Hey there! I totally get your frustration—finding Node.js-specific solutions for crypto tasks can be tricky, especially when dealing with ECC algorithms that some libraries don't support. Let's walk through a few solid options that match the functionality of that openssl pkcs7 -print_certs command:

Option 1: Wrap OpenSSL directly with openssl-wrapper #

Since you already know the OpenSSL command works perfectly (and it fully supports ECC), why not just call it from Node.js? The openssl-wrapper package makes this clean and straightforward, no need to reinvent the wheel.

First, install the package:

npm install openssl-wrapper

Then use this code to process your base64-encoded CMS string:

const openssl = require('openssl-wrapper').exec;

async function extractCertsFromPKCS7(base64CMS) {
  // Convert your base64 string to a DER buffer (OpenSSL's preferred input format here)
  const pkcs7Buffer = Buffer.from(base64CMS, 'base64');
  
  // Run the equivalent openssl command, passing the buffer as input
  const certOutput = await openssl('pkcs7', {
    '-print_certs': true,
    '-inform': 'DER'
  }, pkcs7Buffer);
  
  // Split the combined PEM output into individual certificates
  const certPems = certOutput.toString().split(/(?=-----BEGIN CERTIFICATE-----)/).filter(cert => cert.trim());
  
  return {
    leafCert: certPems[0], // The first cert is almost always the leaf
    intermediateCerts: certPems.slice(1) // The rest are intermediates
  };
}

// Example usage
const myBase64CMS = 'your-base64-encoded-cms-string-goes-here';
extractCertsFromPKCS7(myBase64CMS)
  .then(result => {
    console.log('Leaf certificate:\n', result.leafCert);
    console.log('Intermediate certificates:\n', result.intermediateCerts.join('\n\n'));
  })
  .catch(err => console.error('Something went wrong:', err));

Pros: Uses the trusted OpenSSL tool you already know, supports all algorithms (including ECC), minimal code to write.
Note: Make sure your system has OpenSSL installed (most Linux/macOS systems do by default; Windows users may need to install it and add it to their PATH).

Option 2: Pure JavaScript with pkijs + @peculiar/webcrypto #

If you want a fully Node-native solution without relying on system OpenSSL, this combo works great and supports ECC. pkijs handles parsing PKCS#7/CMS structures, and @peculiar/webcrypto provides a WebCrypto-compatible engine that supports ECC algorithms.

First, install the packages:

npm install @peculiar/webcrypto pkijs

Here's the code to extract your certificates:

const { Crypto } = require('@peculiar/webcrypto');
const pkijs = require('pkijs');

// Configure pkijs to use the WebCrypto engine that supports ECC
pkijs.setEngine('ecc-support', new Crypto(), pkijs.engine.engine_WebCrypto);

async function extractCertsFromCMS(base64CMS) {
  // Convert base64 to an ArrayBuffer for pkijs parsing
  const cmsArrayBuffer = Buffer.from(base64CMS, 'base64').buffer;
  
  // Parse the CMS/PKCS#7 structure
  const contentInfo = await pkijs.ContentInfo.fromBER(cmsArrayBuffer);
  
  // Make sure we're dealing with a signed data structure (the common PKCS#7 cert format)
  if (!(contentInfo.content instanceof pkijs.SignedData)) {
    throw new Error('Input is not a signed PKCS#7/CMS structure');
  }
  
  // Convert each certificate in the structure to PEM format
  const certPems = contentInfo.content.certificates.map(cert => {
    const certDer = Buffer.from(cert.toSchema().toBER(false));
    const base64Cert = certDer.toString('base64').match(/.{1,64}/g).join('\n');
    return `-----BEGIN CERTIFICATE-----\n${base64Cert}\n-----END CERTIFICATE-----`;
  });
  
  return {
    leafCert: certPems[0],
    intermediateCerts: certPems.slice(1)
  };
}

// Example usage
const myBase64CMS = 'your-base64-encoded-cms-string-goes-here';
extractCertsFromCMS(myBase64CMS)
  .then(result => {
    console.log('Leaf certificate:\n', result.leafCert);
    console.log('Intermediate certificates:\n', result.intermediateCerts.join('\n\n'));
  })
  .catch(err => console.error('Something went wrong:', err));

Pros: No system dependencies, fully cross-platform, pure JS implementation.
Bonus: You get full control over parsing the CMS structure if you need to do more advanced operations later.

Either of these should solve your problem! If you're new to this space, I'd start with Option 1—it's closer to the command you already know and requires less crypto-specific knowledge.

内容的提问来源于stack exchange，提问作者user4086990