@avieldr/react-native-rsa 1.0.0

package/src/index.ts

@@ -0,0 +1,305 @@
+import NativeRsa from './NativeRsa';
+import { getKeyInfo } from './keyInfo';
+import { utf8ToBase64 } from './encoding';
+import { DEFAULTS } from './constants';
+import {
+  requireString,
+  requirePrivateKey,
+  requirePublicKey,
+  validateKeySize,
+  validateEncryptionPadding,
+  validateSignaturePadding,
+  validateHash,
+  validateKeyFormat,
+  validateEncoding,
+  wrapNativeError,
+} from './errors';
+import type {
+  RSAKeyPair,
+  GenerateKeyPairOptions,
+  KeyFormat,
+  EncryptOptions,
+  DecryptOptions,
+  SignOptions,
+  VerifyOptions,
+} from './types';
+
+// Re-export all public types
+export type {
+  RSAKeyPair,
+  GenerateKeyPairOptions,
+  RSAKeyInfo,
+  KeyFormat,
+  EncryptOptions,
+  DecryptOptions,
+  SignOptions,
+  VerifyOptions,
+  EncryptionPadding,
+  SignaturePadding,
+  HashAlgorithm,
+  InputEncoding,
+} from './types';
+
+// Re-export error class, error code type, and utilities that consumers may need
+export { RsaError, type RsaErrorCode } from './errors';
+export { getKeyInfo } from './keyInfo';
+export { utf8ToBase64, base64ToUtf8 } from './encoding';
+
+// --- Key Generation ---
+
+/**
+ * Generate an RSA key pair (public + private) using native platform crypto.
+ *
+ * @param keySize RSA key size in bits. Default: 2048. Supported: 1024, 2048, 4096.
+ * @param options Optional configuration (format: 'pkcs1' | 'pkcs8')
+ * @returns Object with publicKey and privateKey in PEM format
+ * @throws {RsaError} INVALID_KEY_SIZE if keySize is not 1024, 2048, or 4096
+ * @throws {RsaError} INVALID_FORMAT if options.format is not 'pkcs1' or 'pkcs8'
+ * @throws {RsaError} KEY_GENERATION_FAILED if native key generation fails
+ */
+async function generateKeyPair(
+  keySize: number = 2048,
+  options?: GenerateKeyPairOptions
+): Promise<RSAKeyPair> {
+  validateKeySize(keySize);
+  const format = options?.format ?? DEFAULTS.KEY_FORMAT;
+  validateKeyFormat(format);
+
+  try {
+    return await NativeRsa.generateKeyPair(keySize, format);
+  } catch (error) {
+    throw wrapNativeError(error, 'KEY_GENERATION_FAILED');
+  }
+}
+
+/**
+ * Extract the public key from an RSA private key PEM string.
+ *
+ * @param privateKeyPEM RSA private key in PEM format (PKCS#1 or PKCS#8)
+ * @returns Public key in PEM format (SPKI/X.509)
+ * @throws {RsaError} INVALID_INPUT if privateKeyPEM is empty
+ * @throws {RsaError} INVALID_KEY if privateKeyPEM is not a valid private key
+ * @throws {RsaError} KEY_EXTRACTION_FAILED if native operation fails
+ */
+async function getPublicKeyFromPrivate(
+  privateKeyPEM: string
+): Promise<string> {
+  requirePrivateKey(privateKeyPEM);
+
+  try {
+    return await NativeRsa.getPublicKeyFromPrivate(privateKeyPEM);
+  } catch (error) {
+    throw wrapNativeError(error, 'KEY_EXTRACTION_FAILED');
+  }
+}
+
+// --- Encrypt / Decrypt ---
+
+/**
+ * Encrypt plaintext with an RSA public key.
+ *
+ * The input string is UTF-8 encoded to base64 by default before sending to native.
+ * Set `options.encoding = 'base64'` if the input is already base64-encoded binary.
