setup-python/node_modules/sshpk/lib/certificate.js

// Copyright 2016 Joyent, Inc.

module.exports = Certificate;

var assert = require('assert-plus');
var Buffer = require('safer-buffer').Buffer;
var algs = require('./algs');
var crypto = require('crypto');
var Fingerprint = require('./fingerprint');
var Signature = require('./signature');
var errs = require('./errors');
var util = require('util');
var utils = require('./utils');
var Key = require('./key');
var PrivateKey = require('./private-key');
var Identity = require('./identity');

var formats = {};
formats['openssh'] = require('./formats/openssh-cert');
formats['x509'] = require('./formats/x509');
formats['pem'] = require('./formats/x509-pem');

var CertificateParseError = errs.CertificateParseError;
var InvalidAlgorithmError = errs.InvalidAlgorithmError;

function Certificate(opts) {
	assert.object(opts, 'options');
	assert.arrayOfObject(opts.subjects, 'options.subjects');
	utils.assertCompatible(opts.subjects[0], Identity, [1, 0],
	    'options.subjects');
	utils.assertCompatible(opts.subjectKey, Key, [1, 0],
	    'options.subjectKey');
	utils.assertCompatible(opts.issuer, Identity, [1, 0], 'options.issuer');
	if (opts.issuerKey !== undefined) {
		utils.assertCompatible(opts.issuerKey, Key, [1, 0],
		    'options.issuerKey');
	}
	assert.object(opts.signatures, 'options.signatures');
	assert.buffer(opts.serial, 'options.serial');
	assert.date(opts.validFrom, 'options.validFrom');
	assert.date(opts.validUntil, 'optons.validUntil');

	assert.optionalArrayOfString(opts.purposes, 'options.purposes');

	this._hashCache = {};

	this.subjects = opts.subjects;
	this.issuer = opts.issuer;
	this.subjectKey = opts.subjectKey;
	this.issuerKey = opts.issuerKey;
	this.signatures = opts.signatures;
	this.serial = opts.serial;
	this.validFrom = opts.validFrom;
	this.validUntil = opts.validUntil;
	this.purposes = opts.purposes;
}

Certificate.formats = formats;

Certificate.prototype.toBuffer = function (format, options) {
	if (format === undefined)
		format = 'x509';
	assert.string(format, 'format');
	assert.object(formats[format], 'formats[format]');
	assert.optionalObject(options, 'options');

	return (formats[format].write(this, options));
};

Certificate.prototype.toString = function (format, options) {
	if (format === undefined)
		format = 'pem';
	return (this.toBuffer(format, options).toString());
};

Certificate.prototype.fingerprint = function (algo) {
	if (algo === undefined)
		algo = 'sha256';
	assert.string(algo, 'algorithm');
	var opts = {
		type: 'certificate',
		hash: this.hash(algo),
		algorithm: algo
	};
	return (new Fingerprint(opts));
};

Certificate.prototype.hash = function (algo) {
	assert.string(algo, 'algorithm');
	algo = algo.toLowerCase();
	if (algs.hashAlgs[algo] === undefined)
		throw (new InvalidAlgorithmError(algo));

	if (this._hashCache[algo])
		return (this._hashCache[algo]);

	var hash = crypto.createHash(algo).
	    update(this.toBuffer('x509')).digest();
	this._hashCache[algo] = hash;
	return (hash);
};

Certificate.prototype.isExpired = function (when) {
	if (when === undefined)
		when = new Date();
	return (!((when.getTime() >= this.validFrom.getTime()) &&
		(when.getTime() < this.validUntil.getTime())));
};

Certificate.prototype.isSignedBy = function (issuerCert) {
	utils.assertCompatible(issuerCert, Certificate, [1, 0], 'issuer');

	if (!this.issuer.equals(issuerCert.subjects[0]))
		return (false);
	if (this.issuer.purposes && this.issuer.purposes.length > 0 &&
	    this.issuer.purposes.indexOf('ca') === -1) {
		return (false);
	}

	return (this.isSignedByKey(issuerCert.subjectKey));
};

