diff --git a/LICENSE b/LICENSE index cf218b2..c212878 100644 --- a/LICENSE +++ b/LICENSE @@ -1,21 +1,375 @@ -The MIT License (MIT) +Copyright 2016-2018 AJ ONeal -Copyright (c) 2016 Daplie, Inc +Mozilla Public License Version 2.0 +================================== -Permission is hereby granted, free of charge, to any person obtaining a copy -of this software and associated documentation files (the "Software"), to deal -in the Software without restriction, including without limitation the rights -to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -copies of the Software, and to permit persons to whom the Software is -furnished to do so, subject to the following conditions: +1. Definitions +-------------- -The above copyright notice and this permission notice shall be included in all -copies or substantial portions of the Software. +1.1. "Contributor" + means each individual or legal entity that creates, contributes to + the creation of, or owns Covered Software. -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -SOFTWARE. +1.2. "Contributor Version" + means the combination of the Contributions of others (if any) used + by a Contributor and that particular Contributor's Contribution. + +1.3. "Contribution" + means Covered Software of a particular Contributor. + +1.4. "Covered Software" + means Source Code Form to which the initial Contributor has attached + the notice in Exhibit A, the Executable Form of such Source Code + Form, and Modifications of such Source Code Form, in each case + including portions thereof. + +1.5. "Incompatible With Secondary Licenses" + means + + (a) that the initial Contributor has attached the notice described + in Exhibit B to the Covered Software; or + + (b) that the Covered Software was made available under the terms of + version 1.1 or earlier of the License, but not also under the + terms of a Secondary License. + +1.6. "Executable Form" + means any form of the work other than Source Code Form. + +1.7. "Larger Work" + means a work that combines Covered Software with other material, in + a separate file or files, that is not Covered Software. + +1.8. "License" + means this document. + +1.9. "Licensable" + means having the right to grant, to the maximum extent possible, + whether at the time of the initial grant or subsequently, any and + all of the rights conveyed by this License. + +1.10. "Modifications" + means any of the following: + + (a) any file in Source Code Form that results from an addition to, + deletion from, or modification of the contents of Covered + Software; or + + (b) any new file in Source Code Form that contains any Covered + Software. + +1.11. "Patent Claims" of a Contributor + means any patent claim(s), including without limitation, method, + process, and apparatus claims, in any patent Licensable by such + Contributor that would be infringed, but for the grant of the + License, by the making, using, selling, offering for sale, having + made, import, or transfer of either its Contributions or its + Contributor Version. + +1.12. "Secondary License" + means either the GNU General Public License, Version 2.0, the GNU + Lesser General Public License, Version 2.1, the GNU Affero General + Public License, Version 3.0, or any later versions of those + licenses. + +1.13. "Source Code Form" + means the form of the work preferred for making modifications. + +1.14. "You" (or "Your") + means an individual or a legal entity exercising rights under this + License. For legal entities, "You" includes any entity that + controls, is controlled by, or is under common control with You. For + purposes of this definition, "control" means (a) the power, direct + or indirect, to cause the direction or management of such entity, + whether by contract or otherwise, or (b) ownership of more than + fifty percent (50%) of the outstanding shares or beneficial + ownership of such entity. + +2. License Grants and Conditions +-------------------------------- + +2.1. Grants + +Each Contributor hereby grants You a world-wide, royalty-free, +non-exclusive license: + +(a) under intellectual property rights (other than patent or trademark) + Licensable by such Contributor to use, reproduce, make available, + modify, display, perform, distribute, and otherwise exploit its + Contributions, either on an unmodified basis, with Modifications, or + as part of a Larger Work; and + +(b) under Patent Claims of such Contributor to make, use, sell, offer + for sale, have made, import, and otherwise transfer either its + Contributions or its Contributor Version. + +2.2. Effective Date + +The licenses granted in Section 2.1 with respect to any Contribution +become effective for each Contribution on the date the Contributor first +distributes such Contribution. + +2.3. Limitations on Grant Scope + +The licenses granted in this Section 2 are the only rights granted under +this License. No additional rights or licenses will be implied from the +distribution or licensing of Covered Software under this License. +Notwithstanding Section 2.1(b) above, no patent license is granted by a +Contributor: + +(a) for any code that a Contributor has removed from Covered Software; + or + +(b) for infringements caused by: (i) Your and any other third party's + modifications of Covered Software, or (ii) the combination of its + Contributions with other software (except as part of its Contributor + Version); or + +(c) under Patent Claims infringed by Covered Software in the absence of + its Contributions. + +This License does not grant any rights in the trademarks, service marks, +or logos of any Contributor (except as may be necessary to comply with +the notice requirements in Section 3.4). + +2.4. Subsequent Licenses + +No Contributor makes additional grants as a result of Your choice to +distribute the Covered Software under a subsequent version of this +License (see Section 10.2) or under the terms of a Secondary License (if +permitted under the terms of Section 3.3). + +2.5. Representation + +Each Contributor represents that the Contributor believes its +Contributions are its original creation(s) or it has sufficient rights +to grant the rights to its Contributions conveyed by this License. + +2.6. Fair Use + +This License is not intended to limit any rights You have under +applicable copyright doctrines of fair use, fair dealing, or other +equivalents. + +2.7. Conditions + +Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted +in Section 2.1. + +3. Responsibilities +------------------- + +3.1. Distribution of Source Form + +All distribution of Covered Software in Source Code Form, including any +Modifications that You create or to which You contribute, must be under +the terms of this License. You must inform recipients that the Source +Code Form of the Covered Software is governed by the terms of this +License, and how they can obtain a copy of this License. You may not +attempt to alter or restrict the recipients' rights in the Source Code +Form. + +3.2. Distribution of Executable Form + +If You distribute Covered Software in Executable Form then: + +(a) such Covered Software must also be made available in Source Code + Form, as described in Section 3.1, and You must inform recipients of + the Executable Form how they can obtain a copy of such Source Code + Form by reasonable means in a timely manner, at a charge no more + than the cost of distribution to the recipient; and + +(b) You may distribute such Executable Form under the terms of this + License, or sublicense it under different terms, provided that the + license for the Executable Form does not attempt to limit or alter + the recipients' rights in the Source Code Form under this License. + +3.3. Distribution of a Larger Work + +You may create and distribute a Larger Work under terms of Your choice, +provided that You also comply with the requirements of this License for +the Covered Software. If the Larger Work is a combination of Covered +Software with a work governed by one or more Secondary Licenses, and the +Covered Software is not Incompatible With Secondary Licenses, this +License permits You to additionally distribute such Covered Software +under the terms of such Secondary License(s), so that the recipient of +the Larger Work may, at their option, further distribute the Covered +Software under the terms of either this License or such Secondary +License(s). + +3.4. Notices + +You may not remove or alter the substance of any license notices +(including copyright notices, patent notices, disclaimers of warranty, +or limitations of liability) contained within the Source Code Form of +the Covered Software, except that You may alter any license notices to +the extent required to remedy known factual inaccuracies. + +3.5. Application of Additional Terms + +You may choose to offer, and to charge a fee for, warranty, support, +indemnity or liability obligations to one or more recipients of Covered +Software. However, You may do so only on Your own behalf, and not on +behalf of any Contributor. You must make it absolutely clear that any +such warranty, support, indemnity, or liability obligation is offered by +You alone, and You hereby agree to indemnify every Contributor for any +liability incurred by such Contributor as a result of warranty, support, +indemnity or liability terms You offer. You may include additional +disclaimers of warranty and limitations of liability specific to any +jurisdiction. + +4. Inability to Comply Due to Statute or Regulation +--------------------------------------------------- + +If it is impossible for You to comply with any of the terms of this +License with respect to some or all of the Covered Software due to +statute, judicial order, or regulation then You must: (a) comply with +the terms of this License to the maximum extent possible; and (b) +describe the limitations and the code they affect. Such description must +be placed in a text file included with all distributions of the Covered +Software under this License. Except to the extent prohibited by statute +or regulation, such description must be sufficiently detailed for a +recipient of ordinary skill to be able to understand it. + +5. Termination +-------------- + +5.1. The rights granted under this License will terminate automatically +if You fail to comply with any of its terms. However, if You become +compliant, then the rights granted under this License from a particular +Contributor are reinstated (a) provisionally, unless and until such +Contributor explicitly and finally terminates Your grants, and (b) on an +ongoing basis, if such Contributor fails to notify You of the +non-compliance by some reasonable means prior to 60 days after You have +come back into compliance. Moreover, Your grants from a particular +Contributor are reinstated on an ongoing basis if such Contributor +notifies You of the non-compliance by some reasonable means, this is the +first time You have received notice of non-compliance with this License +from such Contributor, and You become compliant prior to 30 days after +Your receipt of the notice. + +5.2. If You initiate litigation against any entity by asserting a patent +infringement claim (excluding declaratory judgment actions, +counter-claims, and cross-claims) alleging that a Contributor Version +directly or indirectly infringes any patent, then the rights granted to +You by any and all Contributors for the Covered Software under Section +2.1 of this License shall terminate. + +5.3. In the event of termination under Sections 5.1 or 5.2 above, all +end user license agreements (excluding distributors and resellers) which +have been validly granted by You or Your distributors under this License +prior to termination shall survive termination. + +************************************************************************ +* * +* 6. Disclaimer of Warranty * +* ------------------------- * +* * +* Covered Software is provided under this License on an "as is" * +* basis, without warranty of any kind, either expressed, implied, or * +* statutory, including, without limitation, warranties that the * +* Covered Software is free of defects, merchantable, fit for a * +* particular purpose or non-infringing. The entire risk as to the * +* quality and performance of the Covered Software is with You. * +* Should any Covered Software prove defective in any respect, You * +* (not any Contributor) assume the cost of any necessary servicing, * +* repair, or correction. This disclaimer of warranty constitutes an * +* essential part of this License. No use of any Covered Software is * +* authorized under this License except under this disclaimer. * +* * +************************************************************************ + +************************************************************************ +* * +* 7. Limitation of Liability * +* -------------------------- * +* * +* Under no circumstances and under no legal theory, whether tort * +* (including negligence), contract, or otherwise, shall any * +* Contributor, or anyone who distributes Covered Software as * +* permitted above, be liable to You for any direct, indirect, * +* special, incidental, or consequential damages of any character * +* including, without limitation, damages for lost profits, loss of * +* goodwill, work stoppage, computer failure or malfunction, or any * +* and all other commercial damages or losses, even if such party * +* shall have been informed of the possibility of such damages. This * +* limitation of liability shall not apply to liability for death or * +* personal injury resulting from such party's negligence to the * +* extent applicable law prohibits such limitation. Some * +* jurisdictions do not allow the exclusion or limitation of * +* incidental or consequential damages, so this exclusion and * +* limitation may not apply to You. * +* * +************************************************************************ + +8. Litigation +------------- + +Any litigation relating to this License may be brought only in the +courts of a jurisdiction where the defendant maintains its principal +place of business and such litigation shall be governed by laws of that +jurisdiction, without reference to its conflict-of-law provisions. +Nothing in this Section shall prevent a party's ability to bring +cross-claims or counter-claims. + +9. Miscellaneous +---------------- + +This License represents the complete agreement concerning the subject +matter hereof. If any provision of this License is held to be +unenforceable, such provision shall be reformed only to the extent +necessary to make it enforceable. Any law or regulation which provides +that the language of a contract shall be construed against the drafter +shall not be used to construe this License against a Contributor. + +10. Versions of the License +--------------------------- + +10.1. New Versions + +Mozilla Foundation is the license steward. Except as provided in Section +10.3, no one other than the license steward has the right to modify or +publish new versions of this License. Each version will be given a +distinguishing version number. + +10.2. Effect of New Versions + +You may distribute the Covered Software under the terms of the version +of the License under which You originally received the Covered Software, +or under the terms of any subsequent version published by the license +steward. + +10.3. Modified Versions + +If you create software not governed by this License, and you want to +create a new license for such software, you may create and use a +modified version of this License if you rename the license and remove +any references to the name of the license steward (except to note that +such modified license differs from this License). + +10.4. Distributing Source Code Form that is Incompatible With Secondary +Licenses + +If You choose to distribute Source Code Form that is Incompatible With +Secondary Licenses under the terms of this version of the License, the +notice described in Exhibit B of this License must be attached. + +Exhibit A - Source Code Form License Notice +------------------------------------------- + + This Source Code Form is subject to the terms of the Mozilla Public + License, v. 2.0. If a copy of the MPL was not distributed with this + file, You can obtain one at http://mozilla.org/MPL/2.0/. + +If it is not possible or desirable to put the notice in a particular +file, then You may include the notice in a location (such as a LICENSE +file in a relevant directory) where a recipient would be likely to look +for such a notice. + +You may add additional accurate notices of copyright ownership. + +Exhibit B - "Incompatible With Secondary Licenses" Notice +--------------------------------------------------------- + + This Source Code Form is "Incompatible With Secondary Licenses", as + defined by the Mozilla Public License, v. 2.0. diff --git a/README.md b/README.md index 72b0064..2b72313 100644 --- a/README.md +++ b/README.md @@ -3,19 +3,20 @@ !["Monthly Downloads"](https://img.shields.io/npm/dm/rsa-compat.svg "Monthly Download Count can't be shown") !