2014-12-24 00:14:28 +01:00
|
|
|
/**
|
|
|
|
* Node.js eccrypto implementation.
|
|
|
|
* @module eccrypto
|
|
|
|
*/
|
|
|
|
|
|
|
|
"use strict";
|
|
|
|
|
2018-12-11 15:47:43 +01:00
|
|
|
const EC_GROUP_ORDER = Buffer.from('fffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141', 'hex');
|
|
|
|
const ZERO32 = Buffer.alloc(32, 0);
|
|
|
|
|
2015-01-06 12:21:46 +01:00
|
|
|
var promise = typeof Promise === "undefined" ?
|
|
|
|
require("es6-promise").Promise :
|
|
|
|
Promise;
|
2015-01-14 00:29:39 +01:00
|
|
|
var crypto = require("crypto");
|
2015-05-27 17:29:18 +02:00
|
|
|
// try to use secp256k1, fallback to browser implementation
|
|
|
|
try {
|
|
|
|
var secp256k1 = require("secp256k1");
|
2015-05-28 15:57:06 +02:00
|
|
|
var ecdh = require("./build/Release/ecdh");
|
2015-05-27 17:29:18 +02:00
|
|
|
} catch (e) {
|
2015-05-28 15:57:06 +02:00
|
|
|
if (process.env.ECCRYPTO_NO_FALLBACK) {
|
|
|
|
throw e;
|
|
|
|
} else {
|
2019-09-25 22:54:02 +02:00
|
|
|
console.info('secp256k1 unavailable, reverting to browser version');
|
2015-05-28 15:57:06 +02:00
|
|
|
return (module.exports = require("./browser"));
|
|
|
|
}
|
2015-05-27 17:29:18 +02:00
|
|
|
}
|
2014-12-23 21:28:40 +01:00
|
|
|
|
2018-12-11 15:47:43 +01:00
|
|
|
function isScalar (x) {
|
|
|
|
return Buffer.isBuffer(x) && x.length === 32;
|
|
|
|
}
|
|
|
|
|
|
|
|
function isValidPrivateKey(privateKey) {
|
|
|
|
if (!isScalar(privateKey))
|
|
|
|
{
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
return privateKey.compare(ZERO32) > 0 && // > 0
|
|
|
|
privateKey.compare(EC_GROUP_ORDER) < 0; // < G
|
|
|
|
}
|
|
|
|
|
2015-01-14 00:29:39 +01:00
|
|
|
function assert(condition, message) {
|
|
|
|
if (!condition) {
|
|
|
|
throw new Error(message || "Assertion failed");
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
function sha512(msg) {
|
|
|
|
return crypto.createHash("sha512").update(msg).digest();
|
|
|
|
}
|
|
|
|
|
|
|
|
function aes256CbcEncrypt(iv, key, plaintext) {
|
|
|
|
var cipher = crypto.createCipheriv("aes-256-cbc", key, iv);
|
|
|
|
var firstChunk = cipher.update(plaintext);
|
|
|
|
var secondChunk = cipher.final();
|
|
|
|
return Buffer.concat([firstChunk, secondChunk]);
|
|
|
|
}
|
|
|
|
|
|
|
|
function aes256CbcDecrypt(iv, key, ciphertext) {
|
|
|
|
var cipher = crypto.createDecipheriv("aes-256-cbc", key, iv);
|
|
|
|
var firstChunk = cipher.update(ciphertext);
|
|
|
|
var secondChunk = cipher.final();
|
|
|
|
return Buffer.concat([firstChunk, secondChunk]);
|
|
|
|
}
|
|
|
|
|
|
|
|
function hmacSha256(key, msg) {
|
|
|
|
return crypto.createHmac("sha256", key).update(msg).digest();
|
|
|
|
}
|
|
|
|
|
|
|
|
// Compare two buffers in constant time to prevent timing attacks.
