From 5cc375bd5a8338205cc8786b106119008414761b Mon Sep 17 00:00:00 2001 From: Pascal Perrenoud Date: Tue, 11 Jun 2024 14:32:23 +0200 Subject: [PATCH] Allow to choose if extractable or not --- src/private-wrap.ts | 4 ++-- src/secret-box.ts | 4 ++-- src/secret-wrap.ts | 4 ++-- src/signature.ts | 4 ++-- test/kdf.test.ts | 2 ++ test/signature.test.ts | 16 ++++++++++++++++ 6 files changed, 26 insertions(+), 8 deletions(-) diff --git a/src/private-wrap.ts b/src/private-wrap.ts index 5352079..90ea112 100644 --- a/src/private-wrap.ts +++ b/src/private-wrap.ts @@ -17,11 +17,11 @@ export class PrivateWrap { private readonly pubkey: CryptoKey, ) {} - public static gen_keypair() : Promise { + public static gen_keypair(extractable : boolean = true) : Promise { log.trace("generate keypair") return crypto.subtle.generateKey( algorithm, - true, + extractable, ["deriveKey"], ) } diff --git a/src/secret-box.ts b/src/secret-box.ts index 3ceadfd..1d3b53d 100644 --- a/src/secret-box.ts +++ b/src/secret-box.ts @@ -9,14 +9,14 @@ export class SecretBox { private readonly cipher: Uint8Array, ) {} - public static gen_key() : Promise { + public static gen_key(extractable : boolean = true) : Promise { log.trace("generate key") return crypto.subtle.generateKey( { name: "AES-GCM", length: 256, }, - true, + extractable, ["encrypt", "decrypt"], ) } diff --git a/src/secret-wrap.ts b/src/secret-wrap.ts index 7f39aa5..0004bf9 100644 --- a/src/secret-wrap.ts +++ b/src/secret-wrap.ts @@ -12,14 +12,14 @@ export class SecretWrap { private readonly iv: Uint8Array, ) {} - public static gen_key() : Promise { + public static gen_key(extractable : boolean = true) : Promise { log.trace("generate key") return crypto.subtle.generateKey( { name: "AES-GCM", length: 256, }, - true, + extractable, ["wrapKey", "unwrapKey"], ) } diff --git a/src/signature.ts b/src/signature.ts index 6e0fadf..845d758 100644 --- a/src/signature.ts +++ b/src/signature.ts @@ -1,13 +1,13 @@ import logger from 'log' const log = logger('crypto:signature') -export async function gen_keypair() : Promise { +export async function gen_keypair(extractable : boolean = true) : Promise { return crypto.subtle.generateKey( { name: "ECDSA", namedCurve: "P-521", }, - true, + extractable, ["sign", "verify"] ) } diff --git a/test/kdf.test.ts b/test/kdf.test.ts index 0ab4b23..c9d95ad 100644 --- a/test/kdf.test.ts +++ b/test/kdf.test.ts @@ -74,7 +74,9 @@ describe('ECDH', () => { const k2 = await PrivateWrap.gen_keypair() const kd1 = await ecdh(k1.privateKey, k2.publicKey) + expect(kd1.extractable).toBe(false) const kd2 = await ecdh(k2.privateKey, k1.publicKey) + expect(kd2.extractable).toBe(false) expect(kd1).toEqual(kd2) }) diff --git a/test/signature.test.ts b/test/signature.test.ts index 89c316e..fcb56c2 100644 --- a/test/signature.test.ts +++ b/test/signature.test.ts @@ -5,6 +5,8 @@ import {derive_keypair, gen_keypair, sign, verify} from "../src/signature"; test('base case', async () => { const keypair = await gen_keypair() + expect(keypair.privateKey.extractable).toBeTrue() + expect(keypair.publicKey.extractable).toBeTrue() const data = new TextEncoder().encode("Message 123 !") const sig = await sign(data, keypair.privateKey) @@ -13,6 +15,20 @@ test('base case', async () => { expect(verification).toBe(true) }) +test('extractable or not', async () => { + const kp1 = await gen_keypair() + const kp2 = await gen_keypair(true) + const kp3 = await gen_keypair(false) + + expect(kp1.privateKey.extractable).toBeTrue() + expect(kp2.privateKey.extractable).toBeTrue() + expect(kp3.privateKey.extractable).toBeFalse() + + expect(kp1.publicKey.extractable).toBeTrue() + expect(kp2.publicKey.extractable).toBeTrue() + expect(kp3.publicKey.extractable).toBeTrue() +}) + test('inverted keys', async () => { const keypair = await signature.gen_keypair() const data = new TextEncoder().encode("Message 123 !")