["Weekly Downloads"](https://img.shields.io/npm/dw/rsa-compat.svg "Weekly Download Count can't be shown") -| Sponsored by [ppl](https://ppl.family). +| A [Root](https://therootcompany.com) Project. JavaScript RSA utils that work on Windows, Mac, and Linux with or without C compiler -In order to provide a module that "just works" everywhere, we mix and match methods -from `node.js` core, `ursa`, `forge`, and others. +This now uses node-native RSA key generation and lightweight, zero-dependency solutions for key conversion. +However, it also optionally depends on `ursa` and `forge` for backwards compatibility with older node versions. -This is useful for **certbot** and **letsencrypt**. +This was built for the [ACME.js](https://git.coolaj86.com/coolaj86/acme.js) and +[Greenlock.js](https://git.coolaj86.com/coolaj86/greenlock.js) **Let's Encrypt** clients +and is particularly suitable for building **certbot**-like clients. -(in the future we'd like to provide the same API to the browser) +(if you're looking for similar tools in the browser, consider [Bluecrypt](https://www.npmjs.com/search?q=bluecrypt)) -Install -======= +# Install node.js @@ -23,27 +24,13 @@ node.js npm install --save rsa-compat ``` -For **more efficient** RSA key generation: -(I dropped `ursa` as an "optional dependency" because the non-fatal error messages on unsupported platforms and node versions were confusing people, but I still recommend installing it) - -```bash -npm install --save ursa -``` - -**Node < v6** support: - -```bash -npm install --save buffer-v6-polyfill -``` - ### CLI ```bash npm install --global rsa-compat ``` -Usage -===== +# Usage CLI --- @@ -105,27 +92,7 @@ NOTE: this object is JSON safe as _ursa and _forge will be ignored See http://crypto.stackexchange.com/questions/6593/what-data-is-saved-in-rsa-private-key to learn a little more about the meaning of the specific fields in the JWK. -Security and Compatibility ------- - -**TL;DR**: Use the default values 2048 and 65537 unless you have a really, really good reason to do otherwise. - -Various platforms *require* these values. - -Most security experts agree that 4096-bit is no more "secure" than 2048-bit - -a fundamental vulnerability in the RSA algorithm which causes 2048 to be broken -will most likely also cause 4096 to be broken -(i.e. if someone can prove mathematically prove P=NP or a way to predict prime numbers). -Also, many platforms -only support 2048 bit keys due to the insecurity of 1024-bit keys (which are not 1/2 secure -but rather 1/(2^1028) less secure) and the excess computational -cost of 4096-bit keys (it's not a 2x increase, it's more like a 2^2048 increase). - -As to why 65537 is even optional as a prime exponent or why it matters... no idea, -but it does matter. - -API ---- +# API Summary * `RSA.generateKeypair(options, cb)` * (deprecated `RSA.generateKeypair(bitlen, exp, options, cb)`) @@ -248,8 +215,65 @@ var web64 = RSA.generateCsrDerWeb64(keypair, [ 'example.com', 'www.example.com' console.log(web64); ``` -ChangeLog: +# Old Node Versions +In recent versions of node >= v10.12 native RSA key generation is fairly quick for 2048-bit keys +(though it may still be too slow for some applications with 4096-bit keys). + +In old versions, however, and especially on ARM and/or MIPS procesors, RSA key generation can be +very, very slow. + +In old node versions `ursa` can provide faster key generation, but it must be compiled. +`ursa` will not compile for new node versions, but they already include the same openssl bindings anyawy. + + +```bash +npm install --save ursa +``` + +Also, if you need **Node < v6** support: + +```bash +npm install --save buffer-v6-polyfill +``` + +## Security and Compatibility + +**TL;DR**: Use the default values 2048 and 65537 unless you have a really, really good reason to do otherwise. + +Various platforms *require* these values. + +Most security experts agree that 4096-bit is no more "secure" than 2048-bit - +a fundamental vulnerability in the RSA algorithm which causes 2048 to be broken +will most likely also cause 4096 to be broken +(i.e. if someone can prove mathematically prove P=NP or a way to predict prime numbers). +Also, many platforms +only support 2048 bit keys due to the insecurity of 1024-bit keys (which are not 1/2 secure +but rather 1/(2^1028) less secure) and the excess computational +cost of 4096-bit keys (it's not a 2x increase, it's more like a 2^2048 increase). + +As to why 65537 is even optional as a prime exponent or why it matters... no idea, +but it does matter. + +# ChangeLog: + +* v1.9.0 + * consistently handle key generation across node crypto, ursa, and forge + * move all other operations to rasha.js and rsa-csr.js * v1.4.0 * remove ursa as dependency (just causes confusion), but note in docs * drop node < v6 support + +# Legal + +rsa-compat.js directly includes code from +[Rasha.js](https://git.coolaj86.com/coolaj86/rasha.js) +and +[RSA-CSR.js](https://git.coolaj86.com/coolaj86/rsa-csr.js) +(also [Root](https://therootcompany.com) projects), +retrofitted for rsa-compat. + +[rsa-compat.js](https://git.coolaj86.com/coolaj86/rsa-compat.js) | +MPL-2.0 | +[Terms of Use](https://therootcompany.com/legal/#terms) | +[Privacy Policy](https://therootcompany.com/legal/#privacy) diff --git a/fixtures/csr.pem b/fixtures/csr.pem new file mode 100644 index 0000000..562c8b2 --- /dev/null +++ b/fixtures/csr.pem @@ -0,0 +1,11 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIIBjzCB+QIBADAWMRQwEgYDVQQDEwtleGFtcGxlLmNvbTCBnzANBgkqhkiG9w0B +AQEFAAOBjQAwgYkCgYEAwm5tN860BqucnK0sTx+E2wQjzCemNG8FcYr8qnTrvknX +Q5HPHIwurMhkXe1ytSQoGu11zv27hfQahwNSC6Sl+Rj7ZQ9RL8bF6FRhtislhY4u +SglbPGfvB+ij1fUmC8ExjrAdCdMq+fNl2SibYUyEbGQtoRQYNJ+w3OdNNk0EGD0C +AwEAAaA6MDgGCSqGSIb3DQEJDjErMCkwJwYDVR0RBCAwHoILZXhhbXBsZS5jb22C +D3d3dy5leGFtcGxlLmNvbTANBgkqhkiG9w0BAQsFAAOBgQCv1nj7zL0vnP11GEDb +TWlXPyT2XaFH9lYOm8By3BKrtk6rhGojlLppmNGaCEBqztebCY2T5LT6mi5lz0xc +YHJ9YC4w1yKz94//gmEMYJ+7fuILexnaeZudp9GjR3OeRWIWr/+3H0U3XnZpazGP +/qK4BCIl9HOOJbF5tyTd/CeeBg== +-----END CERTIFICATE REQUEST----- diff --git a/fixtures/csr.urlbase64 b/fixtures/csr.urlbase64 new file mode 100644 index 0000000..12dffac --- /dev/null +++ b/fixtures/csr.urlbase64 @@ -0,0 +1 @@ +MIIBjzCB-QIBADAWMRQwEgYDVQQDEwtleGFtcGxlLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAwm5tN860BqucnK0sTx-E2wQjzCemNG8FcYr8qnTrvknXQ5HPHIwurMhkXe1ytSQoGu11zv27hfQahwNSC6Sl-Rj7ZQ9RL8bF6FRhtislhY4uSglbPGfvB-ij1fUmC8ExjrAdCdMq-fNl2SibYUyEbGQtoRQYNJ-w3OdNNk0EGD0CAwEAAaA6MDgGCSqGSIb3DQEJDjErMCkwJwYDVR0RBCAwHoILZXhhbXBsZS5jb22CD3d3dy5leGFtcGxlLmNvbTANBgkqhkiG9w0BAQsFAAOBgQCv1nj7zL0vnP11GEDbTWlXPyT2XaFH9lYOm8By3BKrtk6rhGojlLppmNGaCEBqztebCY2T5LT6mi5lz0xcYHJ9YC4w1yKz94__gmEMYJ-7fuILexnaeZudp9GjR3OeRWIWr_-3H0U3XnZpazGP_qK4BCIl9HOOJbF5tyTd_CeeBg diff --git a/fixtures/privkey.jwk.json b/fixtures/privkey.jwk.json new file mode 100644 index 0000000..92180d0 --- /dev/null +++ b/fixtures/privkey.jwk.json @@ -0,0 +1,11 @@ +{ + "kty": "RSA", + "n": "wm5tN860BqucnK0sTx-E2wQjzCemNG8FcYr8qnTrvknXQ5HPHIwurMhkXe1ytSQoGu11zv27hfQahwNSC6Sl-Rj7ZQ9RL8bF6FRhtislhY4uSglbPGfvB-ij1fUmC8ExjrAdCdMq-fNl2SibYUyEbGQtoRQYNJ-w3OdNNk0EGD0", + "e": "AQAB", + "d": "HT8DCrv69G3n9uFNovE4yMEMqW7lX0m75eJkMze3Jj5xNOa_4qlrc-4IuuA2uuyfY72IVQRxqqqXOuvS8ZForZZk-kWSd6z45hrpbNAAHH2Rf7XwnwHY8VJrOQF3UtbktTWqHX36ITZb9Hmf18hWsIeEp8Ng7Ru9h7hNuVxKMjk", + "p": "42M69lUC-EIzYmcsZYkbf7kGhqvcwHk_h7N8TEOa7IYRP_DQL49LrSNuMHxOK9CxJ0RwajsY5o6WYBfoRC0B5w", + "q": "2uWWAmzLitMx9reZDnSQwhw1qGIQ55quEBwmBBQIe46O4SeFT0V8TED-bkVeOYQVCFHCS6GTRBoipMZtTPEYOw", + "dp": "u7Ec6lghq2p5n7AqJWWXHUZM7LzP6tAqcIjnAMyNBM9lTbIpJhjSDohAXCU_IUuR7ye-4vEFDMqFtawGPMAp4Q", + "dq": "XLhDAmPzE6rBzy-VtXnKl247jEd9wZzTfh9uOuwBa9TG0Lhcz2cvb11YaH0ZnGNGRW_cTQzzxDUN1531TlIRYQ", + "qi": "jZqnPoQJ8bCGy8hxTf7IW37cIDvwJRWxfg1S6XmbcKWzab7kxsZAbkrSEanGMMLc6ZdOrVjmCd6nnJRm9U9kjg" +} diff --git a/fixtures/privkey.pkcs1.pem b/fixtures/privkey.pkcs1.pem new file mode 100644 index 0000000..8281814 --- /dev/null +++ b/fixtures/privkey.pkcs1.pem @@ -0,0 +1,15 @@ +-----BEGIN RSA PRIVATE KEY----- +MIICXQIBAAKBgQDCbm03zrQGq5ycrSxPH4TbBCPMJ6Y0bwVxivyqdOu+SddDkc8c +jC6syGRd7XK1JCga7XXO/buF9BqHA1ILpKX5GPtlD1EvxsXoVGG2KyWFji5KCVs8 +Z+8H6KPV9SYLwTGOsB0J0yr582XZKJthTIRsZC2hFBg0n7Dc5002TQQYPQIDAQAB +AoGAHT8DCrv69G3n9uFNovE4yMEMqW7lX0m75eJkMze3Jj5xNOa/4qlrc+4IuuA2 +uuyfY72IVQRxqqqXOuvS8ZForZZk+kWSd6z45hrpbNAAHH2Rf7XwnwHY8VJrOQF3 +UtbktTWqHX36ITZb9Hmf18hWsIeEp8Ng7Ru9h7hNuVxKMjkCQQDjYzr2VQL4QjNi +ZyxliRt/uQaGq9zAeT+Hs3xMQ5rshhE/8NAvj0utI24wfE4r0LEnRHBqOxjmjpZg +F+hELQHnAkEA2uWWAmzLitMx9reZDnSQwhw1qGIQ55quEBwmBBQIe46O4SeFT0V8 +TED+bkVeOYQVCFHCS6GTRBoipMZtTPEYOwJBALuxHOpYIatqeZ+wKiVllx1GTOy8 +z+rQKnCI5wDMjQTPZU2yKSYY0g6IQFwlPyFLke8nvuLxBQzKhbWsBjzAKeECQFy4 +QwJj8xOqwc8vlbV5ypduO4xHfcGc034fbjrsAWvUxtC4XM9nL29dWGh9GZxjRkVv +3E0M88Q1Dded9U5SEWECQQCNmqc+hAnxsIbLyHFN/shbftwgO/AlFbF+DVLpeZtw +pbNpvuTGxkBuStIRqcYwwtzpl06tWOYJ3qeclGb1T2SO +-----END RSA PRIVATE KEY----- diff --git a/fixtures/privkey.pkcs8.pem b/fixtures/privkey.pkcs8.pem new file mode 100644 index 0000000..cfecdc3 --- /dev/null +++ b/fixtures/privkey.pkcs8.pem @@ -0,0 +1,16 @@ +-----BEGIN PRIVATE KEY----- +MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBAMJubTfOtAarnJyt +LE8fhNsEI8wnpjRvBXGK/Kp0675J10ORzxyMLqzIZF3tcrUkKBrtdc79u4X0GocD +UgukpfkY+2UPUS/GxehUYbYrJYWOLkoJWzxn7wfoo9X1JgvBMY6wHQnTKvnzZdko +m2FMhGxkLaEUGDSfsNznTTZNBBg9AgMBAAECgYAdPwMKu/r0bef24U2i8TjIwQyp +buVfSbvl4mQzN7cmPnE05r/iqWtz7gi64Da67J9jvYhVBHGqqpc669LxkWitlmT6 +RZJ3rPjmGuls0AAcfZF/tfCfAdjxUms5AXdS1uS1NaodffohNlv0eZ/XyFawh4Sn +w2DtG72HuE25XEoyOQJBAONjOvZVAvhCM2JnLGWJG3+5Boar3MB5P4ezfExDmuyG +ET/w0C+PS60jbjB8TivQsSdEcGo7GOaOlmAX6EQtAecCQQDa5ZYCbMuK0zH2t5kO +dJDCHDWoYhDnmq4QHCYEFAh7jo7hJ4VPRXxMQP5uRV45hBUIUcJLoZNEGiKkxm1M +8Rg7AkEAu7Ec6lghq2p5n7AqJWWXHUZM7LzP6tAqcIjnAMyNBM9lTbIpJhjSDohA +XCU/IUuR7ye+4vEFDMqFtawGPMAp4QJAXLhDAmPzE6rBzy+VtXnKl247jEd9wZzT +fh9uOuwBa9TG0Lhcz2cvb11YaH0ZnGNGRW/cTQzzxDUN1531TlIRYQJBAI2apz6E +CfGwhsvIcU3+yFt+3CA78CUVsX4NUul5m3Cls2m+5MbGQG5K0hGpxjDC3OmXTq1Y +5gnep5yUZvVPZI4= +-----END PRIVATE KEY----- diff --git a/fixtures/signed.jwk.json b/fixtures/signed.jwk.json new file mode 100644 index 0000000..509867b --- /dev/null +++ b/fixtures/signed.jwk.json @@ -0,0 +1,13 @@ +{ + "header": { + "alg": "RS256", + "jwk": { + "kty": "RSA", + "n": "AMJubTfOtAarnJytLE8fhNsEI8wnpjRvBXGK_Kp0675J10ORzxyMLqzIZF3tcrUkKBrtdc79u4X0GocDUgukpfkY-2UPUS_GxehUYbYrJYWOLkoJWzxn7wfoo9X1JgvBMY6wHQnTKvnzZdkom2FMhGxkLaEUGDSfsNznTTZNBBg9", + "e": "AQAB" + } + }, + "protected": "eyJub25jZSI6IjhlZjU2MjRmNWVjOWQzZWYifQ", + "payload": "JLzF1NBNCV3kfbJ5sFaFyX94fJuL2H-IzaoBN-ciiHk", + "signature": "Wb2al5SDyh5gjmkV79MK9m3sfNBBPjntSKor-34BBoGwr6n8qEnBmqB1Y4zbo-5rmvsoPmJsnRlP_hRiUY86zSAQyfbisTGrGBl0IQ7ditpkfYVm0rBWJ8WnYNqYNp8K3qcD7NW72tsy-XoWEjNlz4lWJeRdEG2Nt4CJgnREH4Y" +} diff --git a/index.js b/index.js new file mode 100644 index 0000000..de04827 --- /dev/null +++ b/index.js @@ -0,0 +1,7 @@ +// Copyright 2016-2018 AJ ONeal. All rights reserved +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +'use strict'; + +module.exports.RSA = require('./lib/rsa.js'); diff --git a/lib/generate-privkey-forge.js b/lib/generate-privkey-forge.js index 890fbb6..a11def9 100644 --- a/lib/generate-privkey-forge.js +++ b/lib/generate-privkey-forge.js @@ -1,6 +1,10 @@ +// Copyright 2016-2018 AJ ONeal. All rights reserved +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ 'use strict'; -var Rasha = require('rasha'); +var Rasha = require('./rasha'); module.exports = function (bitlen, exp) { var k = require('node-forge').pki.rsa diff --git a/lib/generate-privkey-node.js b/lib/generate-privkey-node.js index 1502e38..cfc3c8b 100644 --- a/lib/generate-privkey-node.js +++ b/lib/generate-privkey-node.js @@ -1,6 +1,10 @@ +// Copyright 2016-2018 AJ ONeal. All rights reserved +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ 'use strict'; -var Rasha = require('rasha'); +var Rasha = require('./rasha'); module.exports = function (bitlen, exp) { var keypair = require('crypto').generateKeyPairSync( @@ -8,11 +12,11 @@ module.exports = function (bitlen, exp) { , { modulusLength: bitlen , publicExponent: exp , privateKeyEncoding: { - type: 'pkcs8' + type: 'pkcs1' , format: 'pem' } , publicKeyEncoding: { - type: 'spki' + type: 'pkcs1' , format: 'pem' } } diff --git a/lib/generate-privkey-ursa.js b/lib/generate-privkey-ursa.js index 2ad7979..2267233 100644 --- a/lib/generate-privkey-ursa.js +++ b/lib/generate-privkey-ursa.js @@ -1,6 +1,10 @@ +// Copyright 2016-2018 AJ ONeal. All rights reserved +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ 'use strict'; -var Rasha = require('rasha'); +var Rasha = require('./rasha'); module.exports = function (bitlen, exp) { var ursa; diff --git a/lib/generate-privkey.js b/lib/generate-privkey.js index 287bc1b..3f71b2b 100644 --- a/lib/generate-privkey.js +++ b/lib/generate-privkey.js @@ -1,3 +1,7 @@ +// Copyright 2016-2018 AJ ONeal. All rights reserved +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ 'use strict'; var oldver = false; @@ -7,13 +11,13 @@ module.exports = function (bitlen, exp) { exp = parseInt(exp, 10) || 65537; try { - return require('./generate-privkey-node')(bitlen, exp); + return require('./generate-privkey-node.js')(bitlen, exp); } catch(e) { if (!/generateKeyPairSync is not a function/.test(e.message)) { throw e; } try { - return require('./generate-privkey-ursa')(bitlen, exp); + return require('./generate-privkey-ursa.js')(bitlen, exp); } catch(e) { if (e.code !== 'MODULE_NOT_FOUND') { throw e; @@ -41,7 +45,7 @@ module.exports = function (bitlen, exp) { } } try { - return require('./generate-privkey-forge')(bitlen, exp); + return require('./generate-privkey-forge.js')(bitlen, exp); } catch(e) { if (e.code !== 'MODULE_NOT_FOUND') { throw e; @@ -54,5 +58,9 @@ module.exports = function (bitlen, exp) { }; if (require.main === module) { - console.log(module.exports(2048, 0x10001)); + var keypair = module.exports(2048, 0x10001); + console.info(keypair.privateKeyPem); + console.warn(keypair.publicKeyPem); + //console.info(keypair.privateKeyJwk); + //console.warn(keypair.publicKeyJwk); } diff --git a/lib/key-utils.js b/lib/key-utils.js deleted file mode 100644 index 55defeb..0000000 --- a/lib/key-utils.js +++ /dev/null @@ -1,76 +0,0 @@ -// Copyright 2014 ISRG. All rights reserved -// This Source Code Form is subject to the terms of the Mozilla Public -// License, v. 2.0. If a copy of the MPL was not distributed with this -// file, You can obtain one at http://mozilla.org/MPL/2.0/. -'use strict'; - -var utils = { - - fromStandardB64: function(x) { - return x.replace(/[+]/g, "-").replace(/\//g, "_").replace(/=/g,""); - }, - - toStandardB64: function(x) { - var b64 = x.replace(/-/g, "+").replace(/_/g, "/").replace(/=/g, ""); - - switch (b64.length % 4) { - case 2: b64 += "=="; break; - case 3: b64 += "="; break; - } - - return b64; - }, - - b64enc: function(buffer) { - return utils.fromStandardB64(buffer.toString("base64")); - }, - - b64dec: function(str) { - return Buffer.from(utils.toStandardB64(str), "base64"); - }, - - isB64String: function(x) { - return ("string" === typeof x) && !x.match(/[^a-zA-Z0-9_-]/); - }, - - fieldsPresent: function(fields, object) { - for (var i in fields) { - if (!(fields[i] in object)) { - return false; - } - } - return true; - }, - - validSignature: function(sig) { - return (("object" === typeof sig) && - ("alg" in sig) && ("string" === typeof sig.alg) && - ("nonce" in sig) && utils.isB64String(sig.nonce) && - ("sig" in sig) && utils.isB64String(sig.sig) && - ("jwk" in sig) && utils.validJWK(sig.jwk)); - }, - - validJWK: function(jwk) { - return (("object" === typeof jwk) && ("kty" in jwk) && ( - ((jwk.kty === "RSA") - && ("n" in jwk) && utils.isB64String(jwk.n) - && ("e" in jwk) && utils.isB64String(jwk.e)) || - ((jwk.kty === "EC") - && ("crv" in jwk) - && ("x" in jwk) && utils.isB64String(jwk.x) - && ("y" in jwk) && utils.isB64String(jwk.y)) - ) && !("d" in jwk)); - }, - - // A simple, non-standard fingerprint for a JWK, - // just so that we don't have to store objects - keyFingerprint: function(jwk) { - switch (jwk.kty) { - case "RSA": return jwk.n; - case "EC": return jwk.crv + jwk.x + jwk.y; - } - throw "Unrecognized key type"; - } -}; - -module.exports = utils; diff --git a/lib/node.js b/lib/node.js deleted file mode 100644 index d9b923d..0000000 --- a/lib/node.js +++ /dev/null @@ -1,42 +0,0 @@ -/*! - * rsa-compat - * Copyright(c) 2016 AJ ONeal https://daplie.com - * Apache-2.0 OR MIT (and hence also MPL 2.0) -*/ -'use strict'; - -var cryptoc = module.exports; -var rsaExtra = require('./rsa-extra'); -var rsaForge = require('./rsa-forge'); -var rsaUrsa; - -try { - rsaUrsa = require('./rsa-ursa'); -} catch(e) { - rsaUrsa = {}; - // things will run a little slower on keygen, but it'll work on windows - // (but don't try this on raspberry pi - 20+ MINUTES key generation) -} - -// order of crypto precdence is -// * native -// * ursa -// * forge extra (the new one aimed to be less-forgey) -// * forge (fallback) -Object.keys(rsaUrsa).forEach(function (key) { - if (!cryptoc[key]) { - cryptoc[key] = rsaUrsa[key]; - } -}); - -Object.keys(rsaForge).forEach(function (key) { - if (!cryptoc[key]) { - cryptoc[key] = rsaForge[key]; - } -}); - -Object.keys(rsaExtra).forEach(function (key) { - if (!cryptoc[key]) { - cryptoc[key] = rsaExtra[key]; - } -}); diff --git a/lib/rasha/.drone.yml b/lib/rasha/.drone.yml new file mode 100644 index 0000000..309fe40 --- /dev/null +++ b/lib/rasha/.drone.yml @@ -0,0 +1,11 @@ +kind: pipeline +name: default + +pipeline: + build: + image: node + environment: + RASHA_TEST_LARGE_KEYS: "true" + commands: + - npm install --ignore-scripts + - npm test diff --git a/lib/rasha/.gitignore b/lib/rasha/.gitignore new file mode 100644 index 0000000..f080492 --- /dev/null +++ b/lib/rasha/.gitignore @@ -0,0 +1 @@ +all.* diff --git a/lib/rasha/README.md b/lib/rasha/README.md new file mode 100644 index 0000000..e2d5fb2 --- /dev/null +++ b/lib/rasha/README.md @@ -0,0 +1,218 @@ +[Rasha.js](https://git.coolaj86.com/coolaj86/rasha.js) · [![Build Status](https://strong-emu-11.telebit.io/api/badges/coolaj86/rasha.js/status.svg)](https://strong-emu-11.telebit.io/coolaj86/rasha.js) +========= + +Sponsored by [Root](https://therootcompany.com). +Built for [ACME.js](https://git.coolaj86.com/coolaj86/acme.js) +and [Greenlock.js](https://git.coolaj86.com/coolaj86/greenlock.js) + + + +| ~550 lines of code | 3kb gzipped | 10kb minified | 18kb with comments | + +RSA tools. Lightweight. Zero Dependencies. Universal compatibility. + +* [x] Fast and Easy RSA Key Generation +* [x] PEM-to-JWK +* [x] JWK-to-PEM +* [x] SSH "pub" format +* [ ] ECDSA + * **Need EC or ECDSA tools?** Check out [Eckles.js](https://git.coolaj86.com/coolaj86/eckles.js) + + +## Generate RSA Key + +Achieves the *fastest possible key generation* using node's native RSA bindings to OpenSSL, +then converts to JWK for ease-of-use. + +``` +Rasha.generate({ format: 'jwk' }).then(function (keypair) { + console.log(keypair.private); + console.log(keypair.public); +}); +``` + +**options** + +* `format` defaults to `'jwk'` + * `'pkcs1'` (traditional) + * `'pkcs8'` +* `modulusLength` defaults to 2048 (must not be lower) + * generally you shouldn't pick a larger key size - they're slow + * **2048** is more than sufficient + * 3072 is way, way overkill and takes a few seconds to generate + * 4096 can take about a minute to generate and is just plain wasteful + +**advanced options** + +These options are provided for debugging and should not be used. + +* `publicExponent` defaults to 65537 (`0x10001`) + +## PEM-to-JWK + +* [x] PKCS#1 (traditional) +* [x] PKCS#8, SPKI/PKIX +* [x] 2048-bit, 3072-bit, 4096-bit (and ostensibily all others) +* [x] SSH (RFC4716), (RFC 4716/SSH2) + +```js +var Rasha = require('rasha'); +var pem = require('fs') + .readFileSync('./node_modles/rasha/fixtures/privkey-rsa-2048.pkcs1.pem', 'ascii'); + +Rasha.import({ pem: pem }).then(function (jwk) { + console.log(jwk); +}); +``` + +```js +{ + "kty": "RSA", + "n": "m2ttVBxPlWw06ZmGBWVDl...QlEz7UNNj9RGps_50-CNw", + "e": "AQAB", + "d": "Cpfo7Mm9Nu8YMC_xrZ54W...Our1IdDzJ_YfHPt9sHMQQ", + "p": "ynG-t9HwKCN3MWRYFdnFz...E9S4DsGcAarIuOT2TsTCE", + "q": "xIkAjgUzB1zaUzJtW2Zgv...38ahSrBFEVnxjpnPh1Q1c", + "dp": "tzDGjECFOU0ehqtuqhcu...dVGAXJoGOdv5VpaZ7B1QE", + "dq": "kh5dyDk7YCz7sUFbpsmu...aX9PKa12HFlny6K1daL48", + "qi": "AlHWbx1gp6Z9pbw_1hlS...lhmIOgRApS0t9VoXtHhFU" +} +``` + +## JWK-to-PEM + +* [x] PKCS#1 (traditional) +* [x] PKCS#8, SPKI/PKIX +* [x] 2048-bit, 4096-bit (and ostensibily all others) +* [x] SSH (RFC4716), (RFC 4716/SSH2) + +```js +var Rasha = require('rasha'); +var jwk = require('rasha/fixtures/privkey-rsa-2048.jwk.json'); + +Rasha.export({ jwk: jwk }).then(function (pem) { + // PEM in PKCS1 (traditional) format + console.log(pem); +}); +``` + +``` +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAm2ttVBxPlWw06ZmGBWVDlfjkPAJ4DgnY0TrDwtCohHzLxGhD +NzUJefLukC+xu0LBKylYojT5vTkxaOhxeSYo31syu4WhxbkTBLICOFcCGMob6pSQ +38P8LdAIlb0pqDHxEJ9adWomjuFf.....5cCBahfsiNtNR6WV1/iCSuINYs6uPdA +Jlw7hm9m8TAmFWWyfL0s7wiRvAYkQvpxetorTwHJVLabBDJ+WBOAY2enOLHIRQv+ +atAvHrLXjkUdzF96o0icyF6n7QzGfUPmeWGYg6BEClLS31Whe0eEVQ== +-----END RSA PRIVATE KEY----- +``` + +### Advanced Options + +`format: 'pkcs8'`: + +The default output format `pkcs1` (RSA-specific format) is used for private keys. +Use `format: 'pkcs8'` to output in PKCS#8 format instead. + +```js +Rasha.export({ jwk: jwk, format: 'pkcs8' }).then(function (pem) { + // PEM in PKCS#8 format + console.log(pem); +}); +``` + +``` +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCba21UHE+VbDTp +mYYFZUOV+OQ8AngOCdjROsPC0KiEfMvEaEM3NQl58u6QL7G7QsErKViiNPm9OTFo +6HF5JijfWzK7haHFuRMEsgI4VwIY.....LorV1ovjwKBgAJR1m8dYKemfaW8P9YZ +Uux7lwIFqF+yI201HpZXX+IJK4g1izq490AmXDuGb2bxMCYVZbJ8vSzvCJG8BiRC ++nF62itPAclUtpsEMn5YE4BjZ6c4schFC/5q0C8esteORR3MX3qjSJzIXqftDMZ9 +Q+Z5YZiDoEQKUtLfVaF7R4RV +-----END PRIVATE KEY----- +``` + +`format: 'ssh'`: + +Although SSH uses PKCS#1 for private keys, it uses ts own special non-ASN1 format +(affectionately known as rfc4716) for public keys. I got curious and then decided +to add this format as well. + +To get the same format as you +would get with `ssh-keygen`, pass `ssh` as the format option: + +```js +Rasha.export({ jwk: jwk, format: 'ssh' }).then(function (pub) { + // Special SSH2 Public Key format (RFC 4716) + console.log(pub); +}); +``` + +``` +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCba21UHE.....Q02P1Eamz/nT4I3 rsa@localhost +``` + +`public: 'true'`: + +If a private key is used as input, a private key will be output. + +If you'd like to output a public key instead you can pass `public: true`. + +or `format: 'spki'`. + +```js +Rasha.export({ jwk: jwk, public: true }).then(function (pem) { + // PEM in SPKI/PKIX format + console.log(pem); +}); +``` + +``` +-----BEGIN PUBLIC KEY----- +MIIBCgKCAQEAm2ttVBxPlWw06ZmGBWVDlfjkPAJ4DgnY0TrDwtCohHzLxGhDNzUJ +efLukC+xu0LBKylYojT5vTkxaOhx.....TmzCh2ikrwTMja7mUdBJf2bK3By5AB0 +Qi49OykUCfNZeQlEz7UNNj9RGps/50+CNwIDAQAB +-----END PUBLIC KEY----- +``` + +Testing +------- + +All cases are tested in `test.sh`. + +You can compare these keys to the ones that you get from OpenSSL, OpenSSH/ssh-keygen, and WebCrypto: + +```bash +# Generate 2048-bit RSA Keypair +openssl genrsa -out privkey-rsa-2048.pkcs1.pem 2048 + +# Convert PKCS1 (traditional) RSA Keypair to PKCS8 format +openssl rsa -in privkey-rsa-2048.pkcs1.pem -pubout -out pub-rsa-2048.spki.pem + +# Export Public-only RSA Key in PKCS1 (traditional) format +openssl pkcs8 -topk8 -nocrypt -in privkey-rsa-2048.pkcs1.pem -out privkey-rsa-2048.pkcs8.pem + +# Convert PKCS1 (traditional) RSA Public Key to SPKI/PKIX format +openssl rsa -in pub-rsa-2048.spki.pem -pubin -RSAPublicKey_out -out pub-rsa-2048.pkcs1.pem + +# Convert RSA public key to SSH format +ssh-keygen -f ./pub-rsa-2048.spki.pem -i -mPKCS8 > ./pub-rsa-2048.ssh.pub +``` + +Goals of this project +----- + +* Focused support for 2048-bit and 4096-bit RSA keypairs (although any size is technically supported) +* Zero Dependencies +* VanillaJS +* Quality Code: Good comments and tests +* Convert both ways: PEM-to-JWK and JWK-to-PEM (also supports SSH pub files) +* Browser support as well (TODO) +* OpenSSL, ssh-keygen, and WebCrypto compatibility + +Legal +----- + +[Rasha.js](https://git.coolaj86.com/coolaj86/rasha.js) | +MPL-2.0 | +[Terms of Use](https://therootcompany.com/legal/#terms) | +[Privacy Policy](https://therootcompany.com/legal/#privacy) diff --git a/lib/rasha/TODO.txt b/lib/rasha/TODO.txt new file mode 100644 index 0000000..598d29a --- /dev/null +++ b/lib/rasha/TODO.txt @@ -0,0 +1,63 @@ +ACME <- rsa-compat + +unsign csr + +greenlock-ecdsa +greenlock-ec-pem-to-jwk +greenlock-ec-jwk-to-pem +greenlock-ec-ssh-to-jwk +greenlock-ec-jwk-to-ssh +greenlock-ec-csr +greenlock-rsa +greenlock-rsa-pem-to-jwk +greenlock-rsa-jwk-to-pem +greenlock-rsa-ssh-to-jwk +greenlock-rsa-jwk-to-ssh +greenlock-rsa-csr +greenlock-x509 +greenlock-acme +greenlock-asn1 +greenlock-encoding +bluecrypt-ecdsa +bluecrypt-ec-pem-to-jwk +bluecrypt-ec-jwk-to-pem +bluecrypt-ec-ssh-to-jwk +bluecrypt-ec-jwk-to-ssh +bluecrypt-ec-csr +bluecrypt-rsa +bluecrypt-rsa-pem-to-jwk +bluecrypt-rsa-jwk-to-pem +bluecrypt-rsa-ssh-to-jwk +bluecrypt-rsa-jwk-to-ssh +bluecrypt-rsa-csr +bluecrypt-ans1 +bluecrypt-x509 +bluecrypt-acme +bluecrypt-encoding +keypairs +asymmetric +symmetric +groot-crypto +broot-crypto + +** unified openssl commands ** + +https://gist.github.com/briansmith/2ee42439923d8e65a266994d0f70180b + +https://connect2id.com/products/nimbus-jose-jwt/examples/jwk-generation + +https://gist.github.com/briansmith/2ee42439923d8e65a266994d0f70180b + + +RSAPrivateKey ::= SEQUENCE { + version Version, + modulus INTEGER, -- n + publicExponent INTEGER, -- e + privateExponent INTEGER, -- d + prime1 INTEGER, -- p + prime2 INTEGER, -- q + exponent1 INTEGER, -- d mod (p-1) + exponent2 INTEGER, -- d mod (q-1) + coefficient INTEGER, -- (inverse of q) mod p + otherPrimeInfos OtherPrimeInfos OPTIONAL +} diff --git a/lib/rasha/bin/rasha.js b/lib/rasha/bin/rasha.js new file mode 100755 index 0000000..4ffed3c --- /dev/null +++ b/lib/rasha/bin/rasha.js @@ -0,0 +1,97 @@ +#!/usr/bin/env node +'use strict'; + +var fs = require('fs'); +var Rasha = require('../index.js'); +var PEM = require('../lib/pem.js'); +var ASN1 = require('../lib/asn1.js'); + +var infile = process.argv[2]; +var format = process.argv[3]; +var msg = process.argv[4]; +var sign; +if ('sign' === format) { + sign = true; + format = 'pkcs8'; +} + +if (!infile) { + infile = 'jwk'; +} + +if (-1 !== [ 'jwk', 'pem', 'json', 'der', 'pkcs1', 'pkcs8', 'spki' ].indexOf(infile)) { + console.log("Generating new key..."); + Rasha.generate({ + format: infile + , modulusLength: parseInt(format, 10) || 2048 + , encoding: parseInt(format, 10) ? null : format + }).then(function (key) { + if ('der' === infile || 'der' === format) { + key.private = key.private.toString('binary'); + key.public = key.public.toString('binary'); + } + console.log(key.private); + console.log(key.public); + }).catch(function (err) { + console.error(err); + process.exit(1); + }); + return; +} +var key = fs.readFileSync(infile, 'ascii'); + +try { + key = JSON.parse(key); +} catch(e) { + // ignore +} + +if ('string' === typeof key) { + if ('tpl' === format) { + var block = PEM.parseBlock(key); + var asn1 = ASN1.parse(block.der); + ASN1.tpl(asn1); + return; + } + if (sign) { signMessage(key, msg); return; } + + var pub = (-1 !== [ 'public', 'spki', 'pkix' ].indexOf(format)); + Rasha.import({ pem: key, public: (pub || format) }).then(function (jwk) { + console.info(JSON.stringify(jwk, null, 2)); + }).catch(function (err) { + console.error(err); + process.exit(1); + }); +} else { + Rasha.export({ jwk: key, format: format }).then(function (pem) { + if (sign) { signMessage(pem, msg); return; } + console.info(pem); + }).catch(function (err) { + console.error(err); + process.exit(2); + }); +} + +function signMessage(pem, name) { + var msg; + try { + msg = fs.readFileSync(name); + } catch(e) { + console.warn("[info] input string did not exist as a file, signing the string itself"); + msg = Buffer.from(name, 'binary'); + } + var crypto = require('crypto'); + var sign = crypto.createSign('SHA256'); + sign.write(msg) + sign.end() + var buf = sign.sign(pem, 'hex'); + console.log(buf); + //console.log(buf.toString('base64')); + /* + Rasha.sign({ pem: pem, message: msg, alg: 'SHA256' }).then(function (sig) { + }).catch(function () { + console.error(err); + process.exit(3); + }); + */ +} diff --git a/lib/rasha/fixtures/privkey-rsa-2048.jwk.json b/lib/rasha/fixtures/privkey-rsa-2048.jwk.json new file mode 100644 index 0000000..f344c22 --- /dev/null +++ b/lib/rasha/fixtures/privkey-rsa-2048.jwk.json @@ -0,0 +1,11 @@ +{ + "kty": "RSA", + "n": "m2ttVBxPlWw06ZmGBWVDlfjkPAJ4DgnY0TrDwtCohHzLxGhDNzUJefLukC-xu0LBKylYojT5vTkxaOhxeSYo31syu4WhxbkTBLICOFcCGMob6pSQ38P8LdAIlb0pqDHxEJ9adWomjuFf0SUhN1cP7s9m8Yk9trkpEqjskocn2BOnTB57qAZM6-I70on0_iDZm7-jcqOPgADAmbWHhy67BXkk4yy_YzD4yOGZFXZcNp915_TW5bRd__AKPHUHxJasPiyEFqlNKBR2DSD-LbX5eTmzCh2ikrwTMja7mUdBJf2bK3By5AB0Qi49OykUCfNZeQlEz7UNNj9RGps_50-CNw", + "e": "AQAB", + "d": "Cpfo7Mm9Nu8YMC_xrZ54W9mKHPkCG9rZ93Ds9PNp-RXUgb-ljTbFPZWsYxGNKLllFz8LNosr1pT2ZDMrwNk0Af1iWNvD6gkyXaiQdCyiDPSBsJyNv2LJZon-e85X74nv53UlIkmo9SYxdLz2JaJ-iIWEe8Qh-7llLktrTJV_xr98_tbhgSppz_IeOymq3SEZaQHM8pTU7w7XvCj2pb9r8fN0M0XcgWZIaf3LGEfkhF_WtX67XJ0C6-LbkT51jtlLRNGX6haGdscXS0OWWjKOJzKGuV-NbthEn5rmRtVnjRZ3yaxQ0ud8vC-NONn7yvGUlOur1IdDzJ_YfHPt9sHMQQ", + "p": "ynG-t9HwKCN3MWRYFdnFzi9-02Qcy3p8B5pu3ary2E70hYn2pHlUG2a9BNE8c5xHQ3Hx43WoWf6s0zOunPV1G28LkU_UYEbAtPv_PxSmzpQp9n9XnYvBLBF8Y3z7gxgLn1vVFNARrQdRtj87qY3aw7E9S4DsGcAarIuOT2TsTCE", + "q": "xIkAjgUzB1zaUzJtW2Zgvp9cYYr1DmpH30ePZl3c_8397_DZDDo46fnFYjs6uPa03HpmKUnbjwr14QHlfXlntJBEuXxcqLjkdKdJ4ob7xueLTK4suo9V8LSrkLChVxlZQwnFD2E5ll0sVeeDeMJHQw38ahSrBFEVnxjpnPh1Q1c", + "dp": "tzDGjECFOU0ehqtuqhcuT63a7h8hj19-7MJqoFwY9HQ-ALkfXyYLXeBSGxHbyiIYuodZg6LsfMNgUJ3r3Eyhc_nAVfYPEC_2IdAG4WYmq7iXYF9LQV09qEsKbFykm7QekE3hO7wswo5k-q2tp3ieBYdVGAXJoGOdv5VpaZ7B1QE", + "dq": "kh5dyDk7YCz7sUFbpsmuAeuPjoH2ghooh2u3xN7iUVmAg-ToKjwbVnG5-7eXiC779rQVwnrD_0yh1AFJ8wjRPqDIR7ObXGHikIxT1VSQWqiJm6AfZzDsL0LUD4YS3iPdhob7-NxLKWzqao_u4lhnDQaX9PKa12HFlny6K1daL48", + "qi": "AlHWbx1gp6Z9pbw_1hlS7HuXAgWoX7IjbTUelldf4gkriDWLOrj3QCZcO4ZvZvEwJhVlsny9LO8IkbwGJEL6cXraK08ByVS2mwQyflgTgGNnpzixyEUL_mrQLx6y145FHcxfeqNInMhep-0Mxn1D5nlhmIOgRApS0t9VoXtHhFU" +} diff --git a/lib/rasha/fixtures/privkey-rsa-2048.pkcs1.pem b/lib/rasha/fixtures/privkey-rsa-2048.pkcs1.pem new file mode 100644 index 0000000..246bd35 --- /dev/null +++ b/lib/rasha/fixtures/privkey-rsa-2048.pkcs1.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAm2ttVBxPlWw06ZmGBWVDlfjkPAJ4DgnY0TrDwtCohHzLxGhD +NzUJefLukC+xu0LBKylYojT5vTkxaOhxeSYo31syu4WhxbkTBLICOFcCGMob6pSQ +38P8LdAIlb0pqDHxEJ9adWomjuFf0SUhN1cP7s9m8Yk9trkpEqjskocn2BOnTB57 +qAZM6+I70on0/iDZm7+jcqOPgADAmbWHhy67BXkk4yy/YzD4yOGZFXZcNp915/TW +5bRd//AKPHUHxJasPiyEFqlNKBR2DSD+LbX5eTmzCh2ikrwTMja7mUdBJf2bK3By +5AB0Qi49OykUCfNZeQlEz7UNNj9RGps/50+CNwIDAQABAoIBAAqX6OzJvTbvGDAv +8a2eeFvZihz5Ahva2fdw7PTzafkV1IG/pY02xT2VrGMRjSi5ZRc/CzaLK9aU9mQz +K8DZNAH9Yljbw+oJMl2okHQsogz0gbCcjb9iyWaJ/nvOV++J7+d1JSJJqPUmMXS8 +9iWifoiFhHvEIfu5ZS5La0yVf8a/fP7W4YEqac/yHjspqt0hGWkBzPKU1O8O17wo +9qW/a/HzdDNF3IFmSGn9yxhH5IRf1rV+u1ydAuvi25E+dY7ZS0TRl+oWhnbHF0tD +lloyjicyhrlfjW7YRJ+a5kbVZ40Wd8msUNLnfLwvjTjZ+8rxlJTrq9SHQ8yf2Hxz +7fbBzEECgYEAynG+t9HwKCN3MWRYFdnFzi9+02Qcy3p8B5pu3ary2E70hYn2pHlU +G2a9BNE8c5xHQ3Hx43WoWf6s0zOunPV1G28LkU/UYEbAtPv/PxSmzpQp9n9XnYvB +LBF8Y3z7gxgLn1vVFNARrQdRtj87qY3aw7E9S4DsGcAarIuOT2TsTCECgYEAxIkA +jgUzB1zaUzJtW2Zgvp9cYYr1DmpH30ePZl3c/8397/DZDDo46fnFYjs6uPa03Hpm +KUnbjwr14QHlfXlntJBEuXxcqLjkdKdJ4ob7xueLTK4suo9V8LSrkLChVxlZQwnF +D2E5ll0sVeeDeMJHQw38ahSrBFEVnxjpnPh1Q1cCgYEAtzDGjECFOU0ehqtuqhcu +T63a7h8hj19+7MJqoFwY9HQ+ALkfXyYLXeBSGxHbyiIYuodZg6LsfMNgUJ3r3Eyh +c/nAVfYPEC/2IdAG4WYmq7iXYF9LQV09qEsKbFykm7QekE3hO7wswo5k+q2tp3ie +BYdVGAXJoGOdv5VpaZ7B1QECgYEAkh5dyDk7YCz7sUFbpsmuAeuPjoH2ghooh2u3 +xN7iUVmAg+ToKjwbVnG5+7eXiC779rQVwnrD/0yh1AFJ8wjRPqDIR7ObXGHikIxT +1VSQWqiJm6AfZzDsL0LUD4YS3iPdhob7+NxLKWzqao/u4lhnDQaX9PKa12HFlny6 +K1daL48CgYACUdZvHWCnpn2lvD/WGVLse5cCBahfsiNtNR6WV1/iCSuINYs6uPdA +Jlw7hm9m8TAmFWWyfL0s7wiRvAYkQvpxetorTwHJVLabBDJ+WBOAY2enOLHIRQv+ +atAvHrLXjkUdzF96o0icyF6n7QzGfUPmeWGYg6BEClLS31Whe0eEVQ== +-----END RSA PRIVATE KEY----- diff --git a/lib/rasha/fixtures/privkey-rsa-2048.pkcs8.pem b/lib/rasha/fixtures/privkey-rsa-2048.pkcs8.pem new file mode 100644 index 0000000..53dbf83 --- /dev/null +++ b/lib/rasha/fixtures/privkey-rsa-2048.pkcs8.pem @@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCba21UHE+VbDTp +mYYFZUOV+OQ8AngOCdjROsPC0KiEfMvEaEM3NQl58u6QL7G7QsErKViiNPm9OTFo +6HF5JijfWzK7haHFuRMEsgI4VwIYyhvqlJDfw/wt0AiVvSmoMfEQn1p1aiaO4V/R +JSE3Vw/uz2bxiT22uSkSqOyShyfYE6dMHnuoBkzr4jvSifT+INmbv6Nyo4+AAMCZ +tYeHLrsFeSTjLL9jMPjI4ZkVdlw2n3Xn9NbltF3/8Ao8dQfElqw+LIQWqU0oFHYN +IP4ttfl5ObMKHaKSvBMyNruZR0El/ZsrcHLkAHRCLj07KRQJ81l5CUTPtQ02P1Ea +mz/nT4I3AgMBAAECggEACpfo7Mm9Nu8YMC/xrZ54W9mKHPkCG9rZ93Ds9PNp+RXU +gb+ljTbFPZWsYxGNKLllFz8LNosr1pT2ZDMrwNk0Af1iWNvD6gkyXaiQdCyiDPSB +sJyNv2LJZon+e85X74nv53UlIkmo9SYxdLz2JaJ+iIWEe8Qh+7llLktrTJV/xr98 +/tbhgSppz/IeOymq3SEZaQHM8pTU7w7XvCj2pb9r8fN0M0XcgWZIaf3LGEfkhF/W +tX67XJ0C6+LbkT51jtlLRNGX6haGdscXS0OWWjKOJzKGuV+NbthEn5rmRtVnjRZ3 +yaxQ0ud8vC+NONn7yvGUlOur1IdDzJ/YfHPt9sHMQQKBgQDKcb630fAoI3cxZFgV +2cXOL37TZBzLenwHmm7dqvLYTvSFifakeVQbZr0E0TxznEdDcfHjdahZ/qzTM66c +9XUbbwuRT9RgRsC0+/8/FKbOlCn2f1edi8EsEXxjfPuDGAufW9UU0BGtB1G2Pzup +jdrDsT1LgOwZwBqsi45PZOxMIQKBgQDEiQCOBTMHXNpTMm1bZmC+n1xhivUOakff +R49mXdz/zf3v8NkMOjjp+cViOzq49rTcemYpSduPCvXhAeV9eWe0kES5fFyouOR0 +p0nihvvG54tMriy6j1XwtKuQsKFXGVlDCcUPYTmWXSxV54N4wkdDDfxqFKsEURWf +GOmc+HVDVwKBgQC3MMaMQIU5TR6Gq26qFy5PrdruHyGPX37swmqgXBj0dD4AuR9f +Jgtd4FIbEdvKIhi6h1mDoux8w2BQnevcTKFz+cBV9g8QL/Yh0AbhZiaruJdgX0tB +XT2oSwpsXKSbtB6QTeE7vCzCjmT6ra2neJ4Fh1UYBcmgY52/lWlpnsHVAQKBgQCS +Hl3IOTtgLPuxQVumya4B64+OgfaCGiiHa7fE3uJRWYCD5OgqPBtWcbn7t5eILvv2 +tBXCesP/TKHUAUnzCNE+oMhHs5tcYeKQjFPVVJBaqImboB9nMOwvQtQPhhLeI92G +hvv43EspbOpqj+7iWGcNBpf08prXYcWWfLorV1ovjwKBgAJR1m8dYKemfaW8P9YZ +Uux7lwIFqF+yI201HpZXX+IJK4g1izq490AmXDuGb2bxMCYVZbJ8vSzvCJG8BiRC ++nF62itPAclUtpsEMn5YE4BjZ6c4schFC/5q0C8esteORR3MX3qjSJzIXqftDMZ9 +Q+Z5YZiDoEQKUtLfVaF7R4RV +-----END PRIVATE KEY----- diff --git a/lib/rasha/fixtures/pub-rsa-2048.jwk.json b/lib/rasha/fixtures/pub-rsa-2048.jwk.json new file mode 100644 index 0000000..333b300 --- /dev/null +++ b/lib/rasha/fixtures/pub-rsa-2048.jwk.json @@ -0,0 +1,5 @@ +{ + "kty": "RSA", + "n": "m2ttVBxPlWw06ZmGBWVDlfjkPAJ4DgnY0TrDwtCohHzLxGhDNzUJefLukC-xu0LBKylYojT5vTkxaOhxeSYo31syu4WhxbkTBLICOFcCGMob6pSQ38P8LdAIlb0pqDHxEJ9adWomjuFf0SUhN1cP7s9m8Yk9trkpEqjskocn2BOnTB57qAZM6-I70on0_iDZm7-jcqOPgADAmbWHhy67BXkk4yy_YzD4yOGZFXZcNp915_TW5bRd__AKPHUHxJasPiyEFqlNKBR2DSD-LbX5eTmzCh2ikrwTMja7mUdBJf2bK3By5AB0Qi49OykUCfNZeQlEz7UNNj9RGps_50-CNw", + "e": "AQAB" +} diff --git a/lib/rasha/fixtures/pub-rsa-2048.pkcs1.pem b/lib/rasha/fixtures/pub-rsa-2048.pkcs1.pem new file mode 100644 index 0000000..e592fda --- /dev/null +++ b/lib/rasha/fixtures/pub-rsa-2048.pkcs1.pem @@ -0,0 +1,8 @@ +-----BEGIN RSA PUBLIC KEY----- +MIIBCgKCAQEAm2ttVBxPlWw06ZmGBWVDlfjkPAJ4DgnY0TrDwtCohHzLxGhDNzUJ +efLukC+xu0LBKylYojT5vTkxaOhxeSYo31syu4WhxbkTBLICOFcCGMob6pSQ38P8 +LdAIlb0pqDHxEJ9adWomjuFf0SUhN1cP7s9m8Yk9trkpEqjskocn2BOnTB57qAZM +6+I70on0/iDZm7+jcqOPgADAmbWHhy67BXkk4yy/YzD4yOGZFXZcNp915/TW5bRd +//AKPHUHxJasPiyEFqlNKBR2DSD+LbX5eTmzCh2ikrwTMja7mUdBJf2bK3By5AB0 +Qi49OykUCfNZeQlEz7UNNj9RGps/50+CNwIDAQAB +-----END RSA PUBLIC KEY----- diff --git a/lib/rasha/fixtures/pub-rsa-2048.spki.pem b/lib/rasha/fixtures/pub-rsa-2048.spki.pem new file mode 100644 index 0000000..465d115 --- /dev/null +++ b/lib/rasha/fixtures/pub-rsa-2048.spki.pem @@ -0,0 +1,9 @@ +-----BEGIN PUBLIC KEY----- +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAm2ttVBxPlWw06ZmGBWVD +lfjkPAJ4DgnY0TrDwtCohHzLxGhDNzUJefLukC+xu0LBKylYojT5vTkxaOhxeSYo +31syu4WhxbkTBLICOFcCGMob6pSQ38P8LdAIlb0pqDHxEJ9adWomjuFf0SUhN1cP +7s9m8Yk9trkpEqjskocn2BOnTB57qAZM6+I70on0/iDZm7+jcqOPgADAmbWHhy67 +BXkk4yy/YzD4yOGZFXZcNp915/TW5bRd//AKPHUHxJasPiyEFqlNKBR2DSD+LbX5 +eTmzCh2ikrwTMja7mUdBJf2bK3By5AB0Qi49OykUCfNZeQlEz7UNNj9RGps/50+C +NwIDAQAB +-----END PUBLIC KEY----- diff --git a/lib/rasha/fixtures/pub-rsa-2048.ssh.pub b/lib/rasha/fixtures/pub-rsa-2048.ssh.pub new file mode 100644 index 0000000..a00fd4c --- /dev/null +++ b/lib/rasha/fixtures/pub-rsa-2048.ssh.pub @@ -0,0 +1 @@ +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCba21UHE+VbDTpmYYFZUOV+OQ8AngOCdjROsPC0KiEfMvEaEM3NQl58u6QL7G7QsErKViiNPm9OTFo6HF5JijfWzK7haHFuRMEsgI4VwIYyhvqlJDfw/wt0AiVvSmoMfEQn1p1aiaO4V/RJSE3Vw/uz2bxiT22uSkSqOyShyfYE6dMHnuoBkzr4jvSifT+INmbv6Nyo4+AAMCZtYeHLrsFeSTjLL9jMPjI4ZkVdlw2n3Xn9NbltF3/8Ao8dQfElqw+LIQWqU0oFHYNIP4ttfl5ObMKHaKSvBMyNruZR0El/ZsrcHLkAHRCLj07KRQJ81l5CUTPtQ02P1Eamz/nT4I3 rsa@localhost diff --git a/lib/rasha/index.js b/lib/rasha/index.js new file mode 100644 index 0000000..c538483 --- /dev/null +++ b/lib/rasha/index.js @@ -0,0 +1,2 @@ +'use strict'; +module.exports = require('./lib/rasha.js'); diff --git a/lib/rasha/lib/asn1.js b/lib/rasha/lib/asn1.js new file mode 100644 index 0000000..bce9568 --- /dev/null +++ b/lib/rasha/lib/asn1.js @@ -0,0 +1,235 @@ +'use strict'; + +// +// A dumbed-down, minimal ASN.1 parser / packer combo +// +// Note: generally I like to write congruent code +// (i.e. output can be used as input and vice-versa) +// However, this seemed to be more readable and easier +// to use written as-is, asymmetrically. +// (I also generally prefer to export objects rather +// functions but, yet again, asthetics one in this case) + +var Enc = require('./encoding.js'); + +// +// Packer +// + +// Almost every ASN.1 type that's important for CSR +// can be represented generically with only a few rules. +var ASN1 = module.exports = function ASN1(/*type, hexstrings...*/) { + var args = Array.prototype.slice.call(arguments); + var typ = args.shift(); + var str = args.join('').replace(/\s+/g, '').toLowerCase(); + var len = (str.length/2); + var lenlen = 0; + var hex = typ; + + // We can't have an odd number of hex chars + if (len !== Math.round(len)) { + throw new Error("invalid hex"); + } + + // The first byte of any ASN.1 sequence is the type (Sequence, Integer, etc) + // The second byte is either the size of the value, or the size of its size + + // 1. If the second byte is < 0x80 (128) it is considered the size + // 2. If it is > 0x80 then it describes the number of bytes of the size + // ex: 0x82 means the next 2 bytes describe the size of the value + // 3. The special case of exactly 0x80 is "indefinite" length (to end-of-file) + + if (len > 127) { + lenlen += 1; + while (len > 255) { + lenlen += 1; + len = len >> 8; + } + } + + if (lenlen) { hex += Enc.numToHex(0x80 + lenlen); } + return hex + Enc.numToHex(str.length/2) + str; +}; + +// The Integer type has some special rules +ASN1.UInt = function UINT() { + var str = Array.prototype.slice.call(arguments).join(''); + var first = parseInt(str.slice(0, 2), 16); + + // If the first byte is 0x80 or greater, the number is considered negative + // Therefore we add a '00' prefix if the 0x80 bit is set + if (0x80 & first) { str = '00' + str; } + + return ASN1('02', str); +}; + +// The Bit String type also has a special rule +ASN1.BitStr = function BITSTR() { + var str = Array.prototype.slice.call(arguments).join(''); + // '00' is a mask of how many bits of the next byte to ignore + return ASN1('03', '00' + str); +}; + + +// +// Parser +// + +ASN1.ELOOP = "uASN1.js Error: iterated over 15+ elements (probably a malformed file)"; +ASN1.EDEEP = "uASN1.js Error: element nested 20+ layers deep (probably a malformed file)"; +// Container Types are Sequence 0x30, Octect String 0x04, Array? (0xA0, 0xA1) +// Value Types are Integer 0x02, Bit String 0x03, Null 0x05, Object ID 0x06, +// Sometimes Bit String is used as a container (RSA Pub Spki) +ASN1.VTYPES = [ 0x02, 0x03, 0x05, 0x06, 0x0c, 0x82 ]; +ASN1.parse = function parseAsn1(buf, depth, ws) { + if (!ws) { ws = ''; } + if (depth >= 20) { throw new Error(ASN1.EDEEP); } + + var index = 2; // we know, at minimum, data starts after type (0) and lengthSize (1) + var asn1 = { type: buf[0], lengthSize: 0, length: buf[1] }; + var child; + var iters = 0; + var adjust = 0; + var adjustedLen; + + // Determine how many bytes the length uses, and what it is + if (0x80 & asn1.length) { + asn1.lengthSize = 0x7f & asn1.length; + // I think that buf->hex->int solves the problem of Endianness... not sure + asn1.length = parseInt(Enc.bufToHex(buf.slice(index, index + asn1.lengthSize)), 16); + index += asn1.lengthSize; + } + + // High-order bit Integers have a leading 0x00 to signify that they are positive. + // Bit Streams use the first byte to signify padding, which x.509 doesn't use. + if (0x00 === buf[index] && (0x02 === asn1.type || 0x03 === asn1.type)) { + // However, 0x00 on its own is a valid number + if (asn1.length > 1) { + index += 1; + adjust = -1; + } + } + adjustedLen = asn1.length + adjust; + + //console.warn(ws + '0x' + Enc.numToHex(asn1.type), index, 'len:', asn1.length, asn1); + + // this is a primitive value type + if (-1 !