acme.js/lib/ecdsa.js

/*global Promise*/
(function (exports) {
'use strict';

var EC = exports.Eckles = {};
var x509 = exports.x509;
if ('undefined' !== typeof module) { module.exports = EC; }
var PEM = exports.PEM;
var SSH = exports.SSH;
var Enc = {};
var textEncoder = new TextEncoder();

EC._stance = "We take the stance that if you're knowledgeable enough to"
  + " properly and securely use non-standard crypto then you shouldn't need Bluecrypt anyway.";
EC._universal = "Bluecrypt only supports crypto with standard cross-browser and cross-platform support.";
EC.generate = function (opts) {
  var wcOpts = {};
  if (!opts) { opts = {}; }
  if (!opts.kty) { opts.kty = 'EC'; }

  // ECDSA has only the P curves and an associated bitlength
  wcOpts.name = 'ECDSA';
  if (!opts.namedCurve) {
    opts.namedCurve = 'P-256';
  }
  wcOpts.namedCurve = opts.namedCurve; // true for supported curves
  if (/256/.test(wcOpts.namedCurve)) {
    wcOpts.namedCurve = 'P-256';
    wcOpts.hash = { name: "SHA-256" };
  } else if (/384/.test(wcOpts.namedCurve)) {
    wcOpts.namedCurve = 'P-384';
    wcOpts.hash = { name: "SHA-384" };
  } else {
    return Promise.Reject(new Error("'" + wcOpts.namedCurve + "' is not an NIST approved ECDSA namedCurve. "
      + " Please choose either 'P-256' or 'P-384'. "
      + EC._stance));
  }

  var extractable = true;
  return window.crypto.subtle.generateKey(
    wcOpts
  , extractable
  , [ 'sign', 'verify' ]
  ).then(function (result) {
    return window.crypto.subtle.exportKey(
      "jwk"
    , result.privateKey
    ).then(function (privJwk) {
      privJwk.key_ops = undefined;
      privJwk.ext = undefined;
      return {
        private: privJwk
      , public: EC.neuter({ jwk: privJwk })
      };
    });
  });
};

EC.export = function (opts) {
  return Promise.resolve().then(function () {
    if (!opts || !opts.jwk || 'object' !== typeof opts.jwk) {
      throw new Error("must pass { jwk: jwk } as a JSON object");
    }
    var jwk = JSON.parse(JSON.stringify(opts.jwk));
    var format = opts.format;
    if (opts.public || -1 !== [ 'spki', 'pkix', 'ssh', 'rfc4716' ].indexOf(format)) {
      jwk.d = null;
    }
    if ('EC' !== jwk.kty) {
      throw new Error("options.jwk.kty must be 'EC' for EC keys");
    }
    if (!jwk.d) {
      if (!format || -1 !== [ 'spki', 'pkix' ].indexOf(format)) {
        format = 'spki';
      } else if (-1 !== [ 'ssh', 'rfc4716' ].indexOf(format)) {
        format = 'ssh';
      } else {
        throw new Error("options.format must be 'spki' or 'ssh' for public EC keys, not ("
          + typeof format + ") " + format);
      }
    } else {
      if (!format || 'sec1' === format) {
        format = 'sec1';
      } else if ('pkcs8' !== format) {
        throw new Error("options.format must be 'sec1' or 'pkcs8' for private EC keys, not '" + format + "'");
      }
    }
    if (-1 === [ 'P-256', 'P-384' ].indexOf(jwk.crv)) {
      throw new Error("options.jwk.crv must be either P-256 or P-384 for EC keys, not '" + jwk.crv + "'");
    }
    if (!jwk.y) {
      throw new Error("options.jwk.y must be a urlsafe base64-encoded either P-256 or P-384");
    }

    if ('sec1' === format) {
      return PEM.packBlock({ type: "EC PRIVATE KEY", bytes: x509.packSec1(jwk) });
    } else if ('pkcs8' === format) {
      return PEM.packBlock({ type: "PRIVATE KEY", bytes: x509.packPkcs8(jwk) });
    } else if (-1 !== [ 'spki', 'pkix' ].indexOf(format)) {
      return PEM.packBlock({ type: "PUBLIC KEY", bytes: x509.packSpki(jwk) });
    } else if (-1 !== [ 'ssh', 'rfc4716' ].indexOf(format)) {
      return SSH.packSsh(jwk);
    } else {
      throw new Error("Sanity Error: reached unreachable code block with format: " + format);
    }
  });
};
EC.pack = function (opts) {
  return Promise.resolve().then(function () {
    return EC.exportSync(opts);
  });
};

// Chopping off the private parts is now part of the public API.
// I thought it sounded a little too crude at first, but it really is the best name in every possible way.
EC.neuter = function (opts) {
  // trying to find the best balance of an immutable copy with custom attributes
  var jwk = {};
  Object.keys(opts.jwk).forEach(function (k) {
    if ('undefined' === typeof opts.jwk[k]) { return; }
    // ignore EC private parts
    if ('d' === k) { return; }
    jwk[k] = JSON.parse(JSON.stringify(opts.jwk[k]));
  });
  return jwk;
};

