ecdsa-csr.js/lib/ecdsacsr.js

'use strict';

var crypto = require('crypto');

// 1.2.840.10045.3.1.7
// prime256v1 (ANSI X9.62 named elliptic curve)
var OBJ_ID_EC  = '06 08 2A8648CE3D030107'.replace(/\s+/g, '').toLowerCase();

var ECDSACSR = {};
var ECDSA = {};
var DER = {};
var PEM = {};
var ASN1;
var Hex = {};
var AB = {};

//
// CSR - the main event
//

ECDSACSR.create = function createEcCsr(keypem, domains) {
  var pemblock = PEM.parseBlock(keypem);
  var ecpub = PEM.parseEcPubkey(pemblock.der);
  var request = ECDSACSR.request(ecpub, domains);
  return AB.fromHex(ECDSACSR.sign(keypem, request));
};

ECDSACSR.request = function createCsrBodyEc(xy, domains) {
  var publen = xy.x.byteLength;
  var compression = '04';
  var hxy = '';
  // 04 == x+y, 02 == x-only
  if (xy.y) {
    publen += xy.y.byteLength;
  } else {
    // Note: I don't intend to support compression - it isn't used by most
    // libraries and it requir more dependencies for bigint ops to deflate.
    // This is more just a placeholder. It won't work right now anyway
    // because compression requires an exta bit stored (odd vs even), which
    // I haven't learned yet, and I'm not sure if it's allowed at all
    compression = '02';
  }
  hxy += Hex.fromAB(xy.x);
  if (xy.y) { hxy += Hex.fromAB(xy.y); }

  // Sorry for the mess, but it is what it is
  return ASN1('30'

      // Version (0)
    , ASN1.UInt('00')

      // CN / Subject
    , ASN1('30'
      , ASN1('31'
        , ASN1('30'
            // object id (commonName)
          , ASN1('06', '55 04 03')
          , ASN1('0C', Hex.fromString(domains[0])))))

      // EC P-256 Public Key
    , ASN1('30'
      , ASN1('30'
          // 1.2.840.10045.2.1 ecPublicKey
          // (ANSI X9.62 public key type)
        , ASN1('06', '2A 86 48 CE 3D 02 01')
          // 1.2.840.10045.3.1.7 prime256v1
          // (ANSI X9.62 named elliptic curve)
        , ASN1('06', '2A 86 48 CE 3D 03 01 07')
        )
      , ASN1.BitStr(compression + hxy))

      // CSR Extension Subject Alternative Names
    , ASN1('A0'
      , ASN1('30'
          // (extensionRequest (PKCS #9 via CRMF))
        , ASN1('06', '2A 86 48 86 F7 0D 01 09 0E')
        , ASN1('31'
          , ASN1('30'
            , ASN1('30'
                // (subjectAltName (X.509 extension))
              , ASN1('06', '55 1D 11')
              , ASN1('04'
                , ASN1('30', domains.map(function (d) {
                    return ASN1('82', Hex.fromString(d));
                  }).join(''))))))))
  );
};

ECDSACSR.sign = function csrEcSig(keypem, request) {
  var sig = ECDSA.sign(keypem, AB.fromHex(request));
  var rLen = sig.r.byteLength;
  var rc = '';
  var sLen = sig.s.byteLength;
  var sc = '';

  if (0x80 & new Uint8Array(sig.r)[0]) { rc = '00'; rLen += 1; }
  if (0x80 & new Uint8Array(sig.s)[0]) { sc = '00'; sLen += 1; }

  return ASN1('30'
      // The Full CSR Request Body
    , request

      // The Signature Type
    , ASN1('30'
        // 1.2.840.10045.4.3.2 ecdsaWithSHA256
        // (ANSI X9.62 ECDSA algorithm with SHA256)
      , ASN1('06', '2A 86 48 CE 3D 04 03 02')
      )

