cleanup (and JWK-to-PEM prep)
This commit is contained in:
parent
5ea00472c3
commit
f798abf2a6
4 changed files with 136 additions and 71 deletions
119
lib/rasha.js
119
lib/rasha.js
|
@ -5,7 +5,6 @@ var SSH = require('./ssh.js');
|
||||||
var PEM = require('./pem.js');
|
var PEM = require('./pem.js');
|
||||||
var x509 = require('./x509.js');
|
var x509 = require('./x509.js');
|
||||||
var ASN1 = require('./asn1.js');
|
var ASN1 = require('./asn1.js');
|
||||||
var Enc = require('./encoding.js');
|
|
||||||
|
|
||||||
/*global Promise*/
|
/*global Promise*/
|
||||||
RSA.parse = function parseRsa(opts) {
|
RSA.parse = function parseRsa(opts) {
|
||||||
|
@ -26,17 +25,13 @@ RSA.parse = function parseRsa(opts) {
|
||||||
var meta = x509.guess(block.der, asn1);
|
var meta = x509.guess(block.der, asn1);
|
||||||
|
|
||||||
if ('pkcs1' === meta.format) {
|
if ('pkcs1' === meta.format) {
|
||||||
jwk = RSA.parsePkcs1(block.der, asn1, jwk);
|
jwk = x509.parsePkcs1(block.der, asn1, jwk);
|
||||||
} else {
|
} else {
|
||||||
jwk = RSA.parsePkcs8(block.der, asn1, jwk);
|
jwk = x509.parsePkcs8(block.der, asn1, jwk);
|
||||||
}
|
}
|
||||||
|
|
||||||
if (opts.public) {
|
if (opts.public) {
|
||||||
jwk = {
|
jwk = RSA.nueter(jwk);
|
||||||
kty: jwk.kty
|
|
||||||
, n: jwk.n
|
|
||||||
, e: jwk.e
|
|
||||||
};
|
|
||||||
}
|
}
|
||||||
return jwk;
|
return jwk;
|
||||||
});
|
});
|
||||||
|
@ -58,63 +53,65 @@ RSAPrivateKey ::= SEQUENCE {
|
||||||
}
|
}
|
||||||
*/
|
*/
|
||||||
|
|
||||||
RSA.parsePkcs1 = function parseRsaPkcs1(buf, asn1, jwk) {
|
RSA.pack = function (opts) {
|
||||||
if (!asn1.children.every(function(el) {
|
return Promise.resolve().then(function () {
|
||||||
return 0x02 === el.type;
|
if (!opts || !opts.jwk || 'object' !== typeof opts.jwk) {
|
||||||
})) {
|
throw new Error("must pass { jwk: jwk }");
|
||||||
throw new Error("not an RSA PKCS#1 public or private key (not all ints)");
|
|
||||||
}
|
}
|
||||||
|
var jwk = JSON.parse(JSON.stringify(opts.jwk));
|
||||||
if (2 === asn1.children.length) {
|
var format = opts.format;
|
||||||
|
var pub = opts.public;
|
||||||
jwk.n = Enc.bufToUrlBase64(asn1.children[0].value);
|
if (pub || -1 !== [ 'spki', 'pkix', 'ssh', 'rfc4716' ].indexOf(format)) {
|
||||||
jwk.e = Enc.bufToUrlBase64(asn1.children[1].value);
|
jwk = RSA.nueter(jwk);
|
||||||
return jwk;
|
}
|
||||||
|
if ('RSA' !== jwk.kty) {
|
||||||
} else if (asn1.children.length >= 9) {
|
throw new Error("options.jwk.kty must be 'RSA' for RSA keys");
|
||||||
// the standard allows for "otherPrimeInfos", hence at least 9
|
}
|
||||||
|
if (!jwk.p) {
|
||||||
jwk.n = Enc.bufToUrlBase64(asn1.children[1].value);
|
// TODO test for n and e
|
||||||
jwk.e = Enc.bufToUrlBase64(asn1.children[2].value);
|
pub = true;
|
||||||
jwk.d = Enc.bufToUrlBase64(asn1.children[3].value);
|
if (!format || 'pkcs1' === format) {
|
||||||
jwk.p = Enc.bufToUrlBase64(asn1.children[4].value);
|
format = 'pkcs1';
|
||||||
jwk.q = Enc.bufToUrlBase64(asn1.children[5].value);
|
} else if (-1 !== [ 'spki', 'pkix' ].indexOf(format)) {
|
||||||
jwk.dp = Enc.bufToUrlBase64(asn1.children[6].value);
|
format = 'spki';
|
||||||
jwk.dq = Enc.bufToUrlBase64(asn1.children[7].value);
|
} else if (-1 !== [ 'ssh', 'rfc4716' ].indexOf(format)) {
|
||||||
jwk.qi = Enc.bufToUrlBase64(asn1.children[8].value);
|
format = 'ssh';
|
||||||
return jwk;
|
|
||||||
|
|
||||||
} else {
|
} else {
|
||||||
throw new Error("not an RSA PKCS#1 public or private key (wrong number of ints)");
|
throw new Error("options.format must be 'spki', 'pkcs1', or 'ssh' for public RSA keys, not ("
|
||||||
|
+ typeof format + ") " + format);
|
||||||
}
|
}
|
||||||
|
} else {
|
||||||
|
// TODO test for all necessary keys (d, p, q ...)
