Compare commits
No commits in common. "master" and "v1.1.0" have entirely different histories.
91
README.md
91
README.md
@ -11,15 +11,13 @@ and [Rasha.js (RSA)](https://git.coolaj86.com/coolaj86/rasha.js/).
|
||||
* [x] Generate keypairs
|
||||
* [x] RSA
|
||||
* [x] ECDSA (P-256, P-384)
|
||||
* [x] PEM-to-JWK (and SSH-to-JWK)
|
||||
* [x] JWK-to-PEM (and JWK-to-SSH)
|
||||
* [x] PEM-to-JWK
|
||||
* [x] JWK-to-PEM
|
||||
* [x] Create JWTs (and sign JWS)
|
||||
* [x] SHA256 JWK Thumbprints
|
||||
* [ ] JWK fetching. See [Keyfetch.js](https://npmjs.com/packages/keyfetch/)
|
||||
* [ ] OIDC
|
||||
* [ ] Auth0
|
||||
* [ ] CLI
|
||||
* See [keypairs-cli](https://npmjs.com/packages/keypairs-cli/)
|
||||
|
||||
<!--
|
||||
|
||||
@ -29,49 +27,25 @@ and [Rasha.js (RSA)](https://git.coolaj86.com/coolaj86/rasha.js/).
|
||||
|
||||
# Usage
|
||||
|
||||
A brief introduction to the APIs:
|
||||
A brief (albeit somewhat nonsensical) introduction to the APIs:
|
||||
|
||||
```
|
||||
// generate a new keypair as jwk
|
||||
// (defaults to EC P-256 when no options are specified)
|
||||
Keypairs.generate().then(function (pair) {
|
||||
console.log(pair.private);
|
||||
console.log(pair.public);
|
||||
});
|
||||
```
|
||||
|
||||
```
|
||||
// JWK to PEM
|
||||
// (supports various 'format' and 'encoding' options)
|
||||
return Keypairs.export({ jwk: pair.private, format: 'pkcs8' }).then(function (pem) {
|
||||
console.log(pem);
|
||||
});
|
||||
```
|
||||
|
||||
```
|
||||
// PEM to JWK
|
||||
return Keypairs.import({ pem: pem }).then(function (jwk) {
|
||||
console.log(jwk);
|
||||
});
|
||||
```
|
||||
|
||||
```
|
||||
// Thumbprint a JWK (SHA256)
|
||||
return Keypairs.thumbprint({ jwk: jwk }).then(function (thumb) {
|
||||
console.log(thumb);
|
||||
});
|
||||
```
|
||||
|
||||
```
|
||||
// Sign a JWT (aka compact JWS)
|
||||
return Keypairs.signJwt({
|
||||
jwk: pair.private
|
||||
, iss: 'https://example.com'
|
||||
, exp: '1h'
|
||||
// optional claims
|
||||
, claims: {
|
||||
, sub: 'jon.doe@gmail.com'
|
||||
}
|
||||
return Keypairs.export({ jwk: pair.private }).then(function (pem) {
|
||||
return Keypairs.import({ pem: pem }).then(function (jwk) {
|
||||
return Keypairs.thumbprint({ jwk: jwk }).then(function (thumb) {
|
||||
console.log(thumb);
|
||||
return Keypairs.signJwt({
|
||||
jwk: keypair.private
|
||||
, claims: {
|
||||
iss: 'https://example.com'
|
||||
, sub: 'jon.doe@gmail.com'
|
||||
, exp: Math.round(Date.now()/1000) + (3 * 24 * 60 * 60)
|
||||
}
|
||||
});
|
||||
});
|
||||
});
|
||||
});
|
||||
});
|
||||
```
|
||||
|
||||
@ -80,9 +54,9 @@ _much_ longer than RSA has, and they're smaller, and faster to generate.
