diff --git a/package.json b/package.json index bd12718..586242d 100644 --- a/package.json +++ b/package.json @@ -14,6 +14,7 @@ }, "dependencies": { + "@noble/ed25519": "^2.1.0", "jose": "^5.3.0", "log": "git+https://git.pband.ch/typescript/log.git", "misc": "git+https://git.pband.ch/typescript/misc.git", diff --git a/src/signature.ts b/src/signature.ts index 94cfbd0..9252e48 100644 --- a/src/signature.ts +++ b/src/signature.ts @@ -1,45 +1,59 @@ +import {PBKDF_parameters} from './pbkdf' + import {Result} from 'rust' import logger from 'log' +import * as ed from '@noble/ed25519' -export type PrivKey = CryptoKey -export type PubKey = CryptoKey +export type Signature = Uint8Array + +export type PrivKey = Uint8Array +export type PubKey = Uint8Array export type KeyPair = [PrivKey, PubKey] -const algorithm: EcdsaParams = { - name: "ECDSA", - hash: {name: "SHA-512"}, -} const log = logger('crypto:signature') /** * Create a new keypair for signing - * @param extractable if the keys must be extractable or not * @return [privkey, pubkey] keys */ -export async function gen_keypair(extractable: boolean = false) : Promise { +export async function gen_keypair() : Promise { log.trace('Generating keypair') - log.debug('Extractable :', extractable ? 'yes' : 'no') - let key = await window.crypto.subtle.generateKey( - { - name: "ECDSA", - namedCurve: "P-521" - } as EcKeyGenParams, - extractable, - ['sign', 'verify'] + const privkey = ed.utils.randomPrivateKey() + const pubkey = await ed.getPublicKeyAsync(privkey) + + return [privkey, pubkey] +} +export async function from_password(password: string, salt: Uint8Array) : Promise { + const keyMaterial = await window.crypto.subtle.importKey( + "raw", + new TextEncoder().encode(password), + "PBKDF2", + false, + ["deriveBits"], ) - return [key.privateKey, key.publicKey] + const privkey_buff = await window.crypto.subtle.deriveBits( + { + ...PBKDF_parameters, + salt, + }, + keyMaterial, + 256, + ) + + const privkey = new Uint8Array(privkey_buff) + const pubkey = await ed.getPublicKeyAsync(privkey) + + return [privkey, pubkey] } -export async function sign(privkey: PrivKey, message: Uint8Array) : Promise> { + +export async function sign(privkey: PrivKey, message: Uint8Array) : Promise> { log.trace('sign') try { - return Result.ok(await window.crypto.subtle.sign( - algorithm, - privkey, - message, - )) + const signature = await ed.signAsync(message, privkey) + return Result.ok(signature) } catch(e) { log.warn('Signature failed') log.debug(`Error : ${e}`) @@ -47,17 +61,11 @@ export async function sign(privkey: PrivKey, message: Uint8Array) : Promise { +export async function verify(pubkey: PubKey, message: Uint8Array, signature: Signature) : Promise { log.trace('Verify signature') try { - return await window.crypto.subtle.verify( - algorithm, - pubkey, - signature, - message - ); + return ed.verifyAsync(signature, message, pubkey) } catch (e) { log.warn('Verification failed') log.debug(`Error : ${e}`) diff --git a/test/boxes/private-wrap.test.ts b/test/boxes/private-wrap.test.ts index 17b4660..ce3b118 100644 --- a/test/boxes/private-wrap.test.ts +++ b/test/boxes/private-wrap.test.ts @@ -3,16 +3,11 @@ import {beforeAll, expect, test} from 'bun:test' import {PrivateWrap, type KeyPair} from 'boxes/private-wrap' import * as sym from 'boxes/symmetric' -import * as signature from 'signature' let k1!: KeyPair; let k2!: KeyPair; - let