From 4031cb791bf022eedc3d1a6588063f936798806f Mon Sep 17 00:00:00 2001
From: AJ ONeal <coolaj86@gmail.com>
Date: Sun, 18 Nov 2018 15:34:34 -0700
Subject: [PATCH] WIP more asn1

---
 lib/ecdsacsr.js | 89 ++++++++++++++++++-------------------------------
 test.sh         | 26 +++++++++++++++
 2 files changed, 58 insertions(+), 57 deletions(-)
 create mode 100644 test.sh

diff --git a/lib/ecdsacsr.js b/lib/ecdsacsr.js
index adb1d42..98b3e7c 100644
--- a/lib/ecdsacsr.js
+++ b/lib/ecdsacsr.js
@@ -10,21 +10,35 @@ function ASN1() {
   var args = Array.prototype.slice.call(arguments);
   var typ = args.shift();
   var str = args.join('').replace(/\s+/g, '');
-  console.log('typ:', typ, 'str:', str);
   var len = (str.length/2);
   var len2 = len;
-  var lenlen = 1;
+  var lenlen = 0;
   var hex = typ;
+  var hlen = '';
   // high-order bit means multiple bytes
   if (len2 !== Math.round(len2)) {
     throw new Error("invalid hex");
   }
-  console.log(len);
-  if (0x80 & len) {
-    while (len2 > 127) { lenlen += 1; len2 = len2 >> 8; }
-    hex += numToHex(0x80 + lenlen);
+  if (len2 > 127) {
+    lenlen += 1;
+    while (len2 > 255) {
+      lenlen += 1;
+      len2 = len2 >> 8;
+      //console.warn("LEN2", len2);
+    }
   }
-  return hex + numToHex(len) + str;
+  if (lenlen) {
+    hlen = numToHex(0x80 + lenlen);
+  }
+  /*
+  console.warn(
+    'typ:', typ
+  , 'lenlen:', hlen
+  , 'len:', len, numToHex(len)
+  );
+  console.warn('str:', str);
+  */
+  return hex + hlen + numToHex(len) + str;
 }
 ASN1.UInt = function UINT() {
   var str = Array.prototype.slice.call(arguments).join('');
@@ -49,9 +63,7 @@ function SET() {
   return ASN1('31', Array.prototype.slice.call(arguments).join(''));
 }
 */
-function OBJID() {
-  return ASN1('06', Array.prototype.slice.call(arguments).join(''));
-}
+
 /*
 function NULL() {
   return '0500';
@@ -191,30 +203,22 @@ function toBase64(der) {
   return btoa(chs.join(''));
 }
 
-// these are static ASN.1 segments
-// The head specifies that there will be 3 segments and a content length
-// (those segments will be content, signature header, and signature)
-var csrHead = '30 82 {0seq0len}'.replace(/\s+/g, '');
-// The tail specifies the ES256 signature header (and is followed by the signature
-
 function csrEcSig(r, s) {
   return [
-    SEQ(
+    ASN1('30'
       // 1.2.840.10045.4.3.2 ecdsaWithSHA256
       // (ANSI X9.62 ECDSA algorithm with SHA256)
-      OBJID('2A 86 48 CE 3D 04 03 02')
+    , ASN1('06', '2A 86 48 CE 3D 04 03 02')
     )
   , ASN1.BitStr(
-      SEQ(
-        ASN1.UInt(toHex(r))
+      ASN1('30'
+      , ASN1.UInt(toHex(r))
       , ASN1.UInt(toHex(s))
       )
     )
   ].join('');
 }
-var csrDomains = '82 {dlen} {domain.tld}';  // 2+n bytes (type 82?)
 
-// TODO utf8
 function strToHex(str) {
   var escstr = encodeURIComponent(str);
   // replaces any uri escape sequence, such as %0A,
@@ -307,8 +311,7 @@ function createCsrBodyEc(domains, xy) {
               , ASN1('30', domains.map(function (d) {
                   return ASN1('82', strToHex(d));
                 }).join(''))))))));
-  var body = [ '30 81 {+85+n}'                                        // 4 bytes, sequence
-    .replace(/{[^}]+}/, numToHex(3 + 13 + sublen + 27 + publen + 30 + sanlen))
+  var body = ASN1('30'
 
       // #0 Total 3
     , version
@@ -324,9 +327,9 @@ function createCsrBodyEc(domains, xy) {
       // Altnames
       // #3 Total 2+28+n
     , altnames
-    ];
-  body = body.join('').replace(/\s+/g, '');
-  return fromHex(body);
+  );
+
+  return body;
 }
 