|
||||
|
||||
## API Overview
|
||||
|
||||
* generate (JWK)
|
||||
* parse (PEM)
|
||||
* parseOrGenerate (PEM to JWK)
|
||||
* generate
|
||||
* parse
|
||||
* parseOrGenerate
|
||||
* import (PEM-to-JWK)
|
||||
* export (JWK-to-PEM, private or public)
|
||||
* publish (Private JWK to Public JWK)
|
||||
@ -165,22 +139,9 @@ Options
|
||||
}
|
||||
```
|
||||
|
||||
#### Keypairs.publish({ jwk: jwk, exp: '3d', use: 'sig' })
|
||||
#### Keypairs.publish({ jwk: jwk })
|
||||
|
||||
Promises a public key that adheres to the OIDC and Auth0 spec (plus expiry), suitable to be published to a JWKs URL:
|
||||
|
||||
```
|
||||
{ "kty": "EC"
|
||||
, "crv": "P-256"
|
||||
, "x": "..."
|
||||
, "y": "..."
|
||||
, "kid": "..."
|
||||
, "use": "sig"
|
||||
, "exp": 1552074208
|
||||
}
|
||||
```
|
||||
|
||||
In particular this adds "use" and "exp".
|
||||
**Synchronously** strips a key of its private parts and returns the public version.
|
||||
|
||||
#### Keypairs.thumbprint({ jwk: jwk })
|
||||
|
||||
@ -192,17 +153,11 @@ Returns a JWT (otherwise known as a protected JWS in "compressed" format).
|
||||
|
||||
```js
|
||||
{ jwk: jwk
|
||||
// required claims
|
||||
, iss: 'https://example.com'
|
||||
, exp: '15m'
|
||||
// all optional claims
|
||||
, claims: {
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
Exp may be human readable duration (i.e. 1h, 15m, 30s) or a datetime in seconds.
|
||||
|
||||
Header defaults:
|
||||
|
||||
```js
|
||||
|
||||
@ -1,12 +0,0 @@
|
||||
#!/usr/bin/env node
|
||||
'use strict';
|
||||
|
||||
var cmd = "npm install --global keypairs-cli";
|
||||
console.error(cmd);
|
||||
require('child_process').exec(cmd, function (err) {
|
||||
if (err) {
|
||||
console.error(err);
|
||||
return;
|
||||
}
|
||||
console.info("Run 'keypairs help' to see what you can do!");
|
||||
});
|
||||
200
keypairs.js
200
keypairs.js
@ -10,19 +10,10 @@ var Keypairs = module.exports;
|
||||
Keypairs.generate = function (opts) {
|
||||
opts = opts || {};
|
||||
var kty = opts.kty || opts.type;
|
||||
var p;
|
||||
if ('RSA' === kty) {
|
||||
p = Rasha.generate(opts);
|
||||
} else {
|
||||
p = Eckles.generate(opts);
|
||||
return Rasha.generate(opts);
|
||||
}
|
||||
return p.then(function (pair) {
|
||||
return Keypairs.thumbprint({ jwk: pair.public }).then(function (thumb) {
|
||||
pair.private.kid = thumb; // maybe not the same id on the private key?