== ASN1.VTYPES.indexOf(asn1.type)) { + asn1.value = buf.slice(index, index + adjustedLen); + return asn1; + } + + asn1.children = []; + //console.warn('1 len:', (2 + asn1.lengthSize + asn1.length), 'idx:', index, 'clen:', 0); + while (iters < 15 && index < (2 + asn1.length + asn1.lengthSize)) { + iters += 1; + child = ASN1.parse(buf.slice(index, index + adjustedLen), (depth || 0) + 1, ws + ' '); + // The numbers don't match up exactly and I don't remember why... + // probably something with adjustedLen or some such, but the tests pass + index += (2 + child.lengthSize + child.length); + //console.warn('2 len:', (2 + asn1.lengthSize + asn1.length), 'idx:', index, 'clen:', (2 + child.lengthSize + child.length)); + if (index > (2 + asn1.lengthSize + asn1.length)) { + console.error(JSON.stringify(asn1, function (k, v) { + if ('value' === k) { return '0x' + Enc.bufToHex(v.data); } return v; + }, 2)); + throw new Error("Parse error: child value length (" + child.length + + ") is greater than remaining parent length (" + (asn1.length - index) + + " = " + asn1.length + " - " + index + ")"); + } + asn1.children.push(child); + //console.warn(ws + '0x' + Enc.numToHex(asn1.type), index, 'len:', asn1.length, asn1); + } + if (index !== (2 + asn1.lengthSize + asn1.length)) { + console.warn('index:', index, 'length:', (2 + asn1.lengthSize + asn1.length)) + throw new Error("premature end-of-file"); + } + if (iters >= 15) { throw new Error(ASN1.ELOOP); } + + return asn1; +}; + +/* +ASN1._stringify = function(asn1) { + //console.log(JSON.stringify(asn1, null, 2)); + //console.log(asn1); + var ws = ''; + + function write(asn1) { + console.log(ws, 'ch', Enc.numToHex(asn1.type), asn1.length); + if (!asn1.children) { + return; + } + asn1.children.forEach(function (a) { + ws += '\t'; + write(a); + ws = ws.slice(1); + }); + } + write(asn1); +}; +*/ + +ASN1.tpl = function (asn1) { + //console.log(JSON.stringify(asn1, null, 2)); + //console.log(asn1); + var sp = ' '; + var ws = sp; + var i = 0; + var vars = []; + var str = ws; + + function write(asn1, k) { + str += "\n" + ws; + var val; + if ('number' !== typeof k) { + // ignore + } else { + str += ', '; + } + if (0x02 === asn1.type) { + str += "ASN1.UInt("; + } else if (0x03 === asn1.type) { + str += "ASN1.BitStr("; + } else { + str += "ASN1('" + Enc.numToHex(asn1.type) + "'"; + } + if (!asn1.children) { + if (0x05 !== asn1.type) { + if (0x06 !== asn1.type) { + val = asn1.value || new Uint8Array(0); + vars.push("\n// 0x" + Enc.numToHex(val.byteLength) + " (" + val.byteLength + " bytes)\nopts.tpl" + i + " = '" + + Enc.bufToHex(val) + "';"); + if (0x02 !== asn1.type && 0x03 !== asn1.type) { + str += ", "; + } + str += "Enc.bufToHex(opts.tpl" + i + ")"; + } else { + str += ", '" + Enc.bufToHex(asn1.value) + "'"; + } + } else { + console.warn("XXXXXXXXXXXXXXXXXXXXX"); + } + str += ")"; + return ; + } + asn1.children.forEach(function (a, j) { + i += 1; + ws += sp; + write(a, j); + ws = ws.slice(sp.length); + }); + str += "\n" + ws + ")"; + } + + write(asn1); + console.log('var opts = {};'); + console.log(vars.join('\n') + '\n'); + console.log(); + console.log('function buildSchema(opts) {'); + console.log(sp + 'return Enc.hexToBuf(' + str.slice(3) + ');'); + console.log('}'); + console.log(); + console.log('buildSchema(opts);'); +}; + +module.exports = ASN1; diff --git a/lib/rasha/lib/encoding.js b/lib/rasha/lib/encoding.js new file mode 100644 index 0000000..7ed4116 --- /dev/null +++ b/lib/rasha/lib/encoding.js @@ -0,0 +1,104 @@ +'use strict'; + +var Enc = module.exports; + +Enc.base64ToBuf = function (str) { + // always convert from urlsafe base64, just in case + //return Buffer.from(Enc.urlBase64ToBase64(str)).toString('base64'); + // node handles urlBase64 automatically + return Buffer.from(str, 'base64'); +}; + +Enc.base64ToHex = function (b64) { + return Enc.bufToHex(Enc.base64ToBuf(b64)); +}; + +Enc.bufToBase64 = function (u8) { + // we want to maintain api compatability with browser APIs, + // so we assume that this could be a Uint8Array + return Buffer.from(u8).toString('base64'); +}; + +/* +Enc.bufToUint8 = function bufToUint8(buf) { + return new Uint8Array(buf.buffer.slice(buf.byteOffset, buf.byteOffset + buf.byteLength)); +}; +*/ + +Enc.bufToUrlBase64 = function (u8) { + return Enc.bufToBase64(u8) + .replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, ''); +}; + + +Enc.bufToHex = function (u8) { + var hex = []; + var i, h; + var len = (u8.byteLength || u8.length); + + for (i = 0; i < len; i += 1) { + h = u8[i].toString(16); + if (2 !== h.length) { h = '0' + h; } + hex.push(h); + } + + return hex.join('').toLowerCase(); +}; + +Enc.hexToBase64 = function (hex) { + return Buffer.from(hex, 'hex').toString('base64'); +}; + +Enc.hexToBuf = function (hex) { + return Buffer.from(hex, 'hex'); +}; + +Enc.numToHex = function (d) { + d = d.toString(16); + if (d.length % 2) { + return '0' + d; + } + return d; +}; + +/* +Enc.strToBase64 = function (str) { + // node automatically can tell the difference + // between uc2 (utf-8) strings and binary strings + // so we don't have to re-encode the strings + return Buffer.from(str).toString('base64'); +}; +*/ + +/* +Enc.strToBin = function (str) { + var escstr = encodeURIComponent(str); + // replaces any uri escape sequence, such as %0A, + // with binary escape, such as 0x0A + var binstr = escstr.replace(/%([0-9A-F]{2})/g, function(match, p1) { + return String.fromCharCode(parseInt(p1, 16)); + }); + + return binstr; +}; +*/ + +Enc.strToBuf = function (str) { + return Buffer.from(str); +}; + +Enc.strToHex = function (str) { + return Buffer.from(str).toString('hex'); +}; + +/* +Enc.urlBase64ToBase64 = function (str) { + var r = str % 4; + if (2 === r) { + str += '=='; + } else if (3 === r) { + str += '='; + } + return str.replace(/-/g, '+').replace(/_/g, '/'); +}; +*/ diff --git a/lib/rasha/lib/pem.js b/lib/rasha/lib/pem.js new file mode 100644 index 0000000..76aec96 --- /dev/null +++ b/lib/rasha/lib/pem.js @@ -0,0 +1,28 @@ +'use strict'; + +var PEM = module.exports; +var Enc = require('./encoding.js'); + +PEM.parseBlock = function pemToDer(pem) { + var lines = pem.trim().split(/\n/); + var end = lines.length - 1; + var head = lines[0].match(/-----BEGIN (.*)-----/); + var foot = lines[end].match(/-----END (.*)-----/); + + if (head) { + lines = lines.slice(1, end); + head = head[1]; + if (head !== foot[1]) { + throw new Error("headers and footers do not match"); + } + } + + return { type: head, bytes: Enc.base64ToBuf(lines.join('')) }; +}; + +PEM.packBlock = function (opts) { + return '-----BEGIN ' + opts.type + '-----\n' + + Enc.bufToBase64(opts.bytes).match(/.{1,64}/g).join('\n') + '\n' + + '-----END ' + opts.type + '-----' + ; +}; diff --git a/lib/rasha/lib/rasha.js b/lib/rasha/lib/rasha.js new file mode 100644 index 0000000..67d1d0b --- /dev/null +++ b/lib/rasha/lib/rasha.js @@ -0,0 +1,204 @@ +'use strict'; + +var RSA = module.exports; +var SSH = require('./ssh.js'); +var PEM = require('./pem.js'); +var x509 = require('./x509.js'); +var ASN1 = require('./asn1.js'); + +/*global Promise*/ +RSA.generate = function (opts) { + return Promise.resolve().then(function () { + var typ = 'rsa'; + var format = opts.format; + var encoding = opts.encoding; + var priv; + var pub; + + if (!format) { + format = 'jwk'; + } + if ('spki' === format || 'pkcs8' === format) { + format = 'pkcs8'; + pub = 'spki'; + } + + if ('pem' === format) { + format = 'pkcs1'; + encoding = 'pem'; + } else if ('der' === format) { + format = 'pkcs1'; + encoding = 'der'; + } + + if ('jwk' === format || 'json' === format) { + format = 'jwk'; + encoding = 'json'; + } else { + priv = format; + pub = pub || format; + } + + if (!encoding) { + encoding = 'pem'; + } + + if (priv) { + priv = { type: priv, format: encoding }; + pub = { type: pub, format: encoding }; + } else { + // jwk + priv = { type: 'pkcs1', format: 'pem' }; + pub = { type: 'pkcs1', format: 'pem' }; + } + + return new Promise(function (resolve, reject) { + return require('crypto').generateKeyPair(typ, { + modulusLength: opts.modulusLength || 2048 + , publicExponent: opts.publicExponent || 0x10001 + , privateKeyEncoding: priv + , publicKeyEncoding: pub + }, function (err, pubkey, privkey) { + if (err) { reject(err); } + resolve({ + private: privkey + , public: pubkey + }); + }); + }).then(function (keypair) { + if ('jwk' !== format) { + return keypair; + } + + return { + private: RSA.importSync({ pem: keypair.private, format: priv.type }) + , public: RSA.importSync({ pem: keypair.public, format: pub.type, public: true }) + }; + }); + }); +}; + +RSA.importSync = function (opts) { + if (!opts || !opts.pem || 'string' !== typeof opts.pem) { + throw new Error("must pass { pem: pem } as a string"); + } + + var jwk = { kty: 'RSA', n: null, e: null }; + if (0 === opts.pem.indexOf('ssh-rsa ')) { + return SSH.parse(opts.pem, jwk); + } + var pem = opts.pem; + var block = PEM.parseBlock(pem); + //var hex = toHex(u8); + var asn1 = ASN1.parse(block.bytes); + + var meta = x509.guess(block.bytes, asn1); + + if ('pkcs1' === meta.format) { + jwk = x509.parsePkcs1(block.bytes, asn1, jwk); + } else { + jwk = x509.parsePkcs8(block.bytes, asn1, jwk); + } + + if (opts.public) { + jwk = RSA.nueter(jwk); + } + return jwk; +}; +RSA.parse = function parseRsa(opts) { + // wrapped in a promise for API compatibility + // with the forthcoming browser version + // (and potential future native node capability) + return Promise.resolve().then(function () { + return RSA.importSync(opts); + }); +}; +RSA.toJwk = RSA.import = RSA.parse; + +/* +RSAPrivateKey ::= SEQUENCE { + version Version, + modulus INTEGER, -- n + publicExponent INTEGER, -- e + privateExponent INTEGER, -- d + prime1 INTEGER, -- p + prime2 INTEGER, -- q + exponent1 INTEGER, -- d mod (p-1) + exponent2 INTEGER, -- d mod (q-1) + coefficient INTEGER, -- (inverse of q) mod p + otherPrimeInfos OtherPrimeInfos OPTIONAL +} +*/ + +RSA.exportSync = function (opts) { + if (!opts || !opts.jwk || 'object' !== typeof opts.jwk) { + throw new Error("must pass { jwk: jwk }"); + } + var jwk = JSON.parse(JSON.stringify(opts.jwk)); + var format = opts.format; + var pub = opts.public; + if (pub || -1 !== [ 'spki', 'pkix', 'ssh', 'rfc4716' ].indexOf(format)) { + jwk = RSA.nueter(jwk); + } + if ('RSA' !== jwk.kty) { + throw new Error("options.jwk.kty must be 'RSA' for RSA keys"); + } + if (!jwk.p) { + // TODO test for n and e + pub = true; + if (!format || 'pkcs1' === format) { + format = 'pkcs1'; + } else if (-1 !== [ 'spki', 'pkix' ].indexOf(format)) { + format = 'spki'; + } else if (-1 !== [ 'ssh', 'rfc4716' ].indexOf(format)) { + format = 'ssh'; + } else { + throw new Error("options.format must be 'spki', 'pkcs1', or 'ssh' for public RSA keys, not (" + + typeof format + ") " + format); + } + } else { + // TODO test for all necessary keys (d, p, q ...) + if (!format || 'pkcs1' === format) { + format = 'pkcs1'; + } else if ('pkcs8' !== format) { + throw new Error("options.format must be 'pkcs1' or 'pkcs8' for private RSA keys"); + } + } + + if ('pkcs1' === format) { + if (jwk.d) { + return PEM.packBlock({ type: "RSA PRIVATE KEY", bytes: x509.packPkcs1(jwk) }); + } else { + return PEM.packBlock({ type: "RSA PUBLIC KEY", bytes: x509.packPkcs1(jwk) }); + } + } else if ('pkcs8' === format) { + return PEM.packBlock({ type: "PRIVATE KEY", bytes: x509.packPkcs8(jwk) }); + } else if (-1 !== [ 'spki', 'pkix' ].indexOf(format)) { + return PEM.packBlock({ type: "PUBLIC KEY", bytes: x509.packSpki(jwk) }); + } else if (-1 !== [ 'ssh', 'rfc4716' ].indexOf(format)) { + return SSH.pack({ jwk: jwk, comment: opts.comment }); + } else { + throw new Error("Sanity Error: reached unreachable code block with format: " + format); + } +}; +RSA.pack = function (opts) { + // wrapped in a promise for API compatibility + // with the forthcoming browser version + // (and potential future native node capability) + return Promise.resolve().then(function () { + return RSA.exportSync(opts); + }); +}; +RSA.toPem = RSA.export = RSA.pack; + +// snip the _private_ parts... hAHAHAHA! +RSA.nueter = function (jwk) { + // (snip rather than new object to keep potential extra data) + // otherwise we could just do this: + // return { kty: jwk.kty, n: jwk.n, e: jwk.e }; + [ 'p', 'q', 'd', 'dp', 'dq', 'qi' ].forEach(function (key) { + if (key in jwk) { jwk[key] = undefined; } + return jwk; + }); + return jwk; +}; diff --git a/lib/rasha/lib/ssh.js b/lib/rasha/lib/ssh.js new file mode 100644 index 0000000..6304171 --- /dev/null +++ b/lib/rasha/lib/ssh.js @@ -0,0 +1,80 @@ +'use strict'; + +var SSH = module.exports; +var Enc = require('./encoding.js'); + + // 7 s s h - r s a +SSH.RSA = '00000007 73 73 68 2d 72 73 61'.replace(/\s+/g, '').toLowerCase(); + +SSH.parse = function (pem, jwk) { + + var parts = pem.split(/\s+/); + var buf = Enc.base64ToBuf(parts[1]); + var els = []; + var index = 0; + var len; + var i = 0; + var offset = (buf.byteOffset || 0); + // using dataview to be browser-compatible (I do want _some_ code reuse) + var dv = new DataView(buf.buffer.slice(offset, offset + buf.byteLength)); + var el; + + if (SSH.RSA !== Enc.bufToHex(buf.slice(0, SSH.RSA.length/2))) { + throw new Error("does not lead with ssh header"); + } + + while (index < buf.byteLength) { + i += 1; + if (i > 3) { throw new Error("15+ elements, probably not a public ssh key"); } + len = dv.getUint32(index, false); + index += 4; + el = buf.slice(index, index + len); + // remove BigUInt '00' prefix + if (0x00 === el[0]) { + el = el.slice(1); + } + els.push(el); + index += len; + } + + jwk.n = Enc.bufToUrlBase64(els[2]); + jwk.e = Enc.bufToUrlBase64(els[1]); + + return jwk; +}; + +SSH.pack = function (opts) { + var jwk = opts.jwk; + var header = 'ssh-rsa'; + var comment = opts.comment || 'rsa@localhost'; + var e = SSH._padHexInt(Enc.base64ToHex(jwk.e)); + var n = SSH._padHexInt(Enc.base64ToHex(jwk.n)); + var hex = [ + SSH._numToUint32Hex(header.length) + , Enc.strToHex(header) + , SSH._numToUint32Hex(e.length/2) + , e + , SSH._numToUint32Hex(n.length/2) + , n + ].join(''); + return [ header, Enc.hexToBase64(hex), comment ].join(' '); +}; + +SSH._numToUint32Hex = function (num) { + var hex = num.toString(16); + while (hex.length < 8) { + hex = '0' + hex; + } + return hex; +}; + +SSH._padHexInt = function (hex) { + // BigInt is negative if the high order bit 0x80 is set, + // so ASN1, SSH, and many other formats pad with '0x00' + // to signifiy a positive number. + var i = parseInt(hex.slice(0, 2), 16); + if (0x80 & i) { + return '00' + hex; + } + return hex; +}; diff --git a/lib/rasha/lib/telemetry.js b/lib/rasha/lib/telemetry.js new file mode 100644 index 0000000..9623b77 --- /dev/null +++ b/lib/rasha/lib/telemetry.js @@ -0,0 +1,111 @@ +'use strict'; + +// We believe in a proactive approach to sustainable open source. +// As part of that we make it easy for you to opt-in to following our progress +// and we also stay up-to-date on telemetry such as operating system and node +// version so that we can focus our efforts where they'll have the greatest impact. +// +// Want to learn more about our Terms, Privacy Policy, and Mission? +// Check out https://therootcompany.com/legal/ + +var os = require('os'); +var crypto = require('crypto'); +var https = require('https'); +var pkg = require('../package.json'); + +// to help focus our efforts in the right places +var data = { + package: pkg.name +, version: pkg.version +, node: process.version +, arch: process.arch || os.arch() +, platform: process.platform || os.platform() +, release: os.release() +}; + +function addCommunityMember(opts) { + setTimeout(function () { + var req = https.request({ + hostname: 'api.therootcompany.com' + , port: 443 + , path: '/api/therootcompany.com/public/community' + , method: 'POST' + , headers: { 'Content-Type': 'application/json' } + }, function (resp) { + // let the data flow, so we can ignore it + resp.on('data', function () {}); + //resp.on('data', function (chunk) { console.log(chunk.toString()); }); + resp.on('error', function () { /*ignore*/ }); + //resp.on('error', function (err) { console.error(err); }); + }); + var obj = JSON.parse(JSON.stringify(data)); + obj.action = 'updates'; + try { + obj.ppid = ppid(obj.action); + } catch(e) { + // ignore + //console.error(e); + } + obj.name = opts.name || undefined; + obj.address = opts.email; + obj.community = 'node.js@therootcompany.com'; + + req.write(JSON.stringify(obj, 2, null)); + req.end(); + req.on('error', function () { /*ignore*/ }); + //req.on('error', function (err) { console.error(err); }); + }, 50); +} + +function ping(action) { + setTimeout(function () { + var req = https.request({ + hostname: 'api.therootcompany.com' + , port: 443 + , path: '/api/therootcompany.com/public/ping' + , method: 'POST' + , headers: { 'Content-Type': 'application/json' } + }, function (resp) { + // let the data flow, so we can ignore it + resp.on('data', function () { }); + //resp.on('data', function (chunk) { console.log(chunk.toString()); }); + resp.on('error', function () { /*ignore*/ }); + //resp.on('error', function (err) { console.error(err); }); + }); + var obj = JSON.parse(JSON.stringify(data)); + obj.action = action; + try { + obj.ppid = ppid(obj.action); + } catch(e) { + // ignore + //console.error(e); + } + + req.write(JSON.stringify(obj, 2, null)); + req.end(); + req.on('error', function (/*e*/) { /*console.error('req.error', e);*/ }); + }, 50); +} + +// to help identify unique installs without getting +// the personally identifiable info that we don't want +function ppid(action) { + var parts = [ action, data.package, data.version, data.node, data.arch, data.platform, data.release ]; + var ifaces = os.networkInterfaces(); + Object.keys(ifaces).forEach(function (ifname) { + if (/^en/.test(ifname) || /^eth/.test(ifname) || /^wl/.test(ifname)) { + if (ifaces[ifname] && ifaces[ifname].length) { + parts.push(ifaces[ifname][0].mac); + } + } + }); + return crypto.createHash('sha1').update(parts.join(',')).digest('base64'); +} + +module.exports.ping = ping; +module.exports.joinCommunity = addCommunityMember; + +if (require.main === module) { + ping('install'); + //addCommunityMember({ name: "AJ ONeal", email: 'coolaj86@gmail.com' }); +} diff --git a/lib/rasha/lib/x509.js b/lib/rasha/lib/x509.js new file mode 100644 index 0000000..fb193e1 --- /dev/null +++ b/lib/rasha/lib/x509.js @@ -0,0 +1,153 @@ +'use strict'; + +var x509 = module.exports; +var ASN1 = require('./asn1.js'); +var Enc = require('./encoding.js'); + +x509.guess = function (der, asn1) { + // accepting der for compatability with other usages + + var meta = { kty: 'RSA', format: 'pkcs1', public: true }; + //meta.asn1 = ASN1.parse(u8); + + if (asn1.children.every(function(el) { + return 0x02 === el.type; + })) { + if (2 === asn1.children.length) { + // rsa pkcs1 public + return meta; + } else if (asn1.children.length >= 9) { + // the standard allows for "otherPrimeInfos", hence at least 9 + meta.public = false; + // rsa pkcs1 private + return meta; + } else { + throw new Error("not an RSA PKCS#1 public or private key (wrong number of ints)"); + } + } else { + meta.format = 'pkcs8'; + } + + return meta; +}; + +x509.parsePkcs1 = function parseRsaPkcs1(buf, asn1, jwk) { + if (!asn1.children.every(function(el) { + return 0x02 === el.type; + })) { + throw new Error("not an RSA PKCS#1 public or private key (not all ints)"); + } + + if (2 === asn1.children.length) { + + jwk.n = Enc.bufToUrlBase64(asn1.children[0].value); + jwk.e = Enc.bufToUrlBase64(asn1.children[1].value); + return jwk; + + } else if (asn1.children.length >= 9) { + // the standard allows for "otherPrimeInfos", hence at least 9 + + jwk.n = Enc.bufToUrlBase64(asn1.children[1].value); + jwk.e = Enc.bufToUrlBase64(asn1.children[2].value); + jwk.d = Enc.bufToUrlBase64(asn1.children[3].value); + jwk.p = Enc.bufToUrlBase64(asn1.children[4].value); + jwk.q = Enc.bufToUrlBase64(asn1.children[5].value); + jwk.dp = Enc.bufToUrlBase64(asn1.children[6].value); + jwk.dq = Enc.bufToUrlBase64(asn1.children[7].value); + jwk.qi = Enc.bufToUrlBase64(asn1.children[8].value); + return jwk; + + } else { + throw new Error("not an RSA PKCS#1 public or private key (wrong number of ints)"); + } +}; + +x509.parsePkcs8 = function parseRsaPkcs8(buf, asn1, jwk) { + if (2 === asn1.children.length + && 0x03 === asn1.children[1].type + && 0x30 === asn1.children[1].value[0]) { + + asn1 = ASN1.parse(asn1.children[1].value); + jwk.n = Enc.bufToUrlBase64(asn1.children[0].value); + jwk.e = Enc.bufToUrlBase64(asn1.children[1].value); + + } else if (3 === asn1.children.length + && 0x04 === asn1.children[2].type + && 0x30 === asn1.children[2].children[0].type + && 0x02 === asn1.children[2].children[0].children[0].type) { + + asn1 = asn1.children[2].children[0]; + jwk.n = Enc.bufToUrlBase64(asn1.children[1].value); + jwk.e = Enc.bufToUrlBase64(asn1.children[2].value); + jwk.d = Enc.bufToUrlBase64(asn1.children[3].value); + jwk.p = Enc.bufToUrlBase64(asn1.children[4].value); + jwk.q = Enc.bufToUrlBase64(asn1.children[5].value); + jwk.dp = Enc.bufToUrlBase64(asn1.children[6].value); + jwk.dq = Enc.bufToUrlBase64(asn1.children[7].value); + jwk.qi = Enc.bufToUrlBase64(asn1.children[8].value); + + } else { + throw new Error("not an RSA PKCS#8 public or private key (wrong format)"); + } + return jwk; +}; + +x509.packPkcs1 = function (jwk) { + var n = ASN1.UInt(Enc.base64ToHex(jwk.n)); + var e = ASN1.UInt(Enc.base64ToHex(jwk.e)); + + if (!jwk.d) { + return Enc.hexToBuf(ASN1('30', n, e)); + } + + return Enc.hexToBuf(ASN1('30' + , ASN1.UInt('00') + , n + , e + , ASN1.UInt(Enc.base64ToHex(jwk.d)) + , ASN1.UInt(Enc.base64ToHex(jwk.p)) + , ASN1.UInt(Enc.base64ToHex(jwk.q)) + , ASN1.UInt(Enc.base64ToHex(jwk.dp)) + , ASN1.UInt(Enc.base64ToHex(jwk.dq)) + , ASN1.UInt(Enc.base64ToHex(jwk.qi)) + )); +}; + +x509.packPkcs8 = function (jwk) { + if (!jwk.d) { + // Public RSA + return Enc.hexToBuf(ASN1('30' + , ASN1('30' + , ASN1('06', '2a864886f70d010101') + , ASN1('05') + ) + , ASN1.BitStr(ASN1('30' + , ASN1.UInt(Enc.base64ToHex(jwk.n)) + , ASN1.UInt(Enc.base64ToHex(jwk.e)) + )) + )); + } + + // Private RSA + return Enc.hexToBuf(ASN1('30' + , ASN1.UInt('00') + , ASN1('30' + , ASN1('06', '2a864886f70d010101') + , ASN1('05') + ) + , ASN1('04' + , ASN1('30' + , ASN1.UInt('00') + , ASN1.UInt(Enc.base64ToHex(jwk.n)) + , ASN1.UInt(Enc.base64ToHex(jwk.e)) + , ASN1.UInt(Enc.base64ToHex(jwk.d)) + , ASN1.UInt(Enc.base64ToHex(jwk.p)) + , ASN1.UInt(Enc.base64ToHex(jwk.q)) + , ASN1.UInt(Enc.base64ToHex(jwk.dp)) + , ASN1.UInt(Enc.base64ToHex(jwk.dq)) + , ASN1.UInt(Enc.base64ToHex(jwk.qi)) + ) + ) + )); +}; +x509.packSpki = x509.packPkcs8; diff --git a/lib/rasha/package.json b/lib/rasha/package.json new file mode 100644 index 0000000..21a17c4 --- /dev/null +++ b/lib/rasha/package.json @@ -0,0 +1,40 @@ +{ + "name": "rasha", + "version": "1.1.0", + "description": "💯 PEM-to-JWK and JWK-to-PEM for RSA keys in a lightweight, zero-dependency library focused on perfect universal compatibility.", + "homepage": "https://git.coolaj86.com/coolaj86/rasha.js", + "main": "index.js", + "bin": { + "rasha": "bin/rasha.js" + }, + "files": [ + "bin", + "fixtures", + "lib" + ], + "directories": { + "lib": "lib" + }, + "scripts": { + "postinstall": "node lib/telemetry.js event:install", + "test": "bash test.sh" + }, + "repository": { + "type": "git", + "url": "https://git.coolaj86.com/coolaj86/rasha.js" + }, + "keywords": [ + "zero-dependency", + "PEM-to-JWK", + "JWK-to-PEM", + "RSA", + "2048", + "4096", + "asn1", + "x509", + "JWK-to-SSH", + "PEM-to-SSH" + ], + "author": "AJ ONeal (https://coolaj86.com/)", + "license": "MPL-2.0" +} diff --git a/lib/rasha/test.js b/lib/rasha/test.js new file mode 100644 index 0000000..c09a216 --- /dev/null +++ b/lib/rasha/test.js @@ -0,0 +1,6 @@ +var Rasha = require('./'); + +var pem = require('fs').readFileSync(process.argv[2], 'ascii'); +var jwk = Rasha.importSync({ pem: pem }); + +console.log(Buffer.from(jwk.n, 'base64').byteLength); diff --git a/lib/rasha/test.sh b/lib/rasha/test.sh new file mode 100755 index 0000000..db1ea9d --- /dev/null +++ b/lib/rasha/test.sh @@ -0,0 +1,172 @@ +#!/bin/bash + +# cause errors to hard-fail +# (and diff non-0 exit status will cause failure) +set -e + +pemtojwk() { + keyid=$1 + if [ -z "$keyid" ]; then + echo "" + echo "Testing PEM-to-JWK PKCS#1" + fi + # + node bin/rasha.js ./fixtures/privkey-rsa-2048.pkcs1.${keyid}pem \ + > ./fixtures/privkey-rsa-2048.jwk.1.json + diff ./fixtures/privkey-rsa-2048.jwk.${keyid}json ./fixtures/privkey-rsa-2048.jwk.1.json + # + node bin/rasha.js ./fixtures/pub-rsa-2048.pkcs1.${keyid}pem \ + > ./fixtures/pub-rsa-2048.jwk.1.json + diff ./fixtures/pub-rsa-2048.jwk.${keyid}json ./fixtures/pub-rsa-2048.jwk.1.json + if [ -z "$keyid" ]; then + echo "Pass" + fi + + + if [ -z "$keyid" ]; then + echo "" + echo "Testing PEM-to-JWK PKCS#8" + fi + # + node bin/rasha.js ./fixtures/privkey-rsa-2048.pkcs8.${keyid}pem \ + > ./fixtures/privkey-rsa-2048.jwk.1.json + diff ./fixtures/privkey-rsa-2048.jwk.${keyid}json ./fixtures/privkey-rsa-2048.jwk.1.json + # + node bin/rasha.js ./fixtures/pub-rsa-2048.spki.${keyid}pem \ + > ./fixtures/pub-rsa-2048.jwk.1.json + diff ./fixtures/pub-rsa-2048.jwk.${keyid}json ./fixtures/pub-rsa-2048.jwk.1.json + if [ -z "$keyid" ]; then + echo "Pass" + fi +} + +jwktopem() { + keyid=$1 + if [ -z "$keyid" ]; then + echo "" + echo "Testing JWK-to-PEM PKCS#1" + fi + # + node bin/rasha.js ./fixtures/privkey-rsa-2048.jwk.${keyid}json pkcs1 \ + > ./fixtures/privkey-rsa-2048.pkcs1.1.pem + diff ./fixtures/privkey-rsa-2048.pkcs1.${keyid}pem ./fixtures/privkey-rsa-2048.pkcs1.1.pem + # + node bin/rasha.js ./fixtures/pub-rsa-2048.jwk.${keyid}json pkcs1 \ + > ./fixtures/pub-rsa-2048.pkcs1.1.pem + diff ./fixtures/pub-rsa-2048.pkcs1.${keyid}pem ./fixtures/pub-rsa-2048.pkcs1.1.pem + if [ -z "$keyid" ]; then + echo "Pass" + fi + + if [ -z "$keyid" ]; then + echo "" + echo "Testing JWK-to-PEM PKCS#8" + fi + # + node bin/rasha.js ./fixtures/privkey-rsa-2048.jwk.${keyid}json pkcs8 \ + > ./fixtures/privkey-rsa-2048.pkcs8.1.pem + diff ./fixtures/privkey-rsa-2048.pkcs8.${keyid}pem ./fixtures/privkey-rsa-2048.pkcs8.1.pem + # + node bin/rasha.js ./fixtures/pub-rsa-2048.jwk.${keyid}json spki \ + > ./fixtures/pub-rsa-2048.spki.1.pem + diff ./fixtures/pub-rsa-2048.spki.${keyid}pem ./fixtures/pub-rsa-2048.spki.1.pem + if [ -z "$keyid" ]; then + echo "Pass" + fi + + if [ -z "$keyid" ]; then + echo "" + echo "Testing JWK-to-SSH" + fi + # + node bin/rasha.js ./fixtures/privkey-rsa-2048.jwk.${keyid}json ssh > ./fixtures/pub-rsa-2048.ssh.1.pub + diff ./fixtures/pub-rsa-2048.ssh.${keyid}pub ./fixtures/pub-rsa-2048.ssh.1.pub + # + node bin/rasha.js ./fixtures/pub-rsa-2048.jwk.${keyid}json ssh > ./fixtures/pub-rsa-2048.ssh.1.pub + diff ./fixtures/pub-rsa-2048.ssh.${keyid}pub ./fixtures/pub-rsa-2048.ssh.1.pub + if [ -z "$keyid" ]; then + echo "Pass" + fi +} + +rndkey() { + keyid="rnd.1." + keysize=$1 + # Generate 2048-bit RSA Keypair + openssl genrsa -out fixtures/privkey-rsa-2048.pkcs1.${keyid}pem $keysize + # Convert PKCS1 (traditional) RSA Keypair to PKCS8 format + openssl rsa -in fixtures/privkey-rsa-2048.pkcs1.${keyid}pem -pubout \ + -out fixtures/pub-rsa-2048.spki.${keyid}pem + # Export Public-only RSA Key in PKCS1 (traditional) format + openssl pkcs8 -topk8 -nocrypt -in fixtures/privkey-rsa-2048.pkcs1.${keyid}pem \ + -out fixtures/privkey-rsa-2048.pkcs8.${keyid}pem + # Convert PKCS1 (traditional) RSA Public Key to SPKI/PKIX format + openssl rsa -in fixtures/pub-rsa-2048.spki.${keyid}pem -pubin -RSAPublicKey_out \ + -out fixtures/pub-rsa-2048.pkcs1.${keyid}pem + # Convert RSA public key to SSH format + sshpub=$(ssh-keygen -f fixtures/pub-rsa-2048.spki.${keyid}pem -i -mPKCS8) + echo "$sshpub rsa@localhost" > fixtures/pub-rsa-2048.ssh.${keyid}pub + + + # to JWK + node bin/rasha.js ./fixtures/privkey-rsa-2048.pkcs1.${keyid}pem \ + > ./fixtures/privkey-rsa-2048.jwk.${keyid}json + node bin/rasha.js ./fixtures/pub-rsa-2048.pkcs1.${keyid}pem \ + > ./fixtures/pub-rsa-2048.jwk.${keyid}json + + pemtojwk "$keyid" + jwktopem "$keyid" +} + +pemtojwk "" +jwktopem "" + +echo "" +echo "testing node key generation" +node bin/rasha.js > /dev/null +node bin/rasha.js jwk > /dev/null +node bin/rasha.js json 2048 > /dev/null +node bin/rasha.js der > /dev/null +node bin/rasha.js pkcs8 der > /dev/null +node bin/rasha.js pem > /dev/null +node bin/rasha.js pkcs1 pem > /dev/null +node bin/rasha.js spki > /dev/null +echo "PASS" + +echo "" +echo "" +echo "Re-running tests with random keys of varying sizes" +echo "" + +# commented out sizes below 512, since they are below minimum size on some systems. +# rndkey 32 # minimum key size +# rndkey 64 +# rndkey 128 +# rndkey 256 + +rndkey 512 +rndkey 768 +rndkey 1024 +rndkey 2048 # first secure key size + +if [ "${RASHA_TEST_LARGE_KEYS}" == "true" ]; then + rndkey 3072 + rndkey 4096 # largest reasonable key size +else + echo "" + echo "Note:" + echo "Keys larger than 2048 have been tested and work, but are omitted from automated tests to save time." + echo "Set RASHA_TEST_LARGE_KEYS=true to enable testing of keys up to 4096." +fi + +echo "" +echo "Pass" + +rm fixtures/*.1.* + +echo "" +echo "" +echo "PASSED:" +echo "• All inputs produced valid outputs" +echo "• All outputs matched known-good values" +echo "• All random tests passed reciprosity" diff --git a/lib/rsa-csr/README.md b/lib/rsa-csr/README.md new file mode 100644 index 0000000..108d55a --- /dev/null +++ b/lib/rsa-csr/README.md @@ -0,0 +1,214 @@ +[RSA-CSR.js](https://git.coolaj86.com/coolaj86/rsa-csr.js) +========== + +Sponsored by [Root](https://therootcompany.com), +built for [ACME.js](https://git.coolaj86.com/coolaj86/acme.js) +and [Greenlock.js](https://git.coolaj86.com/coolaj86/greenlock-express.js) + +A focused, **zero-dependency** library that can do exactly one thing really, really well: + * Generate a Certificate Signing Requests (CSR), and sign it! + +| < 300 lines of code | 1.7k gzipped | 4.7k minified | 8.5k with comments | + +Need JWK-to-PEM? Try [Rasha.js](https://git.coolaj86.com/coolaj86/rasha.js) + +Need to generate an EC CSR? Try [ECSDA-CSR.js](https://git.coolaj86.com/coolaj86/ecdsa-csr.js) + +Features +======== + +* [x] Universal CSR support (RSA signing) that Just Works™ + * Common Name (CN) Subject + * Subject Alternative Names (SANs / altnames) + * 2048, 3072, and 4096 bit JWK RSA + * RSASSA PKCS1 v1.5 +* [x] Zero Dependencies + * (no ASN1.js, PKI.js, forge, jrsasign - not even elliptic.js!) +* [x] Quality + * Focused + * Lightweight + * Well-Commented, Well-Documented + * Secure +* [x] Vanilla Node.js + * no school like the old school + * easy to read and understand + +Usage +----- + +Given an array of domains it uses the first for the Common Name (CN), +also known as Subject, and all of them as the Subject Alternative Names (SANs or altnames). + +```js +'use strict'; + +var rsacsr = require('rsa-csr'); +var key = { + "kty": "RSA", + "n": "m2tt...-CNw", + "e": "AQAB", + "d": "Cpfo...HMQQ", + "p": "ynG-...sTCE", + "q": "xIkA...1Q1c", + "dp": "tzDG...B1QE", + "dq": "kh5d...aL48", + "qi": "AlHW...HhFU" +}; +var domains = [ 'example.com', 'www.example.com' ]; + +return rsacsr({ key: key, domains: domains }).then(function (csr) { + console.log('CSR PEM:'); + console.log(csr); +}); +``` + +The output will look something like this (but much longer): + +``` +-----BEGIN CERTIFICATE REQUEST----- +MIIClTCCAX0CAQAwFjEUMBIGA1UEAwwLZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3 +DQEBAQUAA4IBDwAwggEKAoIBAQCba21UHE+VbDTpmYYFZUOV+OQ8AngOCdjROsPC +0KiEfMvEaEM3NQl58u6QL7G7QsEr.....3pIpUUkx5WbwJY6xDrCyFKG8ktpnee6 +WjpTOBnpgHUI1/5ydnf0v29L9N+ALIJGKQxhub3iqB6EhCl93iiQtf4e7M/lzX7l +c1xqsSwVZ3RQVY9bRP9NdGuW4hVvscy5ypqRtXPXQpxMnYwfi9qW5Uo= +-----END CERTIFICATE REQUEST----- +``` + +#### PEM-to-JWK + +If you need to convert a PEM to JWK first, do so: + +```js +var Rasha = require('rasha'); + +Rasha.import({ pem: "-----BEGIN RSA PRIVATE KEY-----\nMIIEpAI..." }).then(function (jwk) { + console.log(jwk); +}) +``` + +#### CLI + +You're probably better off using OpenSSL for most commandline tasks, +but the `rsa-csr` and `rasha` CLIs are useful for testing and debugging. + +```bash +npm install -g rsa-csr +npm install -g rasha + +rasha ./privkey.pem > ./privkey.jwk.json +rsa-csr ./privkey.jwk.json example.com,www.example.com > csr.pem +``` + +### Options + +* `key` should be a JWK + * Need PEM support? Use [Rasha.js](https://git.coolaj86.com/coolaj86/rasha.js). + * (supports PEM, DER, PKCS#1 and PKCS#8) +* `domains` must be a list of strings representing domain names + * correctly handles utf-8 + * you may also use punycoded, if needed +* `subject` will be `domains[0]` by default + * you shouldn't use this unless you need to + * you may need to if you need utf-8 for domains, but punycode for the subject + +### Testing + +You can double check that the CSR you get out is actually valid: + +```bash +# Generate a key, if needed +openssl genrsa -out ./privkey-rsa.pkcs1.pem $keysize + +# Convert to JWK +rasha ./privkey-rsa.pkcs1.pem > ./privkey-rsa.jwk.json + +# Create a CSR with your domains +npx rsa-csr ./privkey-rsa.jwk.json example.com,www.example.com > csr.pem + +# Verify +openssl req -text -noout -verify -in csr.pem +``` + +New to Crypto? +-------------- + +Just a heads up in case you have no idea what you're doing: + +First of all, [don't panic](https://coolaj86.com/articles/dont-panic.html). + +Next: + +* RSA stands for... well, that doesn't matter, actually. +* DSA stands for _Digital Signing Algorithm_. +* RSA a separate standard from EC/ECDSA, but both are *asymmetric* +* Private keys are actually keypairs (they contain the public key) + +In many cases the terms get used (and misused) interchangably, +which can be confusing. You'll survive, I promise. + +* PEM is just a Base64-encoded DER (think JSON as hex or base64) +* DER is an binary _object notation_ for ASN.1 (think actual stringified JSON or XML) +* ASN.1 is _object notation_ standard (think JSON, the standard) +* X.509 is a suite of schemas (think XLST or json-schema.org) +* PKCS#8, PKIK, SPKI are all X.509 schemas (think defining `firstName` vs `first_name` vs `firstname`) + +Now forget about all that and just know this: + +**This library solves your problem if** you need RSA _something-or-other_ and CSR _something-or-other_ +in order to deal with SSL certificates in an internal organization. + +If that's not what you're doing, you may want HTTPS and SSL through +[Greenlock.js](https://git.coolaj86.com/coolaj86/greenlock-express.js), +or you may be looking for something else entirely. + +Goals vs Non-Goals +----- + +This was built for use by [ACME.js](https://git.coolaj86.com/coolaj86/acme.js) +and [Greenlock.js](https://git.coolaj86.com/coolaj86/greenlock-express.js). + +Rather than trying to make a generic implementation that works with everything under the sun, +this library is intentionally focused on around the use case of generating certificates for +ACME services (such as Let's Encrypt). + +That said, [please tell me](https://git.coolaj86.com/coolaj86/rsa-csr.js/issues) if it doesn't +do what you need, it may make sense to add it (or otherwise, perhaps to help you create a fork). + +The primary goal of this project is for this code to do exactly (and all of) +what it needs to do - No more, no less. + +* Support RSA JWKs + * 2048-bit + * 3072-bit + * 4096-bit +* Support PEM and DER via Rasha.js + * PKCS#1 (traditional) + * PKCS#8 + * RSASSA-PKCS1-v1_5 +* Vanilla node.js (ECMAScript 5.1) + * No babel + * No dependencies + +However, there are a few areas where I'd be willing to stretch: + +* Type definition files for altscript languages + +It is not a goal of this project to support any RSA profiles +except those that are universally supported by browsers and +are sufficiently secure (overkill is overkill). + +> A little copying is better than a little dependency. - [Go Proverbs](https://go-proverbs.github.io) by Rob Pike + +This code is considered small and focused enough that, +rather than making it a dependency in other small projects, +I personally just copy over the code. + +Hence, all of these projects are MPL-2.0 licensed. + +Legal +----- + +[RSA-CSR.js](https://git.coolaj86.com/coolaj86/rsa-csr.js) | +MPL-2.0 | +[Terms of Use](https://therootcompany.com/legal/#terms) | +[Privacy Policy](https://therootcompany.com/legal/#privacy) diff --git a/lib/rsa-csr/bin/rsa-csr.js b/lib/rsa-csr/bin/rsa-csr.js new file mode 100755 index 0000000..a923330 --- /dev/null +++ b/lib/rsa-csr/bin/rsa-csr.js @@ -0,0 +1,23 @@ +#!/usr/bin/env node +'use strict'; + +var fs = require('fs'); +var rsacsr = require('../index.js'); + +var keyname = process.argv[2]; +var domains = process.argv[3].split(/,/); + +var key = fs.readFileSync(keyname, 'ascii'); + +try { + key = JSON.parse(key); +} catch(e) { + // ignore +} + +rsacsr({ key: key, domains: domains }).then(function (csr) { + // Using error so that we can redirect stdout to file + //console.error("CN=" + domains[0]); + //console.error("subjectAltName=" + domains.join(',')); + console.log(csr); +}); diff --git a/lib/rsa-csr/fixtures/example.com-www.csr.pem b/lib/rsa-csr/fixtures/example.com-www.csr.pem new file mode 100644 index 0000000..d876ff8 --- /dev/null +++ b/lib/rsa-csr/fixtures/example.com-www.csr.pem @@ -0,0 +1,16 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIIClTCCAX0CAQAwFjEUMBIGA1UEAwwLZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3 +DQEBAQUAA4IBDwAwggEKAoIBAQCba21UHE+VbDTpmYYFZUOV+OQ8AngOCdjROsPC +0KiEfMvEaEM3NQl58u6QL7G7QsErKViiNPm9OTFo6HF5JijfWzK7haHFuRMEsgI4 +VwIYyhvqlJDfw/wt0AiVvSmoMfEQn1p1aiaO4V/RJSE3Vw/uz2bxiT22uSkSqOyS +hyfYE6dMHnuoBkzr4jvSifT+INmbv6Nyo4+AAMCZtYeHLrsFeSTjLL9jMPjI4ZkV +dlw2n3Xn9NbltF3/8Ao8dQfElqw+LIQWqU0oFHYNIP4ttfl5ObMKHaKSvBMyNruZ +R0El/ZsrcHLkAHRCLj07KRQJ81l5CUTPtQ02P1Eamz/nT4I3AgMBAAGgOjA4Bgkq +hkiG9w0BCQ4xKzApMCcGA1UdEQQgMB6CC2V4YW1wbGUuY29tgg93d3cuZXhhbXBs +ZS5jb20wDQYJKoZIhvcNAQELBQADggEBAGOFydCZPtRqnEidrB3vkpPp1GmQVqrl +XhqVM3X7UppsD3QDtJfgoSuBuVy3X/mPvy/Ly8WqEwJ7Ur+h76e7rgeFLvN5fQIr +frlpfCXrKaxxl6vxqKJ8s3Mn2LT8VmSVNig34NCtn99/SHNAlr3aU9L3b1+R25VI +FwFbOz/i92gOchT7Xat3fOiQ02k9GrHT33pIpUUkx5WbwJY6xDrCyFKG8ktpnee6 +WjpTOBnpgHUI1/5ydnf0v29L9N+ALIJGKQxhub3iqB6EhCl93iiQtf4e7M/lzX7l +c1xqsSwVZ3RQVY9bRP9NdGuW4hVvscy5ypqRtXPXQpxMnYwfi9qW5Uo= +-----END CERTIFICATE REQUEST----- diff --git a/lib/rsa-csr/fixtures/privkey-rsa-2048.jwk.json b/lib/rsa-csr/fixtures/privkey-rsa-2048.jwk.json new file mode 100644 index 0000000..f344c22 --- /dev/null +++ b/lib/rsa-csr/fixtures/privkey-rsa-2048.jwk.json @@ -0,0 +1,11 @@ +{ + "kty": "RSA", + "n": "m2ttVBxPlWw06ZmGBWVDlfjkPAJ4DgnY0TrDwtCohHzLxGhDNzUJefLukC-xu0LBKylYojT5vTkxaOhxeSYo31syu4WhxbkTBLICOFcCGMob6pSQ38P8LdAIlb0pqDHxEJ9adWomjuFf0SUhN1cP7s9m8Yk9trkpEqjskocn2BOnTB57qAZM6-I70on0_iDZm7-jcqOPgADAmbWHhy67BXkk4yy_YzD4yOGZFXZcNp915_TW5bRd__AKPHUHxJasPiyEFqlNKBR2DSD-LbX5eTmzCh2ikrwTMja7mUdBJf2bK3By5AB0Qi49OykUCfNZeQlEz7UNNj9RGps_50-CNw", + "e": "AQAB", + "d": "Cpfo7Mm9Nu8YMC_xrZ54W9mKHPkCG9rZ93Ds9PNp-RXUgb-ljTbFPZWsYxGNKLllFz8LNosr1pT2ZDMrwNk0Af1iWNvD6gkyXaiQdCyiDPSBsJyNv2LJZon-e85X74nv53UlIkmo9SYxdLz2JaJ-iIWEe8Qh-7llLktrTJV_xr98_tbhgSppz_IeOymq3SEZaQHM8pTU7w7XvCj2pb9r8fN0M0XcgWZIaf3LGEfkhF_WtX67XJ0C6-LbkT51jtlLRNGX6haGdscXS0OWWjKOJzKGuV-NbthEn5rmRtVnjRZ3yaxQ0ud8vC-NONn7yvGUlOur1IdDzJ_YfHPt9sHMQQ", + "p": "ynG-t9HwKCN3MWRYFdnFzi9-02Qcy3p8B5pu3ary2E70hYn2pHlUG2a9BNE8c5xHQ3Hx43WoWf6s0zOunPV1G28LkU_UYEbAtPv_PxSmzpQp9n9XnYvBLBF8Y3z7gxgLn1vVFNARrQdRtj87qY3aw7E9S4DsGcAarIuOT2TsTCE", + "q": "xIkAjgUzB1zaUzJtW2Zgvp9cYYr1DmpH30ePZl3c_8397_DZDDo46fnFYjs6uPa03HpmKUnbjwr14QHlfXlntJBEuXxcqLjkdKdJ4ob7xueLTK4suo9V8LSrkLChVxlZQwnFD2E5ll0sVeeDeMJHQw38ahSrBFEVnxjpnPh1Q1c", + "dp": "tzDGjECFOU0ehqtuqhcuT63a7h8hj19-7MJqoFwY9HQ-ALkfXyYLXeBSGxHbyiIYuodZg6LsfMNgUJ3r3Eyhc_nAVfYPEC_2IdAG4WYmq7iXYF9LQV09qEsKbFykm7QekE3hO7wswo5k-q2tp3ieBYdVGAXJoGOdv5VpaZ7B1QE", + "dq": "kh5dyDk7YCz7sUFbpsmuAeuPjoH2ghooh2u3xN7iUVmAg-ToKjwbVnG5-7eXiC779rQVwnrD_0yh1AFJ8wjRPqDIR7ObXGHikIxT1VSQWqiJm6AfZzDsL0LUD4YS3iPdhob7-NxLKWzqao_u4lhnDQaX9PKa12HFlny6K1daL48", + "qi": "AlHWbx1gp6Z9pbw_1hlS7HuXAgWoX7IjbTUelldf4gkriDWLOrj3QCZcO4ZvZvEwJhVlsny9LO8IkbwGJEL6cXraK08ByVS2mwQyflgTgGNnpzixyEUL_mrQLx6y145FHcxfeqNInMhep-0Mxn1D5nlhmIOgRApS0t9VoXtHhFU" +} diff --git a/lib/rsa-csr/fixtures/privkey-rsa-2048.pkcs1.pem b/lib/rsa-csr/fixtures/privkey-rsa-2048.pkcs1.pem new file mode 100644 index 0000000..246bd35 --- /dev/null +++ b/lib/rsa-csr/fixtures/privkey-rsa-2048.pkcs1.