.UNIVERSAL,
					type: asn1Type.BITSTRING,
					constructed: false,
					capture: 'certSubjectUniqueId'
				} ]
			}, {
				// Extensions (optional)
				name: 'Certificate.TBSCertificate.extensions',
				tagClass: asn1Class.CONTEXT_SPECIFIC,
				type: 3,
				constructed: true,
				captureAsn1: 'certExtensions',
				optional: true
			} ]
		}, {
			// AlgorithmIdentifier (signature algorithm)
			name: 'Certificate.signatureAlgorithm',
			tagClass: asn1Class.UNIVERSAL,
			type: asn1Type.SEQUENCE,
			constructed: true,
			value: [ {
				// algorithm
				name: 'Certificate.signatureAlgorithm.algorithm',
				tagClass: asn1Class.UNIVERSAL,
				type: asn1Type.OID,
				constructed: false,
				capture: 'certSignatureOid'
			}, {
				name: 'Certificate.TBSCertificate.signature.parameters',
				tagClass: asn1Class.UNIVERSAL,
				optional: true,
				captureAsn1: 'certSignatureParams'
			} ]
		}, {
			// SignatureValue
			name: 'Certificate.signatureValue',
			tagClass: asn1Class.UNIVERSAL,
			type: asn1Type.BITSTRING,
			constructed: false,
			capture: 'certSignature'
		} ]
	},
	oids = {
		// algorithm OIDs
		'1.2.840.113549.1.1.1': 'rsaEncryption',
		'rsaEncryption': '1.2.840.113549.1.1.1',
		// Note: md2 & md4 not implemented
		//'1.2.840.113549.1.1.2': 'md2WithRSAEncryption',
		//'md2WithRSAEncryption': '1.2.840.113549.1.1.2',
		//'1.2.840.113549.1.1.3': 'md4WithRSAEncryption',
		//'md4WithRSAEncryption': '1.2.840.113549.1.1.3',
		'1.2.840.113549.1.1.4': 'md5WithRSAEncryption',
		'md5WithRSAEncryption': '1.2.840.113549.1.1.4',
		'1.2.840.113549.1.1.5': 'sha1WithRSAEncryption',
		'sha1WithRSAEncryption': '1.2.840.113549.1.1.5',
		'1.2.840.113549.1.1.7': 'RSAES-OAEP',
		'RSAES-OAEP': '1.2.840.113549.1.1.7',
		'1.2.840.113549.1.1.8': 'mgf1',
		'mgf1': '1.2.840.113549.1.1.8',
		'1.2.840.113549.1.1.9': 'pSpecified',
		'pSpecified': '1.2.840.113549.1.1.9',
		'1.2.840.113549.1.1.10': 'RSASSA-PSS',
		'RSASSA-PSS': '1.2.840.113549.1.1.10',
		'1.2.840.113549.1.1.11': 'sha256WithRSAEncryption',
		'sha256WithRSAEncryption': '1.2.840.113549.1.1.11',
		'1.2.840.113549.1.1.12': 'sha384WithRSAEncryption',
		'sha384WithRSAEncryption': '1.2.840.113549.1.1.12',
		'1.2.840.113549.1.1.13': 'sha512WithRSAEncryption',
		'sha512WithRSAEncryption': '1.2.840.113549.1.1.13',

		'1.3.14.3.2.7': 'desCBC',
		'desCBC': '1.3.14.3.2.7',

		'1.3.14.3.2.26': 'sha1',
		'sha1': '1.3.14.3.2.26',
		'2.16.840.1.101.3.4.2.1': 'sha256',
		'sha256': '2.16.840.1.101.3.4.2.1',
		'2.16.840.1.101.3.4.2.2': 'sha384',
		'sha384': '2.16.840.1.101.3.4.2.2',
		'2.16.840.1.101.3.4.2.3': 'sha512',
		'sha512': '2.16.840.1.101.3.4.2.3',
		'1.2.840.113549.2.5': 'md5',
		'md5': '1.2.840.113549.2.5',

