micro509/pkcs
PKCS container APIs: PFX/PKCS#12 and PKCS#7/CMS.
Owns PFX archive creation and parsing, PKCS#7 certificate bags and SignedData, and PKCS#12 MAC integrity helpers.
CreatePfxErrorCode
Caller-correctable failure code from createPfx.
The only parse boundary in creation is the certificate source: it is normalized from untrusted PEM/DER. Private keys are either a WebCrypto CryptoKey (platform errors stay throws) or raw PKCS#8 bytes passed through unvalidated, so there is no distinct invalid_private_key failure to model.
type CreatePfxErrorCode = invalid_certificateCreatePfxFailure
Error payload for a failed PFX creation.
interface CreatePfxFailure extends Micro509Error<CreatePfxErrorCode> {
readonly ok: false;
}Properties
readonlyok:false— Alwaysfalsefor failures.
CreatePfxInput
Input for createPfx.
interface CreatePfxInput {
readonly certificates?: readonly PfxCertificateBagInput[];
readonly privateKeys?: readonly PfxPrivateKeyBagInput[];
readonly encryption?: PfxEncryptionOptions;
readonly mac?: Pkcs12MacOptions;
}Properties
readonlycertificates?:readonlyPfxCertificateBagInput[]— Certificates to include as certBag entries.readonlyprivateKeys?:readonlyPfxPrivateKeyBagInput[]— Private keys to include as keyBag entries.readonlyencryption?:PfxEncryptionOptions— PBES2 encryption settings for the key-bag ContentInfo. Omit for unencrypted.readonlymac?:Pkcs12MacOptions— PKCS#12 MAC integrity settings. Omit to skip MAC generation.
CreatePfxResult
Success-or-failure result from createPfx.
type CreatePfxResult = {
readonly ok: true;
readonly value: PfxMaterial
} | ErrorResult<CreatePfxErrorCode, Record<never, never>, CreatePfxFailure>ParsedPfx
Fully decoded PFX container returned by parsePfxDer / parsePfxPem.
interface ParsedPfx {
readonly bags: readonly ParsedPfxBag[];
readonly certificates: readonly ParsedCertificate[];
readonly privateKeys: readonly Uint8Array[];
readonly macData?: ParsedPkcs12MacData;
}Properties
readonlybags:readonlyParsedPfxBag[]— All SafeBags in the PFX, including unknown types.readonlycertificates:readonlyParsedCertificate[]— Convenience: only the parsed certificates extracted from certBag entries.readonlyprivateKeys:readonlyUint8Array``[]— Convenience: raw PKCS#8 DER of each private key extracted from keyBag entries.readonlymacData?:ParsedPkcs12MacData— MAC verification metadata, present when the PFX includes a MacData block.
ParsedPfxAttribute
A single PKCS#12 bag attribute as decoded by parsePfxDer.
interface ParsedPfxAttribute {
readonly oid: string;
readonly valuesHex: readonly string[];
}Properties
readonlyoid:string— Dotted-decimal OID identifying this attribute type.readonlyvaluesHex:readonlystring``[]— Hex-encoded DER of each attribute value.
ParsedPfxBag
Discriminated union of SafeBag types decoded from a PFX container.
Use kind to narrow: 'certificate' | 'privateKey' | 'unknown'.
type ParsedPfxBag = {
readonly kind: certificate;
readonly bagId: string;
readonly attributes: ParsedPfxBagAttributes;
readonly certificate: ParsedCertificate
} | {
readonly kind: privateKey;
readonly bagId: string;
readonly attributes: ParsedPfxBagAttributes;
readonly pkcs8Der: Uint8Array
} | {
readonly kind: unknown;
readonly bagId: string;
readonly attributes: ParsedPfxBagAttributes;
readonly valueDer: Uint8Array
}ParsedPfxBagAttributes
Decoded bag attributes for a single SafeBag inside a PFX.
interface ParsedPfxBagAttributes {
readonly entries: readonly ParsedPfxAttribute[];
readonly friendlyName?: string;
readonly localKeyId?: string;
}Properties
readonlyentries:readonlyParsedPfxAttribute[]— All raw attributes as OID + hex-encoded values.readonlyfriendlyName?:string— Decoded BMPString friendly-name attribute, if present.readonlylocalKeyId?:string— Hex-encoded localKeyId attribute, if present.