|
||||
pair.public.kid = thumb;
|
||||
return pair;
|
||||
});
|
||||
});
|
||||
return Eckles.generate(opts);
|
||||
};
|
||||
|
||||
Keypairs.parse = function (opts) {
|
||||
@ -33,26 +24,22 @@ Keypairs.parse = function (opts) {
|
||||
var pem;
|
||||
var p;
|
||||
|
||||
if (!opts.key || !opts.key.kty) {
|
||||
try {
|
||||
jwk = JSON.parse(opts.key);
|
||||
p = Keypairs.export({ jwk: jwk }).catch(function (e) {
|
||||
pem = opts.key;
|
||||
err = new Error("Not a valid jwk '" + JSON.stringify(jwk) + "':" + e.message);
|
||||
err.code = "EINVALID";
|
||||
return Promise.reject(err);
|
||||
}).then(function () {
|
||||
return jwk;
|
||||
});
|
||||
} catch(e) {
|
||||
p = Keypairs.import({ pem: opts.key }).catch(function (e) {
|
||||
err = new Error("Could not parse key (type " + typeof opts.key + ") '" + opts.key + "': " + e.message);
|
||||
err.code = "EPARSE";
|
||||
return Promise.reject(err);
|
||||
});
|
||||
}
|
||||
} else {
|
||||
p = Promise.resolve(opts.key);
|
||||
try {
|
||||
jwk = JSON.parse(opts.key);
|
||||
p = Keypairs.export({ jwk: jwk }).catch(function (e) {
|
||||
pem = opts.key;
|
||||
err = new Error("Not a valid jwk '" + JSON.stringify(jwk) + "':" + e.message);
|
||||
err.code = "EINVALID";
|
||||
return Promise.reject(err);
|
||||
}).then(function () {
|
||||
return jwk;
|
||||
});
|
||||
} catch(e) {
|
||||
p = Keypairs.import({ pem: opts.key }).catch(function (e) {
|
||||
err = new Error("Could not parse key (type " + typeof opts.key + ") '" + opts.key + "': " + e.message);
|
||||
err.code = "EPARSE";
|
||||
return Promise.reject(err);
|
||||
});
|
||||
}
|
||||
|
||||
return p.then(function (jwk) {
|
||||
@ -87,11 +74,6 @@ Keypairs.parseOrGenerate = function (opts) {
|
||||
Keypairs.import = function (opts) {
|
||||
return Eckles.import(opts).catch(function () {
|
||||
return Rasha.import(opts);
|
||||
}).then(function (jwk) {
|
||||
return Keypairs.thumbprint({ jwk: jwk }).then(function (thumb) {
|
||||
jwk.kid = thumb;
|
||||
return jwk;
|
||||
});
|
||||
});
|
||||
};
|
||||
|
||||
@ -105,32 +87,20 @@ Keypairs.export = function (opts) {
|
||||
});
|
||||
};
|
||||
|
||||
// Chopping off the private parts is now part of the public API.
|
||||
// I thought it sounded a little too crude at first, but it really is the best name in every possible way.
|
||||
Keypairs.neuter = Keypairs._neuter = function (opts) {
|
||||
Keypairs.publish = function (opts) {
|
||||
if ('object' !== typeof opts.jwk || !opts.jwk.kty) { throw new Error("invalid jwk: " + JSON.stringify(opts.jwk)); }
|
||||
|
||||
// trying to find the best balance of an immutable copy with custom attributes
|
||||
var jwk = {};
|
||||
Object.keys(opts.jwk).forEach(function (k) {
|
||||
if ('undefined' === typeof opts.jwk[k]) { return; }
|
||||
// ignore RSA and EC private parts
|
||||
if (-1 !== ['d', 'p', 'q', 'dp', 'dq', 'qi'].indexOf(k)) { return; }
|
||||
jwk[k] = JSON.parse(JSON.stringify(opts.jwk[k]));
|
||||
});
|
||||