		// pkcs#7 content types
		'1.2.840.113549.1.7.1': 'data',
		'data': '1.2.840.113549.1.7.1',
		'1.2.840.113549.1.7.2': 'signedData',
		'signedData': '1.2.840.113549.1.7.2',
		'1.2.840.113549.1.7.3': 'envelopedData',
		'envelopedData': '1.2.840.113549.1.7.3',
		'1.2.840.113549.1.7.4': 'signedAndEnvelopedData',
		'signedAndEnvelopedData': '1.2.840.113549.1.7.4',
		'1.2.840.113549.1.7.5': 'digestedData',
		'digestedData': '1.2.840.113549.1.7.5',
		'1.2.840.113549.1.7.6': 'encryptedData',
		'encryptedData': '1.2.840.113549.1.7.6',

		// pkcs#9 oids
		'1.2.840.113549.1.9.1': 'emailAddress',
		'emailAddress': '1.2.840.113549.1.9.1',
		'1.2.840.113549.1.9.2': 'unstructuredName',
		'unstructuredName': '1.2.840.113549.1.9.2',
		'1.2.840.113549.1.9.3': 'contentType',
		'contentType': '1.2.840.113549.1.9.3',
		'1.2.840.113549.1.9.4': 'messageDigest',
		'messageDigest': '1.2.840.113549.1.9.4',
		'1.2.840.113549.1.9.5': 'signingTime',
		'signingTime': '1.2.840.113549.1.9.5',
		'1.2.840.113549.1.9.6': 'counterSignature',
		'counterSignature': '1.2.840.113549.1.9.6',
		'1.2.840.113549.1.9.7': 'challengePassword',
		'challengePassword': '1.2.840.113549.1.9.7',
		'1.2.840.113549.1.9.8': 'unstructuredAddress',
		'unstructuredAddress': '1.2.840.113549.1.9.8',

		'1.2.840.113549.1.9.20': 'friendlyName',
		'friendlyName': '1.2.840.113549.1.9.20',
		'1.2.840.113549.1.9.21': 'localKeyId',
		'localKeyId': '1.2.840.113549.1.9.21',
		'1.2.840.113549.1.9.22.1': 'x509Certificate',
		'x509Certificate': '1.2.840.113549.1.9.22.1',

		// pkcs#12 safe bags
		'1.2.840.113549.1.12.10.1.1': 'keyBag',
		'keyBag': '1.2.840.113549.1.12.10.1.1',
		'1.2.840.113549.1.12.10.1.2': 'pkcs8ShroudedKeyBag',
		'pkcs8ShroudedKeyBag': '1.2.840.113549.1.12.10.1.2',
		'1.2.840.113549.1.12.10.1.3': 'certBag',
		'certBag': '1.2.840.113549.1.12.10.1.3',
		'1.2.840.113549.1.12.10.1.4': 'crlBag',
		'crlBag': '1.2.840.113549.1.12.10.1.4',
		'1.2.840.113549.1.12.10.1.5': 'secretBag',
		'secretBag': '1.2.840.113549.1.12.10.1.5',
		'1.2.840.113549.1.12.10.1.6': 'safeContentsBag',
		'safeContentsBag': '1.2.840.113549.1.12.10.1.6',

		// password-based-encryption for pkcs#12
		'1.2.840.113549.1.5.13': 'pkcs5PBES2',
		'pkcs5PBES2': '1.2.840.113549.1.5.13',
		'1.2.840.113549.1.5.12': 'pkcs5PBKDF2',
		'pkcs5PBKDF2': '1.2.840.113549.1.5.12',

		'1.2.840.113549.1.12.1.1': 'pbeWithSHAAnd128BitRC4',
		'pbeWithSHAAnd128BitRC4': '1.2.840.113549.1.12.1.1',
		'1.2.840.113549.1.12.1.2': 'pbeWithSHAAnd40BitRC4',
		'pbeWithSHAAnd40BitRC4': '1.2.840.113549.1.12.1.2',
		'1.2.840.113549.1.12.1.3': 'pbeWithSHAAnd3-KeyTripleDES-CBC',
		'pbeWithSHAAnd3-KeyTripleDES-CBC': '1.2.840.113549.1.12.1.3',
		'1.2.840.113549.1.12.1.4': 'pbeWithSHAAnd2-KeyTripleDES-CBC',
		'pbeWithSHAAnd2-KeyTripleDES-CBC': '1.2.840.113549.1.12.1.4',
		'1.2.840.113549.1.12.1.5': 'pbeWithSHAAnd128BitRC2-CBC',
		'pbeWithSHAAnd128BitRC2-CBC': '1.2.840.113549.1.12.1.5',
		'1.2.840.113549.1.12.1.6': 'pbewithSHAAnd40BitRC2-CBC',
		'pbewithSHAAnd40BitRC2-CBC': '1.2.840.113549.1.12.1.6',

