bluecrypt-keypairs.js/lib/keypairs.js

/*global Promise*/
(function (exports) {
'use strict';

var Keypairs = exports.Keypairs = {};
var Rasha = exports.Rasha;
var Eckles = exports.Eckles;
var Enc = exports.Enc || {};

Keypairs._stance = "We take the stance that if you're knowledgeable enough to"
  + " properly and securely use non-standard crypto then you shouldn't need Bluecrypt anyway.";
Keypairs._universal = "Bluecrypt only supports crypto with standard cross-browser and cross-platform support.";
Keypairs.generate = function (opts) {
  opts = opts || {};
  var p;
  if (!opts.kty) { opts.kty = opts.type; }
  if (!opts.kty) { opts.kty = 'EC'; }
  if (/^EC/i.test(opts.kty)) {
    p = Eckles.generate(opts);
  } else if (/^RSA$/i.test(opts.kty)) {
    p = Rasha.generate(opts);
  } else {
    return Promise.Reject(new Error("'" + opts.kty + "' is not a well-supported key type."
      + Keypairs._universal
      + " Please choose 'EC', or 'RSA' if you have good reason to."));
  }
  return p.then(function (pair) {
    return Keypairs.thumbprint({ jwk: pair.public }).then(function (thumb) {
      pair.private.kid = thumb; // maybe not the same id on the private key?
      pair.public.kid = thumb;
      return pair;
    });
  });
};

Keypairs.export = function (opts) {
  return Eckles.export(opts).catch(function (err) {
    return Rasha.export(opts).catch(function () {
      return Promise.reject(err);
    });
  });
};


/**
 * Chopping off the private parts is now part of the public API.
 * I thought it sounded a little too crude at first, but it really is the best name in every possible way.
 */
Keypairs.neuter = function (opts) {
  /** trying to find the best balance of an immutable copy with custom attributes */
  var jwk = {};
  Object.keys(opts.jwk).forEach(function (k) {
    if ('undefined' === typeof opts.jwk[k]) { return; }
    // ignore RSA and EC private parts
    if (-1 !== ['d', 'p', 'q', 'dp', 'dq', 'qi'].indexOf(k)) { return; }
    jwk[k] = JSON.parse(JSON.stringify(opts.jwk[k]));
  });
  return jwk;
};

Keypairs.thumbprint = function (opts) {
  return Promise.resolve().then(function () {
    if (/EC/i.test(opts.jwk.kty)) {
      return Eckles.thumbprint(opts);
    } else {
      return Rasha.thumbprint(opts);
    }
  });
};

Keypairs.publish = function (opts) {
  if ('object' !== typeof opts.jwk || !opts.jwk.kty) { throw new Error("invalid jwk: " + JSON.stringify(opts.jwk)); }

  /** returns a copy */
  var jwk = Keypairs.neuter(opts);

  if (jwk.exp) {
    jwk.exp = setTime(jwk.exp);
  } else {
    if (opts.exp) { jwk.exp = setTime(opts.exp); }
    else if (opts.expiresIn) { jwk.exp = Math.round(Date.now()/1000) + opts.expiresIn; }
    else if (opts.expiresAt) { jwk.exp = opts.expiresAt; }
  }
  if (!jwk.use && false !== jwk.use) { jwk.use = "sig"; }

  if (jwk.kid) { return Promise.resolve(jwk); }
  return Keypairs.thumbprint({ jwk: jwk }).then(function (thumb) { jwk.kid = thumb; return jwk; });
};

// JWT a.k.a. JWS with Claims using Compact Serialization
Keypairs.signJwt = function (opts) {
  return Keypairs.thumbprint({ jwk: opts.jwk }).then(function (thumb) {
    var header = opts.header || {};
    var claims = JSON.parse(JSON.stringify(opts.claims || {}));
    header.typ = 'JWT';

    if (!header.kid) { header.kid = thumb; }
    if (!header.alg && opts.alg) { header.alg = opts.alg; }
    if (!claims.iat && (false === claims.iat || false === opts.iat)) {
      claims.iat = undefined;
    } else if (!claims.iat) {
      claims.iat = Math.round(Date.now()/1000);
    }

