pkcs1.js 8.2 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276
  1. /**
  2. * Partial implementation of PKCS#1 v2.2: RSA-OEAP
  3. *
  4. * Modified but based on the following MIT and BSD licensed code:
  5. *
  6. * https://github.com/kjur/jsjws/blob/master/rsa.js:
  7. *
  8. * The 'jsjws'(JSON Web Signature JavaScript Library) License
  9. *
  10. * Copyright (c) 2012 Kenji Urushima
  11. *
  12. * Permission is hereby granted, free of charge, to any person obtaining a copy
  13. * of this software and associated documentation files (the "Software"), to deal
  14. * in the Software without restriction, including without limitation the rights
  15. * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
  16. * copies of the Software, and to permit persons to whom the Software is
  17. * furnished to do so, subject to the following conditions:
  18. *
  19. * The above copyright notice and this permission notice shall be included in
  20. * all copies or substantial portions of the Software.
  21. *
  22. * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
  23. * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
  24. * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
  25. * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
  26. * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
  27. * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
  28. * THE SOFTWARE.
  29. *
  30. * http://webrsa.cvs.sourceforge.net/viewvc/webrsa/Client/RSAES-OAEP.js?content-type=text%2Fplain:
  31. *
  32. * RSAES-OAEP.js
  33. * $Id: RSAES-OAEP.js,v 1.1.1.1 2003/03/19 15:37:20 ellispritchard Exp $
  34. * JavaScript Implementation of PKCS #1 v2.1 RSA CRYPTOGRAPHY STANDARD (RSA Laboratories, June 14, 2002)
  35. * Copyright (C) Ellis Pritchard, Guardian Unlimited 2003.
  36. * Contact: ellis@nukinetics.com
  37. * Distributed under the BSD License.
  38. *
  39. * Official documentation: http://www.rsa.com/rsalabs/node.asp?id=2125
  40. *
  41. * @author Evan Jones (http://evanjones.ca/)
  42. * @author Dave Longley
  43. *
  44. * Copyright (c) 2013-2014 Digital Bazaar, Inc.
  45. */
  46. var forge = require('./forge');
  47. require('./util');
  48. require('./random');
  49. require('./sha1');
  50. // shortcut for PKCS#1 API
  51. var pkcs1 = module.exports = forge.pkcs1 = forge.pkcs1 || {};
  52. /**
  53. * Encode the given RSAES-OAEP message (M) using key, with optional label (L)
  54. * and seed.
  55. *
  56. * This method does not perform RSA encryption, it only encodes the message
  57. * using RSAES-OAEP.
  58. *
  59. * @param key the RSA key to use.
  60. * @param message the message to encode.
  61. * @param options the options to use:
  62. * label an optional label to use.
  63. * seed the seed to use.
  64. * md the message digest object to use, undefined for SHA-1.
  65. * mgf1 optional mgf1 parameters:
  66. * md the message digest object to use for MGF1.
  67. *
  68. * @return the encoded message bytes.
  69. */
  70. pkcs1.encode_rsa_oaep = function(key, message, options) {
  71. // parse arguments
  72. var label;
  73. var seed;
  74. var md;
  75. var mgf1Md;
  76. // legacy args (label, seed, md)
  77. if(typeof options === 'string') {
  78. label = options;
  79. seed = arguments[3] || undefined;
  80. md = arguments[4] || undefined;
  81. } else if(options) {
  82. label = options.label || undefined;
  83. seed = options.seed || undefined;
  84. md = options.md || undefined;
  85. if(options.mgf1 && options.mgf1.md) {
  86. mgf1Md = options.mgf1.md;
  87. }
  88. }
  89. // default OAEP to SHA-1 message digest
  90. if(!md) {
  91. md = forge.md.sha1.create();
  92. } else {
  93. md.start();
  94. }
  95. // default MGF-1 to same as OAEP
  96. if(!mgf1Md) {
  97. mgf1Md = md;
  98. }
  99. // compute length in bytes and check output
  100. var keyLength = Math.ceil(key.n.bitLength() / 8);
  101. var maxLength = keyLength - 2 * md.digestLength - 2;
  102. if(message.length > maxLength) {
  103. var error = new Error('RSAES-OAEP input message length is too long.');
  104. error.length = message.length;
  105. error.maxLength = maxLength;
  106. throw error;
  107. }
  108. if(!label) {
  109. label = '';
  110. }
  111. md.update(label, 'raw');
  112. var lHash = md.digest();
  113. var PS = '';
  114. var PS_length = maxLength - message.length;
  115. for(var i = 0; i < PS_length; i++) {
  116. PS += '\x00';
  117. }
  118. var DB = lHash.getBytes() + PS + '\x01' + message;
  119. if(!seed) {
  120. seed = forge.random.getBytes(md.digestLength);
  121. } else if(seed.length !== md.digestLength) {
  122. var error = new Error('Invalid RSAES-OAEP seed. The seed length must ' +
  123. 'match the digest length.');
  124. error.seedLength = seed.length;
  125. error.digestLength = md.digestLength;
  126. throw error;
  127. }
  128. var dbMask = rsa_mgf1(seed, keyLength - md.digestLength - 1, mgf1Md);
  129. var maskedDB = forge.util.xorBytes(DB, dbMask, DB.length);
  130. var seedMask = rsa_mgf1(maskedDB, md.digestLength, mgf1Md);
  131. var maskedSeed = forge.util.xorBytes(seed, seedMask, seed.length);
  132. // return encoded message
  133. return '\x00' + maskedSeed + maskedDB;
  134. };
  135. /**
  136. * Decode the given RSAES-OAEP encoded message (EM) using key, with optional
  137. * label (L).
