From f798abf2a627f51312a369d38b9ac64fbe241630 Mon Sep 17 00:00:00 2001
From: AJ ONeal <coolaj86@gmail.com>
Date: Thu, 22 Nov 2018 04:32:33 -0700
Subject: [PATCH] cleanup (and JWK-to-PEM prep)

---
 lib/encoding.js |  14 +++---
 lib/rasha.js    | 123 +++++++++++++++++++++++-------------------------
 lib/x509.js     |  64 ++++++++++++++++++++++++-
 test.sh         |   6 +++
 4 files changed, 136 insertions(+), 71 deletions(-)
 create mode 100755 test.sh

diff --git a/lib/encoding.js b/lib/encoding.js
index 48de237..5723e79 100644
--- a/lib/encoding.js
+++ b/lib/encoding.js
@@ -41,10 +41,10 @@ Enc.strToBin = function strToBin(str) {
 
 /*
 Enc.strToBase64 = function strToBase64(str) {
-	// node automatically can tell the difference
-	// between uc2 (utf-8) strings and binary strings
-	// so we don't have to re-encode the strings
-	return Buffer.from(str).toString('base64');
+  // node automatically can tell the difference
+  // between uc2 (utf-8) strings and binary strings
+  // so we don't have to re-encode the strings
+  return Buffer.from(str).toString('base64');
 };
 */
 
@@ -61,7 +61,7 @@ Enc.urlBase64ToBase64 = function urlsafeBase64ToBase64(str) {
 */
 
 Enc.base64ToBuf = function base64ToBuf(str) {
-	// always convert from urlsafe base64, just in case
-	//return Buffer.from(Enc.urlBase64ToBase64(str)).toString('base64');
-	return Buffer.from(str, 'base64');
+  // always convert from urlsafe base64, just in case
+  //return Buffer.from(Enc.urlBase64ToBase64(str)).toString('base64');
+  return Buffer.from(str, 'base64');
 };
diff --git a/lib/rasha.js b/lib/rasha.js
index 01e0714..6ace4b9 100644
--- a/lib/rasha.js
+++ b/lib/rasha.js
@@ -5,7 +5,6 @@ var SSH = require('./ssh.js');
 var PEM = require('./pem.js');
 var x509 = require('./x509.js');
 var ASN1 = require('./asn1.js');
-var Enc = require('./encoding.js');
 
 /*global Promise*/
 RSA.parse = function parseRsa(opts) {
@@ -26,17 +25,13 @@ RSA.parse = function parseRsa(opts) {
     var meta = x509.guess(block.der, asn1);
 
     if ('pkcs1' === meta.format) {
-      jwk = RSA.parsePkcs1(block.der, asn1, jwk);
+      jwk = x509.parsePkcs1(block.der, asn1, jwk);
     } else {
-      jwk = RSA.parsePkcs8(block.der, asn1, jwk);
+      jwk = x509.parsePkcs8(block.der, asn1, jwk);
     }
 
     if (opts.public) {
-      jwk = {
-        kty: jwk.kty
-      , n: jwk.n
-      , e: jwk.e
-      };
+      jwk = RSA.nueter(jwk);
     }
     return jwk;
   });
@@ -58,63 +53,65 @@ RSAPrivateKey ::= SEQUENCE {
 }
 */
 
-RSA.parsePkcs1 = function parseRsaPkcs1(buf, asn1, jwk) {
-  if (!asn1.children.every(function(el) {
-    return 0x02 === el.type;
-  })) {
-    throw new Error("not an RSA PKCS#1 public or private key (not all ints)");
-  }
+RSA.pack = function (opts) {
+  return Promise.resolve().then(function () {
+    if (!opts || !opts.jwk || 'object' !== typeof opts.jwk) {
+      throw new Error("must pass { jwk: jwk }");
+    }
+    var jwk = JSON.parse(JSON.stringify(opts.jwk));
+    var format = opts.format;
+    var pub = opts.public;
+    if (pub || -1 !== [ 'spki', 'pkix', 'ssh', 'rfc4716' ].indexOf(format)) {
+      jwk = RSA.nueter(jwk);
+    }
+    if ('RSA' !== jwk.kty) {
+      throw new Error("options.jwk.kty must be 'RSA' for RSA keys");
+    }
+    if (!jwk.p) {
+      // TODO test for n and e
+      pub = true;
+      if (!format || 'pkcs1' === format) {
+        format = 'pkcs1';
+      } else if (-1 !== [ 'spki', 'pkix' ].indexOf(format)) {
+        format = 'spki';
+      } else if (-1 !== [ 'ssh', 'rfc4716' ].indexOf(format)) {
+        format = 'ssh';
+      } else {
+        throw new Error("options.format must be 'spki', 'pkcs1', or 'ssh' for public RSA keys, not ("
+          + typeof format + ") " + format);
+      }
+    } else {
+      // TODO test for all necessary keys (d, p, q ...)
+      if (!format || 'pkcs1' === format) {
+        format = 'pkcs1';
+      } else if ('pkcs8' !== format) {
+        throw new Error("options.format must be 'pkcs1' or 'pkcs8' for private RSA keys");
+      }
+    }
 
