signature : Change lib to allow import from password
ci/woodpecker/push/test Pipeline was successful
ci/woodpecker/push/test Pipeline was successful
This commit is contained in:
@@ -14,6 +14,7 @@
|
||||
},
|
||||
|
||||
"dependencies": {
|
||||
"@noble/ed25519": "^2.1.0",
|
||||
"jose": "^5.3.0",
|
||||
"log": "git+https://git.pband.ch/typescript/log.git",
|
||||
"misc": "git+https://git.pband.ch/typescript/misc.git",
|
||||
|
||||
+39
-31
@@ -1,45 +1,59 @@
|
||||
import {PBKDF_parameters} from './pbkdf'
|
||||
|
||||
import {Result} from 'rust'
|
||||
import logger from 'log'
|
||||
import * as ed from '@noble/ed25519'
|
||||
|
||||
export type PrivKey = CryptoKey
|
||||
export type PubKey = CryptoKey
|
||||
export type Signature = Uint8Array
|
||||
|
||||
export type PrivKey = Uint8Array
|
||||
export type PubKey = Uint8Array
|
||||
export type KeyPair = [PrivKey, PubKey]
|
||||
|
||||
const algorithm: EcdsaParams = {
|
||||
name: "ECDSA",
|
||||
hash: {name: "SHA-512"},
|
||||
}
|
||||
const log = logger('crypto:signature')
|
||||
|
||||
/**
|
||||
* Create a new keypair for signing
|
||||
* @param extractable if the keys must be extractable or not
|
||||
* @return [privkey, pubkey] keys
|
||||
*/
|
||||
export async function gen_keypair(extractable: boolean = false) : Promise<KeyPair> {
|
||||
export async function gen_keypair() : Promise<KeyPair> {
|
||||
log.trace('Generating keypair')
|
||||
log.debug('Extractable :', extractable ? 'yes' : 'no')
|
||||
|
||||
let key = await window.crypto.subtle.generateKey(
|
||||
{
|
||||
name: "ECDSA",
|
||||
namedCurve: "P-521"
|
||||
} as EcKeyGenParams,
|
||||
extractable,
|
||||
['sign', 'verify']
|
||||
const privkey = ed.utils.randomPrivateKey()
|
||||
const pubkey = await ed.getPublicKeyAsync(privkey)
|
||||
|
||||
return [privkey, pubkey]
|
||||
}
|
||||
export async function from_password(password: string, salt: Uint8Array) : Promise<KeyPair> {
|
||||
const keyMaterial = await window.crypto.subtle.importKey(
|
||||
"raw",
|
||||
new TextEncoder().encode(password),
|
||||
"PBKDF2",
|
||||
false,
|
||||
["deriveBits"],
|
||||
)
|
||||
|
||||
return [key.privateKey, key.publicKey]
|
||||
const privkey_buff = await window.crypto.subtle.deriveBits(
|
||||
{
|
||||
...PBKDF_parameters,
|
||||
salt,
|
||||
},
|
||||
keyMaterial,
|
||||
256,
|
||||
)
|
||||
|
||||
const privkey = new Uint8Array(privkey_buff)
|
||||
const pubkey = await ed.getPublicKeyAsync(privkey)
|
||||
|
||||
return [privkey, pubkey]
|
||||
}
|
||||
export async function sign(privkey: PrivKey, message: Uint8Array) : Promise<Result<ArrayBuffer>> {
|
||||
|
||||
export async function sign(privkey: PrivKey, message: Uint8Array) : Promise<Result<Signature>> {
|
||||
log.trace('sign')
|
||||
|
||||
try {
|
||||
return Result.ok(await window.crypto.subtle.sign(
|
||||
algorithm,
|
||||
privkey,
|
||||
message,
|
||||
))
|
||||
const signature = await ed.signAsync(message, privkey)
|
||||
return Result.ok(signature)
|
||||
} catch(e) {
|
||||
log.warn('Signature failed')
|
||||
log.debug(`Error : ${e}`)
|
||||
@@ -47,17 +61,11 @@ export async function sign(privkey: PrivKey, message: Uint8Array) : Promise<Resu
|
||||
|
||||
return Result.error([])
|
||||
}
|
||||
|
||||
export async function verify(pubkey: PubKey, message: Uint8Array, signature: ArrayBuffer): Promise<boolean> {
|
||||
export async function verify(pubkey: PubKey, message: Uint8Array, signature: Signature) : Promise<boolean> {
|
||||
log.trace('Verify signature')
|
||||
|
||||
try {
|
||||
return await window.crypto.subtle.verify(
|
||||
algorithm,
|
||||
pubkey,
|
||||
signature,
|
||||
message
|
||||
);
|
||||
return ed.verifyAsync(signature, message, pubkey)
|
||||
} catch (e) {
|
||||
log.warn('Verification failed')
|
||||
log.debug(`Error : ${e}`)
|
||||
|
||||
@@ -3,16 +3,11 @@ import {beforeAll, expect, test} from 'bun:test'
|
||||
import {PrivateWrap, type KeyPair} from 'boxes/private-wrap'