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAm2ttVBxPlWw06ZmGBWVDlfjkPAJ4DgnY0TrDwtCohHzLxGhD +NzUJefLukC+xu0LBKylYojT5vTkxaOhxeSYo31syu4WhxbkTBLICOFcCGMob6pSQ +38P8LdAIlb0pqDHxEJ9adWomjuFf0SUhN1cP7s9m8Yk9trkpEqjskocn2BOnTB57 +qAZM6+I70on0/iDZm7+jcqOPgADAmbWHhy67BXkk4yy/YzD4yOGZFXZcNp915/TW +5bRd//AKPHUHxJasPiyEFqlNKBR2DSD+LbX5eTmzCh2ikrwTMja7mUdBJf2bK3By +5AB0Qi49OykUCfNZeQlEz7UNNj9RGps/50+CNwIDAQABAoIBAAqX6OzJvTbvGDAv +8a2eeFvZihz5Ahva2fdw7PTzafkV1IG/pY02xT2VrGMRjSi5ZRc/CzaLK9aU9mQz +K8DZNAH9Yljbw+oJMl2okHQsogz0gbCcjb9iyWaJ/nvOV++J7+d1JSJJqPUmMXS8 +9iWifoiFhHvEIfu5ZS5La0yVf8a/fP7W4YEqac/yHjspqt0hGWkBzPKU1O8O17wo +9qW/a/HzdDNF3IFmSGn9yxhH5IRf1rV+u1ydAuvi25E+dY7ZS0TRl+oWhnbHF0tD +lloyjicyhrlfjW7YRJ+a5kbVZ40Wd8msUNLnfLwvjTjZ+8rxlJTrq9SHQ8yf2Hxz +7fbBzEECgYEAynG+t9HwKCN3MWRYFdnFzi9+02Qcy3p8B5pu3ary2E70hYn2pHlU +G2a9BNE8c5xHQ3Hx43WoWf6s0zOunPV1G28LkU/UYEbAtPv/PxSmzpQp9n9XnYvB +LBF8Y3z7gxgLn1vVFNARrQdRtj87qY3aw7E9S4DsGcAarIuOT2TsTCECgYEAxIkA +jgUzB1zaUzJtW2Zgvp9cYYr1DmpH30ePZl3c/8397/DZDDo46fnFYjs6uPa03Hpm +KUnbjwr14QHlfXlntJBEuXxcqLjkdKdJ4ob7xueLTK4suo9V8LSrkLChVxlZQwnF +D2E5ll0sVeeDeMJHQw38ahSrBFEVnxjpnPh1Q1cCgYEAtzDGjECFOU0ehqtuqhcu +T63a7h8hj19+7MJqoFwY9HQ+ALkfXyYLXeBSGxHbyiIYuodZg6LsfMNgUJ3r3Eyh +c/nAVfYPEC/2IdAG4WYmq7iXYF9LQV09qEsKbFykm7QekE3hO7wswo5k+q2tp3ie +BYdVGAXJoGOdv5VpaZ7B1QECgYEAkh5dyDk7YCz7sUFbpsmuAeuPjoH2ghooh2u3 +xN7iUVmAg+ToKjwbVnG5+7eXiC779rQVwnrD/0yh1AFJ8wjRPqDIR7ObXGHikIxT +1VSQWqiJm6AfZzDsL0LUD4YS3iPdhob7+NxLKWzqao/u4lhnDQaX9PKa12HFlny6 +K1daL48CgYACUdZvHWCnpn2lvD/WGVLse5cCBahfsiNtNR6WV1/iCSuINYs6uPdA +Jlw7hm9m8TAmFWWyfL0s7wiRvAYkQvpxetorTwHJVLabBDJ+WBOAY2enOLHIRQv+ +atAvHrLXjkUdzF96o0icyF6n7QzGfUPmeWGYg6BEClLS31Whe0eEVQ== +-----END RSA PRIVATE KEY----- diff --git a/lib/rsa-csr/fixtures/whatever.net-www-api.csr.pem b/lib/rsa-csr/fixtures/whatever.net-www-api.csr.pem new file mode 100644 index 0000000..9275f2d --- /dev/null +++ b/lib/rsa-csr/fixtures/whatever.net-www-api.csr.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIICqjCCAZICAQAwFzEVMBMGA1UEAwwMd2hhdGV2ZXIubmV0MIIBIjANBgkqhkiG +9w0BAQEFAAOCAQ8AMIIBCgKCAQEAm2ttVBxPlWw06ZmGBWVDlfjkPAJ4DgnY0TrD +wtCohHzLxGhDNzUJefLukC+xu0LBKylYojT5vTkxaOhxeSYo31syu4WhxbkTBLIC +OFcCGMob6pSQ38P8LdAIlb0pqDHxEJ9adWomjuFf0SUhN1cP7s9m8Yk9trkpEqjs +kocn2BOnTB57qAZM6+I70on0/iDZm7+jcqOPgADAmbWHhy67BXkk4yy/YzD4yOGZ +FXZcNp915/TW5bRd//AKPHUHxJasPiyEFqlNKBR2DSD+LbX5eTmzCh2ikrwTMja7 +mUdBJf2bK3By5AB0Qi49OykUCfNZeQlEz7UNNj9RGps/50+CNwIDAQABoE4wTAYJ +KoZIhvcNAQkOMT8wPTA7BgNVHREENDAyggx3aGF0ZXZlci5uZXSCEHd3dy53aGF0 +ZXZlci5uZXSCEGFwaS53aGF0ZXZlci5uZXQwDQYJKoZIhvcNAQELBQADggEBAB21 +KZYjarfd8nUAbwhH8dWZOo4rFcdYFo3xcXPQ11b1Wa79dtG67cgD/dplKFis5qD3 +6h4m818w9ESBA3Q1ZUy6HgDPMhCjg2fmCnSsZ5epo47wzvelYonfOX5DAwxgfYsa +335olrXJ0qsTiNmaS7RxDT53vfMOp41NyEAkFmpIAkaHgW/+xFPUSCBXIUWbaCG+ +pK3FVNmK3VCVCAP6UvVKYQUWSC6FRG/Q8MHoecdo+bbMlr2s2GPxq9TKInwe8JqT +E9pD7QMsN7uWpMaXNKCje4+Q88Br4URNcGAiYoy4/6hcF2Ki1saTYVIk/DG1P4hX +G5f0ezDLtsC22xe6jHI= +-----END CERTIFICATE REQUEST----- diff --git a/lib/rsa-csr/index.js b/lib/rsa-csr/index.js new file mode 100644 index 0000000..a4b74e6 --- /dev/null +++ b/lib/rsa-csr/index.js @@ -0,0 +1,2 @@ +'use strict'; +module.exports = require('./lib/csr.js'); diff --git a/lib/rsa-csr/lib/asn1.js b/lib/rsa-csr/lib/asn1.js new file mode 100644 index 0000000..c92c1c3 --- /dev/null +++ b/lib/rsa-csr/lib/asn1.js @@ -0,0 +1,72 @@ +'use strict'; + +// +// A dumbed-down, minimal ASN.1 parser / packer combo +// +// Note: generally I like to write congruent code +// (i.e. output can be used as input and vice-versa) +// However, this seemed to be more readable and easier +// to use written as-is, asymmetrically. +// (I also generally prefer to export objects rather +// functions but, yet again, asthetics one in this case) + +var Enc = require('./encoding.js'); + +// +// Packer +// + +// Almost every ASN.1 type that's important for CSR +// can be represented generically with only a few rules. +var ASN1 = module.exports = function ASN1(/*type, hexstrings...*/) { + var args = Array.prototype.slice.call(arguments); + var typ = args.shift(); + var str = args.join('').replace(/\s+/g, '').toLowerCase(); + var len = (str.length/2); + var lenlen = 0; + var hex = typ; + + // We can't have an odd number of hex chars + if (len !== Math.round(len)) { + console.error(arguments); + throw new Error("invalid hex"); + } + + // The first byte of any ASN.1 sequence is the type (Sequence, Integer, etc) + // The second byte is either the size of the value, or the size of its size + + // 1. If the second byte is < 0x80 (128) it is considered the size + // 2. If it is > 0x80 then it describes the number of bytes of the size + // ex: 0x82 means the next 2 bytes describe the size of the value + // 3. The special case of exactly 0x80 is "indefinite" length (to end-of-file) + + if (len > 127) { + lenlen += 1; + while (len > 255) { + lenlen += 1; + len = len >> 8; + } + } + + if (lenlen) { hex += Enc.numToHex(0x80 + lenlen); } + return hex + Enc.numToHex(str.length/2) + str; +}; + +// The Integer type has some special rules +ASN1.UInt = function UINT() { + var str = Array.prototype.slice.call(arguments).join(''); + var first = parseInt(str.slice(0, 2), 16); + + // If the first byte is 0x80 or greater, the number is considered negative + // Therefore we add a '00' prefix if the 0x80 bit is set + if (0x80 & first) { str = '00' + str; } + + return ASN1('02', str); +}; + +// The Bit String type also has a special rule +ASN1.BitStr = function BITSTR() { + var str = Array.prototype.slice.call(arguments).join(''); + // '00' is a mask of how many bits of the next byte to ignore + return ASN1('03', '00' + str); +}; diff --git a/lib/rsa-csr/lib/csr.js b/lib/rsa-csr/lib/csr.js new file mode 100644 index 0000000..219ab27 --- /dev/null +++ b/lib/rsa-csr/lib/csr.js @@ -0,0 +1,152 @@ +'use strict'; + +var crypto = require('crypto'); +var ASN1 = require('./asn1.js'); +var Enc = require('./encoding.js'); +var PEM = require('./pem.js'); +var X509 = require('./x509.js'); +var RSA = {}; + +/*global Promise*/ +var CSR = module.exports = function rsacsr(opts) { + // We're using a Promise here to be compatible with the browser version + // which will probably use the webcrypto API for some of the conversions + opts = CSR._prepare(opts); + + return CSR.create(opts).then(function (bytes) { + return CSR._encode(opts, bytes); + }); +}; + +CSR._prepare = function (opts) { + var Rasha; + opts = JSON.parse(JSON.stringify(opts)); + var pem, jwk; + + // We do a bit of extra error checking for user convenience + if (!opts) { throw new Error("You must pass options with key and domains to rsacsr"); } + if (!Array.isArray(opts.domains) || 0 === opts.domains.length) { + new Error("You must pass options.domains as a non-empty array"); + } + + // I need to check that 例.中国 is a valid domain name + if (!opts.domains.every(function (d) { + // allow punycode? xn-- + if ('string' === typeof d /*&& /\./.test(d) && !/--/.test(d)*/) { + return true; + } + })) { + throw new Error("You must pass options.domains as strings"); + } + + if (opts.pem) { + pem = opts.pem; + } else if (opts.jwk) { + jwk = opts.jwk; + } else { + if (!opts.key) { + throw new Error("You must pass options.key as a JSON web key"); + } else if (opts.key.kty) { + jwk = opts.key; + } else { + pem = opts.key; + } + } + + if (pem) { + try { + Rasha = require('rasha'); + } catch(e) { + throw new Error("Rasha.js is an optional dependency for PEM-to-JWK.\n" + + "Install it if you'd like to use it:\n" + + "\tnpm install --save rasha\n" + + "Otherwise supply a jwk as the private key." + ); + } + jwk = Rasha.importSync({ pem: pem }); + } + + opts.jwk = jwk; + return opts; +}; +CSR.sync = function (opts) { + opts = CSR._prepare(opts); + var bytes = CSR.createSync(opts); + return CSR._encode(opts, bytes); +}; +CSR._encode = function (opts, bytes) { + if ('der' === (opts.encoding||'').toLowerCase()) { + return bytes; + } + return PEM.packBlock({ + type: "CERTIFICATE REQUEST" + , bytes: bytes /* { jwk: jwk, domains: opts.domains } */ + }); +}; + +CSR.createSync = function createCsr(opts) { + var hex = CSR.request(opts.jwk, opts.domains); + var csr = CSR.signSync(opts.jwk, hex); + return Enc.hexToBuf(csr); +}; +CSR.create = function createCsr(opts) { + var hex = CSR.request(opts.jwk, opts.domains); + return CSR.sign(opts.jwk, hex).then(function (csr) { + return Enc.hexToBuf(csr); + }); +}; + +CSR.request = function createCsrBodyEc(jwk, domains) { + var asn1pub = X509.packCsrPublicKey(jwk); + return X509.packCsr(asn1pub, domains); +}; + +CSR.signSync = function csrEcSig(jwk, request) { + var keypem = PEM.packBlock({ type: "RSA PRIVATE KEY", bytes: X509.packPkcs1(jwk) }); + var sig = RSA.signSync(keypem, Enc.hexToBuf(request)); + return CSR.toDer({ request: request, signature: sig }); +}; +CSR.sign = function csrEcSig(jwk, request) { + var keypem = PEM.packBlock({ type: "RSA PRIVATE KEY", bytes: X509.packPkcs1(jwk) }); + return RSA.sign(keypem, Enc.hexToBuf(request)).then(function (sig) { + return CSR.toDer({ request: request, signature: sig }); + }); +}; +CSR.toDer = function encode(opts) { + var sty = ASN1('30' + // 1.2.840.113549.1.1.11 sha256WithRSAEncryption (PKCS #1) + , ASN1('06', '2a864886f70d01010b') + , ASN1('05') + ); + return ASN1('30' + // The Full CSR Request Body + , opts.request + // The Signature Type + , sty + // The Signature + , ASN1.BitStr(Enc.bufToHex(opts.signature)) + ); +}; + +// +// RSA +// + +// Took some tips from https://gist.github.com/codermapuche/da4f96cdb6d5ff53b7ebc156ec46a10a +RSA.signSync = function signRsaSync(keypem, ab) { + // Signer is a stream + var sign = crypto.createSign('SHA256'); + sign.write(new Uint8Array(ab)); + sign.end(); + + // The signature is ASN1 encoded, as it turns out + var sig = sign.sign(keypem); + + // Convert to a JavaScript ArrayBuffer just because + return new Uint8Array(sig.buffer.slice(sig.byteOffset, sig.byteOffset + sig.byteLength)); +}; +RSA.sign = function signRsa(keypem, ab) { + return Promise.resolve().then(function () { + return RSA.signSync(keypem, ab); + }); +}; diff --git a/lib/rsa-csr/lib/encoding.js b/lib/rsa-csr/lib/encoding.js new file mode 100644 index 0000000..f6b6ab0 --- /dev/null +++ b/lib/rsa-csr/lib/encoding.js @@ -0,0 +1,34 @@ +'use strict'; + +var Enc = module.exports; + +Enc.base64ToHex = function base64ToHex(b64) { + return Buffer.from(b64, 'base64').toString('hex').toLowerCase(); +}; + +Enc.bufToBase64 = function bufToBase64(u8) { + // we want to maintain api compatability with browser APIs, + // so we assume that this could be a Uint8Array + return Buffer.from(u8).toString('base64'); +}; + +Enc.bufToHex = function toHex(u8) { + return Buffer.from(u8).toString('hex').toLowerCase(); +}; + +Enc.hexToBuf = function (hex) { + return Buffer.from(hex, 'hex'); +}; + +Enc.numToHex = function numToHex(d) { + d = d.toString(16); + if (d.length % 2) { + return '0' + d; + } + return d; +}; + +Enc.utf8ToHex = function utf8ToHex(str) { + // node can properly handle utf-8 strings + return Buffer.from(str).toString('hex').toLowerCase(); +}; diff --git a/lib/rsa-csr/lib/pem.js b/lib/rsa-csr/lib/pem.js new file mode 100644 index 0000000..fb08dcc --- /dev/null +++ b/lib/rsa-csr/lib/pem.js @@ -0,0 +1,12 @@ +'use strict'; + +var Enc = require('./encoding.js'); +var PEM = module.exports; + +PEM.packBlock = function (opts) { + // TODO allow for headers? + return '-----BEGIN ' + opts.type + '-----\n' + + Enc.bufToBase64(opts.bytes).match(/.{1,64}/g).join('\n') + '\n' + + '-----END ' + opts.type + '-----' + ; +}; diff --git a/lib/rsa-csr/lib/telemetry.js b/lib/rsa-csr/lib/telemetry.js new file mode 100644 index 0000000..9623b77 --- /dev/null +++ b/lib/rsa-csr/lib/telemetry.js @@ -0,0 +1,111 @@ +'use strict'; + +// We believe in a proactive approach to sustainable open source. +// As part of that we make it easy for you to opt-in to following our progress +// and we also stay up-to-date on telemetry such as operating system and node +// version so that we can focus our efforts where they'll have the greatest impact. +// +// Want to learn more about our Terms, Privacy Policy, and Mission? +// Check out https://therootcompany.com/legal/ + +var os = require('os'); +var crypto = require('crypto'); +var https = require('https'); +var pkg = require('../package.json'); + +// to help focus our efforts in the right places +var data = { + package: pkg.name +, version: pkg.version +, node: process.version +, arch: process.arch || os.arch() +, platform: process.platform || os.platform() +, release: os.release() +}; + +function addCommunityMember(opts) { + setTimeout(function () { + var req = https.request({ + hostname: 'api.therootcompany.com' + , port: 443 + , path: '/api/therootcompany.com/public/community' + , method: 'POST' + , headers: { 'Content-Type': 'application/json' } + }, function (resp) { + // let the data flow, so we can ignore it + resp.on('data', function () {}); + //resp.on('data', function (chunk) { console.log(chunk.toString()); }); + resp.on('error', function () { /*ignore*/ }); + //resp.on('error', function (err) { console.error(err); }); + }); + var obj = JSON.parse(JSON.stringify(data)); + obj.action = 'updates'; + try { + obj.ppid = ppid(obj.action); + } catch(e) { + // ignore + //console.error(e); + } + obj.name = opts.name || undefined; + obj.address = opts.email; + obj.community = 'node.js@therootcompany.com'; + + req.write(JSON.stringify(obj, 2, null)); + req.end(); + req.on('error', function () { /*ignore*/ }); + //req.on('error', function (err) { console.error(err); }); + }, 50); +} + +function ping(action) { + setTimeout(function () { + var req = https.request({ + hostname: 'api.therootcompany.com' + , port: 443 + , path: '/api/therootcompany.com/public/ping' + , method: 'POST' + , headers: { 'Content-Type': 'application/json' } + }, function (resp) { + // let the data flow, so we can ignore it + resp.on('data', function () { }); + //resp.on('data', function (chunk) { console.log(chunk.toString()); }); + resp.on('error', function () { /*ignore*/ }); + //resp.on('error', function (err) { console.error(err); }); + }); + var obj = JSON.parse(JSON.stringify(data)); + obj.action = action; + try { + obj.ppid = ppid(obj.action); + } catch(e) { + // ignore + //console.error(e); + } + + req.write(JSON.stringify(obj, 2, null)); + req.end(); + req.on('error', function (/*e*/) { /*console.error('req.error', e);*/ }); + }, 50); +} + +// to help identify unique installs without getting +// the personally identifiable info that we don't want +function ppid(action) { + var parts = [ action, data.package, data.version, data.node, data.arch, data.platform, data.release ]; + var ifaces = os.networkInterfaces(); + Object.keys(ifaces).forEach(function (ifname) { + if (/^en/.test(ifname) || /^eth/.test(ifname) || /^wl/.test(ifname)) { + if (ifaces[ifname] && ifaces[ifname].length) { + parts.push(ifaces[ifname][0].mac); + } + } + }); + return crypto.createHash('sha1').update(parts.join(',')).digest('base64'); +} + +module.exports.ping = ping; +module.exports.joinCommunity = addCommunityMember; + +if (require.main === module) { + ping('install'); + //addCommunityMember({ name: "AJ ONeal", email: 'coolaj86@gmail.com' }); +} diff --git a/lib/rsa-csr/lib/x509.js b/lib/rsa-csr/lib/x509.js new file mode 100644 index 0000000..33cb9c5 --- /dev/null +++ b/lib/rsa-csr/lib/x509.js @@ -0,0 +1,66 @@ +'use strict'; + +var ASN1 = require('./asn1.js'); +var Enc = require('./encoding.js'); + +var X509 = module.exports; + +X509.packCsr = function (asn1pubkey, domains) { + return ASN1('30' + // Version (0) + , ASN1.UInt('00') + + // 2.5.4.3 commonName (X.520 DN component) + , ASN1('30', ASN1('31', ASN1('30', ASN1('06', '550403'), ASN1('0c', Enc.utf8ToHex(domains[0]))))) + + // Public Key (RSA or EC) + , asn1pubkey + + // Request Body + , ASN1('a0' + , ASN1('30' + // 1.2.840.113549.1.9.14 extensionRequest (PKCS #9 via CRMF) + , ASN1('06', '2a864886f70d01090e') + , ASN1('31' + , ASN1('30' + , ASN1('30' + // 2.5.29.17 subjectAltName (X.509 extension) + , ASN1('06', '551d11') + , ASN1('04' + , ASN1('30', domains.map(function (d) { + return ASN1('82', Enc.utf8ToHex(d)); + }).join('')))))))) + ); +}; + +X509.packPkcs1 = function (jwk) { + var n = ASN1.UInt(Enc.base64ToHex(jwk.n)); + var e = ASN1.UInt(Enc.base64ToHex(jwk.e)); + + if (!jwk.d) { + return Enc.hexToBuf(ASN1('30', n, e)); + } + + return Enc.hexToBuf(ASN1('30' + , ASN1.UInt('00') + , n + , e + , ASN1.UInt(Enc.base64ToHex(jwk.d)) + , ASN1.UInt(Enc.base64ToHex(jwk.p)) + , ASN1.UInt(Enc.base64ToHex(jwk.q)) + , ASN1.UInt(Enc.base64ToHex(jwk.dp)) + , ASN1.UInt(Enc.base64ToHex(jwk.dq)) + , ASN1.UInt(Enc.base64ToHex(jwk.qi)) + )); +}; + +X509.packCsrPublicKey = function (jwk) { + // Sequence the key + var n = ASN1.UInt(Enc.base64ToHex(jwk.n)); + var e = ASN1.UInt(Enc.base64ToHex(jwk.e)); + var asn1pub = ASN1('30', n, e); + //var asn1pub = X509.packPkcs1({ kty: jwk.kty, n: jwk.n, e: jwk.e }); + + // Add the CSR pub key header + return ASN1('30', ASN1('30', ASN1('06', '2a864886f70d010101'), ASN1('05')), ASN1.BitStr(asn1pub)); +}; diff --git a/lib/rsa-csr/package.json b/lib/rsa-csr/package.json new file mode 100644 index 0000000..72c4e67 --- /dev/null +++ b/lib/rsa-csr/package.json @@ -0,0 +1,64 @@ +{ + "_from": "rsa-csr", + "_id": "rsa-csr@1.0.5", + "_inBundle": false, + "_integrity": "sha512-rmQY0RmcpLdsXEJgE1S2xBam09YVggDIqBGCJNFkhD6ONkmpSGjZ+28J6gWy+ygKHHgC7Z+OpzDLVQYowOte3A==", + "_location": "/rsa-csr", + "_phantomChildren": {}, + "_requested": { + "type": "tag", + "registry": true, + "raw": "rsa-csr", + "name": "rsa-csr", + "escapedName": "rsa-csr", + "rawSpec": "", + "saveSpec": null, + "fetchSpec": "latest" + }, + "_requiredBy": [ + "#USER", + "/" + ], + "_resolved": "https://registry.npmjs.org/rsa-csr/-/rsa-csr-1.0.5.tgz", + "_shasum": "ac427ae3aa16089f5f26fc93047a7d2d844b0bf4", + "_spec": "rsa-csr", + "_where": "/Volumes/Data/git.coolaj86.com/coolaj86/rsa-compat.js", + "author": { + "name": "AJ ONeal", + "email": "coolaj86@gmail.com", + "url": "https://coolaj86.com/" + }, + "bin": { + "rsa-csr": "bin/rsa-csr.js" + }, + "bundleDependencies": false, + "deprecated": false, + "description": "💯 A focused, zero-dependency library to generate a Certificate Signing Request (CSR) and sign it!", + "directories": { + "lib": "lib" + }, + "files": [ + "bin", + "fixtures", + "lib" + ], + "homepage": "https://git.coolaj86.com/coolaj86/rsa-csr.js", + "keywords": [ + "zero-dependency", + "CSR", + "RSA", + "x509" + ], + "license": "MPL-2.0", + "main": "index.js", + "name": "rsa-csr", + "repository": { + "type": "git", + "url": "https://git.coolaj86.com/coolaj86/rsa-csr.js" + }, + "scripts": { + "postinstall": "node lib/telemetry.js event:install", + "test": "bash test.sh" + }, + "version": "1.0.5" +} diff --git a/lib/rsa-extra.js b/lib/rsa-extra.js deleted file mode 100644 index 2ba7dd1..0000000 --- a/lib/rsa-extra.js +++ /dev/null @@ -1,143 +0,0 @@ -'use strict'; - -// for forge -function _bigIntToBase64Url(fbin) { - var hex = fbin.toRadix(16); - if (hex.length % 2) { - // Invalid hex string - hex = '0' + hex; - } - var buf = Buffer.from(hex, 'hex'); - var b64 = buf.toString('base64'); - var b64Url = b64.replace(/[+]/g, "-").replace(/\//g, "_").replace(/=/g,""); - - return b64Url; -} -/* -// I think this doesn't work because toByteArray() returns signed bytes -function _xxx_bigIntToBase64Url(fbin) { - if (!fbin.toByteArray) { - console.log('fbin'); - console.log(fbin); - } - var byteArray = fbin.toByteArray(); - var buf = Buffer.from(byteArray); - var b64 = buf.toString('base64'); - var b64Url = b64.replace(/[+]/g, "-").replace(/\//g, "_").replace(/=/g,""); - - return b64Url; -} -*/ - -var extrac = module.exports = { - // - // internals - // - _forgeToPrivateJwk: function (keypair) { - var k = keypair._forge; - - return { - kty: "RSA" - , n: _bigIntToBase64Url(k.n) - , e: _bigIntToBase64Url(k.e) - , d: _bigIntToBase64Url(k.d) - , p: _bigIntToBase64Url(k.p) - , q: _bigIntToBase64Url(k.q) - , dp: _bigIntToBase64Url(k.dP) - , dq: _bigIntToBase64Url(k.dQ) - , qi: _bigIntToBase64Url(k.qInv) - }; - } -, _forgeToPublicJwk: function (keypair) { - var k = keypair._forge || keypair._forgePublic; - return { - kty: "RSA" - , n: _bigIntToBase64Url(k.n) - , e: _bigIntToBase64Url(k.e) - }; - } - - - - // - // Import Forge - // -, _forgeImportJwk: require('./rsa-forge')._forgeImportJwk -, _forgeImportPublicJwk: require('./rsa-forge')._forgeImportPublicJwk -, _forgeImportPem: require('./rsa-forge')._forgeImportPem -, _forgeImportPublicPem: require('./rsa-forge')._forgeImportPublicPem -, importForge: function (keypair) { - extrac._forgeImportJwk(keypair); - if (keypair.privateKeyPem) { - extrac._forgeImportPem(keypair); - } - if (keypair.publicKeyPem) { - extrac._forgeImportPublicPem(keypair); - } - return keypair; - } - - - - // - // Export JWK - // -, exportPrivateJwk: function (keypair) { - var hasUrsaPrivate = keypair._ursa && true; - var hasPrivatePem = keypair.privateKeyPem && true; - var hasForgePrivate = keypair._forge && true; - - if (keypair.privateKeyJwk) { - return keypair.privateKeyJwk; - } - - if (!hasForgePrivate) { - if (hasUrsaPrivate && !hasPrivatePem) { - keypair.privateKeyPem = keypair._ursa.toPrivatePem().toString('ascii'); - } - - if (keypair.privateKeyPem) { - extrac._forgeImportPem(keypair); - } - } - - if (keypair._forge) { - return extrac._forgeToPrivateJwk(keypair); - } - - throw new Error("None of privateKeyPem, _ursa, _forge, or privateKeyJwk found. No way to export private key Jwk"); - } -, exportPublicJwk: function (keypair) { - var hasUrsaPublic = (keypair._ursa || keypair._ursaPublic) && true; - var hasPublicPem = (keypair.privateKeyPem || keypair.publicKeyPem) && true; - var hasForgePublic = keypair._forge && true; - - if (keypair.publicKeyJwk) { - return keypair.publicKeyJwk; - } - - if (keypair.privateKeyJwk) { - return { - kty: 'RSA' - , n: keypair.privateKeyJwk.n - , e: keypair.privateKeyJwk.e - }; - } - - if (!hasForgePublic) { - if (hasUrsaPublic && !hasPublicPem) { - keypair.publicKeyPem = (keypair._ursa || keypair._ursaPublic).toPublicPem().toString('ascii'); - } - - if (keypair.publicKeyPem) { - extrac._forgeImportPublicPem(keypair); - } - } - - if (keypair._forge || keypair._forgePublic) { - return extrac._forgeToPublicJwk(keypair); - } - - throw new Error("None of publicKeyPem privateKeyPem, _ursa, _forge, publicKeyJwk, or privateKeyJwk found. No way to export private key Jwk"); - } -}; diff --git a/lib/rsa-forge.js b/lib/rsa-forge.js deleted file mode 100644 index ee04e04..0000000 --- a/lib/rsa-forge.js +++ /dev/null @@ -1,181 +0,0 @@ -'use strict'; - -var forge = require('node-forge'); - -function notToJson() { - return undefined; -} - -var forgec = module.exports = { - - - - // - // to components - // - _toStandardBase64: function (str) { - var b64 = str.replace(/-/g, "+").replace(/_/g, "/").replace(/=/g, ""); - - switch (b64.length % 4) { - case 2: b64 += "=="; break; - case 3: b64 += "="; break; - } - - return b64; - } -, _base64UrlToBin: function (base64) { - var std64 = forgec._toStandardBase64(base64); - var hex = Buffer.from(std64, 'base64').toString("hex"); - - return new forge.jsbn.BigInteger(hex, 16); - } -, _privateJwkToComponents: function (jwk) { - var components = []; - - // [ 'n', 'e', 'd', 'p', 'q', 'dP', 'dQ', 'qInv' ] - [ 'n', 'e', 'd', 'p', 'q', 'dp', 'dq', 'qi' ].forEach(function (key) { - components.push(forgec._base64UrlToBin(jwk[key])); - }); - - return components; - } -, _publicJwkToComponents: function (jwk) { - var components = []; - [ 'n', 'e' ].forEach(function (key) { - components.push(forgec._base64UrlToBin(jwk[key])); - }); - - return components; - } - - - - // - // Generate New Keypair - // -, generateKeypair: function (bitlen, exp, options, cb) { - var fkeypair = forge.pki.rsa.generateKeyPair({ bits: bitlen || 2048, e: exp || 0x10001 }); - var result = { - _forge: fkeypair.privateKey - , _forgePublic: fkeypair.publicKey - }; - - result._forge.toJSON = notToJson; - result._forgePublic.toJSON = notToJson; - - cb(null, result); - } - - - - // - // Import (no-op) - // -, _forgeImportJwk: function (keypair) { - if (!keypair._forge && keypair.privateKeyJwk) { - keypair._forge = forge.pki.rsa.setPrivateKey.apply( - forge.pki.rsa - , forgec._privateJwkToComponents(keypair.privateKeyJwk) - ); - keypair._forge.toJSON = notToJson; - } - - forgec._forgeImportPublicJwk(keypair); - } -, _forgeImportPublicJwk: function (keypair) { - if (keypair._forgePublic) { - return; - } - - if (keypair._forge) { - keypair._forgePublic = forge.pki.rsa.setPublicKey(keypair._forge.n, keypair._forge.e); - } - else if (keypair.publicKeyJwk) { - keypair._forgePublic = forge.pki.rsa.setPublicKey.apply( - forge.pki.rsa - , forgec._publicJwkToComponents(keypair.publicKeyJwk || keypair.privateKeyJwk) - ); - } - if (keypair._forgePublic) { - keypair._forgePublic.toJSON = notToJson; - } - } -, _forgeImportPem: function (keypair) { - if (!keypair._forge && keypair.privateKeyPem) { - keypair._forge = forge.pki.privateKeyFromPem(keypair.privateKeyPem); - keypair._forge.toJSON = notToJson; - } - - forgec._forgeImportPublicPem(keypair); - } -, _forgeImportPublicPem: function (keypair) { - if (keypair._forgePublic) { - return; - } - - if (keypair._forge) { - keypair._forgePublic = forge.pki.rsa.setPublicKey(keypair._forge.n, keypair._forge.e); - } - else if (keypair.publicKeyPem) { - keypair._forgePublic = keypair._forgePublic || forge.pki.publicKeyFromPem(keypair.publicKeyPem); - } - if (keypair._forgePublic) { - keypair._forgePublic.toJSON = notToJson; - } - } -, import: function (keypair) { - // no-op since this must be done anyway in extra - return keypair; - } - - - - // - // Export Public / Private PEMs - // -, exportPrivatePem: function (keypair) { - if (keypair.privateKeyPem) { - return keypair.privateKeyPem; - } - - if (keypair.privateKeyJwk && !keypair._forge) { - forgec._forgeImportJwk(keypair); - } - - if (keypair._forge) { - return forge.pki.privateKeyToPem(keypair._forge); - } - - throw new Error("None of privateKeyPem, _forge, or privateKeyJwk found. No way to export private key PEM"); - } -, exportPublicPem: function (keypair) { - if (keypair.publicKeyPem) { - return keypair.publicKeyPem; - } - - if ((keypair.privateKeyJwk || keypair.publicKeyJwk) - && !(keypair._forge || keypair._forgePublic) - ) { - forgec._forgeImportPublicJwk(keypair); - } - - if (!keypair._forge) { - if (keypair.privateKeyPem) { - forgec._forgeImportPem(keypair); - } - } - if (keypair.publicKeyPem) { - return keypair.publicKeyPem; - } - if (keypair._forge || keypair._forgePublic) { - return forge.pki.publicKeyToPem(keypair._forgePublic || keypair._forge); - } - - throw new Error("None of publicKeyPem, _forge, _forgePublic, publicKeyJwk, privateKeyPem, or privateKeyJwk found. No way to export public key PEM"); - } -//, exportPrivateKeyJwk: NOT IMPLEMENTED HERE -//, exportPublicKeyJwk: NOT IMPLEMENTED HERE - - - -}; diff --git a/lib/rsa-ursa.js b/lib/rsa-ursa.js deleted file mode 100644 index 369a249..0000000 --- a/lib/rsa-ursa.js +++ /dev/null @@ -1,182 +0,0 @@ -'use strict'; - -var ursa; -try { - ursa = require('ursa'); -} catch(e) { - try { - ursa = require('ursa-optional'); - } catch(e2) { - throw e; - } -} - - -function notToJson() { - return undefined; -} - -var ursac = module.exports = { - - - - // - // to components - // - _privateJwkToComponents: function (jwk) { - var components = []; - - [ 'n', 'e', 'p', 'q', 'dp', 'dq', 'qi', 'd' ].forEach(function (key) { - components.push(Buffer.from(jwk[key], 'base64')); - }); - - return components; - } -, _publicJwkToComponents: function (jwk) { - var components = []; - [ 'n', 'e' ].forEach(function (key) { - components.push(Buffer.from(jwk[key], 'base64')); - }); - - return components; - } - - - - // - // Generate New Keypair - // -, generateKeypair: function (bitlen, exp, options, cb) { - var keypair = ursa.generatePrivateKey(bitlen || 2048, exp || 65537); - - keypair.toJSON = notToJson; - - cb(null, { - _ursa: keypair - }); - } - - - - // - // Import - // -, _ursaImportPem: function (keypair) { - if (keypair._ursa) { - return; - } - - if (keypair.privateKeyPem) { - keypair._ursa = ursa.createPrivateKey(keypair.privateKeyPem); - keypair._ursa.toJSON = notToJson; - } - else if (keypair.publicKeyPem) { - ursac._ursaImportPublicPem(keypair); - } - } -, _ursaImportPublicPem: function (keypair) { - if (keypair._ursa || keypair._ursaPublic) { - return; - } - - if (keypair.publicKeyPem) { - keypair._ursaPublic = ursa.createPublicKey(keypair.publicKeyPem); - keypair._ursaPublic.toJSON = notToJson; - } - } -, _ursaImportJwk: function (keypair) { - if (keypair._ursa) { - return; - } - - if (keypair.privateKeyJwk) { - keypair._ursa = ursa.createPrivateKeyFromComponents.apply( - ursa - , ursac._privateJwkToComponents(keypair.privateKeyJwk) - ); - keypair._ursa.toJSON = notToJson; - } - else if (keypair.publicKeyJwk) { - ursac._ursaImportPublicJwk(keypair); - } - } -, _ursaImportPublicJwk: function (keypair) { - if (keypair._ursa || keypair._ursaPublic) { - return; - } - - if (keypair.publicKeyJwk) { - keypair._ursaPublic = ursa.createPublicKeyFromComponents.apply( - ursa - , ursac._publicJwkToComponents(keypair.publicKeyJwk) - ); - keypair._ursaPublic.toJSON = notToJson; - } - } -, import: function (keypair) { - ursac._ursaImportJwk(keypair); - ursac._ursaImportPem(keypair); - - return keypair; - } - - - - // - // Export Public / Private PEMs - // -, _pemBinToPem: function (pem) { - return pem.toString('ascii').replace(/[\n\r]+/g, '\r\n'); - } -, exportPrivatePem: function (keypair) { - if (keypair.privateKeyPem) { - return keypair.privateKeyPem; - } - - if (keypair._ursa) { - return ursac._pemBinToPem(keypair._ursa.toPrivatePem()); - } - - if (keypair.privateKeyJwk) { - ursac._ursaImportJwk(keypair); - - return ursac._pemBinToPem(keypair._ursa.toPrivatePem()); - } - - throw new Error("None of privateKeyPem, _ursa, or privateKeyJwk found. No way to export private key PEM"); - } -, exportPublicPem: function (keypair) { - if (keypair.publicKeyPem) { - return keypair.publicKeyPem; - } - - if (keypair._ursa || keypair._ursaPublic) { - return ursac._pemBinToPem((keypair._ursa || keypair._ursaPublic).toPublicPem()); - } - - if (keypair.publicKeyJwk) { - ursac._ursaImportPublicJwk(keypair); - - return ursac._pemBinToPem(keypair._ursaPublic.toPublicPem()); - } - - if (keypair.privateKeyJwk) { - ursac._ursaImportJwk(keypair); - - return ursac._pemBinToPem(keypair._ursa.toPublicPem()); - } - - if (keypair.privateKeyPem) { - ursac._ursaImportPem(keypair); - - return ursac._pemBinToPem(keypair._ursa.toPublicPem()); - } - - throw new Error("None of publicKeyPem, _ursa, publicKeyJwk, privateKeyPem, or privateKeyJwk found. No way to export public key PEM"); - } -//, exportPrivateKeyJwk: NOT IMPLEMENTED HERE -//, exportPublicKeyJwk: NOT IMPLEMENTED HERE - - - -}; diff --git a/lib/rsa.js b/lib/rsa.js new file mode 100644 index 0000000..d642cfd --- /dev/null +++ b/lib/rsa.js @@ -0,0 +1,213 @@ +// Copyright 2016-2018 AJ ONeal. All rights reserved +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +'use strict'; + +var RSA = module.exports; +RSA.utils = {}; + +try { + require('buffer-v6-polyfill'); +} catch(e) { + /* ignore */ +} + +var Rasha = require('./rasha'); +var RSACSR = require('./rsa-csr'); +var NOBJ = {}; +var DEFAULT_BITLEN = 2048; +var DEFAULT_EXPONENT = 0x10001; + +RSA.generateKeypair = function (options, cb, extra1, extra2) { + var length; + var exponent; + if ('function' === typeof extra2) { + length = options || DEFAULT_BITLEN; + exponent = cb || DEFAULT_EXPONENT; + options = extra1 || NOBJ; + cb = extra2; + } else { + if (!options) { options = NOBJ; } + length = options.bitlen || DEFAULT_BITLEN; + exponent = options.exp || DEFAULT_EXPONENT; + } + + try { + var keypair = require('./generate-privkey.js')(length, exponent); + keypair.thumbprint = RSA.thumbprint(keypair); + cb(null, keypair); + } catch(e) { + cb(e); + } +}; + +RSA.import = function (options) { + options = JSON.parse(JSON.stringify(options)); + + // Private Keys + if (options.privateKeyPem) { + if (!options.privateKeyJwk) { + options.privateKeyJwk = Rasha.importSync({ pem: options.privateKeyPem }); + } + } + if (options.privateKeyJwk) { + if (!options.privateKeyPem) { + options.privateKeyPem = Rasha.exportSync({ + jwk: options.privateKeyJwk + , format: options.format || 'pkcs1' + , encoding: options.encoding || 'pem' + }); + } + } + + // Public Keys + if (options.publicKeyPem || options.privateKeyPem) { + if (!options.publicKeyJwk) { + options.publicKeyJwk = Rasha.importSync({ + pem: options.publicKeyPem || options.privateKeyPem + , public: true + }); + } + } + if (options.publicKeyJwk || options.privateKeyJwk) { + if (!options.publicKeyPem) { + options.publicKeyPem = Rasha.exportSync({ + jwk: options.publicKeyJwk || options.privateKeyJwk + , format: options.format || 'pkcs1' + , encoding: options.encoding || 'pem' + , public: true + }); + } + } + if (!options.publicKeyPem) { + throw new Error("Error: no keys were present to import"); + } + + // Consistent CRLF + if (options.privateKeyPem) { + options.privateKeyPem = options.privateKeyPem + .trim().replace(/[\r\n]+/g, '\r\n') + '\r\n'; + } + options.publicKeyPem = options.publicKeyPem + .trim().replace(/[\r\n]+/g, '\r\n') + '\r\n'; + + // Thumbprint + if (!options.thumbprint) { + options.thumbprint = RSA._thumbprint(options); + } + + return options; +}; + +RSA.exportPrivatePem = function (keypair) { + keypair = RSA.import(keypair); + return keypair.privateKeyPem; +}; +RSA.exportPublicPem = function (keypair) { + keypair = RSA.import(keypair); + return keypair.publicKeyPem; +}; + +RSA.exportPrivateJwk = function (keypair) { + keypair = RSA.import(keypair); + return keypair.privateKeyJwk; +}; +RSA.exportPublicJwk = function (keypair) { + if (!keypair.publicKeyJwk) { + keypair = RSA.import(keypair); + } + return keypair.publicKeyJwk; +}; + +RSA.signJws = RSA.generateJws = RSA.generateSignatureJws = RSA.generateSignatureJwk = +function (keypair, header, protect, payload) { +// old (keypair, payload, nonce) + var nonce; + + keypair = RSA.import(keypair); + keypair.publicKeyJwk = RSA.exportPublicJwk(keypair); + + if ('string' === typeof protect || ('undefined' === typeof protect && 'undefined' === typeof payload)) { + console.warn("deprecation notice: new signature for signJws(keypair, header, protect, payload)"); + // old API + payload = header; + nonce = protect; + protect = undefined; + header = { + alg: "RS256" + , jwk: keypair.publicKeyJwk + }; + protect = { nonce: nonce }; + } + + // Compute JWS signature + var protectedHeader = ""; + if (protect) { + protectedHeader = JSON.stringify(protect); // { alg: prot.alg, nonce: prot.nonce, url: prot.url }); + } + var protected64 = RSA.utils.toWebsafeBase64(Buffer.from(protectedHeader).toString('base64')); + var payload64 = RSA.utils.toWebsafeBase64(payload.toString('base64')); + var raw = protected64 + "." + payload64; + var pem = RSA.exportPrivatePem(keypair); + var signer = require('crypto').createSign("RSA-SHA256"); + signer.update(raw); + + return { + header: header + , protected: protected64 + , payload: payload64 + , signature: signer.sign(pem, 'base64') + .replace(/\+/g, '-') + .replace(/\//g, '_') + .replace(/=/g, '') + }; +}; + +RSA.generateCsrPem = function (keypair, domains) { + keypair = RSA.import(keypair); + return RSACSR.sync({ jwk: keypair.privateKeyJwk, domains: domains }); +}; +RSA.generateCsrDer = function (keypair, domains) { + keypair = RSA.import(keypair); + return RSACSR.sync({ + jwk: keypair.privateKeyJwk + , domains: domains + , encoding: 'der' + }); +}; +RSA.generateCsrDerWeb64 =RSA.generateCsrWeb64 = function (keypair, names) { + var buf = RSA.generateCsrDer(keypair, names); + var b64 = buf.toString('base64'); + return RSA.utils.toWebsafeBase64(b64); +}; + +RSA._thumbprintInput = function (n, e) { + // #L147 const rsaThumbprintTemplate = `{"e":"%s","kty":"RSA","n":"%s"}` + return Buffer.from('{"e":"'+ e + '","kty":"RSA","n":"'+ n +'"}', 'ascii'); +}; +RSA._thumbprint = function (keypair) { + var publicKeyJwk = keypair.publicKeyJwk; + + if (!publicKeyJwk.e || !publicKeyJwk.n) { + throw new Error("You must provide an RSA jwk with 'e' and 'n' (the public components)"); + } + + var input = RSA._thumbprintInput(publicKeyJwk.n, publicKeyJwk.e); + var base64Digest = require('crypto').createHash('sha256').update(input).digest('base64'); + + return RSA.utils.toWebsafeBase64(base64Digest); +}; +RSA.thumbprint = function (keypair) { + if (!keypair.publicKeyJwk) { + keypair.publicKeyJwk = RSA.exportPublicJwk(keypair); + } + return RSA._thumbprint(keypair); +}; + +RSA.utils.toWebsafeBase64 = function (b64) { + return b64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g,""); +}; + +RSA.exportPrivateKey = RSA.exportPrivatePem; +RSA.exportPublicKey = RSA.exportPublicPem; diff --git a/lib/telemetry.js b/lib/telemetry.js new file mode 100644 index 0000000..9623b77 --- /dev/null +++ b/lib/telemetry.js @@ -0,0 +1,111 @@ +'use strict'; + +// We believe in a proactive approach to sustainable open source. +// As part of that we make it easy for you to opt-in to following our progress +// and we