eccrypto/browser.js

/**
 * Browser eccrypto implementation.
 */

"use strict";

var EC = require("elliptic").ec;

var ec = new EC("secp256k1");
var cryptoObj = global.crypto || global.msCrypto || {};
var subtle = cryptoObj.subtle || cryptoObj.webkitSubtle;

function assert(condition, message) {
  if (!condition) {
    throw new Error(message || "Assertion failed");
  }
}

function randomBytes(size) {
  var arr = new Uint8Array(size);
  cryptoObj.getRandomValues(arr);
  return new Buffer(arr);
}

function sha512(msg) {
  return subtle.digest({name: "SHA-512"}, msg).then(function(hash) {
    return new Buffer(new Uint8Array(hash));
  });
}

function getAes(op) {
  return function(iv, key, data) {
    var importAlgorithm = {name: "AES-CBC"};
    var keyp = subtle.importKey("raw", key, importAlgorithm, false, [op]);
    return keyp.then(function(cryptoKey) {
      var encAlgorithm = {name: "AES-CBC", iv: iv};
      return subtle[op](encAlgorithm, cryptoKey, data);
    }).then(function(result) {
      return new Buffer(new Uint8Array(result));
    });
  };
}

var aesCbcEncrypt = getAes("encrypt");
var aesCbcDecrypt = getAes("decrypt");

function hmacSha256Sign(key, msg) {
  var algorithm = {name: "HMAC", hash: {name: "SHA-256"}};
  var keyp = subtle.importKey("raw", key, algorithm, false, ["sign"]);
  return keyp.then(function(cryptoKey) {
    return subtle.sign(algorithm, cryptoKey, msg);
  }).then(function(sig) {
    return new Buffer(new Uint8Array(sig));
  });
}

function hmacSha256Verify(key, msg, sig) {
  var algorithm = {name: "HMAC", hash: {name: "SHA-256"}};
  var keyp = subtle.importKey("raw", key, algorithm, false, ["verify"]);
  return keyp.then(function(cryptoKey) {
    return subtle.verify(algorithm, cryptoKey, sig, msg);
  });
}

var getPublic = exports.getPublic = function(privateKey) {
  // This function has sync API so we throw an error immediately.
  assert(privateKey.length === 32, "Bad private key");
  // XXX(Kagami): `elliptic.utils.encode` returns array for every
  // encoding except `hex`.
  return new Buffer(ec.keyFromPrivate(privateKey).getPublic("arr"));
};

// NOTE(Kagami): We don't use promise shim in Browser implementation
// because it's supported natively in new browsers (see
// <http://caniuse.com/#feat=promises>) and we can use only new browsers
// because of the WebCryptoAPI (see
// <http://caniuse.com/#feat=cryptography>).
exports.sign = function(privateKey, msg) {
  return new Promise(function(resolve) {
    assert(privateKey.length === 32, "Bad private key");
    assert(msg.length > 0, "Message should not be empty");
    assert(msg.length <= 32, "Message is too long");
    resolve(new Buffer(ec.sign(msg, privateKey, {canonical: true}).toDER()));
  });
};

exports.verify = function(publicKey, msg, sig) {
  return new Promise(function(resolve, reject) {
    assert(publicKey.length === 65, "Bad public key");
    assert(publicKey[0] === 4, "Bad public key");
    assert(msg.length > 0, "Message should not be empty");
    assert(msg.length <= 32, "Message is too long");
    if (ec.verify(msg, sig, publicKey)) {
      resolve(null);
    } else {
      reject(new Error("Bad signature"));
    }
  });
};

var derive = exports.derive = function(privateKeyA, publicKeyB) {
  return new Promise(function(resolve) {
    assert(Buffer.isBuffer(privateKeyA), "Bad input");
    assert(Buffer.isBuffer(publicKeyB), "Bad input");
    assert(privateKeyA.length === 32, "Bad private key");
    assert(publicKeyB.length === 65, "Bad public key");
    assert(publicKeyB[0] === 4, "Bad public key");
    var keyA = ec.keyFromPrivate(privateKeyA);
    var keyB = ec.keyFromPublic(publicKeyB);
    var Px = keyA.derive(keyB.getPublic());  // BN instance
    resolve(new Buffer(Px.toArray()));
  });
};