ParsePfxErrorCode
Error codes returned by parsePfxDer and parsePfxPem.
type ParsePfxErrorCode = malformed | invalid_password | password_requiredParsePfxFailure
Error payload for a failed PFX parse.
interface ParsePfxFailure extends Micro509Error<ParsePfxErrorCode> {
readonly ok: false;
}Properties
readonlyok:false— Alwaysfalsefor failures.
ParsePfxOptions
Options for parsePfxDer and parsePfxPem.
interface ParsePfxOptions {
readonly password?: string;
readonly macPassword?: string;
}Properties
readonlypassword?:string— Password used to decrypt PBES2-encrypted ContentInfo entries. Also used for MAC verification whenmacPasswordis omitted.readonlymacPassword?:string— Separate password for MAC verification. Falls back topasswordwhen omitted.
ParsePfxResult
Success-or-failure result from parsePfxDer / parsePfxPem.
type ParsePfxResult = {
readonly ok: true;
readonly value: ParsedPfx
} | ErrorResult<ParsePfxErrorCode, Record<never, never>, ParsePfxFailure>PfxBagAttributesInput
Optional metadata attached to a certificate or key bag inside a PFX.
interface PfxBagAttributesInput {
readonly friendlyName?: string;
readonly localKeyId?: Uint8Array;
}Properties
readonlyfriendlyName?:string— Human-readable label stored as a BMPString attribute.readonlylocalKeyId?:Uint8Array— Opaque identifier linking a certificate bag to its corresponding key bag.
PfxCertificateBagInput
A certificate to embed in a PFX container. Input for createPfx.
interface PfxCertificateBagInput {
readonly certificate: PfxCertificateSource;
readonly attributes?: PfxBagAttributesInput;
}Properties
readonlycertificate:PfxCertificateSource— Certificate as PEM text or DER bytes.readonlyattributes?:PfxBagAttributesInput— Optional bag-level attributes (friendly name, local key ID).
PfxCertificateSource
PEM string or DER bytes for a certificate to include in a PFX bag.
type PfxCertificateSource = string | Uint8Array | ParsedCertificatePfxEncryptionOptions
PBES2 encryption settings for PFX key-bag protection. Alias of EncryptedPkcs8Options.
type PfxEncryptionOptions = EncryptedPkcs8OptionsPfxMaterial
DER, PEM, and base64 encodings of a PFX container produced by createPfx.
interface PfxMaterial {
readonly der: Uint8Array;
readonly pem: string;
readonly base64: string;
}Properties
readonlyder:Uint8Array— Raw DER-encoded PFX bytes.readonlypem:string— PEM-armored PFX (-----BEGIN PKCS12-----).readonlybase64:string— Base64-encoded DER (no PEM armor).
PfxPrivateKeyBagInput
A private key to embed in a PFX container. Input for createPfx.
interface PfxPrivateKeyBagInput {
readonly privateKey: PfxPrivateKeySource;
readonly attributes?: PfxBagAttributesInput;
}Properties
readonlyprivateKey:PfxPrivateKeySource— Private key as a WebCryptoCryptoKeyor raw PKCS#8 DER bytes.readonlyattributes?:PfxBagAttributesInput— Optional bag-level attributes (friendly name, local key ID).
PfxPrivateKeySource
A WebCrypto private key or raw PKCS#8 DER bytes for a PFX key bag.
type PfxPrivateKeySource = CryptoKey | Uint8ArraycreatePfx
Builds a PKCS#12/PFX archive containing certificates and/or private keys.
When encryption is provided, the key-bag ContentInfo is PBES2-encrypted. When mac is provided, a PKCS#12 MAC integrity block is appended.
