From c88b0866142867e117898b8763dd9f4ad0d0cfde Mon Sep 17 00:00:00 2001 From: microshine Date: Sun, 25 Aug 2019 02:12:05 +0300 Subject: [PATCH] RSA: Support RSA-PKCS1 mechanism --- README.md | 1 + src/mechs/rsa/crypto.ts | 2 +- src/mechs/rsa/helper.ts | 2 + src/mechs/rsa/index.ts | 1 + src/mechs/rsa/rsa_pkcs1.ts | 134 +++++++++++++++++++++++++++++++++++++ src/subtle.ts | 3 +- test/rsa.ts | 108 ++++++++++++++++++++++++++++++ 7 files changed, 249 insertions(+), 2 deletions(-) create mode 100644 src/mechs/rsa/rsa_pkcs1.ts diff --git a/README.md b/README.md index bf35c63..dd8b40f 100644 --- a/README.md +++ b/README.md @@ -39,6 +39,7 @@ npm install @peculiar/webcrypto | HMAC | X | | X | X | | | | | RSASSA-PKCS1-v1_5 | X | | X | X | | | | | RSA-PSS | X | | X | X | | | | +| RSA-PKCS12| X | | X | X | X | X | | | RSA-OAEP | X | | X | | X | X | | | AES-CMAC | X | | X | X | | | | | AES-CBC | X | | X | | X | X | | diff --git a/src/mechs/rsa/crypto.ts b/src/mechs/rsa/crypto.ts index 137118c..1ebc2bb 100644 --- a/src/mechs/rsa/crypto.ts +++ b/src/mechs/rsa/crypto.ts @@ -19,7 +19,7 @@ export class RsaCrypto { public static publicKeyUsages = ["verify", "encrypt", "wrapKey"]; public static privateKeyUsages = ["sign", "decrypt", "unwrapKey"]; - public static async generateKey(algorithm: RsaHashedKeyGenParams, extractable: boolean, keyUsages: string[]): Promise { + public static async generateKey(algorithm: RsaHashedKeyGenParams | RsaKeyGenParams, extractable: boolean, keyUsages: string[]): Promise { const privateKey = new RsaPrivateKey(); privateKey.algorithm = algorithm as RsaHashedKeyAlgorithm; privateKey.extractable = extractable; diff --git a/src/mechs/rsa/helper.ts b/src/mechs/rsa/helper.ts index dff4d5f..5b374f2 100644 --- a/src/mechs/rsa/helper.ts +++ b/src/mechs/rsa/helper.ts @@ -9,6 +9,8 @@ export function getJwkAlgorithm(algorithm: RsaHashedKeyAlgorithm) { return `RS${/(\d+)$/.exec(algorithm.hash.name)![1]}`; case "RSA-PSS": return `PS${/(\d+)$/.exec(algorithm.hash.name)![1]}`; + case "RSA-PKCS1": + return `RS1`; default: throw new core.OperationError("algorithm: Is not recognized"); } diff --git a/src/mechs/rsa/index.ts b/src/mechs/rsa/index.ts index b077c10..7d805ce 100644 --- a/src/mechs/rsa/index.ts +++ b/src/mechs/rsa/index.ts @@ -3,3 +3,4 @@ export * from "./public_key"; export * from "./rsa_ssa"; export * from "./rsa_pss"; export * from "./rsa_oaep"; +export * from "./rsa_pkcs1"; diff --git a/src/mechs/rsa/rsa_pkcs1.ts b/src/mechs/rsa/rsa_pkcs1.ts