Certificate.prototype.getExtension = function (keyOrOid) {
	assert.string(keyOrOid, 'keyOrOid');
	var ext = this.getExtensions().filter(function (maybeExt) {
		if (maybeExt.format === 'x509')
			return (maybeExt.oid === keyOrOid);
		if (maybeExt.format === 'openssh')
			return (maybeExt.name === keyOrOid);
		return (false);
	})[0];
	return (ext);
};

Certificate.prototype.getExtensions = function () {
	var exts = [];
	var x509 = this.signatures.x509;
	if (x509 && x509.extras && x509.extras.exts) {
		x509.extras.exts.forEach(function (ext) {
			ext.format = 'x509';
			exts.push(ext);
		});
	}
	var openssh = this.signatures.openssh;
	if (openssh && openssh.exts) {
		openssh.exts.forEach(function (ext) {
			ext.format = 'openssh';
			exts.push(ext);
		});
	}
	return (exts);
};

Certificate.prototype.isSignedByKey = function (issuerKey) {
	utils.assertCompatible(issuerKey, Key, [1, 2], 'issuerKey');

	if (this.issuerKey !== undefined) {
		return (this.issuerKey.
		    fingerprint('sha512').matches(issuerKey));
	}

	var fmt = Object.keys(this.signatures)[0];
	var valid = formats[fmt].verify(this, issuerKey);
	if (valid)
		this.issuerKey = issuerKey;
	return (valid);
};

Certificate.prototype.signWith = function (key) {
	utils.assertCompatible(key, PrivateKey, [1, 2], 'key');
	var fmts = Object.keys(formats);
	var didOne = false;
	for (var i = 0; i < fmts.length; ++i) {
		if (fmts[i] !== 'pem') {
			var ret = formats[fmts[i]].sign(this, key);
			if (ret === true)
				didOne = true;
		}
	}
	if (!didOne) {
		throw (new Error('Failed to sign the certificate for any ' +
		    'available certificate formats'));
	}
};

Certificate.createSelfSigned = function (subjectOrSubjects, key, options) {
	var subjects;
	if (Array.isArray(subjectOrSubjects))
		subjects = subjectOrSubjects;
	else
		subjects = [subjectOrSubjects];

	assert.arrayOfObject(subjects);
	subjects.forEach(function (subject) {
		utils.assertCompatible(subject, Identity, [1, 0], 'subject');
	});

	utils.assertCompatible(key, PrivateKey, [1, 2], 'private key');

	assert.optionalObject(options, 'options');
	if (options === undefined)
		options = {};
	assert.optionalObject(options.validFrom, 'options.validFrom');
	assert.optionalObject(options.validUntil, 'options.validUntil');
	var validFrom = options.validFrom;
	var validUntil = options.validUntil;
	if (validFrom === undefined)
		validFrom = new Date();
	if (validUntil === undefined) {
		assert.optionalNumber(options.lifetime, 'options.lifetime');
		var lifetime = options.lifetime;
		if (lifetime === undefined)
			lifetime = 10*365*24*3600;
		validUntil = new Date();
		validUntil.setTime(validUntil.getTime() + lifetime*1000);
	}
	assert.optionalBuffer(options.serial, 'options.serial');
	var serial = options.serial;
	if (serial === undefined)
		serial = Buffer.from('0000000000000001', 'hex');

	var purposes = options.purposes;
	if (purposes === undefined)
		purposes = [];

	if (purposes.indexOf('signature') === -1)
		purposes.push('signature');

	/* Self-signed certs are always CAs. */
	if (purposes.indexOf('ca') === -1)
		purposes.push('ca');
	if (purposes.indexOf('crl') === -1)
		purposes.push('crl');