+ *
+ * @param data         The plaintext to encrypt (UTF-8 string or base64, depending on encoding option)
+ * @param publicKeyPEM The public key in SPKI PEM format
+ * @param options      Padding, hash, and encoding options (defaults: oaep, sha256, utf8)
+ * @returns Base64-encoded ciphertext
+ * @throws {RsaError} INVALID_INPUT if data or publicKeyPEM is empty
+ * @throws {RsaError} INVALID_KEY if publicKeyPEM is not a valid public key
+ * @throws {RsaError} INVALID_PADDING if options.padding is invalid
+ * @throws {RsaError} INVALID_HASH if options.hash is invalid
+ * @throws {RsaError} INVALID_ENCODING if options.encoding is invalid
+ * @throws {RsaError} ENCRYPTION_FAILED if native encryption fails
+ */
+async function encrypt(
+  data: string,
+  publicKeyPEM: string,
+  options?: EncryptOptions
+): Promise<string> {
+  requireString(data, 'data');
+  requirePublicKey(publicKeyPEM);
+
+  const padding = options?.padding ?? DEFAULTS.ENCRYPTION_PADDING;
+  const hash = options?.hash ?? DEFAULTS.HASH;
+  const encoding = options?.encoding ?? DEFAULTS.ENCODING;
+
+  validateEncryptionPadding(padding);
+  validateHash(hash);
+  validateEncoding(encoding);
+
+  // Convert UTF-8 text to base64 for the native bridge; pass through if already base64
+  const dataBase64 = encoding === 'utf8' ? utf8ToBase64(data) : data;
+
+  try {
+    return await NativeRsa.encrypt(dataBase64, publicKeyPEM, padding, hash);
+  } catch (error) {
+    throw wrapNativeError(error, 'ENCRYPTION_FAILED');
+  }
+}
+
+/**
+ * Decrypt ciphertext with an RSA private key.
+ *
+ * Always returns base64-encoded plaintext. If the original data was UTF-8 text,
+ * use `base64ToUtf8()` to decode the result.
+ *
+ * @param encrypted    Base64-encoded ciphertext (from encrypt())
+ * @param privateKeyPEM The private key in PEM format (PKCS#1 or PKCS#8)
+ * @param options      Padding and hash options — must match what was used for encryption
+ * @returns Base64-encoded decrypted plaintext
+ * @throws {RsaError} INVALID_INPUT if encrypted or privateKeyPEM is empty
+ * @throws {RsaError} INVALID_KEY if privateKeyPEM is not a valid private key
+ * @throws {RsaError} INVALID_PADDING if options.padding is invalid
+ * @throws {RsaError} INVALID_HASH if options.hash is invalid
+ * @throws {RsaError} DECRYPTION_FAILED if native decryption fails
+ */
+async function decrypt(
+  encrypted: string,
+  privateKeyPEM: string,
+  options?: DecryptOptions
+): Promise<string> {
+  requireString(encrypted, 'encrypted');
+  requirePrivateKey(privateKeyPEM);
+
+  const padding = options?.padding ?? DEFAULTS.ENCRYPTION_PADDING;
+  const hash = options?.hash ?? DEFAULTS.HASH;
+
+  validateEncryptionPadding(padding);
+  validateHash(hash);
+
+  try {
+    return await NativeRsa.decrypt(encrypted, privateKeyPEM, padding, hash);
+  } catch (error) {
+    throw wrapNativeError(error, 'DECRYPTION_FAILED');
+  }
+}
+
+// --- Sign / Verify ---
+
+/**
+ * Sign data with an RSA private key.
+ *
+ * The input string is UTF-8 encoded to base64 by default before sending to native.
+ * Set `options.encoding = 'base64'` if the input is already base64-encoded binary.
