coolaj86
/
x509.js
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
VanillaJS, Lightweight, Zero-Dependency, x509 encoder and decoder for Private / Public Keypairs and CSRs.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4 Commits
1 Branch
3 Tags
192 KiB
 
 
Branch: master
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'master'
${ noResults }
x509.js/parsers.js

263 lines
6.3 KiB
Raw Permalink Blame History

'use strict';
var X509 = module.exports;
var Enc = require('@root/encoding');
var ASN1 = require('@root/asn1/parser');
// 1.2.840.10045.3.1.7
// prime256v1 (ANSI X9.62 named elliptic curve)
var OBJ_ID_EC = '06 08 2A8648CE3D030107'.replace(/\s+/g, '').toLowerCase();
// 1.3.132.0.34
// secp384r1 (SECG (Certicom) named elliptic curve)
var OBJ_ID_EC_384 = '06 05 2B81040022'.replace(/\s+/g, '').toLowerCase();
X509.parsePkcs1 = function parseRsaPkcs1(asn1, jwk) {
if (!jwk) {
jwk = {};
}
// might be a buffer
if (asn1.byteLength) {
asn1 = ASN1.parse({ der: asn1, verbose: true, json: false });
}
if (
!asn1.children.every(function(el) {
return 0x02 === el.type;
})
) {
throw new Error(
'not an RSA PKCS#1 public or private key (not all ints)'
);
}
if (2 === asn1.children.length) {
jwk.n = Enc.bufToUrlBase64(asn1.children[0].value);
jwk.e = Enc.bufToUrlBase64(asn1.children[1].value);
jwk.kty = 'RSA';
} else if (asn1.children.length >= 9) {
// the standard allows for "otherPrimeInfos", hence at least 9
jwk.n = Enc.bufToUrlBase64(asn1.children[1].value);
jwk.e = Enc.bufToUrlBase64(asn1.children[2].value);
jwk.d = Enc.bufToUrlBase64(asn1.children[3].value);
jwk.p = Enc.bufToUrlBase64(asn1.children[4].value);
jwk.q = Enc.bufToUrlBase64(asn1.children[5].value);
jwk.dp = Enc.bufToUrlBase64(asn1.children[6].value);
jwk.dq = Enc.bufToUrlBase64(asn1.children[7].value);
jwk.qi = Enc.bufToUrlBase64(asn1.children[8].value);
jwk.kty = 'RSA';
} else {
throw new Error(
'not an RSA PKCS#1 public or private key (wrong number of ints)'
);
}
return jwk;
};
X509.parseSec1 = function parseEcOnlyPrivkey(u8, jwk) {
var index = 7;
var len = 32;
var olen = OBJ_ID_EC.length / 2;
if ('P-384' === jwk.crv) {
olen = OBJ_ID_EC_384.length / 2;
index = 8;
len = 48;
}
if (len !== u8[index - 1]) {
throw new Error('Unexpected bitlength ' + len);
}
// private part is d
var d = u8.slice(index, index + len);
// compression bit index
var ci = index + len + 2 + olen + 2 + 3;
var c = u8[ci];
var x, y;
if (0x04 === c) {
y = u8.slice(ci + 1 + len, ci + 1 + len + len);
} else if (0x02 !== c) {
throw new Error('not a supported EC private key');
}
x = u8.slice(ci + 1, ci + 1 + len);
return {
kty: jwk.kty || 'EC',
crv: jwk.crv || 'P-256',
d: Enc.bufToUrlBase64(d),
//, dh: Enc.bufToHex(d)
x: Enc.bufToUrlBase64(x),
//, xh: Enc.bufToHex(x)
y: Enc.bufToUrlBase64(y)
//, yh: Enc.bufToHex(y)
};
};
X509.parsePkcs8 = function(u8, jwk) {
try {
return X509.parseRsaPkcs8(u8, jwk);
} catch (e) {
return X509.parseEcPkcs8(u8, jwk);
}
};
X509.parseEcPkcs8 = function parseEcPkcs8(u8, jwk) {
var index = 24 + OBJ_ID_EC.length / 2;
var len = 32;
if ('P-384' === jwk.crv) {
index = 24 + OBJ_ID_EC_384.length / 2 + 2;
len = 48;
}
if (0x04 !== u8[index]) {
throw new Error('privkey not found');
}
var d = u8.slice(index + 2, index + 2 + len);
var ci = index + 2 + len + 5;