-  if (2 === asn1.children.length) {
-
-    jwk.n = Enc.bufToUrlBase64(asn1.children[0].value);
-    jwk.e = Enc.bufToUrlBase64(asn1.children[1].value);
-    return jwk;
-
-  } else if (asn1.children.length >= 9) {
-    // the standard allows for "otherPrimeInfos", hence at least 9
-
-    jwk.n = Enc.bufToUrlBase64(asn1.children[1].value);
-    jwk.e = Enc.bufToUrlBase64(asn1.children[2].value);
-    jwk.d = Enc.bufToUrlBase64(asn1.children[3].value);
-    jwk.p = Enc.bufToUrlBase64(asn1.children[4].value);
-    jwk.q = Enc.bufToUrlBase64(asn1.children[5].value);
-    jwk.dp = Enc.bufToUrlBase64(asn1.children[6].value);
-    jwk.dq = Enc.bufToUrlBase64(asn1.children[7].value);
-    jwk.qi = Enc.bufToUrlBase64(asn1.children[8].value);
-    return jwk;
-
-  } else {
-    throw new Error("not an RSA PKCS#1 public or private key (wrong number of ints)");
-  }
+    if ('pkcs1' === format) {
+      return PEM.packBlock({ type: "RSA PRIVATE KEY", bytes: x509.packPkcs1(jwk) });
+    } else if ('pkcs8' === format) {
+      return PEM.packBlock({ type: "PRIVATE KEY", bytes: x509.packPkcs8(jwk) });
+    } else if (-1 !== [ 'spki', 'pkix' ].indexOf(format)) {
+      return PEM.packBlock({ type: "PUBLIC KEY", bytes: x509.packSpki(jwk) });
+    } else if (-1 !== [ 'ssh', 'rfc4716' ].indexOf(format)) {
+      return SSH.packSsh(jwk);
+    } else {
+      throw new Error("Sanity Error: reached unreachable code block with format: " + format);
+    }
+  });
 };
+RSA.toPem = RSA.export = RSA.pack;
 
-RSA.parsePkcs8 = function parseRsaPkcs8(buf, asn1, jwk) {
-  if (2 === asn1.children.length
-    && 0x03 === asn1.children[1].type
-    && 0x30 === asn1.children[1].value[0]) {
-
-    asn1 = ASN1.parse(asn1.children[1].value);
-    jwk.n = Enc.bufToUrlBase64(asn1.children[0].value);
-    jwk.e = Enc.bufToUrlBase64(asn1.children[1].value);
-
-  } else if (3 === asn1.children.length
-    && 0x04 === asn1.children[2].type
-    && 0x30 === asn1.children[2].children[0].type
-    && 0x02 === asn1.children[2].children[0].children[0].type) {
-
-    asn1 = asn1.children[2].children[0];
-    jwk.n = Enc.bufToUrlBase64(asn1.children[1].value);
-    jwk.e = Enc.bufToUrlBase64(asn1.children[2].value);
-    jwk.d = Enc.bufToUrlBase64(asn1.children[3].value);
-    jwk.p = Enc.bufToUrlBase64(asn1.children[4].value);
-    jwk.q = Enc.bufToUrlBase64(asn1.children[5].value);
-    jwk.dp = Enc.bufToUrlBase64(asn1.children[6].value);
-    jwk.dq = Enc.bufToUrlBase64(asn1.children[7].value);
-    jwk.qi = Enc.bufToUrlBase64(asn1.children[8].value);
-
-  } else {
-    throw new Error("not an RSA PKCS#8 public or private key (wrong format)");
-  }
+// snip the _private_ parts... hAHAHAHA!
+RSA.nueter = function (jwk) {
+  // (snip rather than new object to keep potential extra data)
+  // otherwise we could just do this:
+  // return { kty: jwk.kty, n: jwk.n, e: jwk.e };
+  [ 'p', 'q', 'd', 'dp', 'dq', 'qi' ].forEach(function (key) {
+    if (key in jwk) { jwk[key] = undefined; }
+    return jwk;
+  });
   return jwk;
 };
diff --git a/lib/x509.js b/lib/x509.js
index 54d1b33..32a2a87 100644
--- a/lib/x509.js
+++ b/lib/x509.js
@@ -1,7 +1,8 @@
 'use strict';
 