|
||||
|
||||
import * as sym from 'boxes/symmetric'
|
||||
import * as signature from 'signature'
|
||||
|
||||
let k1!: KeyPair;
|
||||
let k2!: KeyPair;
|
||||
|
||||
let kw_sym!: sym.Key;
|
||||
let kw_sig!: signature.KeyPair;
|
||||
|
||||
let kw_sym_non!: sym.Key;
|
||||
let kw_sig_non!: signature.KeyPair;
|
||||
|
||||
beforeAll(async () => {
|
||||
k1 = await PrivateWrap.gen_key(false)
|
||||
@@ -25,13 +20,9 @@ beforeAll(async () => {
|
||||
|
||||
kw_sym = await sym.SecretBox.gen_key(true)
|
||||
expect(kw_sym.extractable).toBe(true)
|
||||
kw_sig = await signature.gen_keypair(true)
|
||||
expect(kw_sig[0].extractable).toBe(true)
|
||||
|
||||
kw_sym_non = await sym.SecretBox.gen_key(false)
|
||||
expect(kw_sym_non.extractable).toBe(false)
|
||||
kw_sig_non = await signature.gen_keypair(false)
|
||||
expect(kw_sig_non[0].extractable).toBe(false)
|
||||
})
|
||||
|
||||
test('base case', async () => {
|
||||
@@ -42,10 +33,6 @@ test('base case', async () => {
|
||||
const sym = (await PrivateWrap.wrap(pub, kw_sym)).expect("Should wrap the sym key")
|
||||
const rsym = (await sym.unwrap(priv)).expect("Should unwrap the sym key")
|
||||
expect(rsym).toEqual(kw_sym)
|
||||
|
||||
const sig = (await PrivateWrap.wrap(pub, kw_sig[0])).expect("Should wrap the signature key")
|
||||
const rsig = (await sig.unwrap(priv)).expect("Should unwrap the signature key")
|
||||
expect(rsig).toEqual(kw_sig[0])
|
||||
})
|
||||
test('toString and fromString and inverses', async () => {
|
||||
const [_priv, pub] = k1
|
||||
@@ -54,11 +41,6 @@ test('toString and fromString and inverses', async () => {
|
||||
const sym_str = sym.toString()
|
||||
const rsym = (PrivateWrap.fromString(sym_str)).expect("Should parse the sym key")
|
||||
expect(rsym).toEqual(sym)
|
||||
|
||||
const sig = (await PrivateWrap.wrap(pub, kw_sig[0])).expect("Should wrap the signature key")
|
||||
const sig_str = sig.toString()
|
||||
const rsig = (PrivateWrap.fromString(sig_str)).expect("Should parse the signature key")
|
||||
expect(rsig).toEqual(sig)
|
||||
})
|
||||
test("Can't wrap with private key", async () => {
|
||||
const [priv, _pub] = k1
|
||||
@@ -82,5 +64,4 @@ test("Can't wrap if not extractable", async () => {
|
||||
const [_priv, pub] = k1
|
||||
|
||||
;(await PrivateWrap.wrap(pub, kw_sym_non)).expect_err("Shouldn't wrap if not extractable")
|
||||
;(await PrivateWrap.wrap(pub, kw_sig_non[0])).expect_err("Shouldn't wrap if not extractable")
|
||||
})
|
||||
|
||||
@@ -4,7 +4,6 @@ import {SecretWrap, type Key} from 'boxes/secret-wrap'
|
||||
|
||||
import * as sym from 'boxes/symmetric'
|
||||
import * as asym from 'boxes/asymmetric'
|
||||
import * as signature from 'signature'
|
||||
import * as pwrap from 'boxes/private-wrap'
|
||||
|
||||
let k1!: Key;
|
||||
@@ -12,13 +11,11 @@ let k2!: Key;
|
||||
|
||||
let kw_wrap!: sym.Key;
|
||||
let kw_sym!: sym.Key;
|
||||
let kw_sig!: signature.KeyPair;
|
||||
let kw_asym!: asym.KeyPair;
|
||||
let kw_priv!: pwrap.KeyPair;
|
||||
|
||||
let kw_wrap_non!: sym.Key;
|
||||
let kw_sym_non!: sym.Key;
|
||||
let kw_sig_non!: signature.KeyPair;
|
||||
let kw_asym_non!: asym.KeyPair;
|
||||
let kw_priv_non!: pwrap.KeyPair;
|
||||
|
||||
@@ -37,8 +34,6 @@ beforeAll(async () => {
|
||||
expect(kw_priv[0].extractable).toBe(true)
|
||||
kw_sym = await sym.SecretBox.gen_key(true)
|
||||
expect(kw_sym.extractable).toBe(true)
|
||||
kw_sig = await signature.gen_keypair(true)
|
||||
expect(kw_sig[0].extractable).toBe(true)
|
||||
|
||||
kw_wrap_non = await sym.SecretBox.gen_key(false)
|
||||
expect(kw_wrap_non.extractable).toBe(false)
|
||||
@@ -48,8 +43,6 @@ beforeAll(async () => {
|
||||
expect(kw_priv_non[0].extractable).toBe(false)
|
||||
kw_sym_non = await sym.SecretBox.gen_key(false)
|
||||
expect(kw_sym_non.extractable).toBe(false)
|
||||
kw_sig_non = await signature.gen_keypair(false)
|
||||
expect(kw_sig_non[0].extractable).toBe(false)