return jwk;
|
||||
};
|
||||
|
||||
Keypairs.publish = function (opts) {
|
||||
if ('object' !== typeof opts.jwk || !opts.jwk.kty) { throw new Error("invalid jwk: " + JSON.stringify(opts.jwk)); }
|
||||
|
||||
// returns a copy
|
||||
var jwk = Keypairs.neuter(opts);
|
||||
|
||||
if (jwk.exp) {
|
||||
jwk.exp = setTime(jwk.exp);
|
||||
} else {
|
||||
if (opts.exp) { jwk.exp = setTime(opts.exp); }
|
||||
else if (opts.expiresIn) { jwk.exp = Math.round(Date.now()/1000) + opts.expiresIn; }
|
||||
else if (opts.expiresAt) { jwk.exp = opts.expiresAt; }
|
||||
if (!jwk.exp) {
|
||||
if (opts.expiresIn) { jwk.exp = Math.round(Date.now()/1000) + opts.expiresIn; }
|
||||
else { jwk.exp = opts.expiresAt; }
|
||||
}
|
||||
if (!jwk.use && false !== jwk.use) { jwk.use = "sig"; }
|
||||
|
||||
@ -154,25 +124,20 @@ Keypairs.signJwt = function (opts) {
|
||||
var header = opts.header || {};
|
||||
var claims = JSON.parse(JSON.stringify(opts.claims || {}));
|
||||
header.typ = 'JWT';
|
||||
|
||||
if (!header.kid) { header.kid = thumb; }
|
||||
if (!header.alg && opts.alg) { header.alg = opts.alg; }
|
||||
if (!claims.iat && (false === claims.iat || false === opts.iat)) {
|
||||
if (!header.kid) {
|
||||
header.kid = thumb;
|
||||
}
|
||||
if (false === claims.iat) {
|
||||
claims.iat = undefined;
|
||||
} else if (!claims.iat) {
|
||||
claims.iat = Math.round(Date.now()/1000);
|
||||
}
|
||||
|
||||
if (opts.exp) {
|
||||
claims.exp = setTime(opts.exp);
|
||||
} else if (!claims.exp && (false === claims.exp || false === opts.exp)) {
|
||||
if (false === claims.exp) {
|
||||
claims.exp = undefined;
|
||||
} else if (!claims.exp) {
|
||||
throw new Error("opts.claims.exp should be the expiration date as seconds, human form (i.e. '1h' or '15m') or false");
|
||||
throw new Error("opts.claims.exp should be the expiration date (as seconds since the Unix epoch) or false");
|
||||
}
|
||||
|
||||
if (opts.iss) { claims.iss = opts.iss; }
|
||||
if (!claims.iss && (false === claims.iss || false === opts.iss)) {
|
||||
if (false === claims.iss) {
|
||||
claims.iss = undefined;
|
||||
} else if (!claims.iss) {
|
||||
throw new Error("opts.claims.iss should be in the form of https://example.com/, a secure OIDC base url");
|
||||
@ -197,7 +162,7 @@ Keypairs.signJws = function (opts) {
|
||||
if (!opts.jwk) {
|
||||
throw new Error("opts.jwk must exist and must declare 'typ'");
|
||||
}
|
||||
return ('RSA' === opts.jwk.kty) ? "RS256" : "ES256";
|
||||
return ('RSA' === opts.jwk.typ) ? "RS256" : "ES256";
|
||||
}
|
||||
|
||||
function sign(pem) {
|
||||
@ -229,21 +194,13 @@ Keypairs.signJws = function (opts) {
|
||||
}
|
||||
|
||||
// node specifies RSA-SHAxxx even whet it's actually ecdsa (it's all encoded x509 shasums anyway)
|
||||
var nodeAlg = "SHA" + (((protect||header).alg||'').replace(/^[^\d]+/, '')||'256');
|
||||
var nodeAlg = "RSA-SHA" + (((protect||header).alg||'').replace(/^[^\d]+/, '')||'256');
|
||||
