From 4fa8869f2487749a9f190cb3047f4f3e6d571f27 Mon Sep 17 00:00:00 2001
From: Luca Casonato <hello@lcas.dev>
Date: Wed, 7 Aug 2024 08:43:58 +0200
Subject: feat(ext/node): rewrite crypto keys (#24463)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This completely rewrites how we handle key material in ext/node. Changes
in this
PR:

- **Signing**
  - RSA
  - RSA-PSS 🆕
  - DSA 🆕
  - EC
  - ED25519 🆕
- **Verifying**
  - RSA
  - RSA-PSS 🆕
  - DSA 🆕
  - EC 🆕
  - ED25519 🆕
- **Private key import**
  - Passphrase encrypted private keys 🆕
  - RSA
    - PEM
    - DER (PKCS#1) 🆕
    - DER (PKCS#8) 🆕
  - RSA-PSS
    - PEM
    - DER (PKCS#1) 🆕
    - DER (PKCS#8) 🆕
  - DSA 🆕
  - EC
    - PEM
    - DER (SEC1) 🆕
    - DER (PKCS#8) 🆕
  - X25519 🆕
  - ED25519 🆕
  - DH
- **Public key import**
  - RSA
    - PEM
    - DER (PKCS#1) 🆕
    - DER (PKCS#8) 🆕
  - RSA-PSS 🆕
  - DSA 🆕
  - EC 🆕
  - X25519 🆕
  - ED25519 🆕
  - DH 🆕
- **Private key export**
  - RSA 🆕
  - DSA 🆕
  - EC 🆕
  - X25519 🆕
  - ED25519 🆕
  - DH 🆕
- **Public key export**
  - RSA
  - DSA 🆕
  - EC 🆕
  - X25519 🆕
  - ED25519 🆕
  - DH 🆕
- **Key pair generation**
  - Overhauled, but supported APIs unchanged

This PR adds a lot of new individual functionality. But most importantly
because
of the new key material representation, it is now trivial to add new
algorithms
(as shown by this PR).

Now, when adding a new algorithm, it is also widely supported - for
example
previously we supported ED25519 key pair generation, but we could not
import,
export, sign or verify with ED25519. We can now do all of those things.
---
 tests/unit_node/crypto/generate_keys.mjs | 147 +++++++++++++++++++++++++++++++
 1 file changed, 147 insertions(+)
 create mode 100644 tests/unit_node/crypto/generate_keys.mjs

(limited to 'tests/unit_node/crypto/generate_keys.mjs')

diff --git a/tests/unit_node/crypto/generate_keys.mjs b/tests/unit_node/crypto/generate_keys.mjs
new file mode 100644
index 000000000..8646fbcd1
--- /dev/null
+++ b/tests/unit_node/crypto/generate_keys.mjs
@@ -0,0 +1,147 @@
+import { writeFileSync } from "node:fs";
+import { join } from "node:path";
+import crypto from "node:crypto";
+import console from "node:console";
+
+const keyTypes = [
+  {
+    type: "rsa",
+    modulusLength: 2048,
+  },
+  {
+    type: "rsa",
+    modulusLength: 3072,
+  },
+  {
+    type: "rsa-pss",
+    modulusLength: 2048,
+  },
+  {
+    type: "rsa-pss",
+    modulusLength: 3072,
+  },
+  {
+    type: "rsa-pss",
+    modulusLength: 2048,
+    saltLength: 32,
+  },
+  {
+    type: "rsa-pss",
+    modulusLength: 2048,
+    hashAlgorithm: "sha512",
+  },
+  {
+    type: "dsa",
+    modulusLength: 2048,
+  },
+  {
+    type: "dsa",
+    modulusLength: 3072,
+  },
+  {
+    type: "ec",
+    namedCurve: "P-224",
+  },
+  {
+    type: "ec",
+    namedCurve: "P-256",
+  },
+  {
+    type: "ec",
+    namedCurve: "P-384",
+  },
+  {
+    type: "x25519",
+  },
+  {
+    type: "ed25519",
+  },
+  {
+    type: "dh",
+    group: "modp14",
+  },
+];
+
+const data = "Hello, World!";
+
+const entries = [];
+
+for (const keyType of keyTypes) {
+  console.log(keyType);
+  const { privateKey, publicKey } = crypto.generateKeyPairSync(keyType.type, {
+    modulusLength: keyType.modulusLength,
+    namedCurve: keyType.namedCurve,
+    group: keyType.group,
+    saltLength: keyType.saltLength,
+    hashAlgorithm: keyType.hashAlgorithm,
+  });
+
+  let name = keyType.type;
+  if (keyType.type === "rsa-pss") {
+    name += `_${keyType.modulusLength}_${keyType.saltLength ?? "nosalt"}_${
+      keyType.hashAlgorithm ?? "nohash"
+    }`;
+  } else if (keyType.type === "rsa" || keyType.type === "dsa") {
+    name += `_${keyType.modulusLength}`;
+  } else if (keyType.type === "ec") {
+    name += `_${keyType.namedCurve}`;
+  } else if (keyType.type === "dh") {
+    name += `_${keyType.group}`;
+  }
+
+  exportAndWrite(name, privateKey, "pem", "pkcs8");
+  exportAndWrite(name, privateKey, "der", "pkcs8");
+  exportAndWrite(name, publicKey, "pem", "spki");
+  exportAndWrite(name, publicKey, "der", "spki");
+
+  if (keyType.type === "rsa") {
+    exportAndWrite(name, privateKey, "pem", "pkcs1");
+    exportAndWrite(name, privateKey, "der", "pkcs1");
+    exportAndWrite(name, publicKey, "pem", "pkcs1");
+    exportAndWrite(name, publicKey, "der", "pkcs1");
+  }
+  if (keyType.type === "ec") {
+    exportAndWrite(name, privateKey, "pem", "sec1");
+    exportAndWrite(name, privateKey, "der", "sec1");
+  }
+
+  let signed;
+  if (keyType.type === "ed25519") {
+    signed = crypto
+      .sign(null, Buffer.from(data), privateKey)
+      .toString("base64");
+  } else if (keyType.type !== "x25519" && keyType.type !== "dh") {
+    console.log("signing", keyType.type);
+    signed = crypto
+      .createSign("sha512")
+      .update(data)
+      .sign(privateKey, "base64");
+  }
+
+  entries.push({
+    name,
+    keyType: keyType.type,
+    signed,
+  });
+}
+
+writeFileSync(
+  join("tests", "unit_node", "crypto", "testdata", "asymmetric.json"),
+  JSON.stringify(entries, null, 2),
+);
+
+function exportAndWrite(name, key, format, type) {
+  const pem = key.export({
+    format,
+    type,
+  });
+  const filename = join(
+    "tests",
+    "unit_node",
+    "crypto",
+    "testdata",
+    "asymmetric",
+    `${name}.${type}.${format}`,
+  );
+  writeFileSync(filename, pem);
+}
-- 
cgit v1.2.3