|
||||||
|
if (!format || 'pkcs1' === format) {
|
||||||
|
format = 'pkcs1';
|
||||||
|
} else if ('pkcs8' !== format) {
|
||||||
|
throw new Error("options.format must be 'pkcs1' or 'pkcs8' for private RSA keys");
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if ('pkcs1' === format) {
|
||||||
|
return PEM.packBlock({ type: "RSA PRIVATE KEY", bytes: x509.packPkcs1(jwk) });
|
||||||
|
} else if ('pkcs8' === format) {
|
||||||
|
return PEM.packBlock({ type: "PRIVATE KEY", bytes: x509.packPkcs8(jwk) });
|
||||||
|
} else if (-1 !== [ 'spki', 'pkix' ].indexOf(format)) {
|
||||||
|
return PEM.packBlock({ type: "PUBLIC KEY", bytes: x509.packSpki(jwk) });
|
||||||
|
} else if (-1 !== [ 'ssh', 'rfc4716' ].indexOf(format)) {
|
||||||
|
return SSH.packSsh(jwk);
|
||||||
|
} else {
|
||||||
|
throw new Error("Sanity Error: reached unreachable code block with format: " + format);
|
||||||
|
}
|
||||||
|
});
|
||||||
};
|
};
|
||||||
|
RSA.toPem = RSA.export = RSA.pack;
|
||||||
|
|
||||||
RSA.parsePkcs8 = function parseRsaPkcs8(buf, asn1, jwk) {
|
// snip the _private_ parts... hAHAHAHA!
|
||||||
if (2 === asn1.children.length
|
RSA.nueter = function (jwk) {
|
||||||
&& 0x03 === asn1.children[1].type
|
// (snip rather than new object to keep potential extra data)
|
||||||
&& 0x30 === asn1.children[1].value[0]) {
|
// otherwise we could just do this:
|
||||||
|
// return { kty: jwk.kty, n: jwk.n, e: jwk.e };
|
||||||
asn1 = ASN1.parse(asn1.children[1].value);
|
[ 'p', 'q', 'd', 'dp', 'dq', 'qi' ].forEach(function (key) {
|
||||||
jwk.n = Enc.bufToUrlBase64(asn1.children[0].value);
|
if (key in jwk) { jwk[key] = undefined; }
|
||||||
jwk.e = Enc.bufToUrlBase64(asn1.children[1].value);
|
return jwk;
|
||||||
|
});
|
||||||
} else if (3 === asn1.children.length
|
|
||||||
&& 0x04 === asn1.children[2].type
|
|
||||||
&& 0x30 === asn1.children[2].children[0].type
|
|
||||||
&& 0x02 === asn1.children[2].children[0].children[0].type) {
|
|
||||||
|
|
||||||
asn1 = asn1.children[2].children[0];
|
|
||||||
jwk.n = Enc.bufToUrlBase64(asn1.children[1].value);
|
|
||||||
jwk.e = Enc.bufToUrlBase64(asn1.children[2].value);
|
|
||||||
jwk.d = Enc.bufToUrlBase64(asn1.children[3].value);
|
|
||||||
jwk.p = Enc.bufToUrlBase64(asn1.children[4].value);
|
|
||||||
jwk.q = Enc.bufToUrlBase64(asn1.children[5].value);
|
|
||||||
jwk.dp = Enc.bufToUrlBase64(asn1.children[6].value);
|
|
||||||
jwk.dq = Enc.bufToUrlBase64(asn1.children[7].value);
|
|
||||||
jwk.qi = Enc.bufToUrlBase64(asn1.children[8].value);
|
|
||||||
|
|
||||||
} else {
|
|
||||||
throw new Error("not an RSA PKCS#8 public or private key (wrong format)");
|
|
||||||
}
|
|
||||||
return jwk;
|
return jwk;
|
||||||
};
|
};
|
||||||
|
|
64
lib/x509.js
64
lib/x509.js
|
@ -1,7 +1,8 @@
|
||||||
'use strict';
|
'use strict';
|
||||||
|
|
||||||
//var ASN1 = require('./asn1.js');
|
|
||||||
var x509 = module.exports;
|
var x509 = module.exports;
|
||||||
|
var ASN1 = require('./asn1.js');
|
||||||
|
var Enc = require('./encoding.js');
|
||||||
|
|
||||||
x509.guess = function (der, asn1) {
|
x509.guess = function (der, asn1) {
|
||||||
// accepting der for compatability with other usages
|
// accepting der for compatability with other usages
|
||||||
|