  138. *
  139. * This method does not perform RSA decryption, it only decodes the message
  140. * using RSAES-OAEP.
  141. *
  142. * @param key the RSA key to use.
  143. * @param em the encoded message to decode.
  144. * @param options the options to use:
  145. * label an optional label to use.
  146. * md the message digest object to use for OAEP, undefined for SHA-1.
  147. * mgf1 optional mgf1 parameters:
  148. * md the message digest object to use for MGF1.
  149. *
  150. * @return the decoded message bytes.
  151. */
  152. pkcs1.decode_rsa_oaep = function(key, em, options) {
  153. // parse args
  154. var label;
  155. var md;
  156. var mgf1Md;
  157. // legacy args
  158. if(typeof options === 'string') {
  159. label = options;
  160. md = arguments[3] || undefined;
  161. } else if(options) {
  162. label = options.label || undefined;
  163. md = options.md || undefined;
  164. if(options.mgf1 && options.mgf1.md) {
  165. mgf1Md = options.mgf1.md;
  166. }
  167. }
  168. // compute length in bytes
  169. var keyLength = Math.ceil(key.n.bitLength() / 8);
  170. if(em.length !== keyLength) {
  171. var error = new Error('RSAES-OAEP encoded message length is invalid.');
  172. error.length = em.length;
  173. error.expectedLength = keyLength;
  174. throw error;
  175. }
  176. // default OAEP to SHA-1 message digest
  177. if(md === undefined) {
  178. md = forge.md.sha1.create();
  179. } else {
  180. md.start();
  181. }
  182. // default MGF-1 to same as OAEP
  183. if(!mgf1Md) {
  184. mgf1Md = md;
  185. }
  186. if(keyLength < 2 * md.digestLength + 2) {
  187. throw new Error('RSAES-OAEP key is too short for the hash function.');
  188. }
  189. if(!label) {
  190. label = '';
  191. }
  192. md.update(label, 'raw');
  193. var lHash = md.digest().getBytes();
  194. // split the message into its parts
  195. var y = em.charAt(0);
  196. var maskedSeed = em.substring(1, md.digestLength + 1);
  197. var maskedDB = em.substring(1 + md.digestLength);
  198. var seedMask = rsa_mgf1(maskedDB, md.digestLength, mgf1Md);
  199. var seed = forge.util.xorBytes(maskedSeed, seedMask, maskedSeed.length);
  200. var dbMask = rsa_mgf1(seed, keyLength - md.digestLength - 1, mgf1Md);
  201. var db = forge.util.xorBytes(maskedDB, dbMask, maskedDB.length);
  202. var lHashPrime = db.substring(0, md.digestLength);
  203. // constant time check that all values match what is expected
  204. var error = (y !== '\x00');
  205. // constant time check lHash vs lHashPrime
  206. for(var i = 0; i < md.digestLength; ++i) {
  207. error |= (lHash.charAt(i) !== lHashPrime.charAt(i));
  208. }
  209. // "constant time" find the 0x1 byte separating the padding (zeros) from the
  210. // message
  211. // TODO: It must be possible to do this in a better/smarter way?
  212. var in_ps = 1;
  213. var index = md.digestLength;
  214. for(var j = md.digestLength; j < db.length; j++) {
  215. var code = db.charCodeAt(j);
  216. var is_0 = (code & 0x1) ^ 0x1;
  217. // non-zero if not 0 or 1 in the ps section
  218. var error_mask = in_ps ? 0xfffe : 0x0000;
  219. error |= (code & error_mask);
  220. // latch in_ps to zero after we find 0x1
  221. in_ps = in_ps & is_0;
  222. index += in_ps;
  223. }
  224. if(error || db.charCodeAt(index) !== 0x1) {
  225. throw new Error('Invalid RSAES-OAEP padding.');
  226. }
  227. return db.substring(index + 1);
  228. };
  229. function rsa_mgf1(seed, maskLength, hash) {
  230. // default to SHA-1 message digest
  231. if(!hash) {
  232. hash = forge.md.sha1.create();
  233. }
  234. var t = '';
  235. var count = Math.ceil(maskLength / hash.digestLength);
  236. for(var i = 0; i < count; ++i) {
  237. var c = String.fromCharCode(
  238. (i >> 24) & 0xFF, (i >> 16) & 0xFF, (i >> 8) & 0xFF, i & 0xFF);
  239. hash.start();
  240. hash.update(seed + c);
  241. t += hash.digest().getBytes();
  242. }
  243. return t.substring(0, maskLength);
  244. }