var xi = ci + 1;
var x = u8.slice(xi, xi + len);
var yi = xi + len;
var y;
if (0x04 === u8[ci]) {
y = u8.slice(yi, yi + len);
} else if (0x02 !== u8[ci]) {
throw new Error('invalid compression bit (expected 0x04 or 0x02)');
}
return {
kty: jwk.kty || 'EC',
crv: jwk.crv || 'P-256',
d: Enc.bufToUrlBase64(d),
//, dh: Enc.bufToHex(d)
x: Enc.bufToUrlBase64(x),
//, xh: Enc.bufToHex(x)
y: Enc.bufToUrlBase64(y)
//, yh: Enc.bufToHex(y)
};
};
X509.parseRsaPkcs8 = function parseRsaPkcs8(asn1, jwk) {
if (!jwk) {
jwk = {};
}
// might be a buffer
if (asn1.byteLength) {
asn1 = ASN1.parse({ der: asn1, verbose: true, json: false });
}
if (
2 === asn1.children.length &&
0x03 === asn1.children[1].type // && 2 === asn1.children[1].children.length
) {
asn1 = asn1.children[1].children[0];
jwk.n = Enc.bufToUrlBase64(asn1.children[0].value);
jwk.e = Enc.bufToUrlBase64(asn1.children[1].value);
jwk.kty = 'RSA';
} else if (
3 === asn1.children.length &&
0x04 === asn1.children[2].type &&
0x30 === asn1.children[2].children[0].type &&
0x02 === asn1.children[2].children[0].children[0].type
) {
asn1 = asn1.children[2].children[0];
jwk.n = Enc.bufToUrlBase64(asn1.children[1].value);
jwk.e = Enc.bufToUrlBase64(asn1.children[2].value);
jwk.d = Enc.bufToUrlBase64(asn1.children[3].value);
jwk.p = Enc.bufToUrlBase64(asn1.children[4].value);
jwk.q = Enc.bufToUrlBase64(asn1.children[5].value);
jwk.dp = Enc.bufToUrlBase64(asn1.children[6].value);
jwk.dq = Enc.bufToUrlBase64(asn1.children[7].value);
jwk.qi = Enc.bufToUrlBase64(asn1.children[8].value);
jwk.kty = 'RSA';
} else {
throw new Error(
'not an RSA PKCS#8 public or private key (wrong format)'
);
}
return jwk;
};
X509.parseSpki = function(buf, jwk) {
try {
return X509.parseRsaPkcs8(buf, jwk);
} catch (e) {
return X509.parseEcSpki(buf, jwk);
}
};
X509.parseEcSpki = function(u8, jwk) {
var ci = 16 + OBJ_ID_EC.length / 2;
var len = 32;
if ('P-384' === jwk.crv) {
ci = 16 + OBJ_ID_EC_384.length / 2;
len = 48;
}
var c = u8[ci];
var xi = ci + 1;
var x = u8.slice(xi, xi + len);
var yi = xi + len;
var y;
if (0x04 === c) {
y = u8.slice(yi, yi + len);
} else if (0x02 !== c) {
throw new Error('not a supported EC private key');
}
return {
kty: jwk.kty || 'EC',
crv: jwk.crv || 'P-256',
x: Enc.bufToUrlBase64(x),
//, xh: Enc.bufToHex(x)
y: Enc.bufToUrlBase64(y)
//, yh: Enc.bufToHex(y)
};
};
X509.parsePkix = X509.parseSpki;
// TODO look for ECDSA as well
X509._parseRsa = function(asn1) {
// accepting der for compatability with other usages
if (asn1.byteLength) {
asn1 = ASN1.parse({ der: asn1, verbose: true, json: false });
}
var meta = { kty: 'RSA', format: 'pkcs1', public: true };
//meta.asn1 = ASN1.parse(u8);
if (
asn1.children.every(function(el) {
return 0x02 === el.type;
})
) {
if (2 === asn1.children.length) {
// rsa pkcs1 public
//return meta;
} else if (asn1.children.length >= 9) {
// the standard allows for "otherPrimeInfos", hence at least 9
meta.public = false;
// rsa pkcs1 private
//return meta;
} else {
throw new Error(
'not an RSA PKCS#1 public or private key (wrong number of ints)'
);
}
} else {
meta.format = 'pkcs8';
}
var jwk = { kty: 'RSA', n: null, e: null };
if ('pkcs1' === meta.format) {
return X509.parsePkcs1(asn1, jwk);
} else {
return X509.parsePkcs8(asn1, jwk);
}
};