From 274e47b726a34a99bcf672efc0822b06d1f059f9 Mon Sep 17 00:00:00 2001 From: AJ ONeal Date: Mon, 6 May 2019 03:35:22 -0600 Subject: [PATCH] generates seemingly-valid EC and RSA CSRs --- app.js | 7 +- lib/csr-ec.js | 157 -------------------------------------------- lib/csr.js | 168 +++++++++++++++++++++++++----------------------- lib/keypairs.js | 76 +++++++++------------- lib/x509.js | 2 +- 5 files changed, 125 insertions(+), 285 deletions(-) delete mode 100644 lib/csr-ec.js diff --git a/app.js b/app.js index fc3d9da..1185815 100644 --- a/app.js +++ b/app.js @@ -58,8 +58,10 @@ , namedCurve: $('input[name="ec-crv"]:checked').value , modulusLength: $('input[name="rsa-len"]:checked').value }; + var then = Date.now(); console.log('opts', opts); Keypairs.generate(opts).then(function (results) { + console.log("Key generation time:", (Date.now() - then) + "ms"); var pubDer; var privDer; if (/EC/i.test(opts.kty)) { @@ -165,8 +167,9 @@ var acme = accountStuff.acme; return Keypairs.generate({ - kty: 'RSA' - , modulusLength: 2048 + kty: $('input[name="kty"]:checked').value + , namedCurve: $('input[name="ec-crv"]:checked').value + , modulusLength: $('input[name="rsa-len"]:checked').value }).then(function (pair) { console.log('domain keypair:', pair); var domains = ($('.js-domains').value||'example.com').split(/[, ]+/g); diff --git a/lib/csr-ec.js b/lib/csr-ec.js deleted file mode 100644 index 72ee072..0000000 --- a/lib/csr-ec.js +++ /dev/null @@ -1,157 +0,0 @@ -// 1.2.840.10045.3.1.7 -// prime256v1 (ANSI X9.62 named elliptic curve) -var OBJ_ID_EC = '06 08 2A8648CE3D030107'.replace(/\s+/g, '').toLowerCase(); -// 1.3.132.0.34 -// secp384r1 (SECG (Certicom) named elliptic curve) -var OBJ_ID_EC_384 = '06 05 2B81040022'.replace(/\s+/g, '').toLowerCase(); - -var ECDSACSR = {}; -var ECDSA = {}; -var DER = {}; -var PEM = {}; -var ASN1; -var Hex = {}; -var AB = {}; - -// -// CSR - the main event -// - -ECDSACSR.create = function createEcCsr(keypem, domains) { - var pemblock = PEM.parseBlock(keypem); - var ecpub = PEM.parseEcPubkey(pemblock.der); - var request = ECDSACSR.request(ecpub, domains); - return AB.fromHex(ECDSACSR.sign(keypem, request)); -}; - -ECDSACSR.request = function createCsrBodyEc(xy, domains) { - var publen = xy.x.byteLength; - var compression = '04'; - var hxy = ''; - // 04 == x+y, 02 == x-only - if (xy.y) { - publen += xy.y.byteLength; - } else { - // Note: I don't intend to support compression - it isn't used by most - // libraries and it requir more dependencies for bigint ops to deflate. - // This is more just a placeholder. It won't work right now anyway - // because compression requires an exta bit stored (odd vs even), which - // I haven't learned yet, and I'm not sure if it's allowed at all - compression = '02'; - } - hxy += Hex.fromAB(xy.x); - if (xy.y) { hxy += Hex.fromAB(xy.y); } - - // Sorry for the mess, but it is what it is - return ASN1('30' - - // Version (0) - , ASN1.UInt('00') - - // CN / Subject - , ASN1('30' - , ASN1('31' - , ASN1('30' - // object id (commonName) - , ASN1('06', '55 04 03') - , ASN1('0C', Hex.fromString(domains[0]))))) - - // EC P-256 Public Key - , ASN1('30' - , ASN1('30' - // 1.2.840.10045.2.1 ecPublicKey - // (ANSI X9.62 public key type) - , ASN1('06', '2A 86 48 CE 3D 02 01') - // 1.2.840.10045.3.1.7 prime256v1 - // (ANSI X9.62 named elliptic curve) - , ASN1('06', '2A 86 48 CE 3D 03 01 07') - ) - , ASN1.BitStr(compression + hxy)) - - // CSR Extension Subject Alternative Names - , ASN1('A0' - , ASN1('30' - // (extensionRequest (PKCS #9 via CRMF)) - , ASN1('06', '2A 86 48 86 F7 0D 01 