2.0.0 (#3)

* rewrite * testing worklflow * sprcify version * config stuff * add hash as buffer * delete docs * use typedarray everywhere and docs * readme * aes * cleanup * rsa * testing with playwright * fix playwright * readme * docs * update deps * use headless * add prepublish * build pipeline * move types up * move types up * add types legacy * packaging * versions bump * cleanup * maybe this time * drop support for commonjs * version bump * cleanup
2026-04-02 15:35:26 +00:00 · 2022-10-18 15:53:43 +02:00
parent f1f5e44b54
commit 56a8103582
58 changed files with 2701 additions and 4705 deletions
--- a/src/crypto/aes.ts
+++ b/src/crypto/aes.ts
@@ -0,0 +1,144 @@
+import { type TypedArray } from '../utils/base.js'
+import { getCrypto } from './crypto.js'
+import { Base64, Bytes } from './encoding.js'
+import { Hashes } from './hash.js'
+import { getRandomBytes } from './random.js'
+
+const Params = {
+  GCM: {
+    ivLength: 12,
+    tagLength: 128,
+  },
+}
+
+export type KeyData = {
+  name: 'PBKDF2'
+  hash: Hashes
+  iterations: number
+  salt: TypedArray
+  length: number
+}
+
+/**
+ * AES operation modes.
+ */
+export enum Modes {
+  AES_GCM = 'AES-GCM',
+}
+
+export class AES {
+  static Modes = Modes
+
+  private static delimiter = '--' // delimiter with a character that is not allowed in base64 or hex
+  private static delimiterEasy = '---'
+
+  private static InvalidCiphertext = new Error('Invalid ciphertext')
+
+  private static async join(...args: TypedArray[]): Promise<string> {
+    const strings = await Promise.all(args.map(Base64.encode))
+    return strings.join(AES.delimiter)
+  }
+
+  private static async split(ciphertext: string): Promise<TypedArray[]> {
+    const splitted = ciphertext.split(AES.delimiter)
+    return Promise.all(splitted.map(Base64.decode))
+  }
+
+  /**
+   * Derive a key from a password.
+   * To be used if the password is not 128, 192 or 256 bits or human made, non generated keys.
+   */
+  static async derive(key: string, options?: KeyData): Promise<[TypedArray, KeyData]> {
+    options ??= {
+      name: 'PBKDF2',
+      hash: Hashes.SHA_512,
+      iterations: 100_000,
+      length: 256,
+      salt: await getRandomBytes(16),
+    }
+    const c = await getCrypto()
+    const keyBuffer = await c.subtle.importKey('raw', Bytes.encode(key), options.name, false, [
+      'deriveBits',
+      'deriveKey',
+    ])
+    const bits = await c.subtle.deriveBits(options, keyBuffer, options.length)
+    return [new Uint8Array(bits), options]
+  }
+
+  static async encrypt(data: TypedArray, key: TypedArray, mode: Modes = Modes.AES_GCM): Promise<string> {
+    const c = await getCrypto()
+
+    let iv: Uint8Array
+    let alg: AlgorithmIdentifier
+
+    switch (mode) {
+      case Modes.AES_GCM:
+        iv = c.getRandomValues(new Uint8Array(Params.GCM.ivLength))
+        alg = mode
+        break
+      default:
+        throw new Error('Unsupported mode')
+    }
+
+    const keyObj = await c.subtle.importKey('raw', key, alg, false, ['encrypt'])
+    const encrypted = await c.subtle.encrypt({ name: alg, iv }, keyObj, data)
+    const encryptedBuffer = new Uint8Array(encrypted)
+
+    return AES.join(Bytes.encode(alg), iv, encryptedBuffer)
+  }
+
+  static async decrypt(ciphertext: string, key: TypedArray): Promise<TypedArray> {
+    const c = await getCrypto()
+
+    const [alg, iv, data] = await AES.split(ciphertext)
+    if (!alg || !iv || !data) throw this.InvalidCiphertext