Returns a CreatePfxResult: the container material on success, or a typed invalid_certificate failure when a certificate source is not a single PEM/DER certificate.
function createPfx(
input: CreatePfxInput,
): Promise<CreatePfxResult>Parameters
input:CreatePfxInput
Examples
import { createPfx, unwrap } from 'micro509';
const result = await createPfx({
certificates: [{ certificate: certPem }],
privateKeys: [{ privateKey: keyPair.privateKey }],
encryption: { password: 's3cret' },
mac: { password: 's3cret' },
});
if (result.ok) {
const pfx = result.value; // pfx.der, pfx.pem, pfx.base64
}
// or, when inputs are already validated: const pfx = unwrap(result);parsePfxDer
Decodes a DER-encoded PKCS#12/PFX container into its constituent bags.
Returns a result union — check ok before accessing value. Encrypted containers require options.password. MAC verification uses options.macPassword (falls back to options.password).
function parsePfxDer(
der: Uint8Array,
options?: ParsePfxOptions,
): Promise<ParsePfxResult>Parameters
der:Uint8Arrayoptions?:ParsePfxOptions
Examples
import { parsePfxDer } from 'micro509';
const result = await parsePfxDer(pfxBytes, { password: 's3cret' });
if (result.ok) {
console.log(result.value.certificates.length);
}parsePfxPem
Decodes a PEM-armored PKCS#12/PFX container. Expects exactly one PKCS12 block.
Delegates to parsePfxDer after PEM decoding.
function parsePfxPem(
pem: string,
options?: ParsePfxOptions,
): Promise<ParsePfxResult>Parameters
pem:stringoptions?:ParsePfxOptions
Examples
import { parsePfxPem } from 'micro509';
const result = await parsePfxPem(pfxPemString, { password: 's3cret' });
if (result.ok) {
console.log(result.value.privateKeys.length);
}CreatePkcs7CertBagErrorCode
Caller-correctable failure code from createPkcs7CertBag.
type CreatePkcs7CertBagErrorCode = invalid_certificateCreatePkcs7CertBagFailure
Error payload for a failed PKCS#7 certificate bag creation.
interface CreatePkcs7CertBagFailure extends Micro509Error<CreatePkcs7CertBagErrorCode> {
readonly ok: false;
}Properties
readonlyok:false— Alwaysfalsefor failures.
CreatePkcs7CertBagResult
Success-or-failure result from createPkcs7CertBag.
type CreatePkcs7CertBagResult = {
readonly ok: true;
readonly value: Pkcs7CertBagMaterial
} | ErrorResult<CreatePkcs7CertBagErrorCode, Record<never, never>, CreatePkcs7CertBagFailure>CreatePkcs7SignedDataErrorCode
Caller-correctable failure codes from createPkcs7SignedData.
type CreatePkcs7SignedDataErrorCode = no_signers | invalid_signer_certificate | invalid_certificate | unsupported_signer_keyCreatePkcs7SignedDataFailure
Error payload for a failed PKCS#7 SignedData creation.
interface CreatePkcs7SignedDataFailure extends Micro509Error<CreatePkcs7SignedDataErrorCode> {
readonly ok: false;
}Properties
readonlyok:false— Alwaysfalsefor failures.
CreatePkcs7SignedDataInput
Input for createPkcs7SignedData.
interface CreatePkcs7SignedDataInput {
readonly content: Uint8Array;
readonly signers: readonly Pkcs7Signer[];
readonly additionalCertificates?: readonly Pkcs7CertificateSource[];
readonly encapsulatedContentTypeOid?: string;
readonly detached?: boolean;
}Properties
readonlycontent:Uint8Array— Content to encapsulate and sign (the eContent).readonlysigners:readonlyPkcs7Signer[]— One or more signers. Each produces a SignerInfo with signed attributes.readonlyadditionalCertificates?:readonlyPkcs7CertificateSource[]— Additional certificates to embed (e.g. intermediates). Signer certificates are always embedded; duplicate DER is removed.readonlyencapsulatedContentTypeOid?:string— Encapsulated content type OID.readonlydetached?:boolean— OmiteContentfromencapContentInfo(RFC 5652 Section 5.2 detached form). The signature still coverscontentvia the messageDigest signed attribute, but the bytes are not embedded — the verifier must supply them externally (e.g. git x509 commit signing, S/MIME detached signatures).
