PKIX Over Secure HTTP (POSH) tools for node.js
PKIX Over Secure HTTP (POSH) tools for node.js. See http://tools.ietf.org/html/draft-miller-posh-00 for more information.
Installation:

```sh
npm install node-posh
```

Usage:

```
genposh [options] [cert filename...]

Options:
  --help, -h        Show this message and exit
  --out, -o         Directory in which to output files [default: "."]
  --days, -d        Days of validity for the generated certificate [default: 365]
  --service, -s     SRV-style service name for the POSH file [default: "_xmpp._tcp"]
  --maxcerts, -m    The maximum number of certs to output in the x5c field. 0 means all. [default: 0]
  --commonname, -c  Create a new certificate, with this common name (multiple ok)
```
Generate a new certificate that is good for 30 days. Keep the old certificate in the POSH output to support the roll-over period:

```sh
genposh -d 30 -s _imap._tcp -c localhost old-cert.pem
```

This will generate a file called `posh._imap._tcp.json` that contains POSH JSON that looks like this:
Create a POSH document from a list of certificates.

  certs     an array of PEM-encoded certificate chains. The first certificate in each chain will be extracted into the POSH public key information.
  maxdepth  the maximum number of certificates to use from each chain.
Write the given POSH object to a file with the correct name for the given service.

  dir       the directory to write into
  service   the SRV record name for the target service. Example: "_xmpp-server._tcp"
Make a POSH-verified connection to a given domain on a given service. Events:

  'posh request', url                       about to request a POSH document at the given URL
  'no posh', er                             no POSH document could be retrieved. Not really an error.
  'connecting', host, port, tls             connecting on the given host and port. If tls is true, a TLS handshake will start as soon as the connection finishes.
  'error', er                               an error was detected.
  'connect', socket                         the given socket was connected
  'secure', service_cert, posh_document     the connection is secure, either by RFC 6125 or by POSH. posh_document is null if service_cert was valid via RFC 6125.
  'insecure', service_cert, posh_document   the connection could not be determined to be secure. posh_document is null if it could not be retrieved.
Create a POSH connection object.

  domain    connect to the given domain
  srv       the DNS SRV protocol name to connect with. For example, "_xmpp-server._tcp"
  options   a configuration object with these properties:
    fallback_port   the port to fall back on if SRV fails. If -1, use the port for the given SRV protocol name from /etc/services. Defaults to -1.
    start_tls       don't do TLS immediately after connecting. Instead, wait for a listener for the 'connect' event to call the method (described below) that starts the TLS handshake.
    ca              an array of zero or more certificate authority (CA) certs to trust when making HTTPS calls for POSH certs.
Attempt to get the POSH assertion for the domain and SRV protocol given in the constructor.
Do the SRV resolution, yielding a host and port when complete. Ignores DNS errors, returning the original domain and the fallback port instead.
Connect without starting TLS. Wait for the 'connect' event, then call the method (described below) that starts the TLS handshake on the connected socket.

Connect to the given service, and start TLS immediately.
On the already-connected socket, start a TLS handshake. This MUST occur after the 'connect' event has been emitted.

Connect to the domain on the specified service, using either an initially-plaintext approach (options.start_tls=true) or an initially-encrypted approach (options.start_tls=false).