      // The Signature, embedded in a Bit Stream
    , ASN1.BitStr(
        // As far as I can tell this is a completely separate ASN.1 structure
        // that just so happens to be embedded in a Bit String of another ASN.1
        ASN1('30'
        , ASN1.UInt(Hex.fromAB(sig.r))
        , ASN1.UInt(Hex.fromAB(sig.s))))
  );
};

//
// ECDSA
//

// Took some tips from https://gist.github.com/codermapuche/da4f96cdb6d5ff53b7ebc156ec46a10a
ECDSA.sign = function signEc(keypem, ab) {
  // Signer is a stream
  var sign = crypto.createSign('SHA256');
  sign.write(new Uint8Array(ab));
  sign.end();

  // The signature is ASN1 encoded
  var sig = sign.sign(keypem);

  // Convert to a JavaScript ArrayBuffer just because
  sig = new Uint8Array(sig.buffer.slice(sig.byteOffset, sig.byteOffset + sig.byteLength));

  // The first two bytes '30 xx' signify SEQUENCE and LENGTH
  // The sequence length byte will be a single byte because the signature is less that 128 bytes (0x80, 1024-bit)
  // (this would not be true for P-521, but I'm not supporting that yet)
  // The 3rd byte will be '02', signifying INTEGER
  // The 4th byte will tell us the length of 'r' (which, on occassion, will be less than the full 255 bytes)
  var rIndex = 3;
  var rLen = sig[rIndex];
  var rEnd = rIndex + 1 + rLen;
  var sIndex = rEnd + 1;
  var sLen = sig[sIndex];
  var sEnd = sIndex + 1 + sLen;
  var r = sig.slice(rIndex + 1, rEnd);
  var s = sig.slice(sIndex + 1, sEnd); // this should be end-of-file

  // ASN1 INTEGER types use the high-order bit to signify a negative number,
  // hence a leading '00' is used for numbers that begin with '80' or greater
  // which is why r length is sometimes a byte longer than its bit length
  if (0 === s[0]) { s = s.slice(1); }
  if (0 === r[0]) { r = r.slice(1); }

  return { raw: sig.buffer, r: r.buffer, s: s.buffer };
};

//
// DER
//

DER.toCSR = function createEcCsrPem(der) {
  var pem = PEM._format(AB.toBase64(der));
  return '-----BEGIN CERTIFICATE REQUEST-----\n' + pem + '-----END CERTIFICATE REQUEST-----';
};

//
// PEM
//

// Just for error checking
PEM.from = function ensurePem(key) {
  if (!key) { throw new Error("no private key given"); }
  // whether PEM or DER, convert to Uint8Array
  if ('string' === typeof key) { key = AB.utf8ToUint8Array(key); }

  // for consistency
  if (key instanceof Buffer) { key = new Uint8Array(key.buffer.slice(key.byteOffset, key.byteOffset + key.byteLength)); }

  // just as a sanity check
  if (key instanceof Array) {
    key = Uint8Array.from(key);
    if (!key.every(function (el) {
      return ('number' === typeof el) && (el >= 0) && (el <= 255);
    })) {
      throw new Error("key was an array, but not an array of ints between 0 and 255");
    }
  }

  // no matter which path we take, we should arrive at a Uint8Array
  if (!(key instanceof Uint8Array)) {
    throw new Error("typeof key is '" + typeof key + "', not any of the supported types: utf8 string,"
      + " binary string, node Buffer, Uint8Array, or Array of ints between 0 and 255");
  }

  // if DER, convert to PEM
  if ((0x30 === key[0]) && (0x80 & key[1])) {
    key = AB.toBase64(key);
  }
  key = [].map.call(key, function (i) {
    return String.fromCharCode(i);
  }).join('');
  if ('M' === key[0]) {
    key = '-----BEGIN EC PRIVATE KEY-----\n' + key + '-----END EC PRIVATE KEY-----';
  }
  if ('-' === key[0]) {
    return key;
  } else {
    throw new Error("key does not appear to be in PEM formt (does not begin with either '-' or 'M'),"
      + " nor DER format (does not begin with 0x308X)");
  }
};

