node.js, serverless-framework, pki, csr, node-forge

How can I extract the SANs inside a .csr file in node.js (Serverless Framework)?


Using Serverless Framework with node.js, I need to read information inside a .csr file received via http POST. Using the node-forge module, and with the following code, I was able to extract the different information that composes the certificate signing request:

const forge = require('node-forge');
...
var csr = forge.pki.certificationRequestFromPem(cert);
console.log(csr.subject.attributes)

if(csr.subject.getField('CN'))
  var CN = csr.subject.getField('CN').value

if(csr.subject.getField('SAN'))
  var SAN = csr.subject.getField('SAN').value

if(csr.subject.getField('O'))
  var O = csr.subject.getField('O').value

if(csr.subject.getField('OU'))
  var OU = csr.subject.getField('OU').value

if(csr.subject.getField('C'))
  var C = csr.subject.getField('C').value

if(csr.subject.getField('ST'))
  var S = csr.subject.getField('ST').value

if(csr.subject.getField('L'))
  var L = csr.subject.getField('L').value

if(csr.subject.getField('E'))
  var E = csr.subject.getField('E').value

What I need right now is to also extract the SANs of the CSR if they exist. The problem is that after inspecting the x509.js file ("Javascript implementation of X.509 and related components (such as Certification Signing Requests) of a Public Key Infrastructure") that comes with the module, I do not think there is a way to extract the SANs:

// short name OID mappings
var _shortNames = {};
_shortNames['CN'] = oids['commonName'];
_shortNames['commonName'] = 'CN';
_shortNames['C'] = oids['countryName'];
_shortNames['countryName'] = 'C';
_shortNames['L'] = oids['localityName'];
_shortNames['localityName'] = 'L';
_shortNames['ST'] = oids['stateOrProvinceName'];
_shortNames['stateOrProvinceName'] = 'ST';
_shortNames['O'] = oids['organizationName'];
_shortNames['organizationName'] = 'O';
_shortNames['OU'] = oids['organizationalUnitName'];
_shortNames['organizationalUnitName'] = 'OU';
_shortNames['E'] = oids['emailAddress'];
_shortNames['emailAddress'] = 'E';

Am I using a deprecated module or old version? Is there a way for me to achieve this and I'm simply using the incorrect stuff inside node-forge?

Please let me know if anyone had a similar problem or was able to overcome this issue. Regards


Solution

  • So, I was able to solve this with the following code:

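    var csr = forge.pki.certificationRequestFromPem(cert);
    var extReq = csr.attributes.find(t=>t.name === 'extensionRequest'); // undefined if the CSR has no extension request
    var sanExt = extReq && extReq.extensions.find(t=>t.name === 'subjectAltName');
    var altNames = sanExt ? sanExt.altNames : []; // empty when no SANs were requested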

    I created a dummy certificate with SANs and apparently node-forge extracts that information and places them inside extensionRequest -> subjectAltNames. I have these hardcoded since I'm assuming these attribute names will not change, but I can't be 100% sure about it.

    Hope this helps someone who might have gone through this issue. Thank you.
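
A more defensive version of the lookup in the answer above, as an added example that is not part of the original post or of node-forge: it returns empty lists when the CSR carries no SANs, groups entries by GeneralName type, and checks the CSR's self-signature before its contents are trusted. The names `extractSans`, `sansFromPem` and `sampleCsr` are hypothetical, and the sample object is constructed to mimic the shape node-forge produces.

```javascript
'use strict';

// GeneralName tag numbers (RFC 5280) that node-forge reports in altName.type.
const GENERAL_NAME_TYPES = { 1: 'email', 2: 'dns', 6: 'uri', 7: 'ip' };

// Takes the object returned by forge.pki.certificationRequestFromPem() and
// returns the requested SANs grouped by kind. A CSR with no extensionRequest
// attribute, or no subjectAltName extension, yields empty lists, not a TypeError.
function extractSans(csr) {
  const sans = { email: [], dns: [], uri: [], ip: [], other: [] };
  const attr = (csr.attributes || []).find((a) => a.name === 'extensionRequest');
  const ext = ((attr && attr.extensions) || []).find((e) => e.name === 'subjectAltName');
  for (const alt of (ext && ext.altNames) || []) {
    const kind = GENERAL_NAME_TYPES[alt.type];
    if (kind === 'ip') {
      // forge decodes the raw address bytes into alt.ip; alt.value stays binary.
      sans.ip.push(alt.ip);
    } else if (kind) {
      sans[kind].push(alt.value);
    } else {
      sans.other.push({ type: alt.type }); // kept so a caller can reject unknown types
    }
  }
  return sans;
}

// Parse a PEM CSR, check its self-signature, then read the SANs.
function sansFromPem(pem) {
  const forge = require('node-forge'); // loaded here so extractSans() has no dependency
  const csr = forge.pki.certificationRequestFromPem(pem);
  if (!csr.verify()) throw new Error('CSR signature does not verify');
  return extractSans(csr);
}

// Constructed sample: an object shaped like forge's parsed CSR (not real parser output).
const sampleCsr = {
  attributes: [{
    name: 'extensionRequest',
    extensions: [{
      name: 'subjectAltName',
      altNames: [
        { type: 2, value: 'www.example.test' },
        { type: 7, value: '\xc0\x00\x02\x0a', ip: '192.0.2.10' },
        { type: 0, value: [] },
      ],
    }],
  }],
};
console.log(extractSans(sampleCsr));
console.log(extractSans({ attributes: [] }));
```

A service that signs what it receives should compare every returned name against what the requester is allowed to ask for, and refuse a CSR whose `other` list is not empty.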