exports.encrypt = function(publicKeyTo, msg, opts) {
  assert(subtle, "WebCryptoAPI is not available");
  opts = opts || {};
  // Tmp variables to save context from flat promises;
  var iv, ephemPublicKey, ciphertext, macKey;
  return new Promise(function(resolve) {
    var ephemPrivateKey = opts.ephemPrivateKey || randomBytes(32);
    ephemPublicKey = getPublic(ephemPrivateKey);
    resolve(derive(ephemPrivateKey, publicKeyTo));
  }).then(function(Px) {
    return sha512(Px);
  }).then(function(hash) {
    iv = opts.iv || randomBytes(16);
    var encryptionKey = hash.slice(0, 32);
    macKey = hash.slice(32);
    return aesCbcEncrypt(iv, encryptionKey, msg);
  }).then(function(data) {
    ciphertext = data;
    var dataToMac = Buffer.concat([iv, ephemPublicKey, ciphertext]);
    return hmacSha256Sign(macKey, dataToMac);
  }).then(function(mac) {
    return {
      iv: iv,
      ephemPublicKey: ephemPublicKey,
      ciphertext: ciphertext,
      mac: mac,
    };
  });
};

exports.decrypt = function(privateKey, opts) {
  assert(subtle, "WebCryptoAPI is not available");
  // Tmp variable to save context from flat promises;
  var encryptionKey;
  return derive(privateKey, opts.ephemPublicKey).then(function(Px) {
    return sha512(Px);
  }).then(function(hash) {
    encryptionKey = hash.slice(0, 32);
    var macKey = hash.slice(32);
    var dataToMac = Buffer.concat([
      opts.iv,
      opts.ephemPublicKey,
      opts.ciphertext
    ]);
    return hmacSha256Verify(macKey, dataToMac, opts.mac);
  }).then(function(macGood) {
    assert(macGood, "Bad MAC");
    return aesCbcDecrypt(opts.iv, encryptionKey, opts.ciphertext);
  }).then(function(msg) {
    return new Buffer(new Uint8Array(msg));
  });
};
Browser ECDSA with the help of elliptic 2014-12-25 15:45:43 +00:00			`/**`
			`* Browser eccrypto implementation.`
			`*/`

			`"use strict";`

			`var EC = require("elliptic").ec;`

			`var ec = new EC("secp256k1");`
add fallback to browser is secp256k1 2015-05-27 15:29:18 +00:00			`var cryptoObj = global.crypto \|\| global.msCrypto \|\| {};`
Better handling of crypto object 2015-01-21 17:25:45 +00:00			`var subtle = cryptoObj.subtle \|\| cryptoObj.webkitSubtle;`
Browser ECDSA with the help of elliptic 2014-12-25 15:45:43 +00:00
Refactoring 2015-01-12 17:50:21 +00:00			`function assert(condition, message) {`
			`if (!condition) {`
			`throw new Error(message \|\| "Assertion failed");`
Do not use assert module 2015-01-05 23:49:32 +00:00			`}`
Refactoring 2015-01-12 17:50:21 +00:00			`}`

ECIES (Browser) 2015-01-13 13:21:11 +00:00			`function randomBytes(size) {`
			`var arr = new Uint8Array(size);`
Fix getRandomValues on ie11. Fixes #28 2018-11-16 03:14:40 +00:00			`cryptoObj.getRandomValues(arr);`
ECIES (Browser) 2015-01-13 13:21:11 +00:00			`return new Buffer(arr);`
			`}`

			`function sha512(msg) {`
			`return subtle.digest({name: "SHA-512"}, msg).then(function(hash) {`
			`return new Buffer(new Uint8Array(hash));`
			`});`
			`}`

			`function getAes(op) {`
ECIES (Node) 2015-01-13 23:29:39 +00:00			`return function(iv, key, data) {`
ECIES (Browser) 2015-01-13 13:21:11 +00:00			`var importAlgorithm = {name: "AES-CBC"};`
			`var keyp = subtle.importKey("raw", key, importAlgorithm, false, [op]);`
			`return keyp.then(function(cryptoKey) {`
			`var encAlgorithm = {name: "AES-CBC", iv: iv};`
ECIES (Node) 2015-01-13 23:29:39 +00:00			`return subtle[op](encAlgorithm, cryptoKey, data);`
			`}).then(function(result) {`
			`return new Buffer(new Uint8Array(result));`
ECIES (Browser) 2015-01-13 13:21:11 +00:00			`});`
			`};`
			`}`

			`var aesCbcEncrypt = getAes("encrypt");`
			`var aesCbcDecrypt = getAes("decrypt");`