+
+    const mode = Bytes.decode(alg)
+    switch (mode) {
+      case Modes.AES_GCM:
+        break
+      default:
+        throw new Error('Unsupported mode')
+    }
+
+    const keyObj = await c.subtle.importKey('raw', key, mode, false, ['decrypt'])
+    const decrypted = await c.subtle.decrypt({ name: mode, iv }, keyObj, data)
+    return new Uint8Array(decrypted)
+  }
+
+  static async encryptEasy(data: string | TypedArray, key: string, mode: Modes = Modes.AES_GCM): Promise<string> {
+    const dataBuffer = typeof data === 'string' ? Bytes.encode(data) : data
+    const [keyDerived, options] = await AES.derive(key)
+
+    const ciphertext = await this.encrypt(dataBuffer, keyDerived, mode)
+    const header = await this.join(
+      Bytes.encode(options.name),
+      Bytes.encode(options.hash),
+      Bytes.encode(options.iterations.toString()),
+      options.salt,
+      Bytes.encode(options.length.toString())
+    )
+
+    return [header, ciphertext].join(this.delimiterEasy)
+  }
+
+  static async decryptEasy(ciphertext: string, key: string): Promise<string> {
+    const [header, data] = ciphertext.split(this.delimiterEasy)
+    if (!header || !data) throw this.InvalidCiphertext
+    const [name, hash, iterations, salt, length] = await this.split(header)
+    if (!name || !hash || !iterations || !salt || !length) throw this.InvalidCiphertext
+
+    const options: KeyData = {
+      name: Bytes.decode(name) as any,
+      hash: Bytes.decode(hash) as any,
+      iterations: parseInt(Bytes.decode(iterations)),
+      salt,
+      length: parseInt(Bytes.decode(length)),
+    }
+    if (isNaN(options.iterations) || isNaN(options.length)) throw this.InvalidCiphertext
+
+    const [keyDerived] = await AES.derive(key, options)
+    const decrypted = await this.decrypt(data, keyDerived)
+    return Bytes.decode(decrypted)
+  }
+}
--- a/src/crypto/crypto.ts
+++ b/src/crypto/crypto.ts
@@ -0,0 +1,20 @@
+import { isBrowser } from '../utils/base.js'
+
+let crypto: typeof window.crypto | null = null
+
+export async function getCrypto(): Promise<typeof window.crypto> {
+  if (!crypto) {
+    if (isBrowser) crypto = window.crypto
+    else if (typeof require !== 'undefined') {
+      const { webcrypto } = await require('crypto')
+      crypto = webcrypto
+    } else {
+      // @ts-ignore
+      const { webcrypto } = await import('crypto')
+      crypto = webcrypto as any
+    }
+  }
+
+  if (!crypto) throw new Error('No crypto available')
+  return crypto
+}
--- a/src/crypto/encoding.ts
+++ b/src/crypto/encoding.ts
@@ -0,0 +1,83 @@
+import { split, type TypedArray } from '../utils/base.js'
+
+export class Base64 {
+  private static prefix = 'data:application/octet-stream;base64,'
+
+  static encode(s: TypedArray): Promise<string> {
+    return split({
+      async node() {
+        return Buffer.from(s).toString('base64')
+      },
+      async browser() {
+        return new Promise((resolve, reject) => {
+          const reader = new FileReader()
+          reader.onload = function (event) {
+            const data = event.target?.result
+            if (typeof data === 'string') resolve(data.slice(Base64.prefix.length))
+            else reject(new Error('Failed to read file'))
+          }
+          reader.readAsDataURL(new Blob([s]))
+        })
+      },
+    })
+  }
+
+  static decode(s: string): Promise<TypedArray> {
+    return split({
+      async node() {
+        return Buffer.from(s, 'base64')
