Issue 21 fix

[andreihaiducu]

Replace jsrsasign with pkijs + asn1js + Web Crypto API

Why

jsrsasign is end-of-life (no maintenance / security fixes since April 2026). Migrate the web-ui to a maintained PKI stack built on the browser's native Web Crypto API.

What changed

• Dependencies (web-ui/package.json): removed jsrsasign; added pkijs, asn1js, pvutils.
• New helper module web-ui/src/utils/pkiHelpers.js: centralizes PEM ↔ DER conversion, OID → friendly-name maps, RDN/DN rendering, SAN and KeyUsage decoding, fingerprint hashing, and Web Crypto key import (PKCS#8, PKCS#1 RSA, SEC1 EC).
• Rewritten web-ui/src/utils/certificateUtils.js: parseCertificate and parseCertificateChainFromPem are now async; base64ToPem / base64ToPrivateKeyPem are now idempotent (won't re-wrap input that is already PEM).
• Rewritten web-ui/src/utils/verificationUtils.js: validateCertificateChain uses pkijs Certificate.verify(issuer) plus subject/issuer matching; validatePrivateKey is a Web Crypto sign + verify round-trip against the certificate's public key; getFingerprint and verifyCertificate are async.
• Call sites updated to await the new async helpers: CertificateDetailsDialog.jsx, ImportCertificateChainDialogContent.jsx, useCertificateImport.js.
• Docs: appended a section to web-ui/specs.md documenting the migration, the lenient PEM contract, the async API, and the DSA decision.

Behavioral changes worth calling out

• DSA private keys are no longer accepted. Web Crypto does not implement DSA and no current flow uses it. RSA and ECDSA remain fully supported.
• PEM parsing is more permissive than before. pemToDer strips every -----BEGIN/END …----- marker line, and the base64ToPem helpers no longer re-wrap input that already contains -----BEGIN . This was needed because the backend returns full PEM strings, and jsrsasign silently tolerated double-wrapped input while the strict pkijs parser did not — without this, the Certificate Details dialog reported "Invalid certificate. Make sure the file is a .pem." for valid backend certificates.
• All previously synchronous certificate APIs are now async; consumers must await.

Test plan

• Open Certificate Details on an existing certificate from the backend → dialog renders with correct subject, issuer, validity, fingerprint, key info, and extensions.
• Click Verify Certificate without a private key → result is "Valid" for a good cert.
• Click Verify Certificate for a certificate that has a stored private key → match succeeds.
• Import a single PEM certificate (RSA) → succeeds; details preview is correct.
• Import a single PEM certificate (EC) → succeeds; details preview is correct.
• Import a certificate chain (leaf + intermediate + root) → all entries parsed and validated.
• Import a malformed / non-PEM file → friendly error, no crash.
• Import a DSA private key → rejected with a clear error.
• Import an RSA private key that does not match the certificate → rejected.
• npm run build succeeds; npm run lint shows no new errors introduced by this change.
• Bundle size is comparable to the previous jsrsasign-based build.