			`function hmacSha256Sign(key, msg) {`
			`var algorithm = {name: "HMAC", hash: {name: "SHA-256"}};`
			`var keyp = subtle.importKey("raw", key, algorithm, false, ["sign"]);`
			`return keyp.then(function(cryptoKey) {`
			`return subtle.sign(algorithm, cryptoKey, msg);`
			`}).then(function(sig) {`
			`return new Buffer(new Uint8Array(sig));`
			`});`
			`}`

			`function hmacSha256Verify(key, msg, sig) {`
			`var algorithm = {name: "HMAC", hash: {name: "SHA-256"}};`
			`var keyp = subtle.importKey("raw", key, algorithm, false, ["verify"]);`
			`return keyp.then(function(cryptoKey) {`
			`return subtle.verify(algorithm, cryptoKey, sig, msg);`
			`});`
			`}`

			`var getPublic = exports.getPublic = function(privateKey) {`
ECDH (Browser) 2015-01-12 19:17:29 +00:00			`// This function has sync API so we throw an error immediately.`
Refactoring 2015-01-12 17:50:21 +00:00			`assert(privateKey.length === 32, "Bad private key");`
Browser ECDSA with the help of elliptic 2014-12-25 15:45:43 +00:00			// XXX(Kagami): `elliptic.utils.encode` returns array for every
			// encoding except `hex`.
Update for elliptic 2.0 2015-01-18 20:23:16 +00:00			`return new Buffer(ec.keyFromPrivate(privateKey).getPublic("arr"));`
Browser ECDSA with the help of elliptic 2014-12-25 15:45:43 +00:00			`};`

Docs, cosmetics 2015-01-14 00:09:37 +00:00			`// NOTE(Kagami): We don't use promise shim in Browser implementation`
			`// because it's supported natively in new browsers (see`
			`// <http://caniuse.com/#feat=promises>) and we can use only new browsers`
			`// because of the WebCryptoAPI (see`
			`// <http://caniuse.com/#feat=cryptography>).`
Browser ECDSA with the help of elliptic 2014-12-25 15:45:43 +00:00			`exports.sign = function(privateKey, msg) {`
Refactoring 2015-01-12 17:50:21 +00:00			`return new Promise(function(resolve) {`
ECIES (Browser) 2015-01-13 13:21:11 +00:00			`assert(privateKey.length === 32, "Bad private key");`
Add more input checkings 2015-01-21 00:04:56 +00:00			`assert(msg.length > 0, "Message should not be empty");`
			`assert(msg.length <= 32, "Message is too long");`
Enable canonical mode in elliptic See indutny/elliptic#24 for details. 2015-01-20 23:20:28 +00:00			`resolve(new Buffer(ec.sign(msg, privateKey, {canonical: true}).toDER()));`
Refactoring 2015-01-12 17:50:21 +00:00			`});`
Browser ECDSA with the help of elliptic 2014-12-25 15:45:43 +00:00			`};`

ECIES (Browser) 2015-01-13 13:21:11 +00:00			`exports.verify = function(publicKey, msg, sig) {`
Refactoring 2015-01-12 17:50:21 +00:00			`return new Promise(function(resolve, reject) {`
ECIES (Browser) 2015-01-13 13:21:11 +00:00			`assert(publicKey.length === 65, "Bad public key");`
			`assert(publicKey[0] === 4, "Bad public key");`
Add more input checkings 2015-01-21 00:04:56 +00:00			`assert(msg.length > 0, "Message should not be empty");`
			`assert(msg.length <= 32, "Message is too long");`
Some fixes 2015-01-20 20:18:03 +00:00			`if (ec.verify(msg, sig, publicKey)) {`
Pass `null` instead of `undefined` on `.verify` 2015-02-10 13:52:38 +00:00			`resolve(null);`
Some fixes 2015-01-20 20:18:03 +00:00			`} else {`
			`reject(new Error("Bad signature"));`
			`}`
Refactoring 2015-01-12 17:50:21 +00:00			`});`
Browser ECDSA with the help of elliptic 2014-12-25 15:45:43 +00:00			`};`
ECDH (Browser) 2015-01-12 19:17:29 +00:00
ECIES (Browser) 2015-01-13 13:21:11 +00:00			`var derive = exports.derive = function(privateKeyA, publicKeyB) {`
ECDH (Browser) 2015-01-12 19:17:29 +00:00			`return new Promise(function(resolve) {`
Better check for input args in `derive` 2015-07-13 19:03:42 +00:00			`assert(Buffer.isBuffer(privateKeyA), "Bad input");`
			`assert(Buffer.isBuffer(publicKeyB), "Bad input");`
ECIES (Browser) 2015-01-13 13:21:11 +00:00			`assert(privateKeyA.length === 32, "Bad private key");`
			`assert(publicKeyB.length === 65, "Bad public key");`
			`assert(publicKeyB[0] === 4, "Bad public key");`
Update for elliptic 2.0 2015-01-18 20:23:16 +00:00			`var keyA = ec.keyFromPrivate(privateKeyA);`
			`var keyB = ec.keyFromPublic(publicKeyB);`
ECDH (Browser) 2015-01-12 19:17:29 +00:00			`var Px = keyA.derive(keyB.getPublic()); // BN instance`
Some fixes 2015-01-20 20:18:03 +00:00			`resolve(new Buffer(Px.toArray()));`
ECIES (Browser) 2015-01-13 13:21:11 +00:00			`});`
			`};`