+ *
+ * @param data         The data to sign (UTF-8 string or base64, depending on encoding option)
+ * @param privateKeyPEM The private key in PEM format (PKCS#1 or PKCS#8)
+ * @param options      Padding, hash, and encoding options (defaults: pss, sha256, utf8)
+ * @returns Base64-encoded signature
+ * @throws {RsaError} INVALID_INPUT if data or privateKeyPEM is empty
+ * @throws {RsaError} INVALID_KEY if privateKeyPEM is not a valid private key
+ * @throws {RsaError} INVALID_PADDING if options.padding is invalid
+ * @throws {RsaError} INVALID_HASH if options.hash is invalid
+ * @throws {RsaError} INVALID_ENCODING if options.encoding is invalid
+ * @throws {RsaError} SIGNING_FAILED if native signing fails
+ */
+async function sign(
+  data: string,
+  privateKeyPEM: string,
+  options?: SignOptions
+): Promise<string> {
+  requireString(data, 'data');
+  requirePrivateKey(privateKeyPEM);
+
+  const padding = options?.padding ?? DEFAULTS.SIGNATURE_PADDING;
+  const hash = options?.hash ?? DEFAULTS.HASH;
+  const encoding = options?.encoding ?? DEFAULTS.ENCODING;
+
+  validateSignaturePadding(padding);
+  validateHash(hash);
+  validateEncoding(encoding);
+
+  const dataBase64 = encoding === 'utf8' ? utf8ToBase64(data) : data;
+
+  try {
+    return await NativeRsa.sign(dataBase64, privateKeyPEM, padding, hash);
+  } catch (error) {
+    throw wrapNativeError(error, 'SIGNING_FAILED');
+  }
+}
+
+/**
+ * Verify a signature against data using an RSA public key.
+ *
+ * The input string encoding must match what was used during signing.
+ *
+ * @param data         The original data that was signed
+ * @param signature    Base64-encoded signature (from sign())
+ * @param publicKeyPEM The public key in SPKI PEM format
+ * @param options      Padding, hash, and encoding options — must match signing options
+ * @returns true if the signature is valid, false otherwise
+ * @throws {RsaError} INVALID_INPUT if data, signature, or publicKeyPEM is empty
+ * @throws {RsaError} INVALID_KEY if publicKeyPEM is not a valid public key
+ * @throws {RsaError} INVALID_PADDING if options.padding is invalid
+ * @throws {RsaError} INVALID_HASH if options.hash is invalid
+ * @throws {RsaError} INVALID_ENCODING if options.encoding is invalid
+ * @throws {RsaError} VERIFICATION_FAILED if native verification fails
+ */
+async function verify(
+  data: string,
+  signature: string,
+  publicKeyPEM: string,
+  options?: VerifyOptions
+): Promise<boolean> {
+  requireString(data, 'data');
+  requireString(signature, 'signature');
+  requirePublicKey(publicKeyPEM);
+
+  const padding = options?.padding ?? DEFAULTS.SIGNATURE_PADDING;
+  const hash = options?.hash ?? DEFAULTS.HASH;
+  const encoding = options?.encoding ?? DEFAULTS.ENCODING;
+
+  validateSignaturePadding(padding);
+  validateHash(hash);
+  validateEncoding(encoding);
+
+  const dataBase64 = encoding === 'utf8' ? utf8ToBase64(data) : data;
+
+  try {
+    return await NativeRsa.verify(dataBase64, signature, publicKeyPEM, padding, hash);
+  } catch (error) {
+    throw wrapNativeError(error, 'VERIFICATION_FAILED');
+  }
+}
+
+// --- Key Format Conversion ---
+
+/**
+ * Convert a private key PEM between PKCS#1 and PKCS#8 formats.
