/*global Promise*/ (function(exports) { 'use strict'; var Keypairs = (exports.Keypairs = {}); var Rasha = exports.Rasha; var Eckles = exports.Eckles; var Enc = exports.Enc || {}; Keypairs._stance = "We take the stance that if you're knowledgeable enough to" + " properly and securely use non-standard crypto then you shouldn't need Bluecrypt anyway."; Keypairs._universal = 'Bluecrypt only supports crypto with standard cross-browser and cross-platform support.'; Keypairs.generate = function(opts) { opts = opts || {}; var p; if (!opts.kty) { opts.kty = opts.type; } if (!opts.kty) { opts.kty = 'EC'; } if (/^EC/i.test(opts.kty)) { p = Eckles.generate(opts); } else if (/^RSA$/i.test(opts.kty)) { p = Rasha.generate(opts); } else { return Promise.Reject( new Error( "'" + opts.kty + "' is not a well-supported key type." + Keypairs._universal + " Please choose 'EC', or 'RSA' if you have good reason to." ) ); } return p.then(function(pair) { return Keypairs.thumbprint({ jwk: pair.public }).then(function( thumb ) { pair.private.kid = thumb; // maybe not the same id on the private key? pair.public.kid = thumb; return pair; }); }); }; Keypairs.export = function(opts) { return Eckles.export(opts).catch(function(err) { return Rasha.export(opts).catch(function() { return Promise.reject(err); }); }); }; /** * Chopping off the private parts is now part of the public API. * I thought it sounded a little too crude at first, but it really is the best name in every possible way. */ Keypairs.neuter = function(opts) { /** trying to find the best balance of an immutable copy with custom attributes */ var jwk = {}; Object.keys(opts.jwk).forEach(function(k) { if ('undefined' === typeof opts.jwk[k]) { return; } // ignore RSA and EC private parts if (-1 !== ['d', 'p', 'q', 'dp', 'dq', 'qi'].indexOf(k)) { return; } jwk[k] = JSON.parse(JSON.stringify(opts.jwk[k])); }); return jwk; }; Keypairs.thumbprint = function(opts) { return Promise.resolve().then(function() { if (/EC/i.test(opts.jwk.kty)) { return Eckles.thumbprint(opts); } else { return Rasha.thumbprint(opts); } }); }; Keypairs.publish = function(opts) { if ('object' !== typeof opts.jwk || !opts.jwk.kty) { throw new Error('invalid jwk: ' + JSON.stringify(opts.jwk)); } /** returns a copy */ var jwk = Keypairs.neuter(opts); if (jwk.exp) { jwk.exp = setTime(jwk.exp); } else { if (opts.exp) { jwk.exp = setTime(opts.exp); } else if (opts.expiresIn) { jwk.exp = Math.round(Date.now() / 1000) + opts.expiresIn; } else if (opts.expiresAt) { jwk.exp = opts.expiresAt; } } if (!jwk.use && false !== jwk.use) { jwk.use = 'sig'; } if (jwk.kid) { return Promise.resolve(jwk); } return Keypairs.thumbprint({ jwk: jwk }).then(function(thumb) { jwk.kid = thumb; return jwk; }); }; // JWT a.k.a. JWS with Claims using Compact Serialization Keypairs.signJwt = function(opts) { return Keypairs.thumbprint({ jwk: opts.jwk }).then(function(thumb) { var header = opts.header || {}; var claims = JSON.parse(JSON.stringify(opts.claims || {})); header.typ = 'JWT'; if (!header.kid) { header.kid = thumb; } if (!header.alg && opts.alg) { header.alg = opts.alg; } if (!claims.iat && (false === claims.iat || false === opts.iat)) { claims.iat = undefined; } else if (!claims.iat) { claims.iat = Math.round(Date.now() / 1000); } if (opts.exp) { claims.exp = setTime(opts.exp); } else if ( !claims.exp && (false === claims.exp || false === opts.exp) ) { claims.exp = undefined; } else if (!claims.exp) { throw new Error( "opts.claims.exp should be the expiration date as seconds, human form (i.e. '1h' or '15m') or false" ); } if (opts.iss) { claims.iss = opts.iss; } if (!claims.iss && (false === claims.iss || false === opts.iss)) { claims.iss = undefined; } else if (!claims.iss) { throw new Error( 'opts.claims.iss should be in the form of https://example.com/, a secure OIDC base url' ); } return Keypairs.signJws({ jwk: opts.jwk, pem: opts.pem, protected: header, header: undefined, payload: claims }).then(function(jws) { return [jws.protected, jws.payload, jws.signature].join('.'); }); }); }; Keypairs.signJws = function(opts) { return Keypairs.thumbprint(opts).then(function(thumb) { function alg() { if (!opts.jwk) { throw new Error( "opts.jwk must exist and must declare 'typ'" ); } if (opts.jwk.alg) { return opts.jwk.alg; } var typ = 'RSA' === opts.jwk.kty ? 'RS' : 'ES'; return typ + Keypairs._getBits(opts); } function sign() { var protect = opts.protected; var payload = opts.payload; // Compute JWS signature var protectedHeader = ''; // Because unprotected headers are allowed, regrettably... // https://stackoverflow.com/a/46288694 if (false !== protect) { if (!protect) { protect = {}; } if (!protect.alg) { protect.alg = alg(); } // There's a particular request where ACME / Let's Encrypt explicitly doesn't use a kid if (false === protect.kid) { protect.kid = undefined; } else if (!protect.kid) { protect.kid = thumb; } protectedHeader = JSON.stringify(protect); } // Not sure how to handle the empty case since ACME POST-as-GET must be empty //if (!payload) { // throw new Error("opts.payload should be JSON, string, or ArrayBuffer (it may be empty, but that must be explicit)"); //} // Trying to detect if it's a plain object (not Buffer, ArrayBuffer, Array, Uint8Array, etc) if ( payload && 'string' !