09 0E') - , ASN1('31' - , ASN1('30' - , ASN1('30' - // (subjectAltName (X.509 extension)) - , ASN1('06', '55 1D 11') - , ASN1('04' - , ASN1('30', domains.map(function (d) { - return ASN1('82', Hex.fromString(d)); - }).join('')))))))) - ); -}; - -ECDSACSR.sign = function csrEcSig(keypem, request) { - var sig = ECDSA.sign(keypem, AB.fromHex(request)); - var rLen = sig.r.byteLength; - var rc = ''; - var sLen = sig.s.byteLength; - var sc = ''; - - if (0x80 & new Uint8Array(sig.r)[0]) { rc = '00'; rLen += 1; } - if (0x80 & new Uint8Array(sig.s)[0]) { sc = '00'; sLen += 1; } - - return ASN1('30' - // The Full CSR Request Body - , request - - // The Signature Type - , ASN1('30' - // 1.2.840.10045.4.3.2 ecdsaWithSHA256 - // (ANSI X9.62 ECDSA algorithm with SHA256) - , ASN1('06', '2A 86 48 CE 3D 04 03 02') - ) - - // The Signature, embedded in a Bit Stream - , ASN1.BitStr( - // As far as I can tell this is a completely separate ASN.1 structure - // that just so happens to be embedded in a Bit String of another ASN.1 - ASN1('30' - , ASN1.UInt(Hex.fromAB(sig.r)) - , ASN1.UInt(Hex.fromAB(sig.s)))) - ); -}; - -// -// ECDSA -// - -// Took some tips from https://gist.github.com/codermapuche/da4f96cdb6d5ff53b7ebc156ec46a10a -ECDSA.sign = function signEc(keypem, ab) { - // Signer is a stream - var sign = crypto.createSign('SHA256'); - sign.write(new Uint8Array(ab)); - sign.end(); - - // The signature is ASN1 encoded - var sig = sign.sign(keypem); - - // Convert to a JavaScript ArrayBuffer just because - sig = new Uint8Array(sig.buffer.slice(sig.byteOffset, sig.byteOffset + sig.byteLength)); - - // The first two bytes '30 xx' signify SEQUENCE and LENGTH - // The sequence length byte will be a single byte because the signature is less that 128 bytes (0x80, 1024-bit) - // (this would not be true for P-521, but I'm not supporting that yet) - // The 3rd byte will be '02', signifying INTEGER - // The 4th byte will tell us the length of 'r' (which, on occassion, will be less than the full 255 bytes) - var rIndex = 3; - var rLen = sig[rIndex]; - var rEnd = rIndex + 1 + rLen; - var sIndex = rEnd + 1; - var sLen = sig[sIndex]; - var sEnd = sIndex + 1 + sLen; - var r = sig.slice(rIndex + 1, rEnd); - var s = sig.slice(sIndex + 1, sEnd); // this should be end-of-file - - // ASN1 INTEGER types use the high-order bit to signify a negative number, - // hence a leading '00' is used for numbers that begin with '80' or greater - // which is why r length is sometimes a byte longer than its bit length - if (0 === s[0]) { s = s.slice(1); } - if (0 === r[0]) { r = r.slice(1); } - - return { raw: sig.buffer, r: r.buffer, s: s.buffer }; -}; diff --git a/lib/csr.js b/lib/csr.js index bd21fa3..89609e2 100644 --- a/lib/csr.js +++ b/lib/csr.js @@ -4,6 +4,7 @@ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ (function (exports) { 'use strict'; +/*global Promise*/ var ASN1 = exports.ASN1; var Enc = exports.Enc; @@ -15,63 +16,57 @@ var Keypairs = exports.Keypairs; var CSR = exports.CSR = function (opts) { // We're using a Promise here to be compatible with the browser version // which will probably use the webcrypto API for some of the conversions - opts = CSR._prepare(opts); - - return CSR.create(opts).then(function (bytes) { - return CSR._encode(opts, bytes); + return CSR._prepare(opts).then(function (opts) { + return CSR.create(opts).then(function (bytes) { + return CSR._encode(opts, bytes); + }); }); }; CSR._prepare = function (opts) { - var Rasha; - opts = JSON.parse(JSON.stringify(opts)); - var pem, jwk; + return Promise.resolve().then(function () { + var Keypairs; + opts = JSON.parse(JSON.stringify(opts)); - // We do a bit of extra error checking for user convenience - if (!opts) { throw new Error("You must pass options with key and domains to rsacsr"); } - if (!Array.isArray(opts.domains) || 0 === opts.domains.length) { - new Error("You must pass options.domains as a non-empty array"); - } - - // I need to check that 例.