1import { randomBytes } from 'node:crypto';
2import { writeFileSync } from 'node:fs';
3import { x509, webcrypto, RSA_ALGORITHM, AGENT_CERT_VALIDITY_YEARS, } from './crypto-provider.js';
4import { MacfError } from '../errors.js';
/**
 * Error raised by the agent-certificate helpers in this module (PEM shape
 * problems and the like). Carries the fixed MacfError code 'AGENT_CERT_ERROR'
 * so callers can match on `err.code`/`err.name` rather than on message text.
 */
export class AgentCertError extends MacfError {
  /**
   * @param {string} message - Human-readable description of the failure;
   *   must not contain key material.
   */
  constructor(message) {
    super('AGENT_CERT_ERROR', message);
    // Set explicitly so `err.name` identifies this subclass in logs and
    // `instanceof`-free checks.
    this.name = 'AgentCertError';
  }
}
/**
 * Render DER bytes as a PEM "PRIVATE KEY" block (RFC 7468 layout: base64
 * body folded at 64 columns, one trailing newline). The label is the one
 * `importPrivateKey` in this module accepts, so the two round-trip.
 *
 * The returned string is secret key material. Callers that persist it
 * (this module imports `writeFileSync`) should use a restrictive file
 * mode — nothing here enforces that. NOTE(review): confirm at the call site.
 *
 * @param {ArrayBuffer|Uint8Array|Buffer} exported - DER bytes, e.g. the
 *   result of `subtle.exportKey('pkcs8', …)`
 * @returns {string} PEM text
 */
function exportKeyToPem(exported) {
  const base64 = Buffer.from(exported).toString('base64');
  const folded = [];
  for (let offset = 0; offset < base64.length; offset += 64) {
    folded.push(base64.slice(offset, offset + 64));
  }
  return `-----BEGIN PRIVATE KEY-----\n${folded.join('\n')}\n-----END PRIVATE KEY-----\n`;
}
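/**
 * Import a PEM private key into a WebCrypto CryptoKey for signing.
 *
 * Return type was `Promise<unknown>` historically — DOM CryptoKey types
 * weren't exposed via @types/node < v25. Since @types/node v25 (#17 /
 * PR #130) CryptoKey is resolvable from `globalThis`, so we return
 * the precise type instead of laundering through `unknown` at each
 * call site.
 *
 * Rejects input that contains zero or multiple BEGIN/END marker pairs
 * (e.g. two keys accidentally concatenated) — ultrareview finding H4.
 * Without this shape check, `webcrypto.subtle.importKey` would be
 * handed a concatenated base64 blob and throw a generic DataError,
 * which propagates upstream with no hint that the input file itself
 * is malformed. The same reasoning covers a non-string argument, an
 * END marker that precedes the BEGIN marker, and an empty or
 * non-base64 body, all of which are now reported as AgentCertError
 * before the decoder sees them.
 *
 * Only the PKCS#8 "PRIVATE KEY" label is accepted; PKCS#1
 * "RSA PRIVATE KEY" or encrypted blocks fail the marker check. Only the
 * text between the two markers is decoded. Error messages deliberately
 * never echo the PEM contents.
 *
 * @param {string} keyPem - PEM text holding exactly one PKCS#8 block
 * @returns {Promise<CryptoKey>} non-extractable key with usage `['sign']`
 * @throws {AgentCertError} when the PEM shape is wrong; rejections from
 *   `importKey` itself (a syntactically fine body that is not a valid key)
 *   propagate unchanged
 */
export async function importPrivateKey(keyPem) {
  if (typeof keyPem !== 'string') {
    throw new AgentCertError(`Malformed private key PEM: expected a string, got ${typeof keyPem}`);
  }
  const beginMarker = '-----BEGIN PRIVATE KEY-----';
  const endMarker = '-----END PRIVATE KEY-----';
  // `split(marker).length - 1` counts occurrences without a stateful /g regex.
  const beginCount = keyPem.split(beginMarker).length - 1;
  const endCount = keyPem.split(endMarker).length - 1;
  if (beginCount !== 1) {
    throw new AgentCertError(`Malformed private key PEM: expected exactly one BEGIN marker, got ${beginCount}`);
  }
  if (endCount !== 1) {
    throw new AgentCertError(`Malformed private key PEM: expected exactly one END marker, got ${endCount}`);
  }
  const beginIndex = keyPem.indexOf(beginMarker);
  const endIndex = keyPem.indexOf(endMarker);
  if (endIndex < beginIndex) {
    throw new AgentCertError('Malformed private key PEM: END marker precedes BEGIN marker');
  }
  // Decode only what lies between the markers: explanatory text outside them
  // (permitted by RFC 7468) must not be fed to the decoder.
  const body = keyPem.slice(beginIndex + beginMarker.length, endIndex).replace(/\s+/g, '');
  // Buffer's base64 decoding is lenient, so a garbage body would otherwise
  // surface only as a generic DataError from importKey.
  if (body.length === 0 || !/^[A-Za-z0-9+/]+={0,2}$/.test(body)) {
    throw new AgentCertError('Malformed private key PEM: body between markers is empty or not base64');
  }
  const der = Buffer.from(body, 'base64');
  // extractable=false with the single usage 'sign': the key can sign but
  // cannot be re-exported through WebCrypto.
  return webcrypto.subtle.importKey('pkcs8', der, RSA_ALGORITHM, false, ['sign']);
}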
/**
 * Classify a host string as an IP or DNS name for SubjectAlternativeName
 * entries. Shape-only check (matches `999.999.999.999` too — cert
 * generation doesn't validate octet ranges, and we'd rather keep the
 * classifier forgiving than have it silently misclassify a typo'd IP
 * as DNS). IPv6 not handled here; add `:` detection + `[]` URL-wrapping
 * when there's an actual ask.
 *
 * No validation is done on the DNS branch either: whatever does not look
 * like dotted-quad is passed through unchanged, so a host taken from
 * untrusted input should be validated before it reaches this point.
 *
 * @param {string} host - hostname or dotted-quad IPv4 literal
 * @returns {{ type: 'ip' | 'dns', value: string }} SAN entry descriptor
 */
function hostToSan(host) {
  // `\d` without the `u` flag is ASCII-only, so only [0-9] counts as an octet.
  if (/^(?:\d{1,3}\.){3}\d{1,3}$/.test(host)) {
    return { type: 'ip', value: host };
  }
  return { type: 'dns', value: host };
}