@ -29,3 +30,64 @@ x509.guess = function (der, asn1) {
|
||||||
|
|
||||||
return meta;
|
return meta;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
x509.parsePkcs1 = function parseRsaPkcs1(buf, asn1, jwk) {
|
||||||
|
if (!asn1.children.every(function(el) {
|
||||||
|
return 0x02 === el.type;
|
||||||
|
})) {
|
||||||
|
throw new Error("not an RSA PKCS#1 public or private key (not all ints)");
|
||||||
|
}
|
||||||
|
|
||||||
|
if (2 === asn1.children.length) {
|
||||||
|
|
||||||
|
jwk.n = Enc.bufToUrlBase64(asn1.children[0].value);
|
||||||
|
jwk.e = Enc.bufToUrlBase64(asn1.children[1].value);
|
||||||
|
return jwk;
|
||||||
|
|
||||||
|
} else if (asn1.children.length >= 9) {
|
||||||
|
// the standard allows for "otherPrimeInfos", hence at least 9
|
||||||
|
|
||||||
|
jwk.n = Enc.bufToUrlBase64(asn1.children[1].value);
|
||||||
|
jwk.e = Enc.bufToUrlBase64(asn1.children[2].value);
|
||||||
|
jwk.d = Enc.bufToUrlBase64(asn1.children[3].value);
|
||||||
|
jwk.p = Enc.bufToUrlBase64(asn1.children[4].value);
|
||||||
|
jwk.q = Enc.bufToUrlBase64(asn1.children[5].value);
|
||||||
|
jwk.dp = Enc.bufToUrlBase64(asn1.children[6].value);
|
||||||
|
jwk.dq = Enc.bufToUrlBase64(asn1.children[7].value);
|
||||||
|
jwk.qi = Enc.bufToUrlBase64(asn1.children[8].value);
|
||||||
|
return jwk;
|
||||||
|
|
||||||
|
} else {
|
||||||
|
throw new Error("not an RSA PKCS#1 public or private key (wrong number of ints)");
|
||||||
|
}
|
||||||
|
};
|
||||||
|
|
||||||
|
x509.parsePkcs8 = function parseRsaPkcs8(buf, asn1, jwk) {
|
||||||
|
if (2 === asn1.children.length
|
||||||
|
&& 0x03 === asn1.children[1].type
|
||||||
|
&& 0x30 === asn1.children[1].value[0]) {
|
||||||
|
|
||||||
|
asn1 = ASN1.parse(asn1.children[1].value);
|
||||||
|
jwk.n = Enc.bufToUrlBase64(asn1.children[0].value);
|
||||||
|
jwk.e = Enc.bufToUrlBase64(asn1.children[1].value);
|
||||||
|
|
||||||
|
} else if (3 === asn1.children.length
|
||||||
|
&& 0x04 === asn1.children[2].type
|
||||||
|
&& 0x30 === asn1.children[2].children[0].type
|
||||||
|
&& 0x02 === asn1.children[2].children[0].children[0].type) {
|
||||||
|
|
||||||
|
asn1 = asn1.children[2].children[0];
|
||||||
|
jwk.n = Enc.bufToUrlBase64(asn1.children[1].value);
|
||||||
|
jwk.e = Enc.bufToUrlBase64(asn1.children[2].value);
|
||||||
|
jwk.d = Enc.bufToUrlBase64(asn1.children[3].value);
|
||||||
|
jwk.p = Enc.bufToUrlBase64(asn1.children[4].value);
|
||||||
|
jwk.q = Enc.bufToUrlBase64(asn1.children[5].value);
|
||||||
|
jwk.dp = Enc.bufToUrlBase64(asn1.children[6].value);
|
||||||
|
jwk.dq = Enc.bufToUrlBase64(asn1.children[7].value);
|
||||||
|
jwk.qi = Enc.bufToUrlBase64(asn1.children[8].value);
|
||||||
|
|
||||||
|
} else {
|
||||||
|
throw new Error("not an RSA PKCS#8 public or private key (wrong format)");
|
||||||
|
}
|
||||||
|
return jwk;
|
||||||
|
};
|
||||||
|
|
6
test.sh
Executable file
6
test.sh
Executable file
|
@ -0,0 +1,6 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
node bin/rasha.js ./fixtures/privkey-rsa-2048.pkcs1.pem
|
||||||
|
node bin/rasha.js ./fixtures/privkey-rsa-2048.pkcs8.pem
|
||||||
|
node bin/rasha.js ./fixtures/pub-rsa-2048.pkcs1.pem
|
||||||
|
node bin/rasha.js ./fixtures/pub-rsa-2048.spki.pem
|
Loading…
Reference in a new issue