		// symmetric key algorithm oids
		'1.2.840.113549.3.7': 'des-EDE3-CBC',
		'des-EDE3-CBC': '1.2.840.113549.3.7',
		'2.16.840.1.101.3.4.1.2': 'aes128-CBC',
		'aes128-CBC': '2.16.840.1.101.3.4.1.2',
		'2.16.840.1.101.3.4.1.22': 'aes192-CBC',
		'aes192-CBC': '2.16.840.1.101.3.4.1.22',
		'2.16.840.1.101.3.4.1.42': 'aes256-CBC',
		'aes256-CBC': '2.16.840.1.101.3.4.1.42',

		// certificate issuer/subject OIDs
		'2.5.4.3': 'commonName',
		'commonName': '2.5.4.3',
		'2.5.4.5': 'serialName',
		'serialName': '2.5.4.5',
		'2.5.4.6': 'countryName',
		'countryName': '2.5.4.6',
		'2.5.4.7': 'localityName',
		'localityName': '2.5.4.7',
		'2.5.4.8': 'stateOrProvinceName',
		'stateOrProvinceName': '2.5.4.8',
		'2.5.4.10': 'organizationName',
		'organizationName': '2.5.4.10',
		'2.5.4.11': 'organizationalUnitName',
		'organizationalUnitName': '2.5.4.11',

		// X.509 extension OIDs
		'2.16.840.1.113730.1.1': 'nsCertType',
		'nsCertType': '2.16.840.1.113730.1.1',
		'2.5.29.1': 'authorityKeyIdentifier', // deprecated, use .35
		'2.5.29.2': 'keyAttributes', // obsolete use .37 or .15
		'2.5.29.3': 'certificatePolicies', // deprecated, use .32
		'2.5.29.4': 'keyUsageRestriction', // obsolete use .37 or .15
		'2.5.29.5': 'policyMapping', // deprecated use .33
		'2.5.29.6': 'subtreesConstraint', // obsolete use .30
		'2.5.29.7': 'subjectAltName', // deprecated use .17
		'2.5.29.8': 'issuerAltName', // deprecated use .18
		'2.5.29.9': 'subjectDirectoryAttributes',
		'2.5.29.10': 'basicConstraints', // deprecated use .19
		'2.5.29.11': 'nameConstraints', // deprecated use .30
		'2.5.29.12': 'policyConstraints', // deprecated use .36
		'2.5.29.13': 'basicConstraints', // deprecated use .19
		'2.5.29.14': 'subjectKeyIdentifier',
		'subjectKeyIdentifier': '2.5.29.14',
		'2.5.29.15': 'keyUsage',
		'keyUsage': '2.5.29.15',
		'2.5.29.16': 'privateKeyUsagePeriod',
		'2.5.29.17': 'subjectAltName',
		'subjectAltName': '2.5.29.17',
		'2.5.29.18': 'issuerAltName',
		'issuerAltName': '2.5.29.18',
		'2.5.29.19': 'basicConstraints',
		'basicConstraints': '2.5.29.19',
		'2.5.29.20': 'cRLNumber',
		'2.5.29.21': 'cRLReason',
		'2.5.29.22': 'expirationDate',
		'2.5.29.23': 'instructionCode',
		'2.5.29.24': 'invalidityDate',
		'2.5.29.25': 'cRLDistributionPoints', // deprecated use .31
		'2.5.29.26': 'issuingDistributionPoint', // deprecated use .28
		'2.5.29.27': 'deltaCRLIndicator',
		'2.5.29.28': 'issuingDistributionPoint',
		'2.5.29.29': 'certificateIssuer',
		'2.5.29.30': 'nameConstraints',
		'2.5.29.31': 'cRLDistributionPoints',
		'2.5.29.32': 'certificatePolicies',
		'2.5.29.33': 'policyMappings',
		'2.5.29.34': 'policyConstraints', // deprecated use .36
		'2.5.29.35': 'authorityKeyIdentifier',
		'2.5.29.36': 'policyConstraints',
		'2.5.29.37': 'extKeyUsage',
		'extKeyUsage': '2.5.29.37',
		'2.5.29.46': 'freshestCRL',
		'2.5.29.54': 'inhibitAnyPolicy',