var protected64 = Enc.strToUrlBase64(protectedHeader);
|
||||
var payload64 = Enc.bufToUrlBase64(payload);
|
||||
var binsig = require('crypto')
|
||||
var sig = require('crypto')
|
||||
.createSign(nodeAlg)
|
||||
.update(protect ? (protected64 + "." + payload64) : payload64)
|
||||
.sign(pem)
|
||||
;
|
||||
if ('EC' === opts.jwk.kty) {
|
||||
// ECDSA JWT signatures differ from "normal" ECDSA signatures
|
||||
// https://tools.ietf.org/html/rfc7518#section-3.4
|
||||
binsig = ecdsaAsn1SigToJoseSig(binsig);
|
||||
}
|
||||
|
||||
var sig = binsig.toString('base64')
|
||||
.sign(pem, 'base64')
|
||||
.replace(/\+/g, '-')
|
||||
.replace(/\//g, '_')
|
||||
.replace(/=/g, '')
|
||||
@ -257,41 +214,6 @@ Keypairs.signJws = function (opts) {
|
||||
};
|
||||
}
|
||||
|
||||
function ecdsaAsn1SigToJoseSig(binsig) {
|
||||
// should have asn1 sequence header of 0x30
|
||||
if (0x30 !== binsig[0]) { throw new Error("Impossible EC SHA head marker"); }
|
||||
var index = 2; // first ecdsa "R" header byte
|
||||
var len = binsig[1];
|
||||
var lenlen = 0;
|
||||
// Seek length of length if length is greater than 127 (i.e. two 512-bit / 64-byte R and S values)
|
||||
if (0x80 & len) {
|
||||
lenlen = len - 0x80; // should be exactly 1
|
||||
len = binsig[2]; // should be <= 130 (two 64-bit SHA-512s, plus padding)
|
||||
index += lenlen;
|
||||
}
|
||||
// should be of BigInt type
|
||||
if (0x02 !== binsig[index]) { throw new Error("Impossible EC SHA R marker"); }
|
||||
index += 1;
|
||||
|
||||
var rlen = binsig[index];
|
||||
var bits = 32;
|
||||
if (rlen > 49) {
|
||||
bits = 64;
|
||||
} else if (rlen > 33) {
|
||||
bits = 48;
|
||||
}
|
||||
var r = binsig.slice(index + 1, index + 1 + rlen).toString('hex');
|
||||
var slen = binsig[index + 1 + rlen + 1]; // skip header and read length
|
||||
var s = binsig.slice(index + 1 + rlen + 1 + 1).toString('hex');
|
||||
if (2 *slen !== s.length) { throw new Error("Impossible EC SHA S length"); }
|
||||
// There may be one byte of padding on either
|
||||
while (r.length < 2*bits) { r = '00' + r; }
|
||||
while (s.length < 2*bits) { s = '00' + s; }
|
||||
if (2*(bits+1) === r.length) { r = r.slice(2); }
|
||||
if (2*(bits+1) === s.length) { s = s.slice(2); }
|
||||
return Buffer.concat([Buffer.from(r, 'hex'), Buffer.from(s, 'hex')]);
|
||||
}
|
||||
|
||||
if (opts.pem && opts.jwk) {
|
||||
return sign(opts.pem);
|
||||
} else {
|
||||
@ -300,36 +222,6 @@ Keypairs.signJws = function (opts) {
|
||||
});
|
||||
};
|
||||
|
||||
function setTime(time) {
|
||||
if ('number' === typeof time) { return time; }
|
||||
|
||||
var t = time.match(/^(\-?\d+)([dhms])$/i);
|
||||
if (!t || !t[0]) {
|
||||
throw new Error("'" + time + "' should be datetime in seconds or human-readable format (i.e. 3d, 1h, 15m, 30s");
|
||||
}
|
||||
|
||||
var now = Math.round(Date.now()/1000);
|
||||
var num = parseInt(t[1], 10);
|
||||
var unit = t[2];
|
||||
var mult = 1;
|
||||
switch(unit) {
|
||||
// fancy fallthrough, what fun!