PEM.parseBlock = function parsePem(pem) {
  var typ;
  var pub;
  var crv;
  var der = AB.fromBase64(pem.split(/\n/).filter(function (line, i) {
    if (0 === i) {
      if (/ PUBLIC /.test(line)) {
        pub = true;
      } else if (/ PRIVATE /.test(line)) {
        pub = false;
      }
      if (/ EC/.test(line)) {
        typ = 'EC';
      }
    }
    return !/---/.test(line);
  }).join(''));

  if (!typ || 'EC' === typ) {
    var hex = Hex.fromAB(der).toLowerCase();
    if (-1 !== hex.indexOf(OBJ_ID_EC)) {
      typ = 'EC';
      crv = 'P-256';
    } else {
      // TODO support P-384 as well (but probably nothing else)
      console.warn("unsupported ec curve");
    }
  }

  return { typ: typ, pub: pub, der: der, crv: crv };
};

PEM._format = function formatAsPem(str) {
  var finalString = '';

  while (str.length > 0) {
      finalString += str.substring(0, 64) + '\n';
      str = str.substring(64);
  }
  return finalString;
};

PEM.parseEcPubkey = function readEcPubkey(der) {
  // the key is the last 520 bits of both the private key and the public key
  // he 3 bits prior identify the key as
  var x, y;
  var compressed;
  var keylen = 32;
  var offset = 64;
  var headerSize = 4;
  var header = Hex.fromAB(der.slice(der.byteLength - (offset + headerSize), der.byteLength - offset));

  if ('03420004' !== header) {
    offset = 32;
    header = Hex.fromAB(der.slice(der.byteLength - (offset + headerSize), der.byteLength - offset));
    if ('03420002' !== header) {
      throw new Error("not a valid EC P-256 key (expected 0x0342004 or 0x0342002 as pub key preamble, but found " + header + ")");
    }
  }

  // The one good thing that came from the b***kchain hysteria: good EC documentation
  // https://davidederosa.com/basic-blockchain-programming/elliptic-curve-keys/
  compressed = ('2' === header[header.byteLength -1]);
  x = der.slice(der.byteLength - offset, (der.byteLength - offset) + keylen);
  if (!compressed) {
    y = der.slice(der.byteLength - keylen, der.byteLength);
  }

  return {
    x: x
  , y: y || null
  };
};

//
// A dumbed-down, minimal ASN.1 packer
//

// Almost every ASN.1 type that's important for CSR
// can be represented generically with only a few rules.
ASN1 = function ASN1(/*type, hexstrings...*/) {
  var args = Array.prototype.slice.call(arguments);
  var typ = args.shift();
  var str = args.join('').replace(/\s+/g, '').toLowerCase();
  var len = (str.length/2);
  var lenlen = 0;
  var hex = typ;

  // We can't have an odd number of hex chars
  if (len !== Math.round(len)) {
    throw new Error("invalid hex");
  }

  // The first byte of any ASN.1 sequence is the type (Sequence, Integer, etc)
  // The second byte is either the size of the value, or the size of its size

  // 1. If the second byte is < 0x80 (128) it is considered the size
  // 2. If it is > 0x80 then it describes the number of bytes of the size
  //    ex: 0x82 means the next 2 bytes describe the size of the value
  // 3. The special case of exactly 0x80 is "indefinite" length (to end-of-file)

  if (len > 127) {
    lenlen += 1;
    while (len > 255) {
      lenlen += 1;
      len = len >> 8;
    }
  }

  if (lenlen) { hex += Hex.fromInt(0x80 + lenlen); }
  return hex + Hex.fromInt(str.length/2) + str;
};

// The Integer type has some special rules
ASN1.UInt = function UINT() {
  var str = Array.prototype.slice.call(arguments).join('');
  var first = parseInt(str.slice(0, 2), 16);