CreatePkcs7SignedDataResult
Success-or-failure result from createPkcs7SignedData.
type CreatePkcs7SignedDataResult = {
readonly ok: true;
readonly value: Pkcs7SignedDataMaterial
} | ErrorResult<CreatePkcs7SignedDataErrorCode, Record<never, never>, CreatePkcs7SignedDataFailure>ParsedPkcs7SignedData
Decoded PKCS#7 SignedData content, including certificates and signer info.
interface ParsedPkcs7SignedData {
readonly der?: Uint8Array;
readonly contentTypeOid: string;
readonly version: number;
readonly digestAlgorithmOids: readonly string[];
readonly digestAlgorithmNames: readonly string[];
readonly encapsulatedContentTypeOid: string;
readonly encapsulatedContent?: Uint8Array;
readonly certificates: readonly ParsedCertificate[];
readonly signerInfos: readonly ParsedPkcs7SignerInfo[];
}Properties
readonlyder?:Uint8Array— Original DER bytes when this object came fromparsePkcs7SignedDataDeror PEM parsing.readonlycontentTypeOid:string— Outer ContentInfo type OID (alwayspkcs7-signedData).readonlyversion:number— SignedData version number.readonlydigestAlgorithmOids:readonlystring``[]— OIDs of digest algorithms declared indigestAlgorithms.readonlydigestAlgorithmNames:readonlystring``[]— Human-readable digest algorithm names declared indigestAlgorithms.readonlyencapsulatedContentTypeOid:string— OID of the encapsulated content type (e.g.pkcs7-data).readonlyencapsulatedContent?:Uint8Array— Raw encapsulated content bytes. Absent in degenerate (certs-only) bags.readonlycertificates:readonlyParsedCertificate[]— Certificates included in the SignedData certificate set.readonlysignerInfos:readonlyParsedPkcs7SignerInfo[]— Decoded signer info entries. Empty for degenerate cert bags.
ParsedPkcs7SignerInfo
A single SignerInfo decoded from a PKCS#7 SignedData structure.
Discriminated on hasSignedAttrs: when true, signedAttrsDer is always present; when false, it cannot exist.
type ParsedPkcs7SignerInfo = (ParsedPkcs7SignerInfoBase & {
readonly hasSignedAttrs: true;
readonly signedAttrsDer: Uint8Array
}) | (ParsedPkcs7SignerInfoBase & {
readonly hasSignedAttrs: false;
readonly signedAttrsDer?: undefined
})ParsedPkcs7SignerInfoBase
Fields shared by every decoded SignerInfo, regardless of signed-attribute presence.
interface ParsedPkcs7SignerInfoBase {
readonly version: number;
readonly issuer?: ParsedName;
readonly serialNumberHex?: string;
readonly subjectKeyIdentifier?: string;
readonly digestAlgorithmOid: string;
readonly digestAlgorithmName: string;
readonly signatureAlgorithmOid: string;
readonly signatureAlgorithmName: string;
readonly signatureAlgorithmParametersDer?: Uint8Array;
readonly signatureHex: string;
readonly signature: Uint8Array;
}Properties
readonlyversion:number— CMS SignerInfo version (typically 1 for issuerAndSerialNumber).readonlyissuer?:ParsedName— Parsed issuer distinguished name, if present (issuerAndSerialNumber signer identifier).readonlyserialNumberHex?:string— Hex-encoded serial number used to locate the signer certificate, if present.readonlysubjectKeyIdentifier?:string— Hex-encoded SubjectKeyIdentifier used to locate the signer certificate, if present.readonlydigestAlgorithmOid:string— OID of the digest algorithm used to hash the content.readonlydigestAlgorithmName:string— Human-readable digest algorithm name (e.g."SHA-256").readonlysignatureAlgorithmOid:string— OID of the algorithm used to produce the signature.readonlysignatureAlgorithmName:string— Human-readable signature algorithm name.readonlysignatureAlgorithmParametersDer?:Uint8Array— Raw DER of the signature AlgorithmIdentifier parameters, if present.readonlysignatureHex:string— Hex-encoded raw signature bytes.readonlysignature:Uint8Array— Raw signature bytes.