|
||||
case 'd':
|
||||
mult *= 24;
|
||||
/*falls through*/
|
||||
case 'h':
|
||||
mult *= 60;
|
||||
/*falls through*/
|
||||
case 'm':
|
||||
mult *= 60;
|
||||
/*falls through*/
|
||||
case 's':
|
||||
mult *= 1;
|
||||
}
|
||||
|
||||
return now + (mult * num);
|
||||
}
|
||||
|
||||
Enc.strToUrlBase64 = function (str) {
|
||||
// node automatically can tell the difference
|
||||
// between uc2 (utf-8) strings and binary strings
|
||||
@ -342,25 +234,3 @@ Enc.bufToUrlBase64 = function (buf) {
|
||||
return Buffer.from(buf).toString('base64')
|
||||
.replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
|
||||
};
|
||||
|
||||
// For 'rsa-compat' module only
|
||||
// PLEASE do not use these sync methods, they are deprecated
|
||||
Keypairs._importSync = function (opts) {
|
||||
try {
|
||||
return Eckles.importSync(opts);
|
||||
} catch(e) {
|
||||
try {
|
||||
return Rasha.importSync(opts);
|
||||
} catch(e) {
|
||||
console.error("options.pem does not appear to be a valid RSA or ECDSA public or private key");
|
||||
}
|
||||
}
|
||||
};
|
||||
// PLEASE do not use these, they are deprecated
|
||||
Keypairs._exportSync = function (opts) {
|
||||
if ('RSA' === opts.jwk.kty) {
|
||||
return Rasha.exportSync(opts);
|
||||
} else {
|
||||
return Eckles.exportSync(opts);
|
||||
}
|
||||
};
|
||||
|
||||
2
package-lock.json
generated
2
package-lock.json
generated
@ -1,6 +1,6 @@
|
||||
{
|
||||
"name": "keypairs",
|
||||
"version": "1.2.0",
|
||||
"version": "1.1.0",
|
||||
"lockfileVersion": 1,
|
||||
"requires": true,
|
||||
"dependencies": {
|
||||
|
||||
17
package.json
17
package.json
@ -1,17 +1,12 @@
|
||||
{
|
||||
"name": "keypairs",
|
||||
"version": "1.2.14",
|
||||
"description": "Lightweight RSA/ECDSA keypair generation and JWK <-> PEM using node's native RSA and ECDSA support",
|
||||
"version": "1.1.0",
|
||||
"description": "Lightweight RSA/ECDSA keypair generation and JWK <-> PEM",
|
||||
"main": "keypairs.js",
|
||||
"files": [
|
||||
"bin/keypairs.js"
|
||||
],
|
||||
"files": [],
|
||||
"scripts": {
|
||||
"test": "node test.js"
|
||||
},
|
||||
"bin": {
|
||||
"keypairs-install": "bin/keypairs.js"
|
||||
},
|
||||
"repository": {
|
||||
"type": "git",
|
||||
"url": "https://git.coolaj86.com/coolaj86/keypairs.js"
|
||||
@ -21,11 +16,7 @@
|
||||
"RSA",
|
||||
"ECDSA",
|
||||
"PEM",
|
||||
"JWK",
|
||||
"keypair",
|
||||
"crypto",
|
||||
"sign",
|
||||
"verify"
|
||||
"JWK"
|
||||
],
|
||||
"author": "AJ ONeal <coolaj86@gmail.com> (https://coolaj86.com/)",
|
||||
"license": "MPL-2.0",
|
||||
|
||||
15
test.js
15
test.js
@ -1,7 +1,6 @@
|
||||
var Keypairs = require('./');
|
||||
|
||||
/* global Promise*/
|
||||
console.info("This SHOULD result in an error message:");
|
||||
Keypairs.parseOrGenerate({ key: '' }).then(function (pair) {
|
||||
// should NOT have any warning output
|
||||
if (!pair.private || !pair.public) {
|
||||
@ -91,20 +90,6 @@ Keypairs.parseOrGenerate({ key: '' }).then(function (pair) {
|
||||
if ('NOERR' === e.code) { throw e; }
|
||||
return true;
|
||||
})
|
||||
, Keypairs.signJwt({ jwk: pair.private, alg: 'ES512', iss: 'https://example.com/', exp: '1h' }).then(function (jwt) {
|
||||
var parts = jwt.split('.');
|
||||
var now = Math.round(Date.now()/1000);
|
||||
var token = {
|
||||
header: JSON.parse(Buffer.from(parts[0], 'base64'))
|
||||
, payload: JSON.parse(Buffer.from(parts[1], 'base64'))
|
||||
, signature: parts[2] //Buffer.from(parts[2], 'base64')
|
||||
};
|
||||
// allow some leeway just in case we happen to hit a 1ms boundary
|
||||
if (token.payload.exp - now > 60 * 59.99) {
|
||||
return true;
|
||||
}
|
||||
throw new Error("token was not properly generated");
|
||||
})
|
||||
]).then(function (results) {
|
||||
if (results.length && results.every(function (v) { return true === v; })) {
|
||||
console.info("If a warning prints right above this, it's a pass");
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user