AlexK/proxy-oidc
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
proxy-oidc/node_modules/jose/dist/webapi/lib/asn1.js
Alexandre KIENTZ 7071452e66 first commit
2025-12-03 20:54:35 +01:00

244 lines
8.5 KiB
JavaScript
Raw Blame History

import { invalidKeyInput } from './invalid_key_input.js';
import { encodeBase64, decodeBase64 } from '../lib/base64.js';
import { JOSENotSupported } from '../util/errors.js';
import { isCryptoKey, isKeyObject } from './is_key_like.js';
const formatPEM = (b64, descriptor) => {
const newlined = (b64.match(/.{1,64}/g) || []).join('\n');
return `-----BEGIN ${descriptor}-----\n${newlined}\n-----END ${descriptor}-----`;
};
const genericExport = async (keyType, keyFormat, key) => {
if (isKeyObject(key)) {
if (key.type !== keyType) {
throw new TypeError(`key is not a ${keyType} key`);
}
return key.export({ format: 'pem', type: keyFormat });
}
if (!isCryptoKey(key)) {
throw new TypeError(invalidKeyInput(key, 'CryptoKey', 'KeyObject'));
}
if (!key.extractable) {
throw new TypeError('CryptoKey is not extractable');
}
if (key.type !== keyType) {
throw new TypeError(`key is not a ${keyType} key`);
}
return formatPEM(encodeBase64(new Uint8Array(await crypto.subtle.exportKey(keyFormat, key))), `${keyType.toUpperCase()} KEY`);
};
export const toSPKI = (key) => genericExport('public', 'spki', key);
export const toPKCS8 = (key) => genericExport('private', 'pkcs8', key);
const bytesEqual = (a, b) => {
if (a.byteLength !== b.length)
return false;
for (let i = 0; i < a.byteLength; i++) {
if (a[i] !== b[i])
return false;
}
return true;
};
const createASN1State = (data) => ({ data, pos: 0 });
const parseLength = (state) => {
const first = state.data[state.pos++];
if (first & 0x80) {
const lengthOfLen = first & 0x7f;
let length = 0;
for (let i = 0; i < lengthOfLen; i++) {
length = (length << 8) | state.data[state.pos++];
}
return length;
}
return first;
};
const skipElement = (state, count = 1) => {
if (count <= 0)
return;
state.pos++;
const length = parseLength(state);
state.pos += length;
if (count > 1) {
skipElement(state, count - 1);
}
};
const expectTag = (state, expectedTag, errorMessage) => {
if (state.data[state.pos++] !== expectedTag) {
throw new Error(errorMessage);
}
};
const getSubarray = (state, length) => {
const result = state.data.subarray(state.pos, state.pos + length);
state.pos += length;
return result;
};
const parseAlgorithmOID = (state) => {
expectTag(state, 0x06, 'Expected algorithm OID');
const oidLen = parseLength(state);
return getSubarray(state, oidLen);
};
function parsePKCS8Header(state) {
expectTag(state, 0x30, 'Invalid PKCS#8 structure');
parseLength(state);
expectTag(state, 0x02, 'Expected version field');
const verLen = parseLength(state);
state.pos += verLen;
expectTag(state, 0x30, 'Expected algorithm identifier');
const algIdLen = parseLength(state);
const algIdStart = state.pos;
return { algIdStart, algIdLength: algIdLen };
}
function parseSPKIHeader(state) {
expectTag(state, 0x30, 'Invalid SPKI structure');
parseLength(state);
expectTag(state, 0x30, 'Expected algorithm identifier');
const algIdLen = parseLength(state);
const algIdStart = state.pos;
return { algIdStart, algIdLength: algIdLen };
}
const parseECAlgorithmIdentifier = (state) => {
const algOid = parseAlgorithmOID(state);
if (bytesEqual(algOid, [0x2b, 0x65, 0x6e])) {
return 'X25519';
}
if (!bytesEqual(algOid, [0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01])) {
throw new Error('Unsupported key algorithm');
}
expectTag(state, 0x06, 'Expected curve OID');
const curveOidLen = parseLength(state);
const curveOid = getSubarray(state, curveOidLen);
for (const { name, oid } of [
{ name: 'P-256', oid: [0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07] },
{ name: 'P-384', oid: [0x2b, 0x81, 0x04, 0x00, 0x22] },