+      },
+      async browser() {
+        const ab = await fetch(Base64.prefix + s)
+          .then((r) => r.blob())
+          .then((b) => b.arrayBuffer())
+        return new Uint8Array(ab)
+      },
+    })
+  }
+}
+
+export class Hex {
+  static encode(buffer: TypedArray): string {
+    let s = ''
+    for (const i of new Uint8Array(buffer)) {
+      s += i.toString(16).padStart(2, '0')
+    }
+    return s
+  }
+
+  static decode(s: string): TypedArray {
+    const size = s.length / 2
+    const buffer = new Uint8Array(size)
+    for (let i = 0; i < size; i++) {
+      const idx = i * 2
+      const segment = s.slice(idx, idx + 2)
+      buffer[i] = parseInt(segment, 16)
+    }
+    return buffer
+  }
+}
+
+export class Bytes {
+  static decode(data: TypedArray): string {
+    return split({
+      node() {
+        return Buffer.from(data).toString('utf-8')
+      },
+      browser() {
+        return new TextDecoder().decode(data)
+      },
+    })
+  }
+
+  static encode(data: string): TypedArray {
+    return split({
+      node() {
+        return Buffer.from(data)
+      },
+      browser() {
+        return new TextEncoder().encode(data)
+      },
+    })
+  }
+}
--- a/src/crypto/hash.ts
+++ b/src/crypto/hash.ts
@@ -0,0 +1,32 @@
+import { type TypedArray } from '../utils/base.js'
+import { getCrypto } from './crypto.js'
+import { Bytes, Hex } from './encoding.js'
+
+/**
+ * List of available hash functions.
+ *
+ * @remarks
+ * For cryptographic details refer to: https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/digest#supported_algorithms
+ * Reference: https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf
+ */
+export enum Hashes {
+  /**
+   * @remarks SHA-1 is not recommended for new applications as it's not cryptographically secure.
+   */
+  SHA_1 = 'SHA-1',
+  SHA_256 = 'SHA-256',
+  SHA_384 = 'SHA-384',
+  SHA_512 = 'SHA-512',
+}
+
+export class Hash {
+  static async hash(data: string, hash: Hashes): Promise<string>
+  static async hash(data: TypedArray, hash: Hashes): Promise<TypedArray>
+  static async hash(data: string | TypedArray, hash: Hashes): Promise<string | TypedArray> {
+    const isString = typeof data === 'string'
+    const c = await getCrypto()
+    const result = await c.subtle.digest(hash, isString ? Bytes.encode(data) : data)
+    const buf = new Uint8Array(result)
+    return isString ? Hex.encode(buf) : buf
+  }
+}
--- a/src/crypto/random.ts
+++ b/src/crypto/random.ts
@@ -0,0 +1,11 @@
+import { type TypedArray } from '../utils/base.js'
+import { getCrypto } from './crypto.js'
+
+export async function getRandomBytes(bytes: number): Promise<TypedArray> {
+  if (bytes <= 0) throw new Error('Invalid number of bytes')
+
+  const buffer = new Uint8Array(bytes)
+  const crypto = await getCrypto()
+  crypto.getRandomValues(buffer)
+  return buffer
+}
--- a/src/crypto/rsa.ts
+++ b/src/crypto/rsa.ts
@@ -0,0 +1,137 @@
+import type { TypedArray } from '../utils/base.js'
+import { getCrypto } from './crypto.js'
+import { Base64 } from './encoding.js'
+
+const Constants = Object.freeze({
+  name: 'RSA-OAEP',
+  hash: 'SHA-512',
+  exponent: new Uint8Array([1, 0, 1]),
+  error: {
+    invalidKey: new Error('invalid key'),
+    shouldBePublicKey: new Error('should be a public key'),
+    shouldBePrivateKey: new Error('should be a private key'),
+    dataTooLong: new Error('data too long'),
+  },
+})
+
+class Key {
+  /**
+   * Exports a key to a PEM string.
