cleanup (and JWK-to-PEM prep)

This commit is contained in:
AJ ONeal 2018-11-22 04:32:33 -07:00
parent 5ea00472c3
commit f798abf2a6
4 changed files with 136 additions and 71 deletions

View file

@ -5,7 +5,6 @@ var SSH = require('./ssh.js');
var PEM = require('./pem.js'); var PEM = require('./pem.js');
var x509 = require('./x509.js'); var x509 = require('./x509.js');
var ASN1 = require('./asn1.js'); var ASN1 = require('./asn1.js');
var Enc = require('./encoding.js');
/*global Promise*/ /*global Promise*/
RSA.parse = function parseRsa(opts) { RSA.parse = function parseRsa(opts) {
@ -26,17 +25,13 @@ RSA.parse = function parseRsa(opts) {
var meta = x509.guess(block.der, asn1); var meta = x509.guess(block.der, asn1);
if ('pkcs1' === meta.format) { if ('pkcs1' === meta.format) {
jwk = RSA.parsePkcs1(block.der, asn1, jwk); jwk = x509.parsePkcs1(block.der, asn1, jwk);
} else { } else {
jwk = RSA.parsePkcs8(block.der, asn1, jwk); jwk = x509.parsePkcs8(block.der, asn1, jwk);
} }
if (opts.public) { if (opts.public) {
jwk = { jwk = RSA.nueter(jwk);
kty: jwk.kty
, n: jwk.n
, e: jwk.e
};
} }
return jwk; return jwk;
}); });
@ -58,63 +53,65 @@ RSAPrivateKey ::= SEQUENCE {
} }
*/ */
RSA.parsePkcs1 = function parseRsaPkcs1(buf, asn1, jwk) { RSA.pack = function (opts) {
if (!asn1.children.every(function(el) { return Promise.resolve().then(function () {
return 0x02 === el.type; if (!opts || !opts.jwk || 'object' !== typeof opts.jwk) {
})) { throw new Error("must pass { jwk: jwk }");
throw new Error("not an RSA PKCS#1 public or private key (not all ints)");
} }
var jwk = JSON.parse(JSON.stringify(opts.jwk));
if (2 === asn1.children.length) { var format = opts.format;
var pub = opts.public;
jwk.n = Enc.bufToUrlBase64(asn1.children[0].value); if (pub || -1 !== [ 'spki', 'pkix', 'ssh', 'rfc4716' ].indexOf(format)) {
jwk.e = Enc.bufToUrlBase64(asn1.children[1].value); jwk = RSA.nueter(jwk);
return jwk; }
if ('RSA' !== jwk.kty) {
} else if (asn1.children.length >= 9) { throw new Error("options.jwk.kty must be 'RSA' for RSA keys");
// the standard allows for "otherPrimeInfos", hence at least 9 }
if (!jwk.p) {
jwk.n = Enc.bufToUrlBase64(asn1.children[1].value); // TODO test for n and e
jwk.e = Enc.bufToUrlBase64(asn1.children[2].value); pub = true;
jwk.d = Enc.bufToUrlBase64(asn1.children[3].value); if (!format || 'pkcs1' === format) {
jwk.p = Enc.bufToUrlBase64(asn1.children[4].value); format = 'pkcs1';
jwk.q = Enc.bufToUrlBase64(asn1.children[5].value); } else if (-1 !== [ 'spki', 'pkix' ].indexOf(format)) {
jwk.dp = Enc.bufToUrlBase64(asn1.children[6].value); format = 'spki';
jwk.dq = Enc.bufToUrlBase64(asn1.children[7].value); } else if (-1 !== [ 'ssh', 'rfc4716' ].indexOf(format)) {
jwk.qi = Enc.bufToUrlBase64(asn1.children[8].value); format = 'ssh';
return jwk;
} else { } else {
throw new Error("not an RSA PKCS#1 public or private key (wrong number of ints)"); throw new Error("options.format must be 'spki', 'pkcs1', or 'ssh' for public RSA keys, not ("
+ typeof format + ") " + format);
} }
} else {
// TODO test for all necessary keys (d, p, q ...)
if (!format || 'pkcs1' === format) {
format = 'pkcs1';
} else if ('pkcs8' !== format) {
throw new Error("options.format must be 'pkcs1' or 'pkcs8' for private RSA keys");
}
}
if ('pkcs1' === format) {
return PEM.packBlock({ type: "RSA PRIVATE KEY", bytes: x509.packPkcs1(jwk) });
} else if ('pkcs8' === format) {
return PEM.packBlock({ type: "PRIVATE KEY", bytes: x509.packPkcs8(jwk) });
} else if (-1 !== [ 'spki', 'pkix' ].indexOf(format)) {
return PEM.packBlock({ type: "PUBLIC KEY", bytes: x509.packSpki(jwk) });
} else if (-1 !== [ 'ssh', 'rfc4716' ].indexOf(format)) {
return SSH.packSsh(jwk);
} else {
throw new Error("Sanity Error: reached unreachable code block with format: " + format);
}
});
}; };
RSA.toPem = RSA.export = RSA.pack;
RSA.parsePkcs8 = function parseRsaPkcs8(buf, asn1, jwk) { // snip the _private_ parts... hAHAHAHA!
if (2 === asn1.children.length RSA.nueter = function (jwk) {
&& 0x03 === asn1.children[1].type // (snip rather than new object to keep potential extra data)
&& 0x30 === asn1.children[1].value[0]) { // otherwise we could just do this:
// return { kty: jwk.kty, n: jwk.n, e: jwk.e };
asn1 = ASN1.parse(asn1.children[1].value); [ 'p', 'q', 'd', 'dp', 'dq', 'qi' ].forEach(function (key) {
jwk.n = Enc.bufToUrlBase64(asn1.children[0].value); if (key in jwk) { jwk[key] = undefined; }
jwk.e = Enc.bufToUrlBase64(asn1.children[1].value); return jwk;
});
} else if (3 === asn1.children.length
&& 0x04 === asn1.children[2].type
&& 0x30 === asn1.children[2].children[0].type
&& 0x02 === asn1.children[2].children[0].children[0].type) {
asn1 = asn1.children[2].children[0];
jwk.n = Enc.bufToUrlBase64(asn1.children[1].value);
jwk.e = Enc.bufToUrlBase64(asn1.children[2].value);
jwk.d = Enc.bufToUrlBase64(asn1.children[3].value);
jwk.p = Enc.bufToUrlBase64(asn1.children[4].value);
jwk.q = Enc.bufToUrlBase64(asn1.children[5].value);
jwk.dp = Enc.bufToUrlBase64(asn1.children[6].value);
jwk.dq = Enc.bufToUrlBase64(asn1.children[7].value);
jwk.qi = Enc.bufToUrlBase64(asn1.children[8].value);
} else {
throw new Error("not an RSA PKCS#8 public or private key (wrong format)");
}
return jwk; return jwk;
}; };