new file mode 100644 index 0000000..6f86d96 --- /dev/null +++ b/src/mechs/rsa/rsa_pkcs1.ts @@ -0,0 +1,134 @@ +import * as crypto from "crypto"; +import { Convert } from "pvtsutils"; +import * as core from "webcrypto-core"; +import { CryptoKey } from "../../keys"; +import { RsaCrypto } from "./crypto"; +import { RsaPrivateKey } from "./private_key"; +import { RsaPublicKey } from "./public_key"; + +export type RsaPkcs1Params = Algorithm; +export type RsaPkcs1SignParams = core.HashedAlgorithm; + +export class RsaPkcs1Provider extends core.ProviderCrypto { + + public name = "RSA-PKCS1"; + public usages = { + publicKey: ["encrypt", "wrapKey", "verify"] as core.KeyUsages, + privateKey: ["decrypt", "unwrapKey", "sign"] as core.KeyUsages, + }; + public hashAlgorithms = ["SHA-1", "SHA-256", "SHA-384", "SHA-512"]; + + public async onGenerateKey(algorithm: RsaKeyGenParams, extractable: boolean, keyUsages: KeyUsage[]): Promise { + const key = await RsaCrypto.generateKey( + { + ...algorithm, + name: this.name, + }, + extractable, + keyUsages); + + return key; + } + + public checkGenerateKeyParams(algorithm: RsaKeyGenParams) { + // public exponent + this.checkRequiredProperty(algorithm, "publicExponent"); + if (!(algorithm.publicExponent && algorithm.publicExponent instanceof Uint8Array)) { + throw new TypeError("publicExponent: Missing or not a Uint8Array"); + } + const publicExponent = Convert.ToBase64(algorithm.publicExponent); + if (!(publicExponent === "Aw==" || publicExponent === "AQAB")) { + throw new TypeError("publicExponent: Must be [3] or [1,0,1]"); + } + + // modulus length + this.checkRequiredProperty(algorithm, "modulusLength"); + switch (algorithm.modulusLength) { + case 1024: + case 2048: + case 4096: + break; + default: + throw new TypeError("modulusLength: Must be 1024, 2048, or 4096"); + } + } + + public async onSign(algorithm: RsaPkcs1SignParams, key: RsaPrivateKey, data: ArrayBuffer): Promise { + const signature = crypto + .createSign((algorithm.hash as Algorithm).name.replace("-", "")) + .update(Buffer.from(data)) + .sign(this.toCryptoOptions(key) as any); + return new Uint8Array(signature).buffer; + } + + public checkSign(algorithm: RsaPkcs1SignParams, key: CryptoKey, data: ArrayBuffer) { + this.checkAlgorithmName(algorithm); + this.checkAlgorithmSignParams(algorithm); + this.checkCryptoKey(key, "sign"); + } + + public checkAlgorithmSignParams(algorithm: RsaPkcs1SignParams) { + this.checkRequiredProperty(algorithm, "hash"); + this.checkHashAlgorithm(algorithm.hash