|
|
|
|
function equalConstTime(b1, b2) {
|
|
|
|
if (b1.length !== b2.length) {
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
var res = 0;
|
|
|
|
for (var i = 0; i < b1.length; i++) {
|
|
|
|
res |= b1[i] ^ b2[i]; // jshint ignore:line
|
|
|
|
}
|
|
|
|
return res === 0;
|
|
|
|
}
|
|
|
|
|
2015-11-08 14:28:45 +01:00
|
|
|
function pad32(msg){
|
|
|
|
var buf;
|
|
|
|
if (msg.length < 32) {
|
2018-12-11 15:47:43 +01:00
|
|
|
buf = Buffer.alloc(32);
|
2015-11-08 14:28:45 +01:00
|
|
|
buf.fill(0);
|
|
|
|
msg.copy(buf, 32 - msg.length);
|
|
|
|
return buf;
|
|
|
|
} else {
|
|
|
|
return msg;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2019-03-24 02:02:32 +01:00
|
|
|
/**
|
|
|
|
* Generate a new valid private key. Will use crypto.randomBytes as source.
|
|
|
|
* @return {Buffer} A 32-byte private key.
|
|
|
|
* @function
|
|
|
|
*/
|
|
|
|
exports.generatePrivate = function() {
|
|
|
|
var privateKey = crypto.randomBytes(32);
|
|
|
|
while (!isValidPrivateKey(privateKey)) {
|
|
|
|
privateKey = crypto.randomBytes(32);
|
|
|
|
}
|
|
|
|
return privateKey;
|
|
|
|
};
|
|
|
|
|
2014-12-24 00:14:28 +01:00
|
|
|
/**
|
|
|
|
* Compute the public key for a given private key.
|
2015-01-02 16:21:24 +01:00
|
|
|
* @param {Buffer} privateKey - A 32-byte private key
|
|
|
|
* @return {Buffer} A 65-byte public key.
|
2015-01-02 14:47:09 +01:00
|
|
|
* @function
|
2014-12-24 00:14:28 +01:00
|
|
|
*/
|
2015-11-08 14:28:45 +01:00
|
|
|
var getPublic = exports.getPublic = function(privateKey) {
|
|
|
|
assert(privateKey.length === 32, "Bad private key");
|
2018-12-11 15:47:43 +01:00
|
|
|
assert(isValidPrivateKey(privateKey), "Bad private key");
|
2015-11-08 14:28:45 +01:00
|
|
|
// See https://github.com/wanderer/secp256k1-node/issues/46
|
|
|
|
var compressed = secp256k1.publicKeyCreate(privateKey);
|
|
|
|
return secp256k1.publicKeyConvert(compressed, false);
|
|
|
|
};
|
2014-12-24 00:14:28 +01:00
|
|
|
|
2018-12-11 15:47:43 +01:00
|
|
|
/**
|
|
|
|
* Get compressed version of public key.
|
|
|
|
*/
|
|
|
|
var getPublicCompressed = exports.getPublicCompressed = function(privateKey) { // jshint ignore:line
|
|
|
|
assert(privateKey.length === 32, "Bad private key");
|
|
|
|
assert(isValidPrivateKey(privateKey), "Bad private key");
|
|
|
|
// See https://github.com/wanderer/secp256k1-node/issues/46
|
|
|
|
return secp256k1.publicKeyCreate(privateKey);
|
|
|
|
};
|
|
|
|
|
2014-12-24 00:14:28 +01:00
|
|
|
/**
|
|
|
|
* Create an ECDSA signature.
|
2015-01-02 16:21:24 +01:00
|
|
|
* @param {Buffer} privateKey - A 32-byte private key
|
|
|
|
* @param {Buffer} msg - The message being signed
|
|
|
|
* @return {Promise.<Buffer>} A promise that resolves with the
|
|
|
|
* signature and rejects on bad key or message.
|
2014-12-24 00:14:28 +01:00
|
|
|
*/
|
|
|
|
exports.sign = function(privateKey, msg) {
|
2015-01-12 18:50:21 +01:00
|
|
|
return new promise(function(resolve) {
|
2018-12-11 15:47:43 +01:00
|
|
|
assert(privateKey.length === 32, "Bad private key");
|
|
|
|
assert(isValidPrivateKey(privateKey), "Bad private key");
|
2015-01-21 01:04:56 +01:00
|
|
|
assert(msg.length > 0, "Message should not be empty");
|
|
|
|
assert(msg.length <= 32, "Message is too long");
|
2015-11-08 14:28:45 +01:00
|
|
|
msg = pad32(msg);
|
2019-09-25 22:54:02 +02:00
|
|
|
var sig = secp256k1.sign(msg, privateKey).signature;
|
2015-11-08 14:28:45 +01:00
|
|
|
resolve(secp256k1.signatureExport(sig));
|
2014-12-24 00:14:28 +01:00
|
|
|
});
|
|
|
|
};
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Verify an ECDSA signature.
