Merge pull request #19 from mrkvon/ES256

Add ES256 algorithm

Author: bourgeoa

src/algorithms/ECDSA.js

@@ -0,0 +1,129 @@
+'use strict'
+
+/**
+ * Dependencies
+ * @ignore
+ */
+const base64url = require('base64url')
+const crypto = require('isomorphic-webcrypto')
+const TextEncoder = require('../text-encoder')
+
+/**
+ * ECDSA with SHA-2 Functions and P Curves
+ */
+class ECDSA {
+
+  /**
+   * Constructor
+   *
+   * @param {string} bitlength
+   */
+  constructor (params) {
+    this.params = params
+  }
+
+  /**
+   * Sign
+   *
+   * @description
+   * Generate a hash-based message authentication code for a
+   * given input and key. Enforce the key length is equal to
+   * or greater than the bitlength.
+   *
+   * @param {CryptoKey} key
+   * @param {string} data
+   *
+   * @returns {string}
+   */
+  sign (key, data) {
+    let algorithm = this.params
+
+    // TODO: validate key length
+
+    data = new TextEncoder().encode(data)
+
+    return crypto.subtle
+      .sign(algorithm, key, data)
+      .then(signature => base64url(Buffer.from(signature)))
+  }
+
+  /**
+   * Verify
+   *
+   * @description
+   * Verify a digital signature for a given input and private key.
+   *
+   * @param {CryptoKey} key
+   * @param {string} signature
+   * @param {string} data
+   *
+   * @returns {Boolean}
+   */
+  verify (key, signature, data) {
+    let algorithm = this.params
+
+    if (typeof signature === 'string') {
+      signature = Uint8Array.from(base64url.toBuffer(signature))
+    }
+
+    if (typeof data === 'string') {
+      data = new TextEncoder().encode(data)
+    }
+
+    return crypto.subtle.verify(algorithm, key, signature, data)
+  }
+
+  /**
+   * Assert Sufficient Key Length
+   *
+   * @description Assert that the key length is sufficient
+   * @param {string} key
+   */
+  assertSufficientKeyLength (key) {
+    if (key.length < this.bitlength) {
+      throw new Error('The key is too short.')
+    }
+  }
+
+  /**
+   * importKey
+   * copied from ./RSASSA-PKCS1-v1_5.js, and it works!
+   *
+   * @param {JWK} key
+   * @returns {Promise}
+   */
+  async importKey (key) {
+    let jwk = Object.assign({}, key)
+    let algorithm = this.params
+    let usages = key['key_ops'] || []
+
+    if (key.use === 'sig') {
+      usages.push('verify')
+    }
+
+    if (key.use === 'enc') {
+      // TODO: handle encryption keys
+      return Promise.resolve(key)
+    }
+
+    if (key.key_ops) {
+      usages = key.key_ops
+    }
+
+    return crypto.subtle
+      .importKey('jwk', jwk, algorithm, true, usages)
+      .then(cryptoKey => {
+        Object.defineProperty(jwk, 'cryptoKey', {
+          enumerable: false,
+          value: cryptoKey
+        })
+
+        return jwk
+      })
+  }
+}
+
+/**
+ * Export
+ */
+module.exports = ECDSA

src/algorithms/index.js

@@ -4,6 +4,7 @@
 const None = require('./NONE')
 const HMAC = require('./HMAC')
 const RSASSA_PKCS1_v1_5 = require('./RSASSA-PKCS1-v1_5')
+const ECDSA = require('./ECDSA')
 const SupportedAlgorithms = require('./SupportedAlgorithms')
 
 /**
@@ -55,7 +56,14 @@ supportedAlgorithms.define('RS512', 'sign', new RSASSA_PKCS1_v1_5({
     name: 'SHA-512'
   }
 }))
-//supportedAlgorithms.define('ES256', 'sign', {})
+
+supportedAlgorithms.define('ES256', 'sign', new ECDSA({
+  name: 'ECDSA',
+  hash: {
+    name: 'SHA-256'
+  },
+  namedCurve: 'P-256'
+}))
 //supportedAlgorithms.define('ES384', 'sign', {})
 //supportedAlgorithms.define('ES512', 'sign', {})
 //supportedAlgorithms.define('PS256', 'sign', {})
@@ -110,7 +118,14 @@ supportedAlgorithms.define('RS512', 'verify', new RSASSA_PKCS1_v1_5({
     name: 'SHA-512'
   }
 }))
-//supportedAlgorithms.define('ES256', 'verify', {})
+
+supportedAlgorithms.define('ES256', 'verify', new ECDSA({
+  name: 'ECDSA',
+  hash: {
+    name: 'SHA-256'
+  },
+  namedCurve: 'P-256'
+}))
 //supportedAlgorithms.define('ES384', 'verify', {})
 //supportedAlgorithms.define('ES512', 'verify', {})
 //supportedAlgorithms.define('PS256', 'verify', {})
@@ -142,6 +157,14 @@ supportedAlgorithms.define('RS512', 'importKey', new RSASSA_PKCS1_v1_5({
   }
 }))
 