|
||||
})
|
||||
|
||||
test('base case', async () => {
|
||||
@@ -64,7 +57,6 @@ test('base case', async () => {
|
||||
await testit(kw_asym[0])
|
||||
await testit(kw_priv[0])
|
||||
await testit(kw_sym)
|
||||
await testit(kw_sig[0])
|
||||
})
|
||||
test("toString and fromString and inverses", async () => {
|
||||
const testit = async (key: CryptoKey) => {
|
||||
@@ -79,7 +71,6 @@ test("toString and fromString and inverses", async () => {
|
||||
await testit(kw_asym[0])
|
||||
await testit(kw_priv[0])
|
||||
await testit(kw_sym)
|
||||
await testit(kw_sig[0])
|
||||
})
|
||||
test("Can't unwrap with wrong key", async () => {
|
||||
const wrapped = (await SecretWrap.wrap_key(k1, kw_wrap)).expect("Should wrap the key")
|
||||
@@ -90,7 +81,6 @@ test("Can't wrap if key is not extractable", async () => {
|
||||
;(await SecretWrap.wrap_key(k1, kw_asym_non[0])).expect_err("Shouldn't wrap if key is not extractable")
|
||||
;(await SecretWrap.wrap_key(k1, kw_priv_non[0])).expect_err("Shouldn't wrap if key is not extractable")
|
||||
;(await SecretWrap.wrap_key(k1, kw_sym_non)).expect_err("Shouldn't wrap if key is not extractable")
|
||||
;(await SecretWrap.wrap_key(k1, kw_sig_non[0])).expect_err("Shouldn't wrap if key is not extractable")
|
||||
})
|
||||
test("tampered IV", async () => {
|
||||
const wrapped = (await SecretWrap.wrap_key(k1, kw_wrap)).expect("Should wrap the key")
|
||||
|
||||
+26
-10
@@ -2,25 +2,40 @@ import {test, expect} from 'bun:test'
|
||||
|
||||
import {signature} from '../index'
|
||||
|
||||
test('base case', async () => {
|
||||
let keypair = await signature.gen_keypair()
|
||||
async function base_case(keypair: signature.KeyPair) {
|
||||
let data = new TextEncoder().encode("Message 123 !")
|
||||
|
||||
const sig = (await signature.sign(keypair[0], data)).expect("Should sign the message")
|
||||
let verification = await signature.verify(keypair[1], data, sig)
|
||||
|
||||
expect(verification).toBe(true)
|
||||
}
|
||||
async function inverted(keypair: signature.KeyPair) {
|
||||
let data = new TextEncoder().encode("Message 123 !")
|
||||
|
||||
const sig = (await signature.sign(keypair[1], data)).expect("Should sign the message")
|
||||
let verification = await signature.verify(keypair[0], data, sig)
|
||||
expect(verification).toBe(false)
|
||||
}
|
||||
|
||||
test('base case', async () => {
|
||||
let keypair = await signature.gen_keypair()
|
||||
return base_case(keypair)
|
||||
})
|
||||
|
||||
test('base case with password', async () => {
|
||||
let keypair = await signature.from_password("Yeet", new Uint8Array(16))
|
||||
return base_case(keypair)
|
||||
})
|
||||
|
||||
test('inverted with password', async () => {
|
||||
let keypair = await signature.from_password("Yeet", new Uint8Array(16))
|
||||
return inverted(keypair)
|
||||
})
|
||||
|
||||
test('inverted keys', async () => {
|
||||
let keypair = await signature.gen_keypair()
|
||||
let data = new TextEncoder().encode("Message 123 !")
|
||||
|
||||
;(await signature.sign(keypair[1], data)).expect_err("Shouldn't sign the message with the wrong key")
|
||||
|
||||
const sig = (await signature.sign(keypair[0], data)).expect("Should sign the message")
|
||||
let verification = await signature.verify(keypair[0], data, sig)
|
||||
expect(verification).toBe(false)
|
||||
return inverted(keypair)
|
||||
})
|
||||
|
||||
test('tampered message', async () => {
|
||||
@@ -51,7 +66,8 @@ test('tampered signature', async () => {
|
||||
let data = new TextEncoder().encode("Message 123 !")
|
||||
|
||||
const sig = (await signature.sign(keypair[0], data)).expect("Should sign the message")
|
||||
let verification = await signature.verify(keypair[1], data, sig.slice(0, -1))
|
||||
sig[0] ^= 1
|
||||
let verification = await signature.verify(keypair[1], data, sig)
|
||||
|
||||
expect(verification).toBe(false)
|
||||
})
|
||||
|
||||
Reference in New Issue
Block a user