+ *
+ * @param pem          The private key in PEM format
+ * @param targetFormat 'pkcs1' or 'pkcs8'
+ * @returns The private key re-encoded in the target format
+ * @throws {RsaError} INVALID_INPUT if pem is empty
+ * @throws {RsaError} INVALID_KEY if pem is not a valid private key
+ * @throws {RsaError} INVALID_FORMAT if targetFormat is invalid
+ * @throws {RsaError} KEY_CONVERSION_FAILED if native conversion fails
+ */
+async function convertPrivateKey(
+  pem: string,
+  targetFormat: KeyFormat
+): Promise<string> {
+  requirePrivateKey(pem);
+  validateKeyFormat(targetFormat);
+
+  try {
+    return await NativeRsa.convertPrivateKey(pem, targetFormat);
+  } catch (error) {
+    throw wrapNativeError(error, 'KEY_CONVERSION_FAILED');
+  }
+}
+
+// --- Default Export ---
+
+const RSA = {
+  generateKeyPair,
+  getPublicKeyFromPrivate,
+  getKeyInfo,
+  encrypt,
+  decrypt,
+  sign,
+  verify,
+  convertPrivateKey,
+};
+export default RSA;

package/src/keyInfo.ts

@@ -0,0 +1,334 @@
+import type { RSAKeyInfo } from './types';
+
+const PEM_HEADERS = {
+  pkcs1Private: '-----BEGIN RSA PRIVATE KEY-----',
+  pkcs1PrivateEnd: '-----END RSA PRIVATE KEY-----',
+  pkcs8Private: '-----BEGIN PRIVATE KEY-----',
+  pkcs8PrivateEnd: '-----END PRIVATE KEY-----',
+  public: '-----BEGIN PUBLIC KEY-----',
+  publicEnd: '-----END PUBLIC KEY-----',
+};
+
+function parseASN1Length(
+  bytes: Uint8Array,
+  offset: number
+): { length: number | null; bytesRead: number } {
+  if (offset >= bytes.length) {
+    return { length: null, bytesRead: 0 };
+  }
+  const firstByte = bytes[offset]!;
+  if (firstByte < 128) {
+    return { length: firstByte, bytesRead: 1 };
+  }
+  const numLengthBytes = firstByte & 0x7f;
+  if (numLengthBytes === 0 || offset + numLengthBytes >= bytes.length) {
+    return { length: null, bytesRead: 0 };
+  }
+  let length = 0;
+  for (let i = 0; i < numLengthBytes; i++) {
+    length = (length << 8) | bytes[offset + 1 + i]!;
+  }
+  return { length, bytesRead: 1 + numLengthBytes };
+}
+
+function validatePKCS1Structure(derBytes: Uint8Array): string[] {
+  const errors: string[] = [];
+  let offset = 0;
+
+  if (derBytes[offset] !== 0x30) {
+    errors.push(
+      `Expected SEQUENCE tag (0x30), got 0x${derBytes[offset]?.toString(16)}`
+    );
+    return errors;
+  }
+  offset++;
+
+  const { length: seqLength, bytesRead } = parseASN1Length(derBytes, offset);
+  offset += bytesRead;
+
+  if (seqLength === null) {
+    errors.push('Invalid SEQUENCE length encoding');
+    return errors;
+  }
+
+  let integerCount = 0;
+  let tempOffset = offset;
+  const endOffset = offset + seqLength;
+
+  while (tempOffset < endOffset && tempOffset < derBytes.length) {
+    if (derBytes[tempOffset] !== 0x02) {
+      errors.push(
+        `Expected INTEGER tag (0x02) at position ${tempOffset}, got 0x${derBytes[tempOffset]?.toString(16)}`
+      );
+      break;
+    }
+    tempOffset++;
+    const { length: intLength, bytesRead: intBytesRead } = parseASN1Length(
+      derBytes,
+      tempOffset
+    );
+    if (intLength === null) {
+      errors.push('Invalid INTEGER length encoding');
+      break;
+    }
+    tempOffset += intBytesRead + intLength;
+    integerCount++;
+  }
+
+  if (integerCount !== 9) {
+    errors.push(
+      `Expected 9 INTEGER fields for PKCS#1, found ${integerCount}`
+    );
+  }
+  return errors;
+}
+
+function validatePKCS8Structure(derBytes: Uint8Array): string[] {
+  const errors: string[] = [];
+  let offset = 0;
+
+  // Outer SEQUENCE
+  if (derBytes[offset] !== 0x30) {
+    errors.push(
+      `Expected SEQUENCE tag (0x30), got 0x${derBytes[offset]?.toString(16)}`
+    );
+    return errors;
+  }
+  offset++;
+  const { length: seqLength, bytesRead } = parseASN1Length(derBytes, offset);
+  offset += bytesRead;