as Algorithm, this.hashAlgorithms); + } + + public async onVerify(algorithm: RsaPkcs1SignParams, key: RsaPublicKey, signature: ArrayBuffer, data: ArrayBuffer): Promise { + const ok = crypto + .createVerify((algorithm.hash as Algorithm).name.replace("-", "")) + .update(Buffer.from(data)) + .verify(this.toCryptoOptions(key) as any, Buffer.from(signature)); + return ok; + } + + public checkVerify(algorithm: RsaPkcs1SignParams, key: CryptoKey, signature: ArrayBuffer, data: ArrayBuffer) { + this.checkAlgorithmName(algorithm); + this.checkAlgorithmSignParams(algorithm); + this.checkCryptoKey(key, "verify"); + } + + public async onEncrypt(algorithm: RsaPkcs1Params, key: RsaPublicKey, data: ArrayBuffer): Promise { + const options = this.toCryptoOptions(key); + const enc = crypto.publicEncrypt(options, new Uint8Array(data)); + return new Uint8Array(enc).buffer; + } + + public async onDecrypt(algorithm: RsaPkcs1Params, key: RsaPrivateKey, data: ArrayBuffer): Promise { + const options = this.toCryptoOptions(key); + const dec = crypto.privateDecrypt(options, new Uint8Array(data)); + return new Uint8Array(dec).buffer; + } + + public async onExportKey(format: KeyFormat, key: CryptoKey): Promise { + return RsaCrypto.exportKey(format, key); + } + + public async onImportKey(format: KeyFormat, keyData: JsonWebKey | ArrayBuffer, algorithm: RsaHashedImportParams, extractable: boolean, keyUsages: KeyUsage[]): Promise { + const key = await RsaCrypto.importKey(format, keyData, { ...algorithm, name: this.name }, extractable, keyUsages); + return key; + } + + public checkCryptoKey(key: CryptoKey, keyUsage?: KeyUsage) { + super.checkCryptoKey(key, keyUsage); + if (!(key instanceof RsaPrivateKey || key instanceof RsaPublicKey)) { + throw new TypeError("key: Is not RSA CryptoKey"); + } + } + + private toCryptoOptions(key: RsaPrivateKey): crypto.RsaPrivateKey; + private toCryptoOptions(key: RsaPublicKey): crypto.RsaPublicKey; + private toCryptoOptions(key: RsaPrivateKey | RsaPublicKey) { + const type = key.type.toUpperCase(); + return { + key: `-----BEGIN ${type} KEY-----\n${key.data.toString("base64")}\n-----END ${type} KEY-----`, + // @ts-ignore + padding: crypto.constants.RSA_PKCS1_PADDING, + }; + } + + private prepareSignData(algorithm: RsaPkcs1SignParams, data: ArrayBuffer) { + return crypto + .createHash((algorithm.hash as Algorithm).name.replace("-", "")) + .update(Buffer.from(data)) + .digest(); + } +} diff --git a/src/subtle.ts