View file

@ -1,7 +1,8 @@
'use strict'; 'use strict';
//var ASN1 = require('./asn1.js');
var x509 = module.exports; var x509 = module.exports;
var ASN1 = require('./asn1.js');
var Enc = require('./encoding.js');
x509.guess = function (der, asn1) { x509.guess = function (der, asn1) {
// accepting der for compatability with other usages // accepting der for compatability with other usages
@ -29,3 +30,64 @@ x509.guess = function (der, asn1) {
return meta; return meta;
}; };
x509.parsePkcs1 = function parseRsaPkcs1(buf, asn1, jwk) {
if (!asn1.children.every(function(el) {
return 0x02 === el.type;
})) {
throw new Error("not an RSA PKCS#1 public or private key (not all ints)");
}
if (2 === asn1.children.length) {
jwk.n = Enc.bufToUrlBase64(asn1.children[0].value);
jwk.e = Enc.bufToUrlBase64(asn1.children[1].value);
return jwk;
} else if (asn1.children.length >= 9) {
// the standard allows for "otherPrimeInfos", hence at least 9
jwk.n = Enc.bufToUrlBase64(asn1.children[1].value);
jwk.e = Enc.bufToUrlBase64(asn1.children[2].value);
jwk.d = Enc.bufToUrlBase64(asn1.children[3].value);
jwk.p = Enc.bufToUrlBase64(asn1.children[4].value);
jwk.q = Enc.bufToUrlBase64(asn1.children[5].value);
jwk.dp = Enc.bufToUrlBase64(asn1.children[6].value);
jwk.dq = Enc.bufToUrlBase64(asn1.children[7].value);
jwk.qi = Enc.bufToUrlBase64(asn1.children[8].value);
return jwk;
} else {
throw new Error("not an RSA PKCS#1 public or private key (wrong number of ints)");
}
};
x509.parsePkcs8 = function parseRsaPkcs8(buf, asn1, jwk) {
if (2 === asn1.children.length
&& 0x03 === asn1.children[1].type
&& 0x30 === asn1.children[1].value[0]) {
asn1 = ASN1.parse(asn1.children[1].value);
jwk.n = Enc.bufToUrlBase64(asn1.children[0].value);
jwk.e = Enc.bufToUrlBase64(asn1.children[1].value);
} else if (3 === asn1.children.length
&& 0x04 === asn1.children[2].type
&& 0x30 === asn1.children[2].children[0].type
&& 0x02 === asn1.children[2].children[0].children[0].type) {
asn1 = asn1.children[2].children[0];
jwk.n = Enc.bufToUrlBase64(asn1.children[1].value);
jwk.e = Enc.bufToUrlBase64(asn1.children[2].value);
jwk.d = Enc.bufToUrlBase64(asn1.children[3].value);
jwk.p = Enc.bufToUrlBase64(asn1.children[4].value);
jwk.q = Enc.bufToUrlBase64(asn1.children[5].value);
jwk.dp = Enc.bufToUrlBase64(asn1.children[6].value);
jwk.dq = Enc.bufToUrlBase64(asn1.children[7].value);
jwk.qi = Enc.bufToUrlBase64(asn1.children[8].value);
} else {
throw new Error("not an RSA PKCS#8 public or private key (wrong format)");
}
return jwk;
};

6
test.sh Executable file
View file

@ -0,0 +1,6 @@
#!/bin/bash
node bin/rasha.js ./fixtures/privkey-rsa-2048.pkcs1.pem
node bin/rasha.js ./fixtures/privkey-rsa-2048.pkcs8.pem
node bin/rasha.js ./fixtures/pub-rsa-2048.pkcs1.pem
node bin/rasha.js ./fixtures/pub-rsa-2048.spki.pem