-//var ASN1 = require('./asn1.js');
 var x509 = module.exports;
+var ASN1 = require('./asn1.js');
+var Enc = require('./encoding.js');
 
 x509.guess = function (der, asn1) {
   // accepting der for compatability with other usages
@@ -29,3 +30,64 @@ x509.guess = function (der, asn1) {
 
   return meta;
 };
+
+x509.parsePkcs1 = function parseRsaPkcs1(buf, asn1, jwk) {
+  if (!asn1.children.every(function(el) {
+    return 0x02 === el.type;
+  })) {
+    throw new Error("not an RSA PKCS#1 public or private key (not all ints)");
+  }
+
+  if (2 === asn1.children.length) {
+
+    jwk.n = Enc.bufToUrlBase64(asn1.children[0].value);
+    jwk.e = Enc.bufToUrlBase64(asn1.children[1].value);
+    return jwk;
+
+  } else if (asn1.children.length >= 9) {
+    // the standard allows for "otherPrimeInfos", hence at least 9
+
+    jwk.n = Enc.bufToUrlBase64(asn1.children[1].value);
+    jwk.e = Enc.bufToUrlBase64(asn1.children[2].value);
+    jwk.d = Enc.bufToUrlBase64(asn1.children[3].value);
+    jwk.p = Enc.bufToUrlBase64(asn1.children[4].value);
+    jwk.q = Enc.bufToUrlBase64(asn1.children[5].value);
+    jwk.dp = Enc.bufToUrlBase64(asn1.children[6].value);
+    jwk.dq = Enc.bufToUrlBase64(asn1.children[7].value);
+    jwk.qi = Enc.bufToUrlBase64(asn1.children[8].value);
+    return jwk;
+
+  } else {
+    throw new Error("not an RSA PKCS#1 public or private key (wrong number of ints)");
+  }
+};
+
+x509.parsePkcs8 = function parseRsaPkcs8(buf, asn1, jwk) {
+  if (2 === asn1.children.length
+    && 0x03 === asn1.children[1].type
+    && 0x30 === asn1.children[1].value[0]) {
+
+    asn1 = ASN1.parse(asn1.children[1].value);
+    jwk.n = Enc.bufToUrlBase64(asn1.children[0].value);
+    jwk.e = Enc.bufToUrlBase64(asn1.children[1].value);
+
+  } else if (3 === asn1.children.length
+    && 0x04 === asn1.children[2].type
+    && 0x30 === asn1.children[2].children[0].type
+    && 0x02 === asn1.children[2].children[0].children[0].type) {
+
+    asn1 = asn1.children[2].children[0];
+    jwk.n = Enc.bufToUrlBase64(asn1.children[1].value);
+    jwk.e = Enc.bufToUrlBase64(asn1.children[2].value);
+    jwk.d = Enc.bufToUrlBase64(asn1.children[3].value);
+    jwk.p = Enc.bufToUrlBase64(asn1.children[4].value);
+    jwk.q = Enc.bufToUrlBase64(asn1.children[5].value);
+    jwk.dp = Enc.bufToUrlBase64(asn1.children[6].value);
+    jwk.dq = Enc.bufToUrlBase64(asn1.children[7].value);
+    jwk.qi = Enc.bufToUrlBase64(asn1.children[8].value);
+
+  } else {
+    throw new Error("not an RSA PKCS#8 public or private key (wrong format)");
+  }
+  return jwk;
+};
diff --git a/test.sh b/test.sh
new file mode 100755
index 0000000..2aa051b
--- /dev/null
+++ b/test.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+node bin/rasha.js ./fixtures/privkey-rsa-2048.pkcs1.pem
+node bin/rasha.js ./fixtures/privkey-rsa-2048.pkcs8.pem
+node bin/rasha.js ./fixtures/pub-rsa-2048.pkcs1.pem
+node bin/rasha.js ./fixtures/pub-rsa-2048.spki.pem