b/src/subtle.ts index 53428ee..79ab90d 100644 --- a/src/subtle.ts +++ b/src/subtle.ts @@ -6,7 +6,7 @@ import { EcdsaProvider, HkdfProvider, HmacProvider, Pbkdf2Provider, - RsaOaepProvider, RsaPssProvider, RsaSsaProvider, + RsaOaepProvider, RsaPkcs1Provider, RsaPssProvider, RsaSsaProvider, Sha1Provider, Sha256Provider, Sha384Provider, Sha512Provider, } from "./mechs"; @@ -31,6 +31,7 @@ export class SubtleCrypto extends core.SubtleCrypto { this.providers.set(new RsaSsaProvider()); this.providers.set(new RsaPssProvider()); this.providers.set(new RsaOaepProvider()); + this.providers.set(new RsaPkcs1Provider()); //#endregion //#region EC diff --git a/test/rsa.ts b/test/rsa.ts index f714312..37910e9 100644 --- a/test/rsa.ts +++ b/test/rsa.ts @@ -300,6 +300,114 @@ context("RSA", () => { ], }, }, + // RSA-PKCS1 + { + name: "RSA-PKCS1", + actions: { + generateKey: [ + { + algorithm: { + name: "RSA-PKCS1", + publicExponent: new Uint8Array([1, 0, 1]), + modulusLength: 1024, + } as RsaKeyGenParams, + extractable: false, + keyUsages: ["encrypt", "decrypt"], + } as ITestGenerateKeyAction, + ], + encrypt: [ + { + algorithm: { + name: "RSA-PKCS1", + } as Algorithm, + data: Convert.FromHex("01435e62ad3ec4850720e34f8cab620e203749f2315b203d"), + encData: Convert.FromHex("76e5ea6e1df52471454f790923f60e2baa7adf5017fe0a36c0af3e32f6390d570e1d592375ba6035fdf4ffa70764b797ab54d0ab1efe89cf31d7fc98240a4d08c2476b7eb4c2d92355b8bf60e3897c3fcbfe09f20c7b159d9a9c4a6b2ce5021dd313e492afa762c24930f97f03a429f7b2b1e1d6088651d60e323835807c6fefe7952f74e5da29e8e327ea46e69a0a6684272f022bf18ec602ffcd10a62666b35a51ec7c7d101096f663ddfa0924a86bdbcde0433b4f71dc42bfd9facf329558026f8667f1a71c3365e09843a12339d8aaf31987b0d800e53fd0835e990096cb145e278153faf1188cd5713c6fcd289cb77d80515e1d200139b8ccac4d3bcebc"), + key: { + publicKey: { + format: "jwk" as KeyFormat, + algorithm: { name: "RSA-PKCS1" } as Algorithm, + data: { + alg: "RS1", + e: "AQAB", + ext: true, + key_ops: ["encrypt"], + kty: "RSA", + n: "xr8ELXq5dGFycys8jrc8vVPkWl2GzuRgyOxATtjcNIy5MD7j1XVsUH62VVdIVUUGt0IQ7K288ij3gkIPcIkRO6GmV0vbQAqHrjSHYUAtKQXbIgNRIuJGZvO5AXsxSo1X-tfhOxe140pseOkaehz1bGduhdcYWNR3xLmp7i-GQTRDo-v6CQXtFvSUwG_EIOXnl1trN2Q1Yw4wA1dbtY9FDz69uH-dEWTx7BFCAXVTQMjNe7BTvgGeQcX7XZIw5e2pd0pXjdIgb0xMgziwmc5bbABrGlhK7TmKqA47RlWzY_Lcj7VcTUfMfh7YKKichGTUbqxlgsRTma_e-0-vgDEz6w", + }, + extractable: true, + keyUsages: ["encrypt"] as KeyUsage[], + }, + privateKey: { + format: "jwk" as KeyFormat, + algorithm: { name: "RSA-PKCS1"} as Algorithm, + data: { + kty: "RSA", + alg: "RS1", + key_ops: ["decrypt"], + ext: true, + n: "xr8ELXq5dGFycys8jrc8vVPkWl2GzuRgyOxATtjcNIy5MD7j1XVsUH62VVdIVUUGt0IQ7K288ij3gkIPcIkRO6GmV0vbQAqHrjSHYUAtKQXbIgNRIuJGZvO5AXsxSo1X-tfhOxe140pseOkaehz1bGduhdcYWNR3xLmp7i-GQTRDo-v6CQXtFvSUwG_EIOXnl1trN2Q1Yw4wA1dbtY9FDz69uH-dEWTx7BFCAXVTQMjNe7BTvgGeQcX7XZIw5e2pd0pXjdIgb0xMgziwmc5bbABrGlhK7TmKqA47RlWzY_Lcj7VcTUfMfh7YKKichGTUbqxlgsRTma_e-0-vgDEz6w", + e: "AQAB", + d: "kZ2IoQ3G7UcshMdL8kC85vadW7wktldLtkqqf1qSVIo6cOfTJCWJe5yrWPG_VIJjfkeQgOh2hHKRjcV67HfwwWEZr-IrPMu6R1_DRPSxYdohiNUnUEi7TlkJ1tT882OF74rWQeaIZIS13wzjUk7_XjKWHsfO1d6t9dwWbiYx1nj4syQCcUrvHIgVXCfL85Tyu3NHqpxOdbzRb2OLmkv5ciHFExm4ai98xAgsEXbNvZQeSOOfKNsiCb-NjBXLYrbaDIsakAEV75893JubfeD51UHn7dPT8M8MmKEvrTOKCscShf01scTDHfx_hiOXK3XG4tVx9l2YGEkt3xCedljocQ", + p: "_dWMJ57SECcBbOjPRCvT97ypDyw9ydvnSZXTsn9c7ScxvUxBk6-wuMtgsLI8OWkhZGDBLyVrn-I3RMAN-A5QI_adoGdK7fq5lFWmQYvb1u1xUaGEInVFsM3BW7RBBF8N7OzHwULEQLTXb4jkpgwyCynsX0OEbVVvVerqrcr7osM", + q: "yHEjuQe9TNo-leMrL6cu-yDPfA85M8xQuBM59Cwz06-ggBRi9EOpbV-CrejGUbVlE9QmKGqIBT8C3NVBQwybzlgUihgIpnVgkb01lLEf13ohQ_GWV1mS8ybznjMgaVtVF5Lva4WixIDlXbOu4svVQpkr-KRpKvEMUCTsX-Sxx7k", + dp: "jMP4TaCN7dczuyoAh1Wm3yQIvRlTyrXgtbYZCEwJRJsPwmKfmz87Sb-_hz3QmCXtFrVxbKvb23agH8hB9uY5GziQgXvG2eLJN7Gn2YGuEKrsxNBFbraKR1pTeH-l7r6oAlPtEwfrvdaMApZv9oWc2wQMyWev8NIIRCVar7Z5hfE", + dq: "wi2g3sJZp9cRpGEDWFHM2KnrdxLEZqK7W-f8T8h2mM9eXFXjmyDlRLivP0zuuv9QoUn3gVXa2cI2QrsxUwQm-Fop47Hux1uUpvs2qgqBf1yoV0r2Sz7Sdk442fxLnOVG5OSKno5Cpbz89q54cOvoeHEswN59p4UHWai7eRZzB7k", + qi: "k9hlEyvZCWj8Fvxrknj5WHgaLrSqaVku3PVod2wUJox3aZ8vUsGmmD27lfiWwVKNRmgxLiazY40pLPu07SEmlJgF8QjzDb33k5Pcn9wRuezcCi-53LBRK6-EptZ-UjEINBlM_Cx_WOuxs7P77pwcCo2NV76ilxP5PP_34SUZ0ts", + }, + extractable: true, + keyUsages: ["decrypt"] as KeyUsage[], + }, + }, + }, + ], + sign: [ + { + algorithm: { + name: "RSA-PKCS1", + hash: "SHA-256", + } as Algorithm, + data: Convert.FromUtf8String("12345678901234567890"), // SHA-1 hash + signature: Convert.FromHex("3538e16a7181ea028f2bdb3e295e24b701635607c32802a3f8dfb7489f8469ddbf2095d221cf9aaeb7274c45e7e7fc127cc67d01d0954bf71a2b6c7e18f3449cf09ddb1eb85aea687e36ac4747deeb896583992d66216298b3ef85b799afec281298da777aa2eb0dbd71d80c0258be01566dd37f99022e98c7e59b8fb0e619b3990a7d120e31ac15ec39643f8f4ae3dd9282cb2c68ff9c364eb9a2caa28053e8008d531ba6c559187ebafd931554b94bb630ab96e0abffa824a10791eef3716fe1853260331173d3a1b04e5cd644423985b90d73828a7d7091519e9821eb12f2eb7d86bf6569f06cc6526931018b1deaba4e8b2dd8d02f7bdd8c53cef4f04a93"), + key: { + publicKey: { + format: "jwk" as KeyFormat, + algorithm: { name: "RSA-PKCS1" } as Algorithm, + data: { + alg: "RS1", + e: "AQAB", + ext: true, + key_ops: ["verify"], + kty: "RSA", + n: "xr8ELXq5dGFycys8jrc8vVPkWl2GzuRgyOxATtjcNIy5MD7j1XVsUH62VVdIVUUGt0IQ7K288ij3gkIPcIkRO6GmV0vbQAqHrjSHYUAtKQXbIgNRIuJGZvO5AXsxSo1X-tfhOxe140pseOkaehz1bGduhdcYWNR3xLmp7i-GQTRDo-v6CQXtFvSUwG_EIOXnl1trN2Q1Yw4wA1dbtY9FDz69uH-dEWTx7BFCAXVTQMjNe7BTvgGeQcX7XZIw5e2pd0pXjdIgb0xMgziwmc5bbABrGlhK7TmKqA47RlWzY_Lcj7VcTUfMfh7YKKichGTUbqxlgsRTma_e-0-vgDEz6w", + }, + extractable: true, + keyUsages: ["verify"] as KeyUsage[], + }, + privateKey: { + format: "jwk" as KeyFormat, + algorithm: { name: "RSA-PKCS1"} as Algorithm, + data: { + kty: "RSA", + alg: "RS1", + key_ops: ["sign"], + ext: true, + n: "xr8ELXq5dGFycys8jrc8vVPkWl2GzuRgyOxATtjcNIy5MD7j1XVsUH62VVdIVUUGt0IQ7K288ij3gkIPcIkRO6GmV0vbQAqHrjSHYUAtKQXbIgNRIuJGZvO5AXsxSo1X-tfhOxe140pseOkaehz1bGduhdcYWNR3xLmp7i-GQTRDo-v6CQXtFvSUwG_EIOXnl1trN2Q1Yw4wA1dbtY9FDz69uH-dEWTx7BFCAXVTQMjNe7BTvgGeQcX7XZIw5e2pd0pXjdIgb0xMgziwmc5bbABrGlhK7TmKqA47RlWzY_Lcj7VcTUfMfh7YKKichGTUbqxlgsRTma_e-0-vgDEz6w", + e: "AQAB", + d: "kZ2IoQ3G7UcshMdL8kC85vadW7wktldLtkqqf1qSVIo6cOfTJCWJe5yrWPG_VIJjfkeQgOh2hHKRjcV67HfwwWEZr-IrPMu6R1_DRPSxYdohiNUnUEi7TlkJ1tT882OF74rWQeaIZIS13wzjUk7_XjKWHsfO1d6t9dwWbiYx1nj4syQCcUrvHIgVXCfL85Tyu3NHqpxOdbzRb2OLmkv5ciHFExm4ai98xAgsEXbNvZQeSOOfKNsiCb-NjBXLYrbaDIsakAEV75893JubfeD51UHn7dPT8M8MmKEvrTOKCscShf01scTDHfx_hiOXK3XG4tVx9l2YGEkt3xCedljocQ", + p: "_dWMJ57SECcBbOjPRCvT97ypDyw9ydvnSZXTsn9c7ScxvUxBk6-wuMtgsLI8OWkhZGDBLyVrn-I3RMAN-A5QI_adoGdK7fq5lFWmQYvb1u1xUaGEInVFsM3BW7RBBF8N7OzHwULEQLTXb4jkpgwyCynsX0OEbVVvVerqrcr7osM", + q: "yHEjuQe9TNo-leMrL6cu-yDPfA85M8xQuBM59Cwz06-ggBRi9EOpbV-CrejGUbVlE9QmKGqIBT8C3NVBQwybzlgUihgIpnVgkb01lLEf13ohQ_GWV1mS8ybznjMgaVtVF5Lva4WixIDlXbOu4svVQpkr-KRpKvEMUCTsX-Sxx7k", + dp: "jMP4TaCN7dczuyoAh1Wm3yQIvRlTyrXgtbYZCEwJRJsPwmKfmz87Sb-_hz3QmCXtFrVxbKvb23agH8hB9uY5GziQgXvG2eLJN7Gn2YGuEKrsxNBFbraKR1pTeH-l7r6oAlPtEwfrvdaMApZv9oWc2wQMyWev8NIIRCVar7Z5hfE", + dq: "wi2g3sJZp9cRpGEDWFHM2KnrdxLEZqK7W-f8T8h2mM9eXFXjmyDlRLivP0zuuv9QoUn3gVXa2cI2QrsxUwQm-Fop47Hux1uUpvs2qgqBf1yoV0r2Sz7Sdk442fxLnOVG5OSKno5Cpbz89q54cOvoeHEswN59p4UHWai7eRZzB7k", + qi: "k9hlEyvZCWj8Fvxrknj5WHgaLrSqaVku3PVod2wUJox3aZ8vUsGmmD27lfiWwVKNRmgxLiazY40pLPu07SEmlJgF8QjzDb33k5Pcn9wRuezcCi-53LBRK6-EptZ-UjEINBlM_Cx_WOuxs7P77pwcCo2NV76ilxP5PP_34SUZ0ts", + }, + extractable: true, + keyUsages: ["sign"] as KeyUsage[], + }, + }, + }, + ], + }, + }, ]); });