中国 is a valid domain name - if (!opts.domains.every(function (d) { - // allow punycode? xn-- - if ('string' === typeof d /*&& /\./.test(d) && !/--/.test(d)*/) { - return true; + // We do a bit of extra error checking for user convenience + if (!opts) { throw new Error("You must pass options with key and domains to rsacsr"); } + if (!Array.isArray(opts.domains) || 0 === opts.domains.length) { + new Error("You must pass options.domains as a non-empty array"); } - })) { - throw new Error("You must pass options.domains as strings"); - } - if (opts.pem) { - pem = opts.pem; - } else if (opts.jwk) { - jwk = opts.jwk; - } else { - if (!opts.key) { + // I need to check that 例.中国 is a valid domain name + if (!opts.domains.every(function (d) { + // allow punycode? xn-- + if ('string' === typeof d /*&& /\./.test(d) && !/--/.test(d)*/) { + return true; + } + })) { + throw new Error("You must pass options.domains as strings"); + } + + if (opts.jwk) { return opts; } + if (opts.key && opts.key.kty) { + opts.jwk = opts.key; + return opts; + } + if (!opts.pem && !opts.key) { throw new Error("You must pass options.key as a JSON web key"); - } else if (opts.key.kty) { - jwk = opts.key; - } else { - pem = opts.key; } - } - if (pem) { - try { - Rasha = require('rasha'); - } catch(e) { - throw new Error("Rasha.js is an optional dependency for PEM-to-JWK.\n" + Keypairs = exports.Keypairs; + if (!exports.Keypairs) { + throw new Error("Keypairs.js is an optional dependency for PEM-to-JWK.\n" + "Install it if you'd like to use it:\n" + "\tnpm install --save rasha\n" + "Otherwise supply a jwk as the private key." ); } - jwk = Rasha.importSync({ pem: pem }); - } - opts.jwk = jwk; - return opts; + return Keypairs.import({ pem: opts.pem || opts.key }).then(function (pair) { + opts.jwk = pair.private; + return opts; + }); + }); }; CSR._encode = function (opts, bytes) { @@ -86,47 +81,56 @@ CSR._encode = function (opts, bytes) { CSR.create = function createCsr(opts) { var hex = CSR.request(opts.jwk, opts.domains); - return CSR.sign(opts.jwk, hex).then(function (csr) { + return CSR._sign(opts.jwk, hex).then(function (csr) { return Enc.hexToBuf(csr); }); }; // -// RSA -// +// EC / RSA // CSR.request = function createCsrBodyEc(jwk, domains) { - var asn1pub = X509.packCsrRsaPublicKey(jwk); - return X509.packCsrRsa(asn1pub, domains); + var asn1pub; + if (/^EC/i.test(jwk.kty)) { + asn1pub = X509.packCsrEcPublicKey(jwk); + } else { + asn1pub = X509.packCsrRsaPublicKey(jwk); + } + return X509.packCsr(asn1pub, domains); }; -CSR.sign = function csrEcSig(jwk, request) { +CSR._sign = function csrEcSig(jwk, request) { // Took some tips from https://gist.github.com/codermapuche/da4f96cdb6d5ff53b7ebc156ec46a10a // TODO will have to convert web ECDSA signatures to PEM ECDSA signatures (but RSA should be the same) // TODO have a consistent non-private way to sign - return Keypairs._sign({ jwk: jwk }, Enc.hexToBuf(request)).then(function (sig) { - return CSR.toDer({ request: request, signature: sig }); + return Keypairs._sign({ jwk: jwk, format: 'x509' }, Enc.hexToBuf(request)).then(function (sig) { + return CSR._toDer({ request: request, signature: sig, kty: jwk.kty }); }); }; - -CSR.toDer = function