		// extKeyUsage purposes
		'1.3.6.1.5.5.7.3.1': 'serverAuth',
		'serverAuth': '1.3.6.1.5.5.7.3.1',
		'1.3.6.1.5.5.7.3.2': 'clientAuth',
		'clientAuth': '1.3.6.1.5.5.7.3.2',
		'1.3.6.1.5.5.7.3.3': 'codeSigning',
		'codeSigning': '1.3.6.1.5.5.7.3.3',
		'1.3.6.1.5.5.7.3.4': 'emailProtection',
		'emailProtection': '1.3.6.1.5.5.7.3.4',
		'1.3.6.1.5.5.7.3.8': 'timeStamping',
		'timeStamping': '1.3.6.1.5.5.7.3.8'
	},
	shortNames = {
		'CN': oids['commonName'],
		'commonName': 'CN',
		'C': oids['countryName'],
		'countryName': 'C',
		'L': oids['localityName'],
		'localityName': 'L',
		'ST': oids['stateOrProvinceName'],
		'stateOrProvinceName': 'ST',
		'O': oids['organizationName'],
		'organizationName': 'O',
		'OU': oids['organizationalUnitName'],
		'organizationalUnitName': 'OU',
		'E': oids['emailAddress'],
		'emailAddress': 'E'
	};

function pem2cert(pem) {
	var msg = decodePem(pem)[0];

	if (msg.type !== 'CERTIFICATE' && msg.type !== 'X509 CERTIFICATE' && msg.type !== 'TRUSTED CERTIFICATE') {
		throw new Error(__('Could not convert certificate from PEM; PEM header type is "%s", but must be "CERTIFICATE", "X509 CERTIFICATE", or "TRUSTED CERTIFICATE".', msg.type));
	}

	if (msg.procType && msg.procType.type === 'ENCRYPTED') {
		throw new Error(__('Could not convert certificate from PEM; PEM is encrypted.'));
	}

	return asn2cert(der2asn(new ByteStringBuffer(msg.body)));
}

function decodePem(str) {
	var rval = [],
		match, msg, lines, li, line, nl, next, header, values, vi;

	while (true) {
		match = rMessage.exec(str);
		if (!match) {
			break;
		}

		rval.push(msg = {
			type: match[1],
			procType: null,
			contentDomain: null,
			dekInfo: null,
			headers: [],
			body: Buffer.from(match[3], 'base64').toString('binary')
		});

		// no headers
		if (!match[2]) {
			continue;
		}

		// parse headers
		lines = match[2].split(rCRLF);
		for (li = 0; match && li < lines.length; ++li) {
			// get line, trim any rhs whitespace
			line = lines[li].replace(/\s+$/, '');

			// RFC2822 unfold any following folded lines
			for (nl = li + 1; nl < lines.length; ++nl) {
				next = lines[nl];
				if (!whitespaceRegExp.test(next[0])) {
					break;
				}
				line += next;
				li = nl;
			}

			// parse header
			match = line.match(rHeader);
			if (match) {
				header = {name: match[1], values: []};
				values = match[2].split(',');
				for (vi = 0; vi < values.length; ++vi) {
					header.values.push(values[vi].replace(leadingSpaceRegExp, ''));
				}

				// Proc-Type must be the first header
				if (!msg.procType) {
					if (header.name !== 'Proc-Type') {
						throw new Error(__('Invalid PEM formatted message. The first encapsulated header must be "Proc-Type".'));
					} else if (header.values.length !== 2) {
						throw new Error(__('Invalid PEM formatted message. The "Proc-Type" header must have two subfields.'));
					}
					msg.procType = { version: values[0], type: values[1] };

				// special-case Content-Domain
				} else if (!msg.contentDomain && header.name === 'Content-Domain') {
					msg.contentDomain = values[0] || '';

				// special-case DEK-Info
				} else if (!msg.dekInfo && header.name === 'DEK-Info') {
					if (header.values.length === 0) {
						throw new Error(__('Invalid PEM formatted message. The "DEK-Info" header must have at least one subfield.'));
					}
					msg.dekInfo = { algorithm: values[0], parameters: values[1] || null };
				} else {
					msg.headers.push(header);
				}
			}
		}

		if (msg.procType === 'ENCRYPTED' && !msg.dekInfo) {
			throw new Error(__('Invalid PEM formatted message. The "DEK-Info" header must be present if "Proc-Type" is "ENCRYPTED".'));
		}
	}

	if (rval.length === 0) {
		throw new Error(__('Invalid PEM formatted message.'));
	}

	return rval;
}

function ByteStringBuffer(str) {
	this.data = str;
	this.read = 0;
}

ByteStringBuffer.prototype.length = function length() {
	return this.data.length - this.read;
};