ParsePkcs7CertBagResult
Success-or-failure result from parsePkcs7CertBagDer / parsePkcs7CertBagPem.
type ParsePkcs7CertBagResult = {
readonly ok: true;
readonly value: readonly ParsedCertificate[]
} | ErrorResult<ParsePkcs7ErrorCode, Record<never, never>, ParsePkcs7Failure>ParsePkcs7ErrorCode
Error codes for PKCS#7 parse failures.
type ParsePkcs7ErrorCode = malformed | not_signed_dataParsePkcs7Failure
Error payload for a failed PKCS#7 parse.
interface ParsePkcs7Failure extends Micro509Error<ParsePkcs7ErrorCode> {
readonly ok: false;
}Properties
readonlyok:false— Alwaysfalsefor failures.
ParsePkcs7SignedDataResult
Success-or-failure result from parsePkcs7SignedDataDer / parsePkcs7SignedDataPem.
type ParsePkcs7SignedDataResult = {
readonly ok: true;
readonly value: ParsedPkcs7SignedData
} | ErrorResult<ParsePkcs7ErrorCode, Record<never, never>, ParsePkcs7Failure>Pkcs7CertBagMaterial
DER, PEM, and base64 encodings of a PKCS#7 certificate bag.
interface Pkcs7CertBagMaterial {
readonly der: Uint8Array;
readonly pem: string;
readonly base64: string;
}Properties
readonlyder:Uint8Array— Raw DER-encoded PKCS#7 structure.readonlypem:string— PEM-armored PKCS#7 (-----BEGIN PKCS7-----).readonlybase64:string— Base64-encoded DER (no PEM armor).
Pkcs7CertificateSource
PEM text (may contain multiple CERTIFICATE blocks), raw DER bytes, or an already-parsed certificate.
type Pkcs7CertificateSource = string | Uint8Array | ParsedCertificatePkcs7SignedDataMaterial
DER, PEM, and base64 encodings of a PKCS#7 SignedData structure.
interface Pkcs7SignedDataMaterial {
readonly der: Uint8Array;
readonly pem: string;
readonly base64: string;
}Properties
readonlyder:Uint8Array— Raw DER-encoded PKCS#7 SignedData.readonlypem:string— PEM-armored PKCS#7 (-----BEGIN PKCS7-----).readonlybase64:string— Base64-encoded DER (no PEM armor).
Pkcs7Signer
A single signer for createPkcs7SignedData.
interface Pkcs7Signer {
readonly certificate: Pkcs7CertificateSource;
readonly privateKey: CryptoKey;
readonly signature?: SignatureProfileInput;
}Properties
readonlycertificate:Pkcs7CertificateSource— Signer certificate (PEM text with one CERTIFICATE block, or raw DER). Embedded in the SignedData certificate set and referenced by the SignerInfo via issuerAndSerialNumber.readonlyprivateKey:CryptoKey— Private key matching the certificate's public key, used to sign.readonlysignature?:SignatureProfileInput— Signature profile. Defaults to inferring the algorithm from the key (e.g. ECDSA→ecdsa-with-SHA*, RSA→sha*WithRSAEncryption, Ed25519). Pass{ kind: 'rsa-pss' }to force RSA-PSS padding for an RSA-PSS key.
VerifyPkcs7SignedDataErrorCode
Error codes for verifyPkcs7SignedData failures.
detached_content_required means the SignedData carries no eContent (detached signature or degenerate cert bag) and no external content was supplied via VerifyPkcs7SignedDataOptions.
type VerifyPkcs7SignedDataErrorCode = signer_not_found | signature_invalid | message_digest_mismatch | detached_content_required | ParsePkcs7ErrorCodeVerifyPkcs7SignedDataFailure
Error payload for a failed verifyPkcs7SignedData call.
interface VerifyPkcs7SignedDataFailure extends Micro509Error<VerifyPkcs7SignedDataErrorCode> {
readonly ok: false;
}Properties
readonlyok:false— Alwaysfalsefor failures.