kw_sym!: sym.Key; -let kw_sig!: signature.KeyPair; - let kw_sym_non!: sym.Key; -let kw_sig_non!: signature.KeyPair; beforeAll(async () => { k1 = await PrivateWrap.gen_key(false) @@ -25,13 +20,9 @@ beforeAll(async () => { kw_sym = await sym.SecretBox.gen_key(true) expect(kw_sym.extractable).toBe(true) - kw_sig = await signature.gen_keypair(true) - expect(kw_sig[0].extractable).toBe(true) kw_sym_non = await sym.SecretBox.gen_key(false) expect(kw_sym_non.extractable).toBe(false) - kw_sig_non = await signature.gen_keypair(false) - expect(kw_sig_non[0].extractable).toBe(false) }) test('base case', async () => { @@ -42,10 +33,6 @@ test('base case', async () => { const sym = (await PrivateWrap.wrap(pub, kw_sym)).expect("Should wrap the sym key") const rsym = (await sym.unwrap(priv)).expect("Should unwrap the sym key") expect(rsym).toEqual(kw_sym) - - const sig = (await PrivateWrap.wrap(pub, kw_sig[0])).expect("Should wrap the signature key") - const rsig = (await sig.unwrap(priv)).expect("Should unwrap the signature key") - expect(rsig).toEqual(kw_sig[0]) }) test('toString and fromString and inverses', async () => { const [_priv, pub] = k1 @@ -54,11 +41,6 @@ test('toString and fromString and inverses', async () => { const sym_str = sym.toString() const rsym = (PrivateWrap.fromString(sym_str)).expect("Should parse the sym key") expect(rsym).toEqual(sym) - - const sig = (await PrivateWrap.wrap(pub, kw_sig[0])).expect("Should wrap the signature key") - const sig_str = sig.toString() - const rsig = (PrivateWrap.fromString(sig_str)).expect("Should parse the signature key") - expect(rsig).toEqual(sig) }) test("Can't wrap with private key", async () => { const [priv, _pub] = k1 @@ -82,5 +64,4 @@ test("Can't wrap if not extractable", async () => { const [_priv, pub] = k1 ;(await PrivateWrap.wrap(pub, kw_sym_non)).expect_err("Shouldn't wrap if not extractable") - ;(await PrivateWrap.wrap(pub, kw_sig_non[0])).expect_err("Shouldn't wrap if not extractable") }) diff --git a/test/boxes/secret-wrap.test.ts b/test/boxes/secret-wrap.test.ts index 07fd5d7..4364dcf 100644 --- a/test/boxes/secret-wrap.test.ts +++ b/test/boxes/secret-wrap.test.ts @@ -4,7 +4,6 @@ import {SecretWrap, type Key} from 'boxes/secret-wrap' import * as sym from 'boxes/symmetric' import * as asym from 'boxes/asymmetric' -import * as signature from 'signature' import * as pwrap from 'boxes/private-wrap' let k1!: Key; @@ -12,13 +11,11 @@ let k2!: Key; let kw_wrap!: sym.Key; let kw_sym!: sym.Key; -let kw_sig!: signature.KeyPair; let kw_asym!: asym.KeyPair; let kw_priv!: pwrap.KeyPair; let kw_wrap_non!: sym.Key; let kw_sym_non!: sym.Key; -let kw_sig_non!: signature.KeyPair; let kw_asym_non!: asym.KeyPair; let kw_priv_non!: pwrap.KeyPair; @@ -37,8 +34,6 @@ beforeAll(async () => { expect(kw_priv[0].extractable).toBe(true) kw_sym = await sym.SecretBox.gen_key(true) expect(kw_sym.extractable).toBe(true) - kw_sig = await signature.gen_keypair(true) - expect(kw_sig[0].extractable).toBe(true) kw_wrap_non = await sym.SecretBox.gen_key(false) expect(kw_wrap_non.extractable).toBe(false) @@ -48,8 +43,6 @@ beforeAll(async () => { expect(kw_priv_non[0].extractable).toBe(false) kw_sym_non = await sym.SecretBox.gen_key(false) expect(kw_sym_non.extractable).toBe(false) - kw_sig_non = await signature.gen_keypair(false) - expect(kw_sig_non[0].extractable).toBe(false) }) test('base case', async () => { @@ -64,7 +57,6 @@ test('base case', async () => { await testit(kw_asym[0]) await testit(kw_priv[0]) await testit(kw_sym) - await testit(kw_sig[0]) }) test("toString and fromString and inverses", async () => { const testit = async (key: CryptoKey) => { @@ -79,7 +71,6 @@ test("toString and fromString and inverses", async () => { await testit(kw_asym[0]) await testit(kw_priv[0]) await testit(kw_sym) - await testit(kw_sig[0]) }) test("Can't unwrap with wrong key", async () => { const wrapped = (await SecretWrap.wrap_key(k1, kw_wrap)).expect("Should wrap the key") @@ -90,7 +81,6 @@ test("Can't wrap if key is not extractable", async () => { ;(await SecretWrap.wrap_key(k1, kw_asym_non[0])).expect_err("Shouldn't wrap if key is not extractable") ;(await SecretWrap.wrap_key(k1, kw_priv_non[0])).expect_err("Shouldn't wrap if key is not extractable") ;(await SecretWrap.wrap_key(k1, kw_sym_non)).expect_err("Shouldn't wrap if key is not extractable") - ;(await SecretWrap.wrap_key(k1, kw_sig_non[0])).expect_err("Shouldn't wrap if key is not extractable") }) test("tampered IV", async () => { const wrapped = (await SecretWrap.wrap_key(k1, kw_wrap)).expect("Should wrap the key") diff --git a/test/signature.test.ts b/test/signature.test.ts index f80e84d..f755bab 100644 --- a/test/signature.test.ts +++ b/test/signature.test.ts @@ -2,25 +2,40 @@ import {test, expect} from 'bun:test' import {signature} from '../index' -test('base case', async () => { - let keypair = await signature.gen_keypair() +async function base_case(keypair: signature.KeyPair) { let data = new TextEncoder().encode("Message 123 !") const sig = (await signature.sign(keypair[0], data)).expect("Should sign the message") let verification = await signature.verify(keypair[1], data, sig) expect(verification).toBe(true) +} +async function inverted(keypair: signature.KeyPair) { + let data = new TextEncoder().encode("Message 123 !") + + const sig = (await signature.sign(keypair[1], data)).expect("Should sign the message") + let verification = await signature.verify(keypair[0], data, sig) + expect(verification).toBe(false) +} + +test('base case', async () => { + let keypair = await signature.gen_keypair() + return base_case(keypair) +}) + +test('base case with password', async () => { + let keypair = await signature.from_password("Yeet", new Uint8Array(16)) + return base_case(keypair) +}) + +test('inverted with password', async () => { + let keypair = await signature.from_password("Yeet", new Uint8Array(16)) + return inverted(keypair) }) test('inverted keys', async () => { let keypair = await signature.gen_keypair() - let data = new TextEncoder().encode("Message 123 !") - - ;(await signature.sign(keypair[1], data)).expect_err("Shouldn't sign the message with the wrong key") - - const sig = (await signature.sign(keypair[0], data)).expect("Should sign the message") - let verification = await signature.verify(keypair[0], data, sig) - expect(verification).toBe(false) + return inverted(keypair) }) test('tampered message', async () => { @@ -51,7 +66,8 @@ test('tampered signature', async () => { let data = new TextEncoder().encode("Message 123 !") const sig = (await signature.sign(keypair[0], data)).expect("Should sign the message") - let verification = await signature.verify(keypair[1], data, sig.slice(0, -1)) + sig[0] ^= 1 + let verification = await signature.verify(keypair[1], data, sig) expect(verification).toBe(false) })