	/*
	 * If we weren't explicitly given any other purposes, do the sensible
	 * thing and add some basic ones depending on the subject type.
	 */
	if (purposes.length <= 3) {
		var hostSubjects = subjects.filter(function (subject) {
			return (subject.type === 'host');
		});
		var userSubjects = subjects.filter(function (subject) {
			return (subject.type === 'user');
		});
		if (hostSubjects.length > 0) {
			if (purposes.indexOf('serverAuth') === -1)
				purposes.push('serverAuth');
		}
		if (userSubjects.length > 0) {
			if (purposes.indexOf('clientAuth') === -1)
				purposes.push('clientAuth');
		}
		if (userSubjects.length > 0 || hostSubjects.length > 0) {
			if (purposes.indexOf('keyAgreement') === -1)
				purposes.push('keyAgreement');
			if (key.type === 'rsa' &&
			    purposes.indexOf('encryption') === -1)
				purposes.push('encryption');
		}
	}

	var cert = new Certificate({
		subjects: subjects,
		issuer: subjects[0],
		subjectKey: key.toPublic(),
		issuerKey: key.toPublic(),
		signatures: {},
		serial: serial,
		validFrom: validFrom,
		validUntil: validUntil,
		purposes: purposes
	});
	cert.signWith(key);

	return (cert);
};

Certificate.create =
    function (subjectOrSubjects, key, issuer, issuerKey, options) {
	var subjects;
	if (Array.isArray(subjectOrSubjects))
		subjects = subjectOrSubjects;
	else
		subjects = [subjectOrSubjects];

	assert.arrayOfObject(subjects);
	subjects.forEach(function (subject) {
		utils.assertCompatible(subject, Identity, [1, 0], 'subject');
	});

	utils.assertCompatible(key, Key, [1, 0], 'key');
	if (PrivateKey.isPrivateKey(key))
		key = key.toPublic();
	utils.assertCompatible(issuer, Identity, [1, 0], 'issuer');
	utils.assertCompatible(issuerKey, PrivateKey, [1, 2], 'issuer key');

	assert.optionalObject(options, 'options');
	if (options === undefined)
		options = {};
	assert.optionalObject(options.validFrom, 'options.validFrom');
	assert.optionalObject(options.validUntil, 'options.validUntil');
	var validFrom = options.validFrom;
	var validUntil = options.validUntil;
	if (validFrom === undefined)
		validFrom = new Date();
	if (validUntil === undefined) {
		assert.optionalNumber(options.lifetime, 'options.lifetime');
		var lifetime = options.lifetime;
		if (lifetime === undefined)
			lifetime = 10*365*24*3600;
		validUntil = new Date();
		validUntil.setTime(validUntil.getTime() + lifetime*1000);
	}
	assert.optionalBuffer(options.serial, 'options.serial');
	var serial = options.serial;
	if (serial === undefined)
		serial = Buffer.from('0000000000000001', 'hex');

	var purposes = options.purposes;
	if (purposes === undefined)
		purposes = [];

	if (purposes.indexOf('signature') === -1)
		purposes.push('signature');

	if (options.ca === true) {
		if (purposes.indexOf('ca') === -1)
			purposes.push('ca');
		if (purposes.indexOf('crl') === -1)
			purposes.push('crl');
	}

	var hostSubjects = subjects.filter(function (subject) {
		return (subject.type === 'host');
	});
	var userSubjects = subjects.filter(function (subject) {
		return (subject.type === 'user');
	});
	if (hostSubjects.length > 0) {
		if (purposes.indexOf('serverAuth') === -1)
			purposes.push('serverAuth');
	}
	if (userSubjects.length > 0) {
		if (purposes.indexOf('clientAuth') === -1)
			purposes.push('clientAuth');
	}
	if (userSubjects.length > 0 || hostSubjects.length > 0) {
		if (purposes.indexOf('keyAgreement') === -1)
			purposes.push('keyAgreement');
		if (key.type === 'rsa' &&
		    purposes.indexOf('encryption') === -1)
			purposes.push('encryption');
	}

	var cert = new Certificate({
		subjects: subjects,
		issuer: issuer,
		subjectKey: key,
		issuerKey: issuerKey.toPublic(),
		signatures: {},
		serial: serial,
		validFrom: validFrom,
		validUntil: validUntil,
		purposes: purposes
	});
	cert.signWith(issuerKey);

	return (cert);
};