encode(opts) { - var sty = ASN1('30' +CSR._toDer = function encode(opts) { + var sty; + var sig; + if (/^EC/i.test(opts.kty)) { + // 1.2.840.10045.4.3.2 ecdsaWithSHA256 (ANSI X9.62 ECDSA algorithm with SHA256) + sty = ASN1('30', ASN1('06', '2a8648ce3d040302')); + sig = ASN1.BitStr(ASN1('30', Enc.bufToHex(opts.signature))); + } else { // 1.2.840.113549.1.1.11 sha256WithRSAEncryption (PKCS #1) - , ASN1('06', '2a864886f70d01010b') - , ASN1('05') - ); + sty = ASN1('30', ASN1('06', '2a864886f70d01010b'), ASN1('05')); + sig = ASN1.BitStr(Enc.bufToHex(opts.signature)); + } return ASN1('30' // The Full CSR Request Body , opts.request // The Signature Type , sty // The Signature - , ASN1.BitStr(Enc.bufToHex(opts.signature)) + , sig ); }; -X509.packCsrRsa = function (asn1pubkey, domains) { +X509.packCsr = function (asn1pubkey, domains) { return ASN1('30' // Version (0) , ASN1.UInt('00') @@ -154,36 +158,42 @@ X509.packCsrRsa = function (asn1pubkey, domains) { ); }; -X509.packPkcs1 = function (jwk) { - var n = ASN1.UInt(Enc.base64ToHex(jwk.n)); - var e = ASN1.UInt(Enc.base64ToHex(jwk.e)); - - if (!jwk.d) { - return Enc.hexToBuf(ASN1('30', n, e)); - } - - return Enc.hexToBuf(ASN1('30' - , ASN1.UInt('00') - , n - , e - , ASN1.UInt(Enc.base64ToHex(jwk.d)) - , ASN1.UInt(Enc.base64ToHex(jwk.p)) - , ASN1.UInt(Enc.base64ToHex(jwk.q)) - , ASN1.UInt(Enc.base64ToHex(jwk.dp)) - , ASN1.UInt(Enc.base64ToHex(jwk.dq)) - , ASN1.UInt(Enc.base64ToHex(jwk.qi)) - )); -}; - X509.packCsrRsaPublicKey = function (jwk) { // Sequence the key var n = ASN1.UInt(Enc.base64ToHex(jwk.n)); var e = ASN1.UInt(Enc.base64ToHex(jwk.e)); var asn1pub = ASN1('30', n, e); - //var asn1pub = X509.packPkcs1({ kty: jwk.kty, n: jwk.n, e: jwk.e }); // Add the CSR pub key header return ASN1('30', ASN1('30', ASN1('06', '2a864886f70d010101'), ASN1('05')), ASN1.BitStr(asn1pub)); }; +X509.packCsrEcPublicKey = function (jwk) { + var ecOid = X509._oids[jwk.crv]; + if (!ecOid) { + throw new Error("Unsupported namedCurve '" + jwk.crv + "'. Supported types are " + Object.keys(X509._oids)); + } + var cmp = '04'; // 04 == x+y, 02 == x-only + var hxy = ''; + // Placeholder. I'm not even sure if compression should be supported. + if (!jwk.y) { cmp = '02'; } + hxy += Enc.base64ToHex(jwk.x); + if (jwk.y) { hxy += Enc.base64ToHex(jwk.y); } + + // 1.2.840.10045.2.1 ecPublicKey + return ASN1('30', ASN1('30', ASN1('06', '2a8648ce3d0201'), ASN1('06', ecOid)), ASN1.BitStr(cmp + hxy)); +}; +X509._oids = { + // 1.2.840.10045.3.1.7 prime256v1 + // (ANSI X9.62 named elliptic curve) (06 08 - 2A 86 48 CE 3D 03 01 07) + 'P-256': '2a8648ce3d030107' + // 1.3.132.0.34 P-384 (06 05 - 2B 81 04 00 22) + // (SEC 2 recommended EC domain secp256r1) +, 'P-384': '2b81040022' + // requires more logic and isn't a recommended standard + // 1.3.132.0.35 P-521 (06 05 - 2B 81 04 00 23) + // (SEC 2 alternate P-521) +//, 'P-521': '2B 81 04 00 23' +}; + }('undefined' === typeof window ? module.exports : window)); diff --git a/lib/keypairs.js b/lib/keypairs.js index 9d6cf3d..2e423f9 100644 --- a/lib/keypairs.js +++ b/lib/keypairs.js @@ -180,14 +180,6 @@ Keypairs.signJws = function (opts) { var msg = protected64 + '.' + payload64; return Keypairs._sign(opts, msg).then(function (buf) { - /* - * This will come back into play for CSRs, but not for JOSE - if ('EC' === opts.jwk.kty) { - // ECDSA JWT signatures differ from "normal" ECDSA signatures - // https://tools.ietf.org/html/rfc7518#section-3.4 - binsig = convertIfEcdsa(binsig); - } - */ var signedMsg = { protected: protected64 , payload: payload64 @@ -212,40 +204,6 @@ Keypairs.signJws = function (opts) { } }); }; -Keypairs._convertIfEcdsa = function (binsig) { - // should have asn1 sequence header of 0x30 - if (0x30 !