eccrypto/browser.js

/**
 * Browser eccrypto implementation.
 */

// NOTE(Kagami): We don't use promise shim in Browser implementation
// because it's supported natively in new browsers (see
// <http://caniuse.com/#feat=promises>) and we can use only new browsers
// because of the WebCryptoAPI (see
// <http://caniuse.com/#feat=cryptography>).

"use strict";

var EC = require("elliptic").ec;

var ec = new EC("secp256k1");
// TODO(Kagami): Try to support IE11.
var subtle = window.crypto.subtle || window.crypto.webkitSubtle;

function assert(condition, message) {
  if (!condition) {
    throw new Error(message || "Assertion failed");
  }
}

function randomBytes(size) {
  var arr = new Uint8Array(size);
  window.crypto.getRandomValues(arr);
  return new Buffer(arr);
}

function sha512(msg) {
  return subtle.digest({name: "SHA-512"}, msg).then(function(hash) {
    return new Buffer(new Uint8Array(hash));
  });
}

function getAes(op) {
  return function(iv, key, msg) {
    var importAlgorithm = {name: "AES-CBC"};
    var keyp = subtle.importKey("raw", key, importAlgorithm, false, [op]);
    return keyp.then(function(cryptoKey) {
      var encAlgorithm = {name: "AES-CBC", iv: iv};
      return subtle[op](encAlgorithm, cryptoKey, msg);
    }).then(function(cipherText) {
      return new Buffer(new Uint8Array(cipherText));
    });
  };
}

var aesCbcEncrypt = getAes("encrypt");
var aesCbcDecrypt = getAes("decrypt");

function hmacSha256Sign(key, msg) {
  var algorithm = {name: "HMAC", hash: {name: "SHA-256"}};
  var keyp = subtle.importKey("raw", key, algorithm, false, ["sign"]);
  return keyp.then(function(cryptoKey) {
    return subtle.sign(algorithm, cryptoKey, msg);
  }).then(function(sig) {
    return new Buffer(new Uint8Array(sig));
  });
}

function hmacSha256Verify(key, msg, sig) {
  var algorithm = {name: "HMAC", hash: {name: "SHA-256"}};
  var keyp = subtle.importKey("raw", key, algorithm, false, ["verify"]);
  return keyp.then(function(cryptoKey) {
    return subtle.verify(algorithm, cryptoKey, sig, msg);
  });
}

var getPublic = exports.getPublic = function(privateKey) {
  // This function has sync API so we throw an error immediately.
  assert(privateKey.length === 32, "Bad private key");
  // XXX(Kagami): `elliptic.utils.encode` returns array for every
  // encoding except `hex`.
  return new Buffer(ec.keyPair(privateKey).getPublic("arr"));
};

exports.sign = function(privateKey, msg) {
  return new Promise(function(resolve) {
    assert(privateKey.length === 32, "Bad private key");
    var key = ec.keyPair(privateKey);
    resolve(new Buffer(key.sign(msg).toDER()));
  });
};

exports.verify = function(publicKey, msg, sig) {
  return new Promise(function(resolve, reject) {
    assert(publicKey.length === 65, "Bad public key");
    assert(publicKey[0] === 4, "Bad public key");
    var key = ec.keyPair(publicKey);
    return key.verify(msg, sig) ? resolve() : reject();
  });
};

var derive = exports.derive = function(privateKeyA, publicKeyB) {
  return new Promise(function(resolve) {
    assert(privateKeyA.length === 32, "Bad private key");
    assert(publicKeyB.length === 65, "Bad public key");
    assert(publicKeyB[0] === 4, "Bad public key");
    var keyA = ec.keyPair(privateKeyA);
    var keyB = ec.keyPair(publicKeyB);
    var Px = keyA.derive(keyB.getPublic());  // BN instance
    resolve(new Buffer(Px.toString(16, 2), "hex"));
  });
};

exports.encrypt = function(publicKeyTo, msg, opts) {
  assert(subtle, "WebCryptoAPI is not supported");
  opts = opts || {};
  // Tmp variables to save context from flat promises;
  var iv, ephemPublicKey, cipherText, macKey;
  return new Promise(function(resolve) {
    var ephemPrivateKey = opts.ephemPrivateKey || randomBytes(32);
    ephemPublicKey = getPublic(ephemPrivateKey);
    resolve(derive(ephemPrivateKey, publicKeyTo));
  }).then(function(Px) {
    return sha512(Px);
  }).then(function(hash) {
    iv = opts.iv || randomBytes(16);
    var encryptionKey = hash.slice(0, 32);
    macKey = hash.slice(32);
    return aesCbcEncrypt(iv, encryptionKey, msg);
  }).then(function(encrypted) {
    cipherText = encrypted;
    var dataToMac = Buffer.concat([iv, ephemPublicKey, cipherText]);
    return hmacSha256Sign(macKey, dataToMac);
  }).then(function(mac) {
    return {
      iv: iv,
      ephemPublicKey: ephemPublicKey,
      cipherText: cipherText,
      mac: mac,
    };
  });
};