Certificate.parse = function (data, format, options) {
	if (typeof (data) !== 'string')
		assert.buffer(data, 'data');
	if (format === undefined)
		format = 'auto';
	assert.string(format, 'format');
	if (typeof (options) === 'string')
		options = { filename: options };
	assert.optionalObject(options, 'options');
	if (options === undefined)
		options = {};
	assert.optionalString(options.filename, 'options.filename');
	if (options.filename === undefined)
		options.filename = '(unnamed)';

	assert.object(formats[format], 'formats[format]');

	try {
		var k = formats[format].read(data, options);
		return (k);
	} catch (e) {
		throw (new CertificateParseError(options.filename, format, e));
	}
};

Certificate.isCertificate = function (obj, ver) {
	return (utils.isCompatible(obj, Certificate, ver));
};

/*
 * API versions for Certificate:
 * [1,0] -- initial ver
 * [1,1] -- openssh format now unpacks extensions
 */
Certificate.prototype._sshpkApiVersion = [1, 1];

Certificate._oldVersionDetect = function (obj) {
	return ([1, 0]);
};
Initial pass 2019-06-26 21:12:00 -04:00			`// Copyright 2016 Joyent, Inc.`

			`module.exports = Certificate;`

			`var assert = require('assert-plus');`
			`var Buffer = require('safer-buffer').Buffer;`
			`var algs = require('./algs');`
			`var crypto = require('crypto');`
			`var Fingerprint = require('./fingerprint');`
			`var Signature = require('./signature');`
			`var errs = require('./errors');`
			`var util = require('util');`
			`var utils = require('./utils');`
			`var Key = require('./key');`
			`var PrivateKey = require('./private-key');`
			`var Identity = require('./identity');`

			`var formats = {};`
			`formats['openssh'] = require('./formats/openssh-cert');`
			`formats['x509'] = require('./formats/x509');`
			`formats['pem'] = require('./formats/x509-pem');`

			`var CertificateParseError = errs.CertificateParseError;`
			`var InvalidAlgorithmError = errs.InvalidAlgorithmError;`

			`function Certificate(opts) {`
			`assert.object(opts, 'options');`
			`assert.arrayOfObject(opts.subjects, 'options.subjects');`
			`utils.assertCompatible(opts.subjects[0], Identity, [1, 0],`
			`'options.subjects');`
			`utils.assertCompatible(opts.subjectKey, Key, [1, 0],`
			`'options.subjectKey');`
			`utils.assertCompatible(opts.issuer, Identity, [1, 0], 'options.issuer');`
			`if (opts.issuerKey !== undefined) {`
			`utils.assertCompatible(opts.issuerKey, Key, [1, 0],`
			`'options.issuerKey');`
			`}`
			`assert.object(opts.signatures, 'options.signatures');`
			`assert.buffer(opts.serial, 'options.serial');`
			`assert.date(opts.validFrom, 'options.validFrom');`
			`assert.date(opts.validUntil, 'optons.validUntil');`

			`assert.optionalArrayOfString(opts.purposes, 'options.purposes');`

			`this._hashCache = {};`

			`this.subjects = opts.subjects;`
			`this.issuer = opts.issuer;`
			`this.subjectKey = opts.subjectKey;`
			`this.issuerKey = opts.issuerKey;`
			`this.signatures = opts.signatures;`
			`this.serial = opts.serial;`
			`this.validFrom = opts.validFrom;`
			`this.validUntil = opts.validUntil;`
			`this.purposes = opts.purposes;`
			`}`

			`Certificate.formats = formats;`

			`Certificate.prototype.toBuffer = function (format, options) {`
			`if (format === undefined)`
			`format = 'x509';`
			`assert.string(format, 'format');`
			`assert.object(formats[format], 'formats[format]');`
			`assert.optionalObject(options, 'options');`

			`return (formats[format].write(this, options));`
			`};`

			`Certificate.prototype.toString = function (format, options) {`
			`if (format === undefined)`
			`format = 'pem';`
			`return (this.toBuffer(format, options).toString());`
			`};`