VerifyPkcs7SignedDataOptions
Options for verifyPkcs7SignedData.
interface VerifyPkcs7SignedDataOptions {
readonly content?: Uint8Array;
}Properties
readonlycontent?:Uint8Array— External content for a detached SignedData (RFC 5652 Section 5.2, absenteContent). Required to verify a detached signature; ignored when the SignedData embeds its own content.
VerifyPkcs7SignedDataResult
Success-or-failure result from verifyPkcs7SignedData.
type VerifyPkcs7SignedDataResult = {
readonly ok: true;
readonly value: ParsedPkcs7SignedData
} | ErrorResult<VerifyPkcs7SignedDataErrorCode, Record<never, never>, VerifyPkcs7SignedDataFailure>createPkcs7CertBag
Creates a degenerate PKCS#7 SignedData structure containing only certificates (no signers), returning DER, PEM, and base64 forms, or a typed invalid_certificate failure when a certificate source is not valid PEM/DER.
function createPkcs7CertBag(
certificates: readonly Pkcs7CertificateSource[],
): CreatePkcs7CertBagResultParameters
certificates:readonlyPkcs7CertificateSource[]
createPkcs7SignedData
Creates a PKCS#7/CMS SignedData with one or more signers over content.
Each signer uses the RFC 5652 Section 5.4 signed-attributes flow: the signature covers a SET OF authenticated attributes carrying contentType and messageDigest (the digest of the encapsulated content). By default the content is embedded (attached signature), so the result verifies with verifyPkcs7SignedData without any external data. With detached: true the eContent is omitted (RFC 5652 Section 5.2) and the verifier must supply the content externally.
The content digest is derived from each signer's key (P-256/RSA-SHA256 → SHA-256, P-384 → SHA-384, P-521 → SHA-512, Ed25519 → SHA-512 per RFC 8419).
Returns a CreatePkcs7SignedDataResult: DER, PEM, and base64 forms on success, or a typed failure for caller-correctable input (no signers, a signer source that is not exactly one certificate, or an unsupported signer key).
function createPkcs7SignedData(
input: CreatePkcs7SignedDataInput,
): Promise<CreatePkcs7SignedDataResult>Parameters
input:CreatePkcs7SignedDataInput
parsePkcs7CertBagDer
Parses a DER-encoded PKCS#7 cert bag, returning the contained certificates.
function parsePkcs7CertBagDer(
der: Uint8Array,
): ParsePkcs7CertBagResultParameters
der:Uint8Array
parsePkcs7CertBagPem
Parses a PEM-armored PKCS#7 cert bag. Expects exactly one PKCS7 PEM block.
function parsePkcs7CertBagPem(
pem: string,
): ParsePkcs7CertBagResultParameters
pem:string
parsePkcs7SignedDataDer
Decodes a DER-encoded PKCS#7 ContentInfo expecting signedData content type.
function parsePkcs7SignedDataDer(
der: Uint8Array,
): ParsePkcs7SignedDataResultParameters
der:Uint8Array
parsePkcs7SignedDataPem
Decodes a PEM-armored PKCS#7 SignedData. Expects exactly one PKCS7 PEM block.
function parsePkcs7SignedDataPem(
pem: string,
): ParsePkcs7SignedDataResultParameters
pem:string
verifyPkcs7SignedData
Verifies all signer signatures in a PKCS#7 SignedData structure.
Accepts PEM text, raw DER, or an already-parsed ParsedPkcs7SignedData. For each signer, locates the matching certificate in the embedded set and verifies the signature (including signed-attribute digest checks per RFC 5652 Section 5.4).