 // https://gist.github.com/codermapuche/da4f96cdb6d5ff53b7ebc156ec46a10a
@@ -369,7 +372,7 @@ function createEcCsr(domains, keypem, ecpub) {
   // TODO get pub from priv
 
   var csrBody = createCsrBodyEc(domains, ecpub);
-  var sig = signEc(keypem, csrBody);
+  var sig = signEc(keypem, fromHex(csrBody));
   var rLen = sig.r.byteLength;
   var rc = '';
   var sLen = sig.s.byteLength;
@@ -379,19 +382,7 @@ function createEcCsr(domains, keypem, ecpub) {
   if (0x80 & new Uint8Array(sig.s)[0]) { sc = '00'; sLen += 1; }
 
   var csrSig = csrEcSig(sig.r, sig.s);
-  /*
-    .replace(/{len}/, numToHex(1 + 2 + 2 + 2 + rLen + sLen))
-    .replace(/{rslen}/, numToHex(2 + 2 + rLen + sLen))
-    .replace(/{rlen}/, numToHex(rLen))
-    .replace(/{r}/, rc + toHex(sig.r))
-    .replace(/{slen}/, numToHex(sLen))
-    .replace(/{s}/, sc + toHex(sig.s))
-  ;
-  */
 
-  // Note: If we supported P-521 a number of the lengths would change
-  // by one byte and that would be... annoying to update
-  var len = csrBody.byteLength + (csrSig.length/2);
   /*
   console.log('sig:', sig.raw.byteLength, toHex(sig.raw));
   console.log('r:', sig.r.byteLength, toHex(sig.r));
@@ -399,23 +390,7 @@ function createEcCsr(domains, keypem, ecpub) {
   console.log('csr sig:', csrSig.length / 2, csrSig);
   console.log('csrBodyLen + csrSigLen', numToHex(len));
   */
-  var head = csrHead.replace(/{[^}]+}/, numToHex(len));
-  var ab = new Uint8Array(new ArrayBuffer((head.length/2) + len));
-  var i = 0;
-  fromHex(head).forEach(function (b) {
-    ab[i] = b;
-    i += 1;
-  });
-  csrBody.forEach(function (b) {
-    ab[i] = b;
-    i += 1;
-  });
-  fromHex(csrSig).forEach(function (b) {
-    ab[i] = b;
-    i += 1;
-  });
-
-  return ab;
+  return fromHex(ASN1('30', csrBody, csrSig));
 }
 
 function createEcCsrPem(domains, keypem) {
diff --git a/test.sh b/test.sh
new file mode 100644
index 0000000..22ad594
--- /dev/null
+++ b/test.sh
@@ -0,0 +1,26 @@
+#!/bin/bash
+
+# creating privkey
+openssl ecparam -genkey -name prime256v1 -noout -out ./privkey-ec-p256.pem
+
+
+# canonical example
+rm csr.pem
+node bin/ecdsacsr.js ./privkey-ec-p256.pem example.com,www.example.com > csr.pem
+cat csr.pem
+openssl req -text -noout -verify -in csr.pem
+sleep 2
+
+
+# 100 domains (max allowed by Let's Encrypt)
+rm csr.pem
+node bin/ecdsacsr.js ./privkey-ec-p256.pem example.com,www.example.com,api.example.com,assets.example.com,ftp.example.com,example.org,www.example.org,api.example.org,assets.example.org,ftp.example.org,example.co,www.example.co,api.example.co,assets.example.co,ftp.example.co,example.net,www.example.net,api.example.net,assets.example.net,ftp.example.net,whatever.com,www.whatever.com,api.whatever.com,assets.whatever.com,ftp.whatever.com,whatever.org,www.whatever.org,api.whatever.org,assets.whatever.org,ftp.whatever.org,whatever.net,www.whatever.net,api.whatever.net,assets.whatever.net,ftp.whatever.net,whatever.co,www.whatever.co,api.whatever.co,assets.whatever.co,ftp.whatever.co,sample.com,www.sample.com,api.sample.com,assets.sample.com,ftp.sample.com,sample.org,www.sample.org,api.sample.org,assets.sample.org,ftp.sample.org,sample.net,www.sample.net,api.sample.net,assets.sample.net,ftp.sample.net,sample.co,www.sample.co,api.sample.co,assets.sample.co,ftp.sample.co,foobar.com,www.foobar.com,api.foobar.com,assets.foobar.com,ftp.foobar.com,foobar.org,www.foobar.org,api.foobar.org,assets.foobar.org,ftp.foobar.org,foobar.net,www.foobar.net,api.foobar.net,assets.foobar.net,ftp.foobar.net,foobar.co,www.foobar.co,api.foobar.co,assets.foobar.co,ftp.foobar.co,quux.com,www.quux.com,api.quux.com,assets.quux.com,ftp.quux.com,quux.org,www.quux.org,api.quux.org,assets.quux.org,ftp.quux.org,quux.net,www.quux.net,api.quux.net,assets.quux.net,ftp.quux.net,quux.co,www.quux.co,api.quux.co,assets.quux.co,ftp.quux.co >csr.pem
+cat csr.pem
+openssl req -text -noout -verify -in csr.pem
+sleep 2
+
+# single domain
+rm csr.pem
+node bin/ecdsacsr.js ./privkey-ec-p256.pem example.com > csr.pem
+cat csr.pem
+openssl req -text -noout -verify -in csr.pem