			`Certificate.prototype.fingerprint = function (algo) {`
			`if (algo === undefined)`
			`algo = 'sha256';`
			`assert.string(algo, 'algorithm');`
			`var opts = {`
			`type: 'certificate',`
			`hash: this.hash(algo),`
			`algorithm: algo`
			`};`
			`return (new Fingerprint(opts));`
			`};`

			`Certificate.prototype.hash = function (algo) {`
			`assert.string(algo, 'algorithm');`
			`algo = algo.toLowerCase();`
			`if (algs.hashAlgs[algo] === undefined)`
			`throw (new InvalidAlgorithmError(algo));`

			`if (this._hashCache[algo])`
			`return (this._hashCache[algo]);`

			`var hash = crypto.createHash(algo).`
			`update(this.toBuffer('x509')).digest();`
			`this._hashCache[algo] = hash;`
			`return (hash);`
			`};`

			`Certificate.prototype.isExpired = function (when) {`
			`if (when === undefined)`
			`when = new Date();`
			`return (!((when.getTime() >= this.validFrom.getTime()) &&`
			`(when.getTime() < this.validUntil.getTime())));`
			`};`

			`Certificate.prototype.isSignedBy = function (issuerCert) {`
			`utils.assertCompatible(issuerCert, Certificate, [1, 0], 'issuer');`

			`if (!this.issuer.equals(issuerCert.subjects[0]))`
			`return (false);`
			`if (this.issuer.purposes && this.issuer.purposes.length > 0 &&`
			`this.issuer.purposes.indexOf('ca') === -1) {`
			`return (false);`
			`}`

			`return (this.isSignedByKey(issuerCert.subjectKey));`
			`};`

			`Certificate.prototype.getExtension = function (keyOrOid) {`
			`assert.string(keyOrOid, 'keyOrOid');`
			`var ext = this.getExtensions().filter(function (maybeExt) {`
			`if (maybeExt.format === 'x509')`
			`return (maybeExt.oid === keyOrOid);`
			`if (maybeExt.format === 'openssh')`
			`return (maybeExt.name === keyOrOid);`
			`return (false);`
			`})[0];`
			`return (ext);`
			`};`

			`Certificate.prototype.getExtensions = function () {`
			`var exts = [];`
			`var x509 = this.signatures.x509;`
			`if (x509 && x509.extras && x509.extras.exts) {`
			`x509.extras.exts.forEach(function (ext) {`
			`ext.format = 'x509';`
			`exts.push(ext);`
			`});`
			`}`
			`var openssh = this.signatures.openssh;`
			`if (openssh && openssh.exts) {`
			`openssh.exts.forEach(function (ext) {`
			`ext.format = 'openssh';`
			`exts.push(ext);`
			`});`
			`}`
			`return (exts);`
			`};`

			`Certificate.prototype.isSignedByKey = function (issuerKey) {`
			`utils.assertCompatible(issuerKey, Key, [1, 2], 'issuerKey');`

			`if (this.issuerKey !== undefined) {`
			`return (this.issuerKey.`
			`fingerprint('sha512').matches(issuerKey));`
			`}`

			`var fmt = Object.keys(this.signatures)[0];`
			`var valid = formats[fmt].verify(this, issuerKey);`
			`if (valid)`
			`this.issuerKey = issuerKey;`
			`return (valid);`
			`};`

			`Certificate.prototype.signWith = function (key) {`
			`utils.assertCompatible(key, PrivateKey, [1, 2], 'key');`
			`var fmts = Object.keys(formats);`
			`var didOne = false;`
			`for (var i = 0; i < fmts.length; ++i) {`
			`if (fmts[i] !== 'pem') {`
			`var ret = formats[fmts[i]].sign(this, key);`
			`if (ret === true)`
			`didOne = true;`
			`}`
			`}`
			`if (!didOne) {`
			`throw (new Error('Failed to sign the certificate for any ' +`
			`'available certificate formats'));`
			`}`
			`};`