// https://stackoverflow.com/questions/42588786/how-to-fingerprint-a-jwk
EC.__thumbprint = function (jwk) {
  // Use the same entropy for SHA as for key
  var alg = 'SHA-256';
  if (/384/.test(jwk.crv)) {
    alg = 'SHA-384';
  }
  return window.crypto.subtle.digest(
    { name: alg }
  , textEncoder.encode('{"crv":"' + jwk.crv + '","kty":"EC","x":"' + jwk.x + '","y":"' + jwk.y + '"}')
  ).then(function (hash) {
    return Enc.bufToUrlBase64(new Uint8Array(hash));
  });
};

EC.thumbprint = function (opts) {
  return Promise.resolve().then(function () {
    var jwk;
    if ('EC' === opts.kty) {
      jwk = opts;
    } else if (opts.jwk) {
      jwk = opts.jwk;
    } else {
      return EC.import(opts).then(function (jwk) {
        return EC.__thumbprint(jwk);
      });
    }
    return EC.__thumbprint(jwk);
  });
};

Enc.bufToUrlBase64 = function (u8) {
  return Enc.bufToBase64(u8)
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
};

Enc.bufToBase64 = function (u8) {
  var bin = '';
  u8.forEach(function (i) {
    bin += String.fromCharCode(i);
  });
  return btoa(bin);
};

}('undefined' !== typeof module ? module.exports : window));
making headway 2019-04-18 01:56:32 -06:00			`/global Promise/`
			`(function (exports) {`
			`'use strict';`

			`var EC = exports.Eckles = {};`
display all ASN.1/x509 formats 2019-04-27 00:34:49 -06:00			`var x509 = exports.x509;`
making headway 2019-04-18 01:56:32 -06:00			`if ('undefined' !== typeof module) { module.exports = EC; }`
display all ASN.1/x509 formats 2019-04-27 00:34:49 -06:00			`var PEM = exports.PEM;`
			`var SSH = exports.SSH;`
making headway 2019-04-18 01:56:32 -06:00			`var Enc = {};`
			`var textEncoder = new TextEncoder();`

			`EC._stance = "We take the stance that if you're knowledgeable enough to"`
			`+ " properly and securely use non-standard crypto then you shouldn't need Bluecrypt anyway.";`
			`EC._universal = "Bluecrypt only supports crypto with standard cross-browser and cross-platform support.";`
			`EC.generate = function (opts) {`
			`var wcOpts = {};`
			`if (!opts) { opts = {}; }`
			`if (!opts.kty) { opts.kty = 'EC'; }`

			`// ECDSA has only the P curves and an associated bitlength`
			`wcOpts.name = 'ECDSA';`
			`if (!opts.namedCurve) {`
			`opts.namedCurve = 'P-256';`
			`}`
			`wcOpts.namedCurve = opts.namedCurve; // true for supported curves`
			`if (/256/.test(wcOpts.namedCurve)) {`
			`wcOpts.namedCurve = 'P-256';`
			`wcOpts.hash = { name: "SHA-256" };`
			`} else if (/384/.test(wcOpts.namedCurve)) {`
			`wcOpts.namedCurve = 'P-384';`
			`wcOpts.hash = { name: "SHA-384" };`
			`} else {`
			`return Promise.Reject(new Error("'" + wcOpts.namedCurve + "' is not an NIST approved ECDSA namedCurve. "`
			`+ " Please choose either 'P-256' or 'P-384'. "`
			`+ EC._stance));`
			`}`
display all ASN.1/x509 formats 2019-04-27 00:34:49 -06:00
making headway 2019-04-18 01:56:32 -06:00			`var extractable = true;`
			`return window.crypto.subtle.generateKey(`
			`wcOpts`
			`, extractable`
			`, [ 'sign', 'verify' ]`
			`).then(function (result) {`
			`return window.crypto.subtle.exportKey(`
			`"jwk"`
			`, result.privateKey`
			`).then(function (privJwk) {`
Can register new ECDSA or RSA account, huzzah! 2019-04-28 02:11:33 -06:00			`privJwk.key_ops = undefined;`
			`privJwk.ext = undefined;`
making headway 2019-04-18 01:56:32 -06:00			`return {`
			`private: privJwk`
			`, public: EC.neuter({ jwk: privJwk })`
			`};`
			`});`
			`});`
			`};`