+   */
+  static async encode(key: CryptoKey): Promise<string> {
+    const c = await getCrypto()
+
+    let type: 'pkcs8' | 'spki'
+    let label: string
+    switch (key.type) {
+      case 'private':
+        type = 'pkcs8'
+        label = 'PRIVATE'
+        break
+      case 'public':
+        type = 'spki'
+        label = 'PUBLIC'
+        break
+
+      default:
+        throw new Error('invalid key type')
+    }
+    const exported = await c.subtle.exportKey(type, key)
+
+    // Export in PEM format
+    const base64 = await Base64.encode(new Uint8Array(exported))
+    const formatted = base64.match(/.{1,64}/g)?.join('\n')
+    return `-----BEGIN ${label} KEY-----\n${formatted}\n-----END ${label} KEY-----`
+  }
+
+  static async decode(s: string): Promise<CryptoKey> {
+    const isPrivate = s.includes('BEGIN PRIVATE KEY')
+    const cleaned = s.replace(/-----.*?-----/g, '').replace(/\s/g, '')
+    const bytes = await Base64.decode(cleaned)
+    const c = await getCrypto()
+    return await c.subtle.importKey(
+      isPrivate ? 'pkcs8' : 'spki',
+      bytes,
+      {
+        name: Constants.name,
+        hash: Constants.hash,
+      },
+      true,
+      isPrivate ? ['decrypt'] : ['encrypt']
+    )
+  }
+
+  /**
+   * Get max size of payload to be encrypted.
+   * The size depends on the key size and the hash function used.
+   * https://www.rfc-editor.org/rfc/rfc2437#section-7.1.1
+   */
+  static getMaxMessageSize(key: CryptoKey): number {
+    if (key.type !== 'public') throw Constants.error.shouldBePublicKey
+    // @ts-ignore
+    const mod = key?.algorithm?.modulusLength
+    if (isNaN(mod)) throw Constants.error.invalidKey
+    return mod / 8 - (2 * 512) / 8 - 2
+  }
+}
+
+export class RSA {
+  static async generateKeyPair(bits: number = 2 ** 12): Promise<{ private: string; public: string }> {
+    const c = await getCrypto()
+
+    if (bits < 2 ** 11) {
+      throw new Error('bit sizes below 2048 are considered insecure.')
+    }
+
+    const pair = await c.subtle.generateKey(
+      {
+        name: Constants.name,
+        modulusLength: bits,
+        publicExponent: Constants.exponent,
+        hash: Constants.hash,
+      },
+      true,
+      ['encrypt', 'decrypt']
+    )
+
+    return {
+      private: await Key.encode(pair.privateKey),
+      public: await Key.encode(pair.publicKey),
+    }
+  }
+
+  static async encrypt(data: TypedArray, key: string): Promise<TypedArray> {
+    let keyObj: CryptoKey
+    try {
+      keyObj = await Key.decode(key)
+    } catch (e) {
+      throw Constants.error.invalidKey
+    }
+    if (keyObj.type !== 'public') {
+      throw Constants.error.shouldBePublicKey
+    }
+
+    // Check if data is too large
+    if (data.length > Key.getMaxMessageSize(keyObj)) throw Constants.error.dataTooLong
+
+    const c = await getCrypto()
+    const encrypted = await c.subtle.encrypt({ name: Constants.name }, keyObj, data)
+    return new Uint8Array(encrypted)
+  }
+
+  static async decrypt(data: TypedArray, key: string): Promise<TypedArray> {
+    let keyObj: CryptoKey
+    try {
+      keyObj = await Key.decode(key)
+    } catch (e) {
+      throw Constants.error.invalidKey
+    }
+    if (keyObj.type !== 'private') {
+      throw Constants.error.shouldBePrivateKey
+    }
+
+    const c = await getCrypto()
+    const decrypted = await c.subtle.decrypt({ name: Constants.name }, keyObj, data)
+    return new Uint8Array(decrypted)
+  }
+}