ByteStringBuffer.prototype.getByte = function getByte() {
	return this.data.charCodeAt(this.read++);
};

ByteStringBuffer.prototype.getInt = function getInt(n) {
	var rval = 0;
	do {
		rval = (rval << 8) + this.data.charCodeAt(this.read++);
		n -= 8;
	} while (n > 0);
	return rval;
};

ByteStringBuffer.prototype.bytes = function bytes(count) {
	return count === undefined ?
		this.data.slice(this.read) :
		this.data.slice(this.read, this.read + count);
};

ByteStringBuffer.prototype.getBytes = function getBytes(count) {
	var rval;
	if (count) {
		// read count bytes
		count = Math.min(this.length(), count);
		rval = this.data.slice(this.read, this.read + count);
		this.read += count;
	} else if (count === 0) {
		rval = '';
	} else {
		// read all bytes, optimize to only copy when needed
		rval = this.read === 0 ? this.data : this.data.slice(this.read);
		this.clear();
	}
	return rval;
};

ByteStringBuffer.prototype.getInt16 = function getInt16() {
	var rval = (this.data.charCodeAt(this.read) << 8 ^ this.data.charCodeAt(this.read + 1));
	this.read += 2;
	return rval;
};

ByteStringBuffer.prototype.clear = function clear() {
	this.data = '';
	this.read = 0;
	return this;
};

function der2asn(bytes) {
	// minimum length for ASN.1 DER structure is 2
	if (bytes.length() < 2) {
		throw new Error(__('Too few bytes to parse DER; expected at least 2, got %d', bytes.length()));
	}

	// get the first byte
	var b1 = bytes.getByte(),
		// get the tag class
		tagClass = (b1 & 0xC0),
		// get the type (bits 1-5)
		type = b1 & 0x1F,

		_getValueLength = function _getValueLength(b) {
			var b2 = b.getByte();
			if (b2 === 0x80) {
				return undefined;
			}

			// see if the length is "short form" or "long form" (bit 8 set)
			// if "long form", the number of bytes the length is specified in bits 7 through 1
			// and each length byte is in big-endian base-256
			return b2 & 0x80 ? b.getInt((b2 & 0x7F) << 3) : b2;
		},

		// get the value length
		length = _getValueLength(bytes),
		// prepare to get value
		value,
		// constructed flag is bit 6 (32 = 0x20) of the first byte
		constructed = ((b1 & 0x20) === 0x20),
		composed = constructed;

	// ensure there are enough bytes to get the value
	if (bytes.length() < length) {
		throw new Error(__('Too few bytes to read ASN.1 value. %d < %d', bytes.length(), length));
	}

	// determine if the value is composed of other ASN.1 objects (if its
	// constructed it will be and if its a BITSTRING it may be)
	if (!composed && tagClass === asn1Class.UNIVERSAL && type === asn1Type.BITSTRING && length > 1) {
		/* The first octet gives the number of bits by which the length of the
		bit string is less than the next multiple of eight (this is called
		the "number of unused bits").

		The second and following octets give the value of the bit string
		converted to an octet string. */

		// if there are no unused bits, maybe the bitstring holds ASN.1 objs
		var read = bytes.read,
			unused = bytes.getByte();

		if (unused === 0) {
			// if the first byte indicates UNIVERSAL or CONTEXT_SPECIFIC,
			// and the length is valid, assume we've got an ASN.1 object
			b1 = bytes.getByte();
			var tc = (b1 & 0xC0);
			if (tc === asn1Class.UNIVERSAL || tc === asn1Class.CONTEXT_SPECIFIC) {
				try {
					var len = _getValueLength(bytes);
					composed = (len === length - (bytes.read - read));
					if (composed) {
						// adjust read/length to account for unused bits byte
						++read;
						--length;
					}
				} catch(ex) {}
			}
		}
		// restore read pointer
		bytes.read = read;
	}

	if (composed) {
		// parse child asn1 objects from the value
		value = [];
		if (length === undefined) {
			// asn1 object of indefinite length, read until end tag
			for (;;) {
				if (bytes.bytes(2) === String.fromCharCode(0, 0)) {
					bytes.getBytes(2);
					break;
				}
				value.push(der2asn(bytes));
			}
		} else {
			// parsing asn1 object of definite length
			var start = bytes.length();
			while (length > 0) {
				value.push(der2asn(bytes));
				length -= start - bytes.length();
				start = bytes.length();
			}
		}
	} else {
	    // asn1 not composed, get raw value
	    // TODO: do DER to OID conversion and vice-versa in .toDer?