			`exports.encrypt = function(publicKeyTo, msg, opts) {`
Better handling of crypto object 2015-01-21 17:25:45 +00:00			`assert(subtle, "WebCryptoAPI is not available");`
ECIES (Browser) 2015-01-13 13:21:11 +00:00			`opts = opts \|\| {};`
			`// Tmp variables to save context from flat promises;`
ECIES (Node) 2015-01-13 23:29:39 +00:00			`var iv, ephemPublicKey, ciphertext, macKey;`
ECIES (Browser) 2015-01-13 13:21:11 +00:00			`return new Promise(function(resolve) {`
			`var ephemPrivateKey = opts.ephemPrivateKey \|\| randomBytes(32);`
			`ephemPublicKey = getPublic(ephemPrivateKey);`
			`resolve(derive(ephemPrivateKey, publicKeyTo));`
			`}).then(function(Px) {`
			`return sha512(Px);`
			`}).then(function(hash) {`
			`iv = opts.iv \|\| randomBytes(16);`
			`var encryptionKey = hash.slice(0, 32);`
			`macKey = hash.slice(32);`
			`return aesCbcEncrypt(iv, encryptionKey, msg);`
ECIES (Node) 2015-01-13 23:29:39 +00:00			`}).then(function(data) {`
			`ciphertext = data;`
			`var dataToMac = Buffer.concat([iv, ephemPublicKey, ciphertext]);`
ECIES (Browser) 2015-01-13 13:21:11 +00:00			`return hmacSha256Sign(macKey, dataToMac);`
			`}).then(function(mac) {`
			`return {`
			`iv: iv,`
			`ephemPublicKey: ephemPublicKey,`
ECIES (Node) 2015-01-13 23:29:39 +00:00			`ciphertext: ciphertext,`
ECIES (Browser) 2015-01-13 13:21:11 +00:00			`mac: mac,`
			`};`
			`});`
			`};`

			`exports.decrypt = function(privateKey, opts) {`
Better handling of crypto object 2015-01-21 17:25:45 +00:00			`assert(subtle, "WebCryptoAPI is not available");`
ECIES (Node) 2015-01-13 23:29:39 +00:00			`// Tmp variable to save context from flat promises;`
ECIES (Browser) 2015-01-13 13:21:11 +00:00			`var encryptionKey;`
			`return derive(privateKey, opts.ephemPublicKey).then(function(Px) {`
			`return sha512(Px);`
			`}).then(function(hash) {`
			`encryptionKey = hash.slice(0, 32);`
			`var macKey = hash.slice(32);`
			`var dataToMac = Buffer.concat([`
			`opts.iv,`
			`opts.ephemPublicKey,`
ECIES (Node) 2015-01-13 23:29:39 +00:00			`opts.ciphertext`
ECIES (Browser) 2015-01-13 13:21:11 +00:00			`]);`
			`return hmacSha256Verify(macKey, dataToMac, opts.mac);`
ECIES (Node) 2015-01-13 23:29:39 +00:00			`}).then(function(macGood) {`
			`assert(macGood, "Bad MAC");`
			`return aesCbcDecrypt(opts.iv, encryptionKey, opts.ciphertext);`
ECIES (Browser) 2015-01-13 13:21:11 +00:00			`}).then(function(msg) {`
			`return new Buffer(new Uint8Array(msg));`
ECDH (Browser) 2015-01-12 19:17:29 +00:00			`});`
			`};`