working pem generation 2019-04-27 00:02:57 -04:00			`EC.export = function (opts) {`
display all ASN.1/x509 formats 2019-04-27 00:34:49 -06:00			`return Promise.resolve().then(function () {`
			`if (!opts \|\| !opts.jwk \|\| 'object' !== typeof opts.jwk) {`
			`throw new Error("must pass { jwk: jwk } as a JSON object");`
			`}`
			`var jwk = JSON.parse(JSON.stringify(opts.jwk));`
			`var format = opts.format;`
			`if (opts.public \|\| -1 !== [ 'spki', 'pkix', 'ssh', 'rfc4716' ].indexOf(format)) {`
			`jwk.d = null;`
			`}`
			`if ('EC' !== jwk.kty) {`
			`throw new Error("options.jwk.kty must be 'EC' for EC keys");`
			`}`
			`if (!jwk.d) {`
			`if (!format \|\| -1 !== [ 'spki', 'pkix' ].indexOf(format)) {`
			`format = 'spki';`
			`} else if (-1 !== [ 'ssh', 'rfc4716' ].indexOf(format)) {`
			`format = 'ssh';`
			`} else {`
			`throw new Error("options.format must be 'spki' or 'ssh' for public EC keys, not ("`
			`+ typeof format + ") " + format);`
			`}`
working pem generation 2019-04-27 00:02:57 -04:00			`} else {`
display all ASN.1/x509 formats 2019-04-27 00:34:49 -06:00			`if (!format \|\| 'sec1' === format) {`
			`format = 'sec1';`
			`} else if ('pkcs8' !== format) {`
			`throw new Error("options.format must be 'sec1' or 'pkcs8' for private EC keys, not '" + format + "'");`
			`}`
working pem generation 2019-04-27 00:02:57 -04:00			`}`
display all ASN.1/x509 formats 2019-04-27 00:34:49 -06:00			`if (-1 === [ 'P-256', 'P-384' ].indexOf(jwk.crv)) {`
			`throw new Error("options.jwk.crv must be either P-256 or P-384 for EC keys, not '" + jwk.crv + "'");`
			`}`
			`if (!jwk.y) {`
			`throw new Error("options.jwk.y must be a urlsafe base64-encoded either P-256 or P-384");`
working pem generation 2019-04-27 00:02:57 -04:00			`}`

display all ASN.1/x509 formats 2019-04-27 00:34:49 -06:00			`if ('sec1' === format) {`
			`return PEM.packBlock({ type: "EC PRIVATE KEY", bytes: x509.packSec1(jwk) });`
			`} else if ('pkcs8' === format) {`
			`return PEM.packBlock({ type: "PRIVATE KEY", bytes: x509.packPkcs8(jwk) });`
			`} else if (-1 !== [ 'spki', 'pkix' ].indexOf(format)) {`
			`return PEM.packBlock({ type: "PUBLIC KEY", bytes: x509.packSpki(jwk) });`
			`} else if (-1 !== [ 'ssh', 'rfc4716' ].indexOf(format)) {`
			`return SSH.packSsh(jwk);`
			`} else {`
			`throw new Error("Sanity Error: reached unreachable code block with format: " + format);`
			`}`
			`});`
working pem generation 2019-04-27 00:02:57 -04:00			`};`
			`EC.pack = function (opts) {`
			`return Promise.resolve().then(function () {`
			`return EC.exportSync(opts);`
			`});`
			`};`

making headway 2019-04-18 01:56:32 -06:00			`// Chopping off the private parts is now part of the public API.`
			`// I thought it sounded a little too crude at first, but it really is the best name in every possible way.`
			`EC.neuter = function (opts) {`
			`// trying to find the best balance of an immutable copy with custom attributes`
			`var jwk = {};`
			`Object.keys(opts.jwk).forEach(function (k) {`
			`if ('undefined' === typeof opts.jwk[k]) { return; }`
			`// ignore EC private parts`
			`if ('d' === k) { return; }`
			`jwk[k] = JSON.parse(JSON.stringify(opts.jwk[k]));`
			`});`
			`return jwk;`
			`};`

			`// https://stackoverflow.com/questions/42588786/how-to-fingerprint-a-jwk`
			`EC.__thumbprint = function (jwk) {`
			`// Use the same entropy for SHA as for key`
			`var alg = 'SHA-256';`
			`if (/384/.test(jwk.crv)) {`
			`alg = 'SHA-384';`
			`}`
			`return window.crypto.subtle.digest(`
			`{ name: alg }`
			`, textEncoder.encode('{"crv":"' + jwk.crv + '","kty":"EC","x":"' + jwk.x + '","y":"' + jwk.y + '"}')`
			`).then(function (hash) {`
			`return Enc.bufToUrlBase64(new Uint8Array(hash));`
			`});`
			`};`

			`EC.thumbprint = function (opts) {`
			`return Promise.resolve().then(function () {`
			`var jwk;`
			`if ('EC' === opts.kty) {`
			`jwk = opts;`
			`} else if (opts.jwk) {`
			`jwk = opts.jwk;`
			`} else {`
			`return EC.import(opts).then(function (jwk) {`
			`return EC.__thumbprint(jwk);`
			`});`
			`}`
			`return EC.__thumbprint(jwk);`
			`});`
			`};`

			`Enc.bufToUrlBase64 = function (u8) {`
			`return Enc.bufToBase64(u8)`
			`.replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');`
			`};`

			`Enc.bufToBase64 = function (u8) {`
			`var bin = '';`
			`u8.forEach(function (i) {`
			`bin += String.fromCharCode(i);`
			`});`
			`return btoa(bin);`
			`};`

			`}('undefined' !== typeof module ? module.exports : window));`