		if (length === undefined) {
			throw new Error(__('Non-constructed ASN.1 object of indefinite length.'));
		}

		if (type === asn1Type.BMPSTRING) {
			value = '';
			for (var i = 0; i < length; i += 2) {
				value += String.fromCharCode(bytes.getInt16());
			}
		} else {
			value = bytes.getBytes(length);
		}
	}

	return {
		tagClass: tagClass,
		type: type,
		constructed: constructed,
		composed: constructed || Array.isArray(value),
		value: Array.isArray(value) ? value.filter(function (v) { return v !== undefined; }) : value
	};
}

function asn1validate(obj, v, capture, errors) {
	var rval = false;

	// ensure tag class and type are the same if specified
	if ((obj.tagClass === v.tagClass || v.tagClass === undefined) && (obj.type === v.type || v.type === undefined)) {
		// ensure constructed flag is the same if specified
		if (obj.constructed === v.constructed || v.constructed === undefined) {
			rval = true;

			// handle sub values
			if (v.value && Array.isArray(v.value)) {
				var j = 0;
				for (var i = 0; rval && i < v.value.length; ++i) {
					rval = v.value[i].optional || false;
					if (obj.value[j]) {
						rval = asn1validate(obj.value[j], v.value[i], capture, errors);
						if (rval) {
							++j;
						} else if (v.value[i].optional) {
							rval = true;
						}
					}
					if (!rval && errors) {
						errors.push('[' + v.name + '] Tag class "' + v.tagClass + '", type "' + v.type + '" expected value length "' + v.value.length + '", got "' + obj.value.length + '"');
					}
				}
			}

			if (rval && capture) {
				if (v.capture) {
					capture[v.capture] = obj.value;
				}
				if (v.captureAsn1) {
					capture[v.captureAsn1] = obj;
				}
			}
		} else if (errors) {
			errors.push('[' + v.name + '] Expected constructed "' + v.constructed + '", got "' + obj.constructed + '"');
		}
	} else if (errors) {
		if (obj.tagClass !== v.tagClass) {
			errors.push('[' + v.name + '] Expected tag class "' + v.tagClass + '", got "' + obj.tagClass + '"');
		}
		if (obj.type !== v.type) {
			errors.push('[' + v.name + '] Expected type "' + v.type + '", got "' + obj.type + '"');
		}
	}
	return rval;
}

/**
 * Converts a UTCTime value to a date.
 *
 * Note: GeneralizedTime has 4 digits for the year and is used for X.509
 * dates passed 2049. Parsing that structure hasn't been implemented yet.
 *
 * @param utc the UTCTime value to convert.
 *
 * @return the date.
 */
function asn1utcTimeToDate(utc) {
	/*
	The following formats can be used:
		YYMMDDhhmmZ
		YYMMDDhhmm+hh'mm'
		YYMMDDhhmm-hh'mm'
		YYMMDDhhmmssZ
		YYMMDDhhmmss+hh'mm'
		YYMMDDhhmmss-hh'mm'

	Where:
		YY is the least significant two digits of the year
		MM is the month (01 to 12)
		DD is the day (01 to 31)
		hh is the hour (00 to 23)
		mm are the minutes (00 to 59)
		ss are the seconds (00 to 59)
		Z indicates that local time is GMT, + indicates that local time is
		later than GMT, and - indicates that local time is earlier than GMT
		hh' is the absolute value of the offset from GMT in hours
		mm' is the absolute value of the offset from GMT in minutes
	*/

	var date = new Date;

	// if YY >= 50 use 19xx, if YY < 50 use 20xx
	var year = parseInt(utc.substr(0, 2), 10);
	year = (year >= 50) ? 1900 + year : 2000 + year;
	var MM = parseInt(utc.substr(2, 2), 10) - 1; // use 0-11 for month
	var DD = parseInt(utc.substr(4, 2), 10);
	var hh = parseInt(utc.substr(6, 2), 10);
	var mm = parseInt(utc.substr(8, 2), 10);
	var ss = 0;

