Example for validating a certificate chain

[csuermann]

@peculiar/x509 is an easy to use TypeScript/Javascript library based on @peculiar/asn1-schema that makes generating X.509 Certificates and Certificate Requests as well as validating certificate chains easy.

I would like to check whether a given x.509 certificate has been signed by a known root certificate (CA). Can this library be used for that?

[rmhrisk]

Yes

https://github.com/PeculiarVentures/x509#build-a-certificate-chain

[microshine]

Current version doesn't check certificate revocations.

You can use current API for path building. And check by yourself that the last cert in chain is trusted

const chain = new x509.X509ChainBuilder({
  certificates: certs,
});
const items = await chain.build(cert);

We are going to extend current API for chain validation described in RFC5280

[OR13]

Could use some better examples of this, ideally a simple 2 layer example.

[microshine]

Example

import * as x509 from "@peculiar/x509";

// Read certificates
const rootCert = new x509.X509Certificate(rootRaw);
const ca1Cert = new x509.X509Certificate(ca1Raw);
const ca2Cert = new x509.X509Certificate(ca2Raw);
const ca3Cert = new x509.X509Certificate(ca3Raw);
// ...
const leafCert = new x509.X509Certificate(leafRaw);

// Build chain
const certificates = [ca3Cert, ca2Cert, ca1Cert, /* ... */, rootCert];
const chain = new x509.X509ChainBuilder({
  certificates,
});
const items = await chain.build(leafCert);

// Print chain
for (const cert of items) {
  console.log(cert.subject);
}
console.log(items.toString("pem-chain"));

Output

CN=Client #1
CN=Intermediate CA #1.1.1
CN=Intermediate CA #1.1
CN=Intermediate CA #1
CN=Root CA

-----BEGIN CERTIFICATE-----
MIIC8jCCAdqgAwIBAgIBATANBgkqhkiG9w0BAQsFADAhMR8wHQYDVQQDExZJbnRl
...
5L4AqKQK14RU+4lFO5qhlaVSQd0PbWZoE1VOQG/5Chi8zxgMzus=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIC/TCCAeWgAwIBAgIBATANBgkqhkiG9w0BAQsFADAfMR0wGwYDVQQDExRJbnRl
...
76pvUKAWXKUUPCebfTawHY9q1ASQEsnCIHtQ4/WFlSdFbns2vxrKR1y5EpNanpn7
SA==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIC+TCCAeGgAwIBAgIBATANBgkqhkiG9w0BAQsFADAdMRswGQYDVQQDExJJbnRl
...
LsK2eGf1WtuvsrNUjmBie9/N+KpClRycBl2uRnOJMB/hb2IYJJXVIu8xsQJL
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIC7DCCAdSgAwIBAgIBATANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDEwdSb290
...
NEubGPJVpBz7zftQ1SbxWPjTXYF2f6QdwpPZ1wwPigg=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIICwDCCAaigAwIBAgIBATANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDEwdSb290
...
CtFu2HdSv7/M1NcNnueecn6B4YUCY4mueTXVsV9JJKM1T8XU
-----END CERTIFICATE-----

[OR13]

Thank you!

I was able to figure it out after I left this comment, but your code is probably better for future readers than mine would have been.

I suggest closing this issue.