+  if (seqLength === null) {
+    errors.push('Invalid SEQUENCE length encoding');
+    return errors;
+  }
+
+  const endOffset = offset + seqLength;
+
+  // version INTEGER (should be 0)
+  if (offset >= endOffset || derBytes[offset] !== 0x02) {
+    errors.push(
+      `Expected INTEGER tag (0x02) for version, got 0x${derBytes[offset]?.toString(16)}`
+    );
+    return errors;
+  }
+  offset++;
+  const { length: verLen, bytesRead: verBytesRead } = parseASN1Length(
+    derBytes,
+    offset
+  );
+  if (verLen === null) {
+    errors.push('Invalid version INTEGER length');
+    return errors;
+  }
+  offset += verBytesRead + verLen;
+
+  // AlgorithmIdentifier SEQUENCE
+  if (offset >= endOffset || derBytes[offset] !== 0x30) {
+    errors.push(
+      `Expected SEQUENCE tag (0x30) for AlgorithmIdentifier, got 0x${derBytes[offset]?.toString(16)}`
+    );
+    return errors;
+  }
+  offset++;
+  const { length: algLen, bytesRead: algBytesRead } = parseASN1Length(
+    derBytes,
+    offset
+  );
+  if (algLen === null) {
+    errors.push('Invalid AlgorithmIdentifier length');
+    return errors;
+  }
+  offset += algBytesRead + algLen;
+
+  // privateKey OCTET STRING
+  if (offset >= endOffset || derBytes[offset] !== 0x04) {
+    errors.push(
+      `Expected OCTET STRING tag (0x04) for privateKey, got 0x${derBytes[offset]?.toString(16)}`
+    );
+    return errors;
+  }
+
+  return errors;
+}
+
+function validateSPKIStructure(derBytes: Uint8Array): string[] {
+  const errors: string[] = [];
+  let offset = 0;
+
+  // Outer SEQUENCE
+  if (derBytes[offset] !== 0x30) {
+    errors.push(
+      `Expected SEQUENCE tag (0x30), got 0x${derBytes[offset]?.toString(16)}`
+    );
+    return errors;
+  }
+  offset++;
+  const { length: seqLength, bytesRead } = parseASN1Length(derBytes, offset);
+  offset += bytesRead;
+  if (seqLength === null) {
+    errors.push('Invalid SEQUENCE length encoding');
+    return errors;
+  }
+
+  const endOffset = offset + seqLength;
+
+  // AlgorithmIdentifier SEQUENCE
+  if (offset >= endOffset || derBytes[offset] !== 0x30) {
+    errors.push(
+      `Expected SEQUENCE tag (0x30) for AlgorithmIdentifier, got 0x${derBytes[offset]?.toString(16)}`
+    );
+    return errors;
+  }
+  offset++;
+  const { length: algLen, bytesRead: algBytesRead } = parseASN1Length(
+    derBytes,
+    offset
+  );
+  if (algLen === null) {
+    errors.push('Invalid AlgorithmIdentifier length');
+    return errors;
+  }
+  offset += algBytesRead + algLen;
+
+  // subjectPublicKey BIT STRING
+  if (offset >= endOffset || derBytes[offset] !== 0x03) {
+    errors.push(
+      `Expected BIT STRING tag (0x03) for subjectPublicKey, got 0x${derBytes[offset]?.toString(16)}`
+    );
+    return errors;
+  }
+
+  return errors;
+}
+
+// Minimal base64 decoder (no external deps)
+const BASE64_CHARS =
+  'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/';
+
+function base64Decode(input: string): Uint8Array {
+  const cleaned = input.replace(/[^A-Za-z0-9+/=]/g, '');
+  const len = cleaned.length;
+  const byteLen = (len * 3) / 4 - (cleaned.endsWith('==') ? 2 : cleaned.endsWith('=') ? 1 : 0);
+  const bytes = new Uint8Array(byteLen);
+  let p = 0;
+
+  for (let i = 0; i < len; i += 4) {
+    const a = BASE64_CHARS.indexOf(cleaned[i]!);
+    const b = BASE64_CHARS.indexOf(cleaned[i + 1]!);
+    const c = cleaned[i + 2] === '=' ? 0 : BASE64_CHARS.indexOf(cleaned[i + 2]!);
+    const d = cleaned[i + 3] === '=' ? 0 : BASE64_CHARS.indexOf(cleaned[i + 3]!);
+
+    const bits = (a << 18) | (b << 12) | (c << 6) | d;
+
+    if (p < byteLen) bytes[p++] = (bits >> 16) & 0xff;
+    if (p < byteLen) bytes[p++] = (bits >> 8) & 0xff;
+    if (p < byteLen) bytes[p++] = bits & 0xff;
+  }
+  return bytes;
+}
+
+/**
+ * Analyze an RSA key PEM string and return metadata about it.