|
2015-01-13 13:11:53 +01:00
|
|
|
* @param {Buffer} publicKey - A 65-byte public key
|
2015-01-02 16:21:24 +01:00
|
|
|
* @param {Buffer} msg - The message being verified
|
|
|
|
* @param {Buffer} sig - The signature
|
2015-02-10 14:52:38 +01:00
|
|
|
* @return {Promise.<null>} A promise that resolves on correct signature
|
|
|
|
* and rejects on bad key or signature.
|
2014-12-24 00:14:28 +01:00
|
|
|
*/
|
2015-01-13 13:11:53 +01:00
|
|
|
exports.verify = function(publicKey, msg, sig) {
|
2015-01-06 12:21:46 +01:00
|
|
|
return new promise(function(resolve, reject) {
|
2015-01-21 01:04:56 +01:00
|
|
|
assert(msg.length > 0, "Message should not be empty");
|
|
|
|
assert(msg.length <= 32, "Message is too long");
|
2015-11-08 14:28:45 +01:00
|
|
|
msg = pad32(msg);
|
|
|
|
sig = secp256k1.signatureImport(sig);
|
2019-09-25 22:54:02 +02:00
|
|
|
if (secp256k1.verify(msg, sig, publicKey)) {
|
2015-02-10 14:52:38 +01:00
|
|
|
resolve(null);
|
2015-01-20 21:17:25 +01:00
|
|
|
} else {
|
|
|
|
reject(new Error("Bad signature"));
|
|
|
|
}
|
2014-12-24 00:14:28 +01:00
|
|
|
});
|
|
|
|
};
|
2015-01-13 20:39:37 +01:00
|
|
|
|
|
|
|
/**
|
|
|
|
* Derive shared secret for given private and public keys.
|
2015-01-14 00:29:39 +01:00
|
|
|
* @param {Buffer} privateKeyA - Sender's private key (32 bytes)
|
|
|
|
* @param {Buffer} publicKeyB - Recipient's public key (65 bytes)
|
2015-01-13 20:39:37 +01:00
|
|
|
* @return {Promise.<Buffer>} A promise that resolves with the derived
|
2015-01-14 00:29:39 +01:00
|
|
|
* shared secret (Px, 32 bytes) and rejects on bad key.
|
2015-01-13 20:39:37 +01:00
|
|
|
*/
|
2015-01-14 00:29:39 +01:00
|
|
|
var derive = exports.derive = function(privateKeyA, publicKeyB) {
|
2015-01-13 20:39:37 +01:00
|
|
|
return new promise(function(resolve) {
|
2018-12-11 15:47:43 +01:00
|
|
|
assert(privateKeyA.length === 32, "Bad private key");
|
|
|
|
assert(isValidPrivateKey(privateKeyA), "Bad private key");
|
2015-01-13 20:39:37 +01:00
|
|
|
resolve(ecdh.derive(privateKeyA, publicKeyB));
|
|
|
|
});
|
|
|
|
};
|
2015-01-14 00:29:39 +01:00
|
|
|
|
|
|
|
/**
|
|
|
|
* Input/output structure for ECIES operations.
|
|
|
|
* @typedef {Object} Ecies
|
|
|
|
* @property {Buffer} iv - Initialization vector (16 bytes)
|
|
|
|
* @property {Buffer} ephemPublicKey - Ephemeral public key (65 bytes)
|
|
|
|
* @property {Buffer} ciphertext - The result of encryption (variable size)
|
|
|
|
* @property {Buffer} mac - Message authentication code (32 bytes)
|
|
|
|
*/
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Encrypt message for given recepient's public key.