    if (opts.exp) {
      claims.exp = setTime(opts.exp);
    } else if (!claims.exp && (false === claims.exp || false === opts.exp)) {
      claims.exp = undefined;
    } else if (!claims.exp) {
      throw new Error("opts.claims.exp should be the expiration date as seconds, human form (i.e. '1h' or '15m') or false");
    }

    if (opts.iss) { claims.iss = opts.iss; }
    if (!claims.iss && (false === claims.iss || false === opts.iss)) {
      claims.iss = undefined;
    } else if (!claims.iss) {
      throw new Error("opts.claims.iss should be in the form of https://example.com/, a secure OIDC base url");
    }

    return Keypairs.signJws({
      jwk: opts.jwk
    , pem: opts.pem
    , protected: header
    , header: undefined
    , payload: claims
    }).then(function (jws) {
      return [ jws.protected, jws.payload, jws.signature ].join('.');
    });
  });
};

Keypairs.signJws = function (opts) {
  return Keypairs.thumbprint(opts).then(function (thumb) {

    function alg() {
      if (!opts.jwk) {
        throw new Error("opts.jwk must exist and must declare 'typ'");
      }
      if (opts.jwk.alg) { return opts.jwk.alg; }
      var typ = ('RSA' === opts.jwk.kty) ? "RS" : "ES";
      return typ + Keypairs._getBits(opts);
    }

    function sign() {
      var protect = opts.protected;
      var payload = opts.payload;

      // Compute JWS signature
      var protectedHeader = "";
      // Because unprotected headers are allowed, regrettably...
      // https://stackoverflow.com/a/46288694
      if (false !== protect) {
        if (!protect) { protect = {}; }
        if (!protect.alg) { protect.alg = alg(); }
        // There's a particular request where ACME / Let's Encrypt explicitly doesn't use a kid
        if (false === protect.kid) { protect.kid = undefined; }
        else if (!protect.kid) { protect.kid = thumb; }
        protectedHeader = JSON.stringify(protect);
      }

      // Not sure how to handle the empty case since ACME POST-as-GET must be empty
      //if (!payload) {
      //  throw new Error("opts.payload should be JSON, string, or ArrayBuffer (it may be empty, but that must be explicit)");
      //}
      // Trying to detect if it's a plain object (not Buffer, ArrayBuffer, Array, Uint8Array, etc)
      if (payload && ('string' !== typeof payload)
        && ('undefined' === typeof payload.byteLength)
        && ('undefined' === typeof payload.buffer)
      ) {
        payload = JSON.stringify(payload);
      }
      // Converting to a buffer, even if it was just converted to a string
      if ('string' === typeof payload) {
        payload = Enc.binToBuf(payload);
      }

      // node specifies RSA-SHAxxx even when it's actually ecdsa (it's all encoded x509 shasums anyway)
      var protected64 = Enc.strToUrlBase64(protectedHeader);
      var payload64 = Enc.bufToUrlBase64(payload);
      var msg = protected64 + '.' + payload64;

      return Keypairs._sign(opts, msg).then(function (buf) {
        var signedMsg = {
          protected: protected64
        , payload: payload64
        , signature: Enc.bufToUrlBase64(buf)
        };

        return signedMsg;
      });
    }

    if (opts.jwk) {
      return sign();
    } else {
      return Keypairs.import({ pem: opts.pem }).then(function (pair) {
        opts.jwk = pair.private;
        return sign();
      });
    }
  });
};

Keypairs._sign = function (opts, payload) {
  return Keypairs._import(opts).then(function (privkey) {
    if ('string' === typeof payload) {
      payload = (new TextEncoder()).encode(payload);
    }
    return window.crypto.subtle.sign(
      { name: Keypairs._getName(opts)
      , hash: { name: 'SHA-' + Keypairs._getBits(opts) }
      }
    , privkey
    , payload
    ).then(function (signature) {
      signature = new Uint8Array(signature); // ArrayBuffer -> u8
      // This will come back into play for CSRs, but not for JOSE
      if ('EC' === opts.jwk.kty && /x509|asn1/i.test(opts.format)) {
        return Keypairs._ecdsaJoseSigToAsn1Sig(signature);
      } else {
        // jose/jws/jwt
        return signature;
      }
    });
  });
};
Keypairs._getBits = function (opts) {
  if (opts.alg) { return opts.alg.replace(/[a-z\-]/ig, ''); }
  // base64 len to byte len
  var len = Math.floor((opts.jwk.n||'').length * 0.75);