exports.decrypt = function(privateKey, opts) {
  assert(subtle, "WebCryptoAPI is not supported");
  // Tmp variables to save context from flat promises;
  var encryptionKey;
  return derive(privateKey, opts.ephemPublicKey).then(function(Px) {
    return sha512(Px);
  }).then(function(hash) {
    encryptionKey = hash.slice(0, 32);
    var macKey = hash.slice(32);
    var dataToMac = Buffer.concat([
      opts.iv,
      opts.ephemPublicKey,
      opts.cipherText
    ]);
    return hmacSha256Verify(macKey, dataToMac, opts.mac);
  }).then(function(goodMac) {
    assert(goodMac, "Bad MAC");
    return aesCbcDecrypt(opts.iv, encryptionKey, opts.cipherText);
  }).then(function(msg) {
    return new Buffer(new Uint8Array(msg));
  });
};
Browser ECDSA with the help of elliptic 2014-12-25 15:45:43 +00:00			`/**`
			`* Browser eccrypto implementation.`
			`*/`

Add comment about promises 2015-01-07 18:47:41 +00:00			`// NOTE(Kagami): We don't use promise shim in Browser implementation`
			`// because it's supported natively in new browsers (see`
			`// <http://caniuse.com/#feat=promises>) and we can use only new browsers`
			`// because of the WebCryptoAPI (see`
			`// <http://caniuse.com/#feat=cryptography>).`

Browser ECDSA with the help of elliptic 2014-12-25 15:45:43 +00:00			`"use strict";`

			`var EC = require("elliptic").ec;`

			`var ec = new EC("secp256k1");`
ECIES (Browser) 2015-01-13 13:21:11 +00:00			`// TODO(Kagami): Try to support IE11.`
			`var subtle = window.crypto.subtle \|\| window.crypto.webkitSubtle;`
Browser ECDSA with the help of elliptic 2014-12-25 15:45:43 +00:00
Refactoring 2015-01-12 17:50:21 +00:00			`function assert(condition, message) {`
			`if (!condition) {`
			`throw new Error(message \|\| "Assertion failed");`
Do not use assert module 2015-01-05 23:49:32 +00:00			`}`
Refactoring 2015-01-12 17:50:21 +00:00			`}`

ECIES (Browser) 2015-01-13 13:21:11 +00:00			`function randomBytes(size) {`
			`var arr = new Uint8Array(size);`
			`window.crypto.getRandomValues(arr);`
			`return new Buffer(arr);`
			`}`

			`function sha512(msg) {`
			`return subtle.digest({name: "SHA-512"}, msg).then(function(hash) {`
			`return new Buffer(new Uint8Array(hash));`
			`});`
			`}`

			`function getAes(op) {`
			`return function(iv, key, msg) {`
			`var importAlgorithm = {name: "AES-CBC"};`
			`var keyp = subtle.importKey("raw", key, importAlgorithm, false, [op]);`
			`return keyp.then(function(cryptoKey) {`
			`var encAlgorithm = {name: "AES-CBC", iv: iv};`
			`return subtle[op](encAlgorithm, cryptoKey, msg);`
			`}).then(function(cipherText) {`
			`return new Buffer(new Uint8Array(cipherText));`
			`});`
			`};`
			`}`

			`var aesCbcEncrypt = getAes("encrypt");`
			`var aesCbcDecrypt = getAes("decrypt");`

			`function hmacSha256Sign(key, msg) {`
			`var algorithm = {name: "HMAC", hash: {name: "SHA-256"}};`
			`var keyp = subtle.importKey("raw", key, algorithm, false, ["sign"]);`
			`return keyp.then(function(cryptoKey) {`
			`return subtle.sign(algorithm, cryptoKey, msg);`
			`}).then(function(sig) {`
			`return new Buffer(new Uint8Array(sig));`
			`});`
			`}`

			`function hmacSha256Verify(key, msg, sig) {`
			`var algorithm = {name: "HMAC", hash: {name: "SHA-256"}};`
			`var keyp = subtle.importKey("raw", key, algorithm, false, ["verify"]);`
			`return keyp.then(function(cryptoKey) {`
			`return subtle.verify(algorithm, cryptoKey, sig, msg);`
			`});`
			`}`

			`var getPublic = exports.getPublic = function(privateKey) {`
ECDH (Browser) 2015-01-12 19:17:29 +00:00			`// This function has sync API so we throw an error immediately.`
Refactoring 2015-01-12 17:50:21 +00:00			`assert(privateKey.length === 32, "Bad private key");`
Browser ECDSA with the help of elliptic 2014-12-25 15:45:43 +00:00			// XXX(Kagami): `elliptic.utils.encode` returns array for every
			// encoding except `hex`.
			`return new Buffer(ec.keyPair(privateKey).getPublic("arr"));`
			`};`