			`Certificate.createSelfSigned = function (subjectOrSubjects, key, options) {`
			`var subjects;`
			`if (Array.isArray(subjectOrSubjects))`
			`subjects = subjectOrSubjects;`
			`else`
			`subjects = [subjectOrSubjects];`

			`assert.arrayOfObject(subjects);`
			`subjects.forEach(function (subject) {`
			`utils.assertCompatible(subject, Identity, [1, 0], 'subject');`
			`});`

			`utils.assertCompatible(key, PrivateKey, [1, 2], 'private key');`

			`assert.optionalObject(options, 'options');`
			`if (options === undefined)`
			`options = {};`
			`assert.optionalObject(options.validFrom, 'options.validFrom');`
			`assert.optionalObject(options.validUntil, 'options.validUntil');`
			`var validFrom = options.validFrom;`
			`var validUntil = options.validUntil;`
			`if (validFrom === undefined)`
			`validFrom = new Date();`
			`if (validUntil === undefined) {`
			`assert.optionalNumber(options.lifetime, 'options.lifetime');`
			`var lifetime = options.lifetime;`
			`if (lifetime === undefined)`
			`lifetime = 1036524*3600;`
			`validUntil = new Date();`
			`validUntil.setTime(validUntil.getTime() + lifetime*1000);`
			`}`
			`assert.optionalBuffer(options.serial, 'options.serial');`
			`var serial = options.serial;`
			`if (serial === undefined)`
			`serial = Buffer.from('0000000000000001', 'hex');`

			`var purposes = options.purposes;`
			`if (purposes === undefined)`
			`purposes = [];`

			`if (purposes.indexOf('signature') === -1)`
			`purposes.push('signature');`

			`/* Self-signed certs are always CAs. */`
			`if (purposes.indexOf('ca') === -1)`
			`purposes.push('ca');`
			`if (purposes.indexOf('crl') === -1)`
			`purposes.push('crl');`

			`/*`
			`* If we weren't explicitly given any other purposes, do the sensible`
			`* thing and add some basic ones depending on the subject type.`
			`*/`
			`if (purposes.length <= 3) {`
			`var hostSubjects = subjects.filter(function (subject) {`
			`return (subject.type === 'host');`
			`});`
			`var userSubjects = subjects.filter(function (subject) {`
			`return (subject.type === 'user');`
			`});`
			`if (hostSubjects.length > 0) {`
			`if (purposes.indexOf('serverAuth') === -1)`
			`purposes.push('serverAuth');`
			`}`
			`if (userSubjects.length > 0) {`
			`if (purposes.indexOf('clientAuth') === -1)`
			`purposes.push('clientAuth');`
			`}`
			`if (userSubjects.length > 0 \|\| hostSubjects.length > 0) {`
			`if (purposes.indexOf('keyAgreement') === -1)`
			`purposes.push('keyAgreement');`
			`if (key.type === 'rsa' &&`
			`purposes.indexOf('encryption') === -1)`
			`purposes.push('encryption');`
			`}`
			`}`

			`var cert = new Certificate({`
			`subjects: subjects,`
			`issuer: subjects[0],`
			`subjectKey: key.toPublic(),`
			`issuerKey: key.toPublic(),`
			`signatures: {},`
			`serial: serial,`
			`validFrom: validFrom,`
			`validUntil: validUntil,`
			`purposes: purposes`
			`});`
			`cert.signWith(key);`

			`return (cert);`
			`};`

			`Certificate.create =`
			`function (subjectOrSubjects, key, issuer, issuerKey, options) {`
			`var subjects;`
			`if (Array.isArray(subjectOrSubjects))`
			`subjects = subjectOrSubjects;`
			`else`
			`subjects = [subjectOrSubjects];`

			`assert.arrayOfObject(subjects);`
			`subjects.forEach(function (subject) {`
			`utils.assertCompatible(subject, Identity, [1, 0], 'subject');`
			`});`

			`utils.assertCompatible(key, Key, [1, 0], 'key');`
			`if (PrivateKey.isPrivateKey(key))`
			`key = key.toPublic();`
			`utils.assertCompatible(issuer, Identity, [1, 0], 'issuer');`
			`utils.assertCompatible(issuerKey, PrivateKey, [1, 2], 'issuer key');`