	// not just YYMMDDhhmmZ
	if (utc.length > 11) {
		// get character after minutes
		var c = utc.charAt(10);
		var end = 10;

		// see if seconds are present
		if (c !== '+' && c !== '-') {
			// get seconds
			ss = parseInt(utc.substr(10, 2), 10);
			end += 2;
		}
	}

	// update date
	date.setUTCFullYear(year, MM, DD);
	date.setUTCHours(hh, mm, ss, 0);

	if (end) {
		// get +/- after end of time
		c = utc.charAt(end);
		if (c === '+' || c === '-') {
			// get hours+minutes offset
			var hhoffset = parseInt(utc.substr(end + 1, 2), 10);
			var mmoffset = parseInt(utc.substr(end + 4, 2), 10);

			// calculate offset in milliseconds
			var offset = hhoffset * 60 + mmoffset;
			offset *= 60000;

			// apply offset
			if (c === '+') {
				date.setTime(+date - offset);
			} else {
				date.setTime(+date + offset);
			}
		}
	}

	return date;
}

/**
 * Converts a GeneralizedTime value to a date.
 *
 * @param gentime the GeneralizedTime value to convert.
 *
 * @return the date.
 */
function asn1generalizedTimeToDate(gentime) {
	/*
	The following formats can be used:
		YYYYMMDDHHMMSS
		YYYYMMDDHHMMSS.fff
		YYYYMMDDHHMMSSZ
		YYYYMMDDHHMMSS.fffZ
		YYYYMMDDHHMMSS+hh'mm'
		YYYYMMDDHHMMSS.fff+hh'mm'
		YYYYMMDDHHMMSS-hh'mm'
		YYYYMMDDHHMMSS.fff-hh'mm'

	Where:
		YYYY is the year
		MM is the month (01 to 12)
		DD is the day (01 to 31)
		hh is the hour (00 to 23)
		mm are the minutes (00 to 59)
		ss are the seconds (00 to 59)
		.fff is the second fraction, accurate to three decimal places
		Z indicates that local time is GMT, + indicates that local time is
		later than GMT, and - indicates that local time is earlier than GMT
		hh' is the absolute value of the offset from GMT in hours
		mm' is the absolute value of the offset from GMT in minutes
	*/

	var date = new Date,
		YYYY = parseInt(gentime.substr(0, 4), 10),
		MM = parseInt(gentime.substr(4, 2), 10) - 1, // use 0-11 for month
		DD = parseInt(gentime.substr(6, 2), 10),
		hh = parseInt(gentime.substr(8, 2), 10),
		mm = parseInt(gentime.substr(10, 2), 10),
		ss = parseInt(gentime.substr(12, 2), 10),
		fff = 0,
		offset = 0,
		isUTC = false;

	if (gentime.charAt(gentime.length - 1) === 'Z') {
		isUTC = true;
	}

	var end = gentime.length - 5,
		c = gentime.charAt(end);

	if (c === '+' || c === '-') {
		// get hours+minutes offset
		var hhoffset = parseInt(gentime.substr(end + 1, 2), 10);
		var mmoffset = parseInt(gentime.substr(end + 4, 2), 10);

		// calculate offset in milliseconds
		offset = hhoffset * 60 + mmoffset;
		offset *= 60000;

		// apply offset
		if(c === '+') {
			offset *= -1;
		}

		isUTC = true;
	}

	// check for second fraction
	if(gentime.charAt(14) === '.') {
		fff = parseFloat(gentime.substr(14), 10) * 1000;
	}

	if(isUTC) {
		date.setUTCFullYear(YYYY, MM, DD);
		date.setUTCHours(hh, mm, ss, fff);

		// apply offset
		date.setTime(+date + offset);
	} else {
		date.setFullYear(YYYY, MM, DD);
		date.setHours(hh, mm, ss, fff);
	}

	return date;
}

/**
 * Converts a DER-encoded byte buffer to an OID dot-separated string. The
 * byte buffer should contain only the DER-encoded value, not any tag or
 * length bytes.
 *
 * @param bytes the byte buffer.
 *
 * @return the OID dot-separated string.
 */
function asn1derToOid(bytes) {
	var oid;