  // If the first byte is 0x80 or greater, the number is considered negative
  // Therefore we add a '00' prefix if the 0x80 bit is set
  if (0x80 & first) { str = '00' + str; }

  return ASN1('02', str);
};

// The Bit String type also has a special rule
ASN1.BitStr = function BITSTR() {
  var str = Array.prototype.slice.call(arguments).join('');
  // '00' is a mask of how many bits of the next byte to ignore
  return ASN1('03', '00' + str);
};

//
// Hex, Base64, Buffer, String
//

Hex.fromAB = function toHex(ab) {
  var hex = [];
  var u8 = new Uint8Array(ab);
  var size = u8.byteLength;
  var i;
  var h;
  for (i = 0; i < size; i += 1) {
    h = u8[i].toString(16);
    if (2 === h.length) {
      hex.push(h);
    } else {
      hex.push('0' + h);
    }
  }
  return hex.join('');
};

Hex.fromString = function strToHex(str) {
  var escstr = encodeURIComponent(str);
  // replaces any uri escape sequence, such as %0A,
  // with binary escape, such as 0x0A
  var binstr = escstr.replace(/%([0-9A-F]{2})/g, function(match, p1) {
    return String.fromCharCode('0x' + p1);
  });
  return binstr.split('').map(function (b) {
    var h = b.charCodeAt(0).toString(16);
    if (2 === h.length) { return h; }
    return '0' + h;
  }).join('');
};

Hex.fromInt = function numToHex(d) {
  d = d.toString(16);
  if (d.length % 2) {
    return '0' + d;
  }
  return d;
};

// Taken from Unibabel
// https://git.coolaj86.com/coolaj86/unibabel.js#readme
// https://coolaj86.com/articles/base64-unicode-utf-8-javascript-and-you/
AB.utf8ToUint8Array = function (str) {
  var escstr = encodeURIComponent(str);
  // replaces any uri escape sequence, such as %0A,
  // with binary escape, such as 0x0A
  var binstr = escstr.replace(/%([0-9A-F]{2})/g, function(match, p1) {
    return String.fromCharCode('0x' + p1);
  });
  var buf = new Uint8Array(binstr.length);
  binstr.split('').forEach(function (ch, i) {
    buf[i] = ch.charCodeAt(0);
  });

  return buf;
};

AB.fromHex = function fromHex(hex) {
  if ('undefined' !== typeof Buffer) {
    return Buffer.from(hex, 'hex');
  }
  var ab = new ArrayBuffer(hex.length/2);
  var i;
  var j;
  ab = new Uint8Array(ab);
  for (i = 0, j = 0; i < (hex.length/2); i += 1) {
    ab[i] = parseInt(hex.slice(j, j+1), 16);
    j += 2;
  }
  return ab.buffer;
};

AB.fromBase64 = function fromBase64(b64) {
  var buf = Buffer.from(b64, 'base64');
  return buf.buffer.slice(buf.byteOffset, buf.byteOffset + buf.byteLength);
};

AB.toBase64 = function toBase64(der) {
  return Buffer.from(der).toString('base64');
};

/*global Promise*/
module.exports = function (opts) {
  // We're using a Promise here to be compatible with the browser version
  // which uses the webcrypto API for some of the conversions
  return Promise.resolve().then(function () {

    // We do a bit of extra error checking for user convenience
    if (!opts) { throw new Error("You must pass options with key and domains to ecdsacsr"); }
    if (!Array.isArray(opts.domains) || 0 === opts.domains.length) {
      new Error("You must pass options.domains as a non-empty array");
    }

    // I need to check that 例.中国 is a valid domain name
    if (!opts.domains.every(function (d) {
      // allow punycode? xn--
      if ('string' === typeof d /*&& /\./.test(d) && !/--/.test(d)*/) {
        return true;
      }
    })) {
      throw new Error("You must pass options.domains as utf8 strings (not punycode)");
    }
    var key = PEM.from(opts.key);
    return DER.toCSR(ECDSACSR.create(key, opts.domains));
  });
};