{ name: 'P-521', oid: [0x2b, 0x81, 0x04, 0x00, 0x23] },
]) {
if (bytesEqual(curveOid, oid)) {
return name;
}
}
throw new Error('Unsupported named curve');
};
const genericImport = async (keyFormat, keyData, alg, options) => {
let algorithm;
let keyUsages;
const isPublic = keyFormat === 'spki';
const getSigUsages = () => (isPublic ? ['verify'] : ['sign']);
const getEncUsages = () => isPublic ? ['encrypt', 'wrapKey'] : ['decrypt', 'unwrapKey'];
switch (alg) {
case 'PS256':
case 'PS384':
case 'PS512':
algorithm = { name: 'RSA-PSS', hash: `SHA-${alg.slice(-3)}` };
keyUsages = getSigUsages();
break;
case 'RS256':
case 'RS384':
case 'RS512':
algorithm = { name: 'RSASSA-PKCS1-v1_5', hash: `SHA-${alg.slice(-3)}` };
keyUsages = getSigUsages();
break;
case 'RSA-OAEP':
case 'RSA-OAEP-256':
case 'RSA-OAEP-384':
case 'RSA-OAEP-512':
algorithm = {
name: 'RSA-OAEP',
hash: `SHA-${parseInt(alg.slice(-3), 10) || 1}`,
};
keyUsages = getEncUsages();
break;
case 'ES256':
case 'ES384':
case 'ES512': {
const curveMap = { ES256: 'P-256', ES384: 'P-384', ES512: 'P-521' };
algorithm = { name: 'ECDSA', namedCurve: curveMap[alg] };
keyUsages = getSigUsages();
break;
}
case 'ECDH-ES':
case 'ECDH-ES+A128KW':
case 'ECDH-ES+A192KW':
case 'ECDH-ES+A256KW': {
try {
const namedCurve = options.getNamedCurve(keyData);
algorithm = namedCurve === 'X25519' ? { name: 'X25519' } : { name: 'ECDH', namedCurve };
}
catch (cause) {
throw new JOSENotSupported('Invalid or unsupported key format');
}
keyUsages = isPublic ? [] : ['deriveBits'];
break;
}
case 'Ed25519':
case 'EdDSA':
algorithm = { name: 'Ed25519' };
keyUsages = getSigUsages();
break;
case 'ML-DSA-44':
case 'ML-DSA-65':
case 'ML-DSA-87':
algorithm = { name: alg };
keyUsages = getSigUsages();
break;
default:
throw new JOSENotSupported('Invalid or unsupported "alg" (Algorithm) value');
}
return crypto.subtle.importKey(keyFormat, keyData, algorithm, options?.extractable ?? (isPublic ? true : false), keyUsages);
};
const processPEMData = (pem, pattern) => {
return decodeBase64(pem.replace(pattern, ''));
};
export const fromPKCS8 = (pem, alg, options) => {
const keyData = processPEMData(pem, /(?:-----(?:BEGIN|END) PRIVATE KEY-----|\s)/g);
let opts = options;
if (alg?.startsWith?.('ECDH-ES')) {
opts ||= {};
opts.getNamedCurve = (keyData) => {
const state = createASN1State(keyData);
parsePKCS8Header(state);
return parseECAlgorithmIdentifier(state);
};
}
return genericImport('pkcs8', keyData, alg, opts);
};
export const fromSPKI = (pem, alg, options) => {
const keyData = processPEMData(pem, /(?:-----(?:BEGIN|END) PUBLIC KEY-----|\s)/g);
let opts = options;
if (alg?.startsWith?.('ECDH-ES')) {
opts ||= {};
opts.getNamedCurve = (keyData) => {
const state = createASN1State(keyData);
parseSPKIHeader(state);
return parseECAlgorithmIdentifier(state);
};
}
return genericImport('spki', keyData, alg, opts);
};
function spkiFromX509(buf) {
const state = createASN1State(buf);
expectTag(state, 0x30, 'Invalid certificate structure');
parseLength(state);
expectTag(state, 0x30, 'Invalid tbsCertificate structure');
parseLength(state);
if (buf[state.pos] === 0xa0) {
skipElement(state, 6);
}
else {
skipElement(state, 5);
}
const spkiStart = state.pos;
expectTag(state, 0x30, 'Invalid SPKI structure');
const spkiContentLen = parseLength(state);
return buf.subarray(spkiStart, spkiStart + spkiContentLen + (state.pos - spkiStart));
}
function extractX509SPKI(x509) {
const derBytes = processPEMData(x509, /(?:-----(?:BEGIN|END) CERTIFICATE-----|\s)/g);
return spkiFromX509(derBytes);
}
export const fromX509 = (pem, alg, options) => {
let spki;
try {
spki = extractX509SPKI(pem);
}
catch (cause) {
throw new TypeError('Failed to parse the X.509 certificate', { cause });
}
return fromSPKI(formatPEM(encodeBase64(spki), 'PUBLIC KEY'), alg, options);
};
Reference in New Issue View Git Blame Copy Permalink