For a detached SignedData (absent eContent), pass the externally-held content via options.content; without it, verification fails with the typed detached_content_required code. When the SignedData embeds its own content, that embedded content is verified and options.content is ignored.
function verifyPkcs7SignedData(
input: string | Uint8Array | ParsedPkcs7SignedData,
_: unknown,
): Promise<VerifyPkcs7SignedDataResult>Parameters
input:string|Uint8Array|ParsedPkcs7SignedData_:unknown
Examples
import { verifyPkcs7SignedData } from 'micro509';
const result = await verifyPkcs7SignedData(pkcs7Pem);
if (result.ok) {
console.log('all signers verified');
}
// Detached signature: supply the content externally
const detached = await verifyPkcs7SignedData(cmsBlob, { content: signedBytes });ParsedPkcs12MacData
Decoded PKCS#12 MacData block returned by parsePkcs12MacData.
interface ParsedPkcs12MacData {
readonly digestAlgorithmOid: string;
readonly digestAlgorithmName: string;
readonly digestHex: string;
readonly saltHex: string;
readonly iterations: number;
readonly verification: valid | invalid | unchecked;
}Properties
readonlydigestAlgorithmOid:string— OID of the digest algorithm (currently always SHA-256).readonlydigestAlgorithmName:string— Human-readable digest algorithm name (currently"SHA-256").readonlydigestHex:string— Hex-encoded MAC digest value.readonlysaltHex:string— Hex-encoded salt bytes used during key derivation.readonlyiterations:number— Number of PKCS#12 KDF iterations.readonlyverification:valid|invalid|unchecked— MAC verification outcome:'unchecked'when no password was supplied during parsing, otherwise'valid'or'invalid'.
ParsePkcs12MacDataErrorCode
Machine-readable failure reason for parsePkcs12MacData.
type ParsePkcs12MacDataErrorCode = malformedParsePkcs12MacDataFailure
Structured failure payload for MacData parsing.
interface ParsePkcs12MacDataFailure extends Micro509Error<ParsePkcs12MacDataErrorCode> {
readonly ok: false;
}Properties
readonlyok:false— Alwaysfalsefor failures.
ParsePkcs12MacDataResult
Success-or-failure result from parsePkcs12MacData.
type ParsePkcs12MacDataResult = {
readonly ok: true;
readonly value: ParsedPkcs12MacData
} | ErrorResult<ParsePkcs12MacDataErrorCode, Record<never, never>, ParsePkcs12MacDataFailure>Pkcs12MacOptions
Input for createPkcs12MacData.
interface Pkcs12MacOptions {
readonly password: string;
readonly iterations?: number;
readonly salt?: Uint8Array;
}Properties
readonlypassword:string— Password used to derive the HMAC key via the PKCS#12 KDF.readonlyiterations?:number— PKCS#12 KDF iteration count. Default:2048.readonlysalt?:Uint8Array— Random salt. Default: 16 cryptographically random bytes.
createPkcs12MacData
Computes a PKCS#12 HMAC-SHA-256 MAC over the AuthenticatedSafe and returns the DER-encoded MacData block alongside its parsed representation.
function createPkcs12MacData(
authenticatedSafe: Uint8Array,
options: Pkcs12MacOptions,
): Promise<{
readonly der: Uint8Array;
readonly parsed: ParsedPkcs12MacData
}>Parameters
authenticatedSafe:Uint8Arrayoptions:Pkcs12MacOptions
parsePkcs12MacData
Decodes a DER-encoded MacData block. When password is provided, verifies the MAC and reports the outcome in verification.
Returns a typed failure (code: 'malformed') on malformed input. For the throwing form use parsePkcs12MacDataOrThrow.
function parsePkcs12MacData(
der: Uint8Array,
authenticatedSafe: Uint8Array,
password?: string,
): Promise<ParsePkcs12MacDataResult>Parameters
der:Uint8ArrayauthenticatedSafe:Uint8Arraypassword?:string
parsePkcs12MacDataOrThrow
Throwing core for parsePkcs12MacData. When password is provided, verifies the MAC and reports the outcome in verification.
function parsePkcs12MacDataOrThrow(
der: Uint8Array,
authenticatedSafe: Uint8Array,
password?: string,
): Promise<ParsedPkcs12MacData>Parameters
der:Uint8ArrayauthenticatedSafe:Uint8Arraypassword?:string