			`assert.optionalObject(options, 'options');`
			`if (options === undefined)`
			`options = {};`
			`assert.optionalObject(options.validFrom, 'options.validFrom');`
			`assert.optionalObject(options.validUntil, 'options.validUntil');`
			`var validFrom = options.validFrom;`
			`var validUntil = options.validUntil;`
			`if (validFrom === undefined)`
			`validFrom = new Date();`
			`if (validUntil === undefined) {`
			`assert.optionalNumber(options.lifetime, 'options.lifetime');`
			`var lifetime = options.lifetime;`
			`if (lifetime === undefined)`
			`lifetime = 1036524*3600;`
			`validUntil = new Date();`
			`validUntil.setTime(validUntil.getTime() + lifetime*1000);`
			`}`
			`assert.optionalBuffer(options.serial, 'options.serial');`
			`var serial = options.serial;`
			`if (serial === undefined)`
			`serial = Buffer.from('0000000000000001', 'hex');`

			`var purposes = options.purposes;`
			`if (purposes === undefined)`
			`purposes = [];`

			`if (purposes.indexOf('signature') === -1)`
			`purposes.push('signature');`

			`if (options.ca === true) {`
			`if (purposes.indexOf('ca') === -1)`
			`purposes.push('ca');`
			`if (purposes.indexOf('crl') === -1)`
			`purposes.push('crl');`
			`}`

			`var hostSubjects = subjects.filter(function (subject) {`
			`return (subject.type === 'host');`
			`});`
			`var userSubjects = subjects.filter(function (subject) {`
			`return (subject.type === 'user');`
			`});`
			`if (hostSubjects.length > 0) {`
			`if (purposes.indexOf('serverAuth') === -1)`
			`purposes.push('serverAuth');`
			`}`
			`if (userSubjects.length > 0) {`
			`if (purposes.indexOf('clientAuth') === -1)`
			`purposes.push('clientAuth');`
			`}`
			`if (userSubjects.length > 0 \|\| hostSubjects.length > 0) {`
			`if (purposes.indexOf('keyAgreement') === -1)`
			`purposes.push('keyAgreement');`
			`if (key.type === 'rsa' &&`
			`purposes.indexOf('encryption') === -1)`
			`purposes.push('encryption');`
			`}`

			`var cert = new Certificate({`
			`subjects: subjects,`
			`issuer: issuer,`
			`subjectKey: key,`
			`issuerKey: issuerKey.toPublic(),`
			`signatures: {},`
			`serial: serial,`
			`validFrom: validFrom,`
			`validUntil: validUntil,`
			`purposes: purposes`
			`});`
			`cert.signWith(issuerKey);`

			`return (cert);`
			`};`

			`Certificate.parse = function (data, format, options) {`
			`if (typeof (data) !== 'string')`
			`assert.buffer(data, 'data');`
			`if (format === undefined)`
			`format = 'auto';`
			`assert.string(format, 'format');`
			`if (typeof (options) === 'string')`
			`options = { filename: options };`
			`assert.optionalObject(options, 'options');`
			`if (options === undefined)`
			`options = {};`
			`assert.optionalString(options.filename, 'options.filename');`
			`if (options.filename === undefined)`
			`options.filename = '(unnamed)';`

			`assert.object(formats[format], 'formats[format]');`

			`try {`
			`var k = formats[format].read(data, options);`
			`return (k);`
			`} catch (e) {`
			`throw (new CertificateParseError(options.filename, format, e));`
			`}`
			`};`

			`Certificate.isCertificate = function (obj, ver) {`
			`return (utils.isCompatible(obj, Certificate, ver));`
			`};`

			`/*`
			`* API versions for Certificate:`
			`* [1,0] -- initial ver`
			`* [1,1] -- openssh format now unpacks extensions`
			`*/`
			`Certificate.prototype._sshpkApiVersion = [1, 1];`

			`Certificate._oldVersionDetect = function (obj) {`
			`return ([1, 0]);`
			`};`