== typeof payload && 'undefined' === typeof payload.byteLength && 'undefined' === typeof payload.buffer ) { payload = JSON.stringify(payload); } // Converting to a buffer, even if it was just converted to a string if ('string' === typeof payload) { payload = Enc.binToBuf(payload); } // node specifies RSA-SHAxxx even when it's actually ecdsa (it's all encoded x509 shasums anyway) var protected64 = Enc.strToUrlBase64(protectedHeader); var payload64 = Enc.bufToUrlBase64(payload); var msg = protected64 + '.' + payload64; return Keypairs._sign(opts, msg).then(function(buf) { var signedMsg = { protected: protected64, payload: payload64, signature: Enc.bufToUrlBase64(buf) }; return signedMsg; }); } if (opts.jwk) { return sign(); } else { return Keypairs.import({ pem: opts.pem }).then(function(pair) { opts.jwk = pair.private; return sign(); }); } }); }; Keypairs._sign = function(opts, payload) { return Keypairs._import(opts).then(function(privkey) { if ('string' === typeof payload) { payload = new TextEncoder().encode(payload); } return window.crypto.subtle .sign( { name: Keypairs._getName(opts), hash: { name: 'SHA-' + Keypairs._getBits(opts) } }, privkey, payload ) .then(function(signature) { signature = new Uint8Array(signature); // ArrayBuffer -> u8 // This will come back into play for CSRs, but not for JOSE if ( 'EC' === opts.jwk.kty && /x509|asn1/i.test(opts.format) ) { return Keypairs._ecdsaJoseSigToAsn1Sig(signature); } else { // jose/jws/jwt return signature; } }); }); }; Keypairs._getBits = function(opts) { if (opts.alg) { return opts.alg.replace(/[a-z\-]/gi, ''); } // base64 len to byte len var len = Math.floor((opts.jwk.n || '').length * 0.75); // TODO this may be a bug // need to confirm that the padding is no more or less than 1 byte if (/521/.test(opts.jwk.crv) || len >= 511) { return '512'; } else if (/384/.test(opts.jwk.crv) || len >= 383) { return '384'; } return '256'; }; Keypairs._getName = function(opts) { if (/EC/i.test(opts.jwk.kty)) { return 'ECDSA'; } else { return 'RSASSA-PKCS1-v1_5'; } }; Keypairs._import = function(opts) { return Promise.resolve().then(function() { var ops; // all private keys just happen to have a 'd' if (opts.jwk.d) { ops = ['sign']; } else { ops = ['verify']; } // gotta mark it as extractable, as if it matters opts.jwk.ext = true; opts.jwk.key_ops = ops; return window.crypto.subtle .importKey( 'jwk', opts.jwk, { name: Keypairs._getName(opts), namedCurve: opts.jwk.crv, hash: { name: 'SHA-' + Keypairs._getBits(opts) } }, true, ops ) .then(function(privkey) { delete opts.jwk.ext; return privkey; }); }); }; // ECDSA JOSE / JWS / JWT signatures differ from "normal" ASN1/X509 ECDSA signatures // https://tools.ietf.org/html/rfc7518#section-3.4 Keypairs._ecdsaJoseSigToAsn1Sig = function(bufsig) { // it's easier to do the manipulation in the browser with an array bufsig = Array.from(bufsig); var hlen = bufsig.length / 2; // should be even var r = bufsig.slice(0, hlen); var s = bufsig.slice(hlen); // unpad positive ints less than 32 bytes wide while (!r[0]) { r = r.slice(1); } while (!s[0]) { s = s.slice(1); } // pad (or re-pad) ambiguously non-negative BigInts, up to 33 bytes wide if (0x80 & r[0]) { r.unshift(0); } if (0x80 & s[0]) { s.unshift(0); } var len = 2 + r.length + 2 + s.length; var head = [0x30]; // hard code 0x80 + 1 because it won't be longer than // two SHA512 plus two pad bytes (130 bytes <= 256) if (len >= 0x80) { head.push(0x81); } head.push(len); return Uint8Array.from( head.concat([0x02, r.length], r, [0x02, s.length], s) ); }; function setTime(time) { if ('number' === typeof time) { return time; } var t = time.match(/^(\-?\d+)([dhms])$/i); if (!t || !t[0]) { throw new Error( "'" + time + "' should be datetime in seconds or human-readable format (i.e. 3d, 1h, 15m, 30s" ); } var now = Math.round(Date.now() / 1000); var num = parseInt(t[1], 10); var unit = t[2]; var mult = 1; switch (unit) { // fancy fallthrough, what fun! case 'd': mult *= 24; /*falls through*/ case 'h': mult *= 60; /*falls through*/ case 'm': mult *= 60; /*falls through*/ case 's': mult *= 1; } return now + mult * num; } Enc.hexToBuf = function(hex) { var arr = []; hex.match(/.{2}/g).forEach(function(h) { arr.push(parseInt(h, 16)); }); return 'undefined' !== typeof Uint8Array ? new Uint8Array(arr) : arr; }; Enc.strToUrlBase64 = function(str) { return Enc.bufToUrlBase64(Enc.binToBuf(str)); }; Enc.binToBuf = function(bin) { var arr = bin.split('').map(function(ch) { return ch.charCodeAt(0); }); return 'undefined' !== typeof Uint8Array ? new Uint8Array(arr) : arr; }; })('undefined' !== typeof module ? module.exports : window);