+supportedAlgorithms.define('ES256', 'importKey', new ECDSA({
+  name: 'ECDSA',
+  hash: {
+    name: 'SHA-256'
+  },
+  namedCurve: 'P-256'
+}))
+
 /**
  * Export
  */

test/algorithms/ECDSASpec.js

@@ -0,0 +1,139 @@
+'use strict'
+
+/**
+ * Test dependencies
+ */
+const chai = require('chai')
+
+/**
+ * Assertions
+ */
+chai.should()
+let expect = chai.expect
+
+/**
+ * Code under test
+ */
+const ECDSA = require('../../src/algorithms/ECDSA')
+const {TextEncoder} = require('@sinonjs/text-encoding')
+const crypto = require('isomorphic-webcrypto')
+const base64url = require('base64url')
+const { getPublicKey, getPrivateKey } = require('../keys/ES256')
+const { should } = require('chai')
+
+/**
+ * Reused test constants
+ */
+const alg = { name: 'ECDSA', hash: { name: 'SHA-256' }, namedCurve: "P-256" }
+
+const data = 'signed with Chrome generated webcrypto key'
+
+/**
+ * Tests
+ */
+describe('ECDSA', () => {
+
+  /**
+   * constructor
+   */
+  describe('constructor', () => {
+    it('should set params', () => {
+      let alg = { name: 'ECDSA' }
+      let ecdsa = new ECDSA(alg)
+      ecdsa.params.should.equal(alg)
+    })
+  })
+
+  /**
+   * sign
+   */
+  describe('sign', () => {
+    let importedEcdsaPrivateKey, importedEcdsaPublicKey
+
+    before(async () => {
+      importedEcdsaPrivateKey = await getPrivateKey()
+      importedEcdsaPublicKey = await getPublicKey()
+    })
+
+    it('should return a promise', () => {
+      let ecdsa = new ECDSA(alg)
+      return ecdsa.sign(importedEcdsaPrivateKey, data).should.be.instanceof(Promise)
+    })
+
+    it('should reject an insufficient key length')
+
+    it('should resolve a base64url encoded value and verification should pass', async () => {
+      const ecdsa = new ECDSA(alg)
+      const signature = await ecdsa.sign(importedEcdsaPrivateKey, data)
+
+      // this will fail if signature is anything but base64 string
+      expect(base64url(base64url.toBuffer(signature))).to.equal(signature)
+
+      // ECDSA is non-deterministic. Therefore we test that the generated signature gets verified with crypto library
+      const verified = await crypto.subtle.verify(
+        {
+          name: 'ECDSA',
+          hash: { name: 'SHA-256' },
+          namedCurve: "P-256"
+        },
+        importedEcdsaPublicKey,
+        base64url.toBuffer(signature),
+        new TextEncoder().encode(data)
+      )
+
+      verified.should.eql(true)
+    })
+  })
+
+  /**
+   * verify
+   */
+  describe('verify', () => {
+    let importedEcdsaPublicKey, signature
+
+    before(async () => {
+      /**
+       * This signature was produced in Chromium
+       * deails can be found in comments of ../keys/ES256.js
+       */
+      signature = 'AUNkOnr//z999flIoTMebaf5EQC56WVQizK3GXW/u4EOQBvs9CtvfgWi0pQ3bi0k8p357ajtNvN/dJ1Vr8gbYg=='
+
+      importedEcdsaPublicKey = await getPublicKey()
+    })
+
+    it('should return a promise', () => {
+      let ecdsa = new ECDSA(alg)
+      ecdsa.verify(importedEcdsaPublicKey, signature, data).should.be.instanceof(Promise)
+    })
+
+    it('should resolve to true', async () => {
+      const ecdsa = new ECDSA(alg)
+      const verified = await ecdsa.verify(importedEcdsaPublicKey, signature, data)
+      expect(verified).to.equal(true)
+    })
+  })
+
+  /**
+   * importKey
+   */
+  describe('importKey', () => {
+    let exampleJwkPublicKey
+
+    before(() => {
+      exampleJwkPublicKey = {
+        crv: 'P-256',
+        kty: 'EC',
+        x: '-c0_z0ly3xRDR0XQuvIirfgal59hq7BzF9ObdUXrgmI',
+        y: '_7QdnDYKrkrkYaCqZko0ebDQ1L1RpHLtzg8YwdT79n8',
+        alg: 'ES256'
+      }
+    })
+
+    it('should successfully import public jwk key', async () => {
+      const ecdsa = new ECDSA(alg)
+      const key = await ecdsa.importKey(exampleJwkPublicKey)
+      key.cryptoKey.constructor.name.should.equal('CryptoKey')
+    })
+  })
+})
+