			`exports.sign = function(privateKey, msg) {`
Refactoring 2015-01-12 17:50:21 +00:00			`return new Promise(function(resolve) {`
ECIES (Browser) 2015-01-13 13:21:11 +00:00			`assert(privateKey.length === 32, "Bad private key");`
ECDH (Browser) 2015-01-12 19:17:29 +00:00			`var key = ec.keyPair(privateKey);`
Refactoring 2015-01-12 17:50:21 +00:00			`resolve(new Buffer(key.sign(msg).toDER()));`
			`});`
Browser ECDSA with the help of elliptic 2014-12-25 15:45:43 +00:00			`};`

ECIES (Browser) 2015-01-13 13:21:11 +00:00			`exports.verify = function(publicKey, msg, sig) {`
Refactoring 2015-01-12 17:50:21 +00:00			`return new Promise(function(resolve, reject) {`
ECIES (Browser) 2015-01-13 13:21:11 +00:00			`assert(publicKey.length === 65, "Bad public key");`
			`assert(publicKey[0] === 4, "Bad public key");`
			`var key = ec.keyPair(publicKey);`
Refactoring 2015-01-12 17:50:21 +00:00			`return key.verify(msg, sig) ? resolve() : reject();`
			`});`
Browser ECDSA with the help of elliptic 2014-12-25 15:45:43 +00:00			`};`
ECDH (Browser) 2015-01-12 19:17:29 +00:00
ECIES (Browser) 2015-01-13 13:21:11 +00:00			`var derive = exports.derive = function(privateKeyA, publicKeyB) {`
ECDH (Browser) 2015-01-12 19:17:29 +00:00			`return new Promise(function(resolve) {`
ECIES (Browser) 2015-01-13 13:21:11 +00:00			`assert(privateKeyA.length === 32, "Bad private key");`
			`assert(publicKeyB.length === 65, "Bad public key");`
			`assert(publicKeyB[0] === 4, "Bad public key");`
ECDH (Browser) 2015-01-12 19:17:29 +00:00			`var keyA = ec.keyPair(privateKeyA);`
			`var keyB = ec.keyPair(publicKeyB);`
			`var Px = keyA.derive(keyB.getPublic()); // BN instance`
ECIES (Browser) 2015-01-13 13:21:11 +00:00			`resolve(new Buffer(Px.toString(16, 2), "hex"));`
			`});`
			`};`

			`exports.encrypt = function(publicKeyTo, msg, opts) {`
			`assert(subtle, "WebCryptoAPI is not supported");`
			`opts = opts \|\| {};`
			`// Tmp variables to save context from flat promises;`
			`var iv, ephemPublicKey, cipherText, macKey;`
			`return new Promise(function(resolve) {`
			`var ephemPrivateKey = opts.ephemPrivateKey \|\| randomBytes(32);`
			`ephemPublicKey = getPublic(ephemPrivateKey);`
			`resolve(derive(ephemPrivateKey, publicKeyTo));`
			`}).then(function(Px) {`
			`return sha512(Px);`
			`}).then(function(hash) {`
			`iv = opts.iv \|\| randomBytes(16);`
			`var encryptionKey = hash.slice(0, 32);`
			`macKey = hash.slice(32);`
			`return aesCbcEncrypt(iv, encryptionKey, msg);`
			`}).then(function(encrypted) {`
			`cipherText = encrypted;`
			`var dataToMac = Buffer.concat([iv, ephemPublicKey, cipherText]);`
			`return hmacSha256Sign(macKey, dataToMac);`
			`}).then(function(mac) {`
			`return {`
			`iv: iv,`
			`ephemPublicKey: ephemPublicKey,`
			`cipherText: cipherText,`
			`mac: mac,`
			`};`
			`});`
			`};`

			`exports.decrypt = function(privateKey, opts) {`
			`assert(subtle, "WebCryptoAPI is not supported");`
			`// Tmp variables to save context from flat promises;`
			`var encryptionKey;`
			`return derive(privateKey, opts.ephemPublicKey).then(function(Px) {`
			`return sha512(Px);`
			`}).then(function(hash) {`
			`encryptionKey = hash.slice(0, 32);`
			`var macKey = hash.slice(32);`
			`var dataToMac = Buffer.concat([`
			`opts.iv,`
			`opts.ephemPublicKey,`
			`opts.cipherText`
			`]);`
			`return hmacSha256Verify(macKey, dataToMac, opts.mac);`
			`}).then(function(goodMac) {`
			`assert(goodMac, "Bad MAC");`
			`return aesCbcDecrypt(opts.iv, encryptionKey, opts.cipherText);`
			`}).then(function(msg) {`
			`return new Buffer(new Uint8Array(msg));`
ECDH (Browser) 2015-01-12 19:17:29 +00:00			`});`
			`};`