  // TODO this may be a bug
  // need to confirm that the padding is no more or less than 1 byte
  if (/521/.test(opts.jwk.crv) || len >= 511) {
    return '512';
  } else if (/384/.test(opts.jwk.crv) || len >= 383) {
    return '384';
  }

  return '256';
};
Keypairs._getName = function (opts) {
  if (/EC/i.test(opts.jwk.kty)) {
    return 'ECDSA';
  } else {
    return 'RSASSA-PKCS1-v1_5';
  }
};
Keypairs._import = function (opts) {
  return Promise.resolve().then(function () {
    var ops;
    // all private keys just happen to have a 'd'
    if (opts.jwk.d) {
      ops = [ 'sign' ];
    } else {
      ops = [ 'verify' ];
    }
    // gotta mark it as extractable, as if it matters
    opts.jwk.ext = true;
    opts.jwk.key_ops = ops;

    return window.crypto.subtle.importKey(
      "jwk"
    , opts.jwk
    , { name: Keypairs._getName(opts)
      , namedCurve: opts.jwk.crv
      , hash: { name: 'SHA-' + Keypairs._getBits(opts) } }
    , true
    , ops
    ).then(function (privkey) {
      delete opts.jwk.ext;
      return privkey;
    });
  });
};
// ECDSA JOSE / JWS / JWT signatures differ from "normal" ASN1/X509 ECDSA signatures
// https://tools.ietf.org/html/rfc7518#section-3.4
Keypairs._ecdsaJoseSigToAsn1Sig = function (bufsig) {
  // it's easier to do the manipulation in the browser with an array
  bufsig = Array.from(bufsig);
  var hlen = bufsig.length / 2; // should be even
  var r = bufsig.slice(0, hlen);
  var s = bufsig.slice(hlen);
  // unpad positive ints less than 32 bytes wide
  while (!r[0]) { r = r.slice(1); }
  while (!s[0]) { s = s.slice(1); }
  // pad (or re-pad) ambiguously non-negative BigInts, up to 33 bytes wide
  if (0x80 & r[0]) { r.unshift(0); }
  if (0x80 & s[0]) { s.unshift(0); }

  var len = 2 + r.length + 2 + s.length;
  var head = [0x30];
  // hard code 0x80 + 1 because it won't be longer than
  // two SHA512 plus two pad bytes (130 bytes <= 256)
  if (len >= 0x80) { head.push(0x81); }
  head.push(len);

  return Uint8Array.from(head.concat([0x02, r.length], r, [0x02, s.length], s));
};

function setTime(time) {
  if ('number' === typeof time) { return time; }

  var t = time.match(/^(\-?\d+)([dhms])$/i);
  if (!t || !t[0]) {
    throw new Error("'" + time + "' should be datetime in seconds or human-readable format (i.e. 3d, 1h, 15m, 30s");
  }

  var now = Math.round(Date.now()/1000);
  var num = parseInt(t[1], 10);
  var unit = t[2];
  var mult = 1;
  switch(unit) {
    // fancy fallthrough, what fun!
    case 'd':
      mult *= 24;
      /*falls through*/
    case 'h':
      mult *= 60;
      /*falls through*/
    case 'm':
      mult *= 60;
      /*falls through*/
    case 's':
      mult *= 1;
  }

  return now + (mult * num);
}

Enc.hexToBuf = function (hex) {
  var arr = [];
  hex.match(/.{2}/g).forEach(function (h) {
    arr.push(parseInt(h, 16));
  });
  return 'undefined' !== typeof Uint8Array ? new Uint8Array(arr) : arr;
};
Enc.strToUrlBase64 = function (str) {
  return Enc.bufToUrlBase64(Enc.binToBuf(str));
};
Enc.binToBuf = function (bin) {
  var arr = bin.split('').map(function (ch) {
    return ch.charCodeAt(0);
  });
  return 'undefined' !== typeof Uint8Array ? new Uint8Array(arr) : arr;
};

}('undefined' !== typeof module ? module.exports : window));