== binsig[0]) { throw new Error("Impossible EC SHA head marker"); } - var index = 2; // first ecdsa "R" header byte - var len = binsig[1]; - var lenlen = 0; - // Seek length of length if length is greater than 127 (i.e. two 512-bit / 64-byte R and S values) - if (0x80 & len) { - lenlen = len - 0x80; // should be exactly 1 - len = binsig[2]; // should be <= 130 (two 64-bit SHA-512s, plus padding) - index += lenlen; - } - // should be of BigInt type - if (0x02 !== binsig[index]) { throw new Error("Impossible EC SHA R marker"); } - index += 1; - - var rlen = binsig[index]; - var bits = 32; - if (rlen > 49) { - bits = 64; - } else if (rlen > 33) { - bits = 48; - } - var r = binsig.slice(index + 1, index + 1 + rlen).toString('hex'); - var slen = binsig[index + 1 + rlen + 1]; // skip header and read length - var s = binsig.slice(index + 1 + rlen + 1 + 1).toString('hex'); - if (2 *slen !== s.length) { throw new Error("Impossible EC SHA S length"); } - // There may be one byte of padding on either - while (r.length < 2*bits) { r = '00' + r; } - while (s.length < 2*bits) { s = '00' + s; } - if (2*(bits+1) === r.length) { r = r.slice(2); } - if (2*(bits+1) === s.length) { s = s.slice(2); } - return Enc.hexToBuf(r + s); -}; Keypairs._sign = function (opts, payload) { return Keypairs._import(opts).then(function (privkey) { @@ -259,9 +217,12 @@ Keypairs._sign = function (opts, payload) { , privkey , payload ).then(function (signature) { - // convert buffer to urlsafe base64 - //return Enc.bufToUrlBase64(new Uint8Array(signature)); - return new Uint8Array(signature); + signature = new Uint8Array(signature); // ArrayBuffer -> u8 + // This will come back into play for CSRs, but not for JOSE + if ('EC' === opts.jwk.kty && /x509/i.test(opts.format)) { + signature = Keypairs._ecdsaJoseSigToAsn1Sig(signature); + } + return signature; }); }); }; @@ -287,7 +248,6 @@ Keypairs._getName = function (opts) { return 'RSASSA-PKCS1-v1_5'; } }; - Keypairs._import = function (opts) { return Promise.resolve().then(function () { var ops; @@ -316,6 +276,30 @@ Keypairs._import = function (opts) { }); }); }; +// ECDSA JOSE / JWS / JWT signatures differ from "normal" ASN1/X509 ECDSA signatures +// https://tools.ietf.org/html/rfc7518#section-3.4 +Keypairs._ecdsaJoseSigToAsn1Sig = function (bufsig) { + // it's easier to do the manipulation in the browser with an array + bufsig = Array.from(bufsig); + var hlen = bufsig.length / 2; // should be even + var r = bufsig.slice(0, hlen); + var s = bufsig.slice(hlen); + // unpad positive ints less than 32 bytes wide + while (!r[0]) { r = r.slice(1); } + while (!s[0]) { s = s.slice(1); } + // pad (or re-pad) ambiguously non-negative BigInts, up to 33 bytes wide + if (0x80 & r[0]) { r.unshift(0); } + if (0x80 & s[0]) { s.unshift(0); } + + var len = 2 + r.length + 2 + s.length; + var head = [0x30]; + // hard code 0x80 + 1 because it won't be longer than + // two SHA512 plus two pad bytes (130 bytes <= 256) + if (len >= 0x80) { head.push(0x81); } + head.push(len); + + return Uint8Array.from(head.concat([0x02, r.length], r, [0x02, s.byteLength], s)); +}; function setTime(time) { if ('number' === typeof time) { return time; } diff --git a/lib/x509.js b/lib/x509.js index 901bb36..575b8c9 100644 --- a/lib/x509.js +++ b/lib/x509.js @@ -1,6 +1,6 @@ -'use strict'; (function (exports) { 'use strict'; + var x509 = exports.x509 = {}; var ASN1 = exports.ASN1; var Enc = exports.Enc;