|
|
|
|
* @param {Buffer} publicKeyTo - Recipient's public key (65 bytes)
|
|
|
|
* @param {Buffer} msg - The message being encrypted
|
|
|
|
* @param {?{?iv: Buffer, ?ephemPrivateKey: Buffer}} opts - You may also
|
|
|
|
* specify initialization vector (16 bytes) and ephemeral private key
|
|
|
|
* (32 bytes) to get deterministic results.
|
|
|
|
* @return {Promise.<Ecies>} - A promise that resolves with the ECIES
|
|
|
|
* structure on successful encryption and rejects on failure.
|
|
|
|
*/
|
|
|
|
exports.encrypt = function(publicKeyTo, msg, opts) {
|
|
|
|
opts = opts || {};
|
|
|
|
// Tmp variable to save context from flat promises;
|
|
|
|
var ephemPublicKey;
|
|
|
|
return new promise(function(resolve) {
|
|
|
|
var ephemPrivateKey = opts.ephemPrivateKey || crypto.randomBytes(32);
|
2018-12-11 15:47:43 +01:00
|
|
|
// There is a very unlikely possibility that it is not a valid key
|
|
|
|
while(!isValidPrivateKey(ephemPrivateKey))
|
|
|
|
{
|
|
|
|
ephemPrivateKey = opts.ephemPrivateKey || crypto.randomBytes(32);
|
|
|
|
}
|
2015-01-14 00:29:39 +01:00
|
|
|
ephemPublicKey = getPublic(ephemPrivateKey);
|
|
|
|
resolve(derive(ephemPrivateKey, publicKeyTo));
|
|
|
|
}).then(function(Px) {
|
|
|
|
var hash = sha512(Px);
|
|
|
|
var iv = opts.iv || crypto.randomBytes(16);
|
|
|
|
var encryptionKey = hash.slice(0, 32);
|
|
|
|
var macKey = hash.slice(32);
|
|
|
|
var ciphertext = aes256CbcEncrypt(iv, encryptionKey, msg);
|
|
|
|
var dataToMac = Buffer.concat([iv, ephemPublicKey, ciphertext]);
|
2018-12-11 15:47:43 +01:00
|
|
|
var mac = Buffer.from(hmacSha256(macKey, dataToMac));
|
2015-01-14 00:29:39 +01:00
|
|
|
return {
|
|
|
|
iv: iv,
|
|
|
|
ephemPublicKey: ephemPublicKey,
|
|
|
|
ciphertext: ciphertext,
|
|
|
|
mac: mac,
|
|
|
|
};
|
|
|
|
});
|
|
|
|
};
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Decrypt message using given private key.
|
|
|
|
* @param {Buffer} privateKey - A 32-byte private key of recepient of
|
|
|
|
* the mesage
|
|
|
|
* @param {Ecies} opts - ECIES structure (result of ECIES encryption)
|
|
|
|
* @return {Promise.<Buffer>} - A promise that resolves with the
|
|
|
|
* plaintext on successful decryption and rejects on failure.
|
|
|
|
*/
|
|
|
|
exports.decrypt = function(privateKey, opts) {
|
|
|
|
return derive(privateKey, opts.ephemPublicKey).then(function(Px) {
|
2018-12-11 15:47:43 +01:00
|
|
|
assert(privateKey.length === 32, "Bad private key");
|
|
|
|
assert(isValidPrivateKey(privateKey), "Bad private key");
|
2015-01-14 00:29:39 +01:00
|
|
|
var hash = sha512(Px);
|
|
|
|
var encryptionKey = hash.slice(0, 32);
|
|
|
|
var macKey = hash.slice(32);
|
|
|
|
var dataToMac = Buffer.concat([
|
|
|
|
opts.iv,
|
|
|
|
opts.ephemPublicKey,
|
|
|
|
opts.ciphertext
|
|
|
|
]);
|
|
|
|
var realMac = hmacSha256(macKey, dataToMac);
|
2018-12-11 15:47:43 +01:00
|
|
|
assert(equalConstTime(opts.mac, realMac), "Bad MAC"); return aes256CbcDecrypt(opts.iv, encryptionKey, opts.ciphertext);
|
2015-01-14 00:29:39 +01:00
|
|
|
});
|
|
|
|
};
|