also stay up-to-date on telemetry such as operating system and node +// version so that we can focus our efforts where they'll have the greatest impact. +// +// Want to learn more about our Terms, Privacy Policy, and Mission? +// Check out https://therootcompany.com/legal/ + +var os = require('os'); +var crypto = require('crypto'); +var https = require('https'); +var pkg = require('../package.json'); + +// to help focus our efforts in the right places +var data = { + package: pkg.name +, version: pkg.version +, node: process.version +, arch: process.arch || os.arch() +, platform: process.platform || os.platform() +, release: os.release() +}; + +function addCommunityMember(opts) { + setTimeout(function () { + var req = https.request({ + hostname: 'api.therootcompany.com' + , port: 443 + , path: '/api/therootcompany.com/public/community' + , method: 'POST' + , headers: { 'Content-Type': 'application/json' } + }, function (resp) { + // let the data flow, so we can ignore it + resp.on('data', function () {}); + //resp.on('data', function (chunk) { console.log(chunk.toString()); }); + resp.on('error', function () { /*ignore*/ }); + //resp.on('error', function (err) { console.error(err); }); + }); + var obj = JSON.parse(JSON.stringify(data)); + obj.action = 'updates'; + try { + obj.ppid = ppid(obj.action); + } catch(e) { + // ignore + //console.error(e); + } + obj.name = opts.name || undefined; + obj.address = opts.email; + obj.community = 'node.js@therootcompany.com'; + + req.write(JSON.stringify(obj, 2, null)); + req.end(); + req.on('error', function () { /*ignore*/ }); + //req.on('error', function (err) { console.error(err); }); + }, 50); +} + +function ping(action) { + setTimeout(function () { + var req = https.request({ + hostname: 'api.therootcompany.com' + , port: 443 + , path: '/api/therootcompany.com/public/ping' + , method: 'POST' + , headers: { 'Content-Type': 'application/json' } + }, function (resp) { + // let the data flow, so we can ignore it + resp.on('data', function () { }); + //resp.on('data', function (chunk) { console.log(chunk.toString()); }); + resp.on('error', function () { /*ignore*/ }); + //resp.on('error', function (err) { console.error(err); }); + }); + var obj = JSON.parse(JSON.stringify(data)); + obj.action = action; + try { + obj.ppid = ppid(obj.action); + } catch(e) { + // ignore + //console.error(e); + } + + req.write(JSON.stringify(obj, 2, null)); + req.end(); + req.on('error', function (/*e*/) { /*console.error('req.error', e);*/ }); + }, 50); +} + +// to help identify unique installs without getting +// the personally identifiable info that we don't want +function ppid(action) { + var parts = [ action, data.package, data.version, data.node, data.arch, data.platform, data.release ]; + var ifaces = os.networkInterfaces(); + Object.keys(ifaces).forEach(function (ifname) { + if (/^en/.test(ifname) || /^eth/.test(ifname) || /^wl/.test(ifname)) { + if (ifaces[ifname] && ifaces[ifname].length) { + parts.push(ifaces[ifname][0].mac); + } + } + }); + return crypto.createHash('sha1').update(parts.join(',')).digest('base64'); +} + +module.exports.ping = ping; +module.exports.joinCommunity = addCommunityMember; + +if (require.main === module) { + ping('install'); + //addCommunityMember({ name: "AJ ONeal", email: 'coolaj86@gmail.com' }); +} diff --git a/node.js b/node.js deleted file mode 100644 index aa88db6..0000000 --- a/node.js +++ /dev/null @@ -1,298 +0,0 @@ -/*! - * rsa-compat - * Copyright(c) 2016 AJ ONeal https://daplie.com - * Apache-2.0 OR MIT (and hence also MPL 2.0) -*/ -'use strict'; - -try { - require('buffer-v6-polyfill'); -} catch(e) { - /* ignore */ -} - -var RSA = {}; -var NOBJ = {}; -var DEFAULT_BITLEN = 2048; -var DEFAULT_EXPONENT = 65537; - -function create(deps) { - var crypto = require('crypto'); - - deps = deps || {}; - deps.NOBJ = {}; - deps.RSA = RSA; - - try { - RSA._URSA = require('ursa'); - } catch(e) { - try { - RSA._URSA = require('ursa-optional'); - } catch(e) { - // ignore - } - } - - RSA.utils = require('./lib/key-utils.js'); - RSA.utils.toWebsafeBase64 = function (b64) { - return b64.replace(/[+]/g, "-").replace(/\//g, "_").replace(/=/g,""); - }; - - RSA.utils._forgeBytesToBuf = function (bytes) { - var forge = require("node-forge"); - return Buffer.from(forge.util.bytesToHex(bytes), "hex"); - }; - RSA._internal = require('./lib/node');//.create(deps); - - RSA._thumbprintInput = function (n, e) { - // #L147 const rsaThumbprintTemplate = `{"e":"%s","kty":"RSA","n":"%s"}` - return Buffer.from('{"e":"'+ e + '","kty":"RSA","n":"'+ n +'"}', 'ascii'); - }; - RSA.thumbprint = function (keypair) { - var publicKeyJwk = RSA.exportPublicJwk(keypair); - - if (!publicKeyJwk.e || !publicKeyJwk.n) { - throw new Error("You must provide an RSA jwk with 'e' and 'n' (the public components)"); - } - - var input = RSA._thumbprintInput(publicKeyJwk.n, publicKeyJwk.e); - var base64Digest = crypto.createHash('sha256').update(input).digest('base64'); - - return RSA.utils.toWebsafeBase64(base64Digest); - }; - - // length, exponent, options, cb - RSA.generateKeypair = function (options, cb, extra1, extra2) { - var length; - var exponent; - if ('function' === typeof extra2) { - length = options || DEFAULT_BITLEN; - exponent = cb || DEFAULT_EXPONENT; - options = extra1 || NOBJ; - cb = extra2; - } else { - if (!options) { options = NOBJ; } - length = options.bitlen || DEFAULT_BITLEN; - exponent = options.exp || DEFAULT_EXPONENT; - } - if (!RSA._URSA && /arm|mips/i.test(require('os').arch) && !RSA._SLOW_WARN) { - console.warn("================================================================"); - console.warn(" WARNING"); - console.warn("================================================================"); - console.warn(""); - console.warn("WARNING: You are generating an RSA key using pure JavaScript on"); - console.warn(" a VERY SLOW cpu. This could take DOZENS of minutes!"); - console.warn(""); - console.warn(" We recommend installing a C compiler and 'ursa'"); - console.warn(""); - console.warn("EXAMPLE:"); - console.warn(""); - console.warn(" sudo apt-get install build-essential && npm install ursa"); - console.warn(""); - console.warn("================================================================"); - RSA._SLOW_WARN = true; - } - var keypair = { - privateKeyPem: undefined - , publicKeyPem: undefined - , privateKeyJwk: undefined - , publicKeyJwk: undefined - , _ursa: undefined - , _ursaPublic: undefined - , _forge: undefined - , _forgePublic: undefined - }; - - RSA._internal.generateKeypair(length, exponent, options, function (err, keys) { - if (false !== options.jwk || options.thumbprint) { - keypair.privateKeyJwk = RSA._internal.exportPrivateJwk(keys); - if (options.public) { - keypair.publicKeyJwk = RSA._internal.exportPublicJwk(keys); - } - } - - if (options.pem) { - keypair.privateKeyPem = RSA._internal.exportPrivatePem(keys); - if (options.public) { - keypair.publicKeyPem = RSA._internal.exportPublicPem(keys); - } - } - - if (options.thumprint) { - keypair.thumbprint = RSA.thumbprint(keypair); - } - - if (options.internal) { - //keypair._ursa = undefined; - //keypair._forge = undefined; - keypair._ursa = keys._ursa; - keypair._forge = keys._forge; - } - - cb(null, keypair); - return; - }); - }; - - RSA.import = function (options/*, options*/) { - var keypair = options; - if (keypair.key) { - keypair = keypair.key; - } - keypair = RSA._internal.import(keypair, { internal: true }); - keypair = RSA._internal.importForge(keypair, { internal: true }); - //options = options || NOBJ; // ignore - if (keypair.privateKeyJwk || keypair.privateKeyPem || keypair._ursa || keypair._forge) { - keypair.privateKeyJwk = RSA._internal.exportPrivateJwk(keypair, { internal: true }); - //keypair.privateKeyPem = RSA._internal.exportPrivatePem(keypair, { internal: true }); - return keypair; - } - - if (keypair.publicKeyJwk || keypair.publicKeyPem || keypair._ursaPublic || keypair._forgePublic) { - keypair.publicKeyJwk = RSA._internal.exportPublicJwk(keypair, { internal: true }); - //keypair.publicKeyPem = RSA._internal.exportPublicPem(keypair, { internal: true }); - return keypair; - } - - throw new Error('found neither private nor public keypair in any supported format'); - }; - - RSA._ursaGenerateSig = function (keypair, sha256Buf) { - var sig = keypair._ursa.sign('sha256', sha256Buf); - var sig64 = RSA.utils.toWebsafeBase64(sig.toString('base64')); - - return sig64; - }; - RSA._forgeGenerateSig = function (keypair, sha256Buf) { - var forge = require('node-forge'); - var bufF = forge.util.createBuffer(sha256Buf.toString('binary'), 'binary'); - var md = { - algorithm: 'sha256' - , blockLength: 64 - , digestLength: 20 - , digest: function () { - return bufF; - } - }; - var sigF = keypair._forge.sign(md); - var sig64 = RSA.utils.toWebsafeBase64( - Buffer.from(forge.util.bytesToHex(sigF), "hex").toString('base64') - ); - - return sig64; - }; - - RSA.signJws = RSA.generateJws = RSA.generateSignatureJws = RSA.generateSignatureJwk = - function (keypair, header, protect, payload) { - // old (keypair, payload, nonce) - var nonce; - - keypair = RSA._internal.import(keypair); - keypair = RSA._internal.importForge(keypair); - keypair.publicKeyJwk = RSA.exportPublicJwk(keypair); - - if ('string' === typeof protect || ('undefined' === typeof protect && 'undefined' === typeof payload)) { - console.warn("deprecation notice: new signature for signJws(keypair, header, protect, payload)"); - // old API - payload = header; - nonce = protect; - protect = undefined; - header = { - alg: "RS256" - , jwk: keypair.publicKeyJwk - }; - protect = { nonce: nonce }; - } - - // Compute JWS signature - var protectedHeader = ""; - if (protect) { - protectedHeader = JSON.stringify(protect); // { alg: prot.alg, nonce: prot.nonce, url: prot.url }); - } - var protected64 = RSA.utils.toWebsafeBase64(Buffer.from(protectedHeader).toString('base64')); - var payload64 = RSA.utils.toWebsafeBase64(payload.toString('base64')); - var raw = protected64 + "." + payload64; - var sha256Buf = crypto.createHash('sha256').update(raw).digest(); - var sig64; - - if (RSA._URSA) { - sig64 = RSA._ursaGenerateSig(keypair, sha256Buf); - } else { - sig64 = RSA._forgeGenerateSig(keypair, sha256Buf); - } - - return { - header: header - , protected: protected64 - , payload: payload64 - , signature: sig64 - }; - }; - - // - // Generate CSR - // - RSA._generateCsrForge = function (keypair, names) { - var forge = require('node-forge'); - keypair = RSA._internal.importForge(keypair); - - // Create and sign the CSR - var csr = forge.pki.createCertificationRequest(); - csr.publicKey = keypair._forgePublic; - // TODO should the commonName be shift()ed off so that it isn't also in altNames? - // http://stackoverflow.com/questions/5935369/ssl-how-do-common-names-cn-and-subject-alternative-names-san-work-together - csr.setSubject([{ name: 'commonName', value: names[0] }]); - - var sans = names.map(function (name) { - return { type: 2, value: name }; - }); - csr.setAttributes([{ - name: 'extensionRequest', - extensions: [{name: 'subjectAltName', altNames: sans}] - }]); - - // TODO wrap with node crypto (as done for signature) - csr.sign(keypair._forge, forge.md.sha256.create()); - - return csr; - }; - RSA.generateCsrAsn1 = function (keypair, names) { - var forge = require('node-forge'); - var csr = RSA._generateCsrForge(keypair, names); - var asn1 = forge.pki.certificationRequestToAsn1(csr); - - return RSA.utils._forgeBytesToBuf(asn1); - }; - RSA.generateCsrPem = function (keypair, names) { - var forge = require('node-forge'); - var csr = RSA._generateCsrForge(keypair, names); - return forge.pki.certificationRequestToPem(csr); - }; - RSA.generateCsrDer = function (keypair, names) { - var forge = require('node-forge'); - var csr = RSA._generateCsrForge(keypair, names); - var asn1 = forge.pki.certificationRequestToAsn1(csr); - var der = forge.asn1.toDer(asn1); - - return RSA.utils._forgeBytesToBuf(der); - }; - RSA.generateCsrDerWeb64 =RSA.generateCsrWeb64 = function (keypair, names) { - var buf = RSA.generateCsrDer(keypair, names); - var b64 = buf.toString('base64'); - var web64 = RSA.utils.toWebsafeBase64(b64); - return web64; - }; - - RSA.exportPrivateKey = RSA._internal.exportPrivatePem; - RSA.exportPublicKey = RSA._internal.exportPublicPem; - RSA.exportPrivatePem = RSA._internal.exportPrivatePem; - RSA.exportPublicPem = RSA._internal.exportPublicPem; - - RSA.exportPrivateJwk = RSA._internal.exportPrivateJwk; - RSA.exportPublicJwk = RSA._internal.exportPublicJwk; - - return RSA; -} - -module.exports.RSA = create(/*require('./lib/node')*/); -//module.exports.RSA.create = create; diff --git a/package.json b/package.json index 063459e..2a66a13 100644 --- a/package.json +++ b/package.json @@ -1,17 +1,18 @@ { "name": "rsa-compat", - "version": "1.6.1", + "version": "1.9.0", "description": "RSA utils that work on Windows, Mac, and Linux with or without C compiler", - "main": "node.js", + "main": "index.js", "bin": { "rsa-keygen-js": "bin/rsa-keygen.js" }, "scripts": { - "test": "node tests" + "postinstall": "node lib/telemetry.js event:install", + "test": "bash test.sh" }, "repository": { "type": "git", - "url": "git+https://git.coolaj86.com/coolaj86/rsa-compat.js.git" + "url": "https://git.coolaj86.com/coolaj86/rsa-compat.js.git" }, "keywords": [ "RSA", @@ -27,7 +28,7 @@ "jwk" ], "author": "AJ ONeal (https://coolaj86.com/)", - "license": "(MIT OR Apache-2.0)", + "license": "MPL-2.0", "bugs": { "url": "https://git.coolaj86.com/coolaj86/rsa-compat.js/issues" }, @@ -36,7 +37,7 @@ "node-forge": "^0.7.6" }, "optionalDependencies": { - "ursa-optional": "^0.9.6" + "ursa-optional": "^0.9.10" }, "trulyOptionalDependencies": { "buffer-v6-polyfill": "^1.0.3" diff --git a/test.sh b/test.sh new file mode 100644 index 0000000..27342ec --- /dev/null +++ b/test.sh @@ -0,0 +1,8 @@ +#!/bin/bash +set -e + +node tests/generate-csr.js +node tests/generate-key.js +node tests/generate-key-new.js +node tests/generate-sig.js +node tests/reciprocate.js diff --git a/tests/generate-key-new.js b/tests/generate-key-new.js index ec9e354..bc04e79 100644 --- a/tests/generate-key-new.js +++ b/tests/generate-key-new.js @@ -7,18 +7,6 @@ RSA.generateKeypair(null, function (err, keys) { throw new Error("Expected privateKeyJwk, but it is missing"); } - if ( - keys.publicKeyJwk - || keys.privateKeyPem - || keys.publicKeyPem - || keys.thumbprint - || keys._ursa - || keys._forge - ) { - console.error(Object.keys(keys)); - throw new Error("Got unexpected keys"); - } - var options = { public: true // export public keys , pem: true // export pems @@ -34,7 +22,6 @@ RSA.generateKeypair(null, function (err, keys) { || !keys.privateKeyPem || !keys.publicKeyPem //|| !keys.thumbprint - || !(keys._ursa || keys._forge) ) { console.error(Object.keys(keys)); throw new Error("Missing expected keys"); diff --git a/tests/generate-key.js b/tests/generate-key.js index ef23bfe..3911ac9 100644 --- a/tests/generate-key.js +++ b/tests/generate-key.js @@ -7,18 +7,6 @@ RSA.generateKeypair(null, null, null, function (err, keys) { throw new Error("Expected privateKeyJwk, but it is missing"); } - if ( - keys.publicKeyJwk - || keys.privateKeyPem - || keys.publicKeyPem - || keys.thumbprint - || keys._ursa - || keys._forge - ) { - console.error(Object.keys(keys)); - throw new Error("Got unexpected keys"); - } - var options = { public: true // export public keys , pem: true // export pems @@ -32,7 +20,6 @@ RSA.generateKeypair(null, null, null, function (err, keys) { || !keys.privateKeyPem || !keys.publicKeyPem //|| !keys.thumbprint - || !(keys._ursa || keys._forge) ) { console.error(Object.keys(keys)); throw new Error("Missing expected keys"); diff --git a/tests/generate-sig.js b/tests/generate-sig.js index b0cadf3..89a3b98 100644 --- a/tests/generate-sig.js +++ b/tests/generate-sig.js @@ -5,14 +5,14 @@ var RSA = require('../').RSA; var keypair = { privateKeyJwk: { "kty": "RSA", - "n": "AMJubTfOtAarnJytLE8fhNsEI8wnpjRvBXGK/Kp0675J10ORzxyMLqzIZF3tcrUkKBrtdc79u4X0GocDUgukpfkY+2UPUS/GxehUYbYrJYWOLkoJWzxn7wfoo9X1JgvBMY6wHQnTKvnzZdkom2FMhGxkLaEUGDSfsNznTTZNBBg9", + "n": "AMJubTfOtAarnJytLE8fhNsEI8wnpjRvBXGK_Kp0675J10ORzxyMLqzIZF3tcrUkKBrtdc79u4X0GocDUgukpfkY-2UPUS_GxehUYbYrJYWOLkoJWzxn7wfoo9X1JgvBMY6wHQnTKvnzZdkom2FMhGxkLaEUGDSfsNznTTZNBBg9", "e": "AQAB", - "d": "HT8DCrv69G3n9uFNovE4yMEMqW7lX0m75eJkMze3Jj5xNOa/4qlrc+4IuuA2uuyfY72IVQRxqqqXOuvS8ZForZZk+kWSd6z45hrpbNAAHH2Rf7XwnwHY8VJrOQF3UtbktTWqHX36ITZb9Hmf18hWsIeEp8Ng7Ru9h7hNuVxKMjk=", - "p": "AONjOvZVAvhCM2JnLGWJG3+5Boar3MB5P4ezfExDmuyGET/w0C+PS60jbjB8TivQsSdEcGo7GOaOlmAX6EQtAec=", - "q": "ANrllgJsy4rTMfa3mQ50kMIcNahiEOearhAcJgQUCHuOjuEnhU9FfExA/m5FXjmEFQhRwkuhk0QaIqTGbUzxGDs=", - "dp": "ALuxHOpYIatqeZ+wKiVllx1GTOy8z+rQKnCI5wDMjQTPZU2yKSYY0g6IQFwlPyFLke8nvuLxBQzKhbWsBjzAKeE=", - "dq": "XLhDAmPzE6rBzy+VtXnKl247jEd9wZzTfh9uOuwBa9TG0Lhcz2cvb11YaH0ZnGNGRW/cTQzzxDUN1531TlIRYQ==", - "qi": "AI2apz6ECfGwhsvIcU3+yFt+3CA78CUVsX4NUul5m3Cls2m+5MbGQG5K0hGpxjDC3OmXTq1Y5gnep5yUZvVPZI4=" + "d": "HT8DCrv69G3n9uFNovE4yMEMqW7lX0m75eJkMze3Jj5xNOa_4qlrc-4IuuA2uuyfY72IVQRxqqqXOuvS8ZForZZk-kWSd6z45hrpbNAAHH2Rf7XwnwHY8VJrOQF3UtbktTWqHX36ITZb9Hmf18hWsIeEp8Ng7Ru9h7hNuVxKMjk=", + "p": "AONjOvZVAvhCM2JnLGWJG3-5Boar3MB5P4ezfExDmuyGET_w0C-PS60jbjB8TivQsSdEcGo7GOaOlmAX6EQtAec=", + "q": "ANrllgJsy4rTMfa3mQ50kMIcNahiEOearhAcJgQUCHuOjuEnhU9FfExA_m5FXjmEFQhRwkuhk0QaIqTGbUzxGDs=", + "dp": "ALuxHOpYIatqeZ-wKiVllx1GTOy8z-rQKnCI5wDMjQTPZU2yKSYY0g6IQFwlPyFLke8nvuLxBQzKhbWsBjzAKeE=", + "dq": "XLhDAmPzE6rBzy-VtXnKl247jEd9wZzTfh9uOuwBa9TG0Lhcz2cvb11YaH0ZnGNGRW_cTQzzxDUN1531TlIRYQ==", + "qi": "AI2apz6ECfGwhsvIcU3-yFt-3CA78CUVsX4NUul5m3Cls2m-5MbGQG5K0hGpxjDC3OmXTq1Y5gnep5yUZvVPZI4=" } }; @@ -22,7 +22,7 @@ var ursaResult = { "alg": "RS256", "jwk": { "kty": "RSA", - "n": "AMJubTfOtAarnJytLE8fhNsEI8wnpjRvBXGK/Kp0675J10ORzxyMLqzIZF3tcrUkKBrtdc79u4X0GocDUgukpfkY+2UPUS/GxehUYbYrJYWOLkoJWzxn7wfoo9X1JgvBMY6wHQnTKvnzZdkom2FMhGxkLaEUGDSfsNznTTZNBBg9", + "n": "AMJubTfOtAarnJytLE8fhNsEI8wnpjRvBXGK_Kp0675J10ORzxyMLqzIZF3tcrUkKBrtdc79u4X0GocDUgukpfkY-2UPUS_GxehUYbYrJYWOLkoJWzxn7wfoo9X1JgvBMY6wHQnTKvnzZdkom2FMhGxkLaEUGDSfsNznTTZNBBg9", "e": "AQAB" } }, @@ -35,7 +35,7 @@ var forgeResult = { "alg": "RS256", "jwk": { "kty": "RSA", - "n": "AMJubTfOtAarnJytLE8fhNsEI8wnpjRvBXGK/Kp0675J10ORzxyMLqzIZF3tcrUkKBrtdc79u4X0GocDUgukpfkY+2UPUS/GxehUYbYrJYWOLkoJWzxn7wfoo9X1JgvBMY6wHQnTKvnzZdkom2FMhGxkLaEUGDSfsNznTTZNBBg9", + "n": "AMJubTfOtAarnJytLE8fhNsEI8wnpjRvBXGK_Kp0675J10ORzxyMLqzIZF3tcrUkKBrtdc79u4X0GocDUgukpfkY-2UPUS_GxehUYbYrJYWOLkoJWzxn7wfoo9X1JgvBMY6wHQnTKvnzZdkom2FMhGxkLaEUGDSfsNznTTZNBBg9", "e": "AQAB" } }, diff --git a/tests/reciprocate.js b/tests/reciprocate.js index ef640aa..dc7a756 100644 --- a/tests/reciprocate.js +++ b/tests/reciprocate.js @@ -45,7 +45,7 @@ if (hasUrsa) { } else { imported = RSA.import({ privateKeyPem: privkeyPemRef }); - refs.privPem2 = RSA.exportPrivatePem({ _forge: imported._forge }); + refs.privPem2 = RSA.exportPrivatePem(imported); } if (privkeyPemRef !== refs.privPem2) { console.log('REF:'); @@ -73,7 +73,7 @@ if (![ 'kty', 'n', 'e', 'p', 'q', 'dp', 'dq', 'qi', 'd' ].every(function (k) { } imported = RSA.import({ privateKeyJwk: privkeyJwkRef }); -refs.privJwk2 = RSA.exportPrivateJwk({ _forge: imported._forge }); +refs.privJwk2 = RSA.exportPrivateJwk(imported); console.log('JWK -> _ -> JWK ?', privkeyJwkRef.n === refs.privJwk2.n); if (privkeyJwkRef.n !== refs.privJwk2.n) { console.log('REF:');