	// wrap in buffer if needed
	if (typeof bytes === 'string') {
		bytes = new ByteStringBuffer(bytes);
	}

	// first byte is 40 * value1 + value2
	var b = bytes.getByte();
	oid = Math.floor(b / 40) + '.' + (b % 40);

	// other bytes are each value in base 128 with 8th bit set except for
	// the last byte for each value
	var value = 0;
	while (bytes.length() > 0) {
		b = bytes.getByte();
		value = value << 7;
		// not the last byte for the value
		if (b & 0x80) {
			value += b & 0x7F;
		} else {
			// last byte
			oid += '.' + (value + b);
			value = 0;
		}
	}

	return oid;
}

/**
 * Converts an RDNSequence of ASN.1 DER-encoded RelativeDistinguishedName
 * sets into an array with objects that have type and value properties.
 *
 * @param rdn the RDNSequence to convert.
 * @param md a message digest to append type and value to if provided.
 */
function pkiRDNAttributesAsArray(rdn, md) {
	// each value in 'rdn' in is a SET of RelativeDistinguishedName
	var rval = [],
		si, i, set, attr, obj;
	for (si = 0; si < rdn.value.length; ++si) {
		// get the RelativeDistinguishedName set
		set = rdn.value[si];

		// each value in the SET is an AttributeTypeAndValue sequence
		// containing first a type (an OID) and second a value (defined by
		// the OID)
		for (i = 0; i < set.value.length; ++i) {
			obj = {};
			attr = set.value[i];
			obj.type = asn1derToOid(attr.value[0].value);
			obj.value = attr.value[1].value;
			obj.valueTagClass = attr.value[1].type;
			// if the OID is known, get its name and short name
			if (obj.type in oids) {
				obj.name = oids[obj.type];
				if (obj.name in shortNames) {
					obj.shortName = shortNames[obj.name];
				}
			}
			if (md) {
				md.update(obj.type);
				md.update(obj.value);
			}
			rval.push(obj);
		}
	}

	return rval;
}

function asn2cert(obj) {
	// validate certificate and capture data
	var capture = {},
		errors = [];

	if (!asn1validate(obj, x509CertificateValidator, capture, errors)) {
		var error = new Error(__('Cannot read X.509 certificate. ASN.1 object is not an X509v3 Certificate.'));
		error.errors = errors;
		throw error;
	}

	function _getAttribute(obj, options) {
		if (typeof options === 'string') {
			options = { shortName: options };
		}
		var rval = null,
			attr;
		for (var i = 0; rval === null && i < obj.attributes.length; ++i) {
			attr = obj.attributes[i];
			if (options.type && options.type === attr.type) {
				rval = attr;
			} else if (options.name && options.name === attr.name) {
				rval = attr;
			} else if (options.shortName && options.shortName === attr.shortName) {
				rval = attr;
			}
		}
		return rval;
	}

	var subject = {
			attributes: pkiRDNAttributesAsArray(capture.certSubject),
			getField: function (sn) {
				return _getAttribute(subject, sn);
			}
		},
		validity = [];

	if (capture.certValidity1UTCTime !== undefined) {
		validity.push(asn1utcTimeToDate(capture.certValidity1UTCTime));
	}
	if (capture.certValidity2GeneralizedTime !== undefined) {
		validity.push(asn1generalizedTimeToDate(capture.certValidity2GeneralizedTime));
	}
	if (capture.certValidity3UTCTime !== undefined) {
		validity.push(asn1utcTimeToDate(capture.certValidity3UTCTime));
	}
	if (capture.certValidity4GeneralizedTime !== undefined) {
		validity.push(asn1generalizedTimeToDate(capture.certValidity4GeneralizedTime));
	}
	if (validity.length > 2) {
		throw new Error(__('Cannot read notBefore/notAfter validity times; more than two times were provided in the certificate.'));
	}
	if (validity.length < 2) {
		throw new Error(__('Cannot read notBefore/notAfter validity times; they were not provided as either UTCTime or GeneralizedTime.'));
	}

	return {
		validity: {
			notBefore: validity[0],
			notAfter: validity[1]
		},
		subject: subject
	};
}

/*
 * If the app exits, close all filesystem watchers.
 */
process.on('exit', function () {
	if (watchTimer) {
		clearTimeout(watchTimer);
		watchTimer = null;
	}
});