+ * Runs entirely in JS — no native bridge call needed.
+ */
+export function getKeyInfo(keyString: string): RSAKeyInfo {
+  const errors: string[] = [];
+  let format: RSAKeyInfo['format'] = 'unknown';
+  let keyType: RSAKeyInfo['keyType'] = 'unknown';
+  let base64Content = '';
+  let base64Lines: string[] = [];
+
+  if (
+    keyString.includes(PEM_HEADERS.pkcs1Private) &&
+    keyString.includes(PEM_HEADERS.pkcs1PrivateEnd)
+  ) {
+    format = 'pkcs1';
+    keyType = 'private';
+    const start =
+      keyString.indexOf(PEM_HEADERS.pkcs1Private) +
+      PEM_HEADERS.pkcs1Private.length;
+    const end = keyString.indexOf(PEM_HEADERS.pkcs1PrivateEnd);
+    const raw = keyString.substring(start, end).trim();
+    base64Lines = raw
+      .split('\n')
+      .map((l) => l.trim())
+      .filter((l) => l.length > 0);
+    base64Content = raw.replace(/\s/g, '');
+  } else if (
+    keyString.includes(PEM_HEADERS.pkcs8Private) &&
+    keyString.includes(PEM_HEADERS.pkcs8PrivateEnd)
+  ) {
+    format = 'pkcs8';
+    keyType = 'private';
+    const start =
+      keyString.indexOf(PEM_HEADERS.pkcs8Private) +
+      PEM_HEADERS.pkcs8Private.length;
+    const end = keyString.indexOf(PEM_HEADERS.pkcs8PrivateEnd);
+    const raw = keyString.substring(start, end).trim();
+    base64Lines = raw
+      .split('\n')
+      .map((l) => l.trim())
+      .filter((l) => l.length > 0);
+    base64Content = raw.replace(/\s/g, '');
+  } else if (
+    keyString.includes(PEM_HEADERS.public) &&
+    keyString.includes(PEM_HEADERS.publicEnd)
+  ) {
+    format = 'public';
+    keyType = 'public';
+    const start =
+      keyString.indexOf(PEM_HEADERS.public) + PEM_HEADERS.public.length;
+    const end = keyString.indexOf(PEM_HEADERS.publicEnd);
+    const raw = keyString.substring(start, end).trim();
+    base64Lines = raw
+      .split('\n')
+      .map((l) => l.trim())
+      .filter((l) => l.length > 0);
+    base64Content = raw.replace(/\s/g, '');
+  } else {
+    errors.push('Missing or invalid PEM headers');
+  }
+
+  // Validate line formatting (PEM standard: 64 chars per line)
+  if (base64Lines.length > 0) {
+    for (let i = 0; i < base64Lines.length - 1; i++) {
+      if (base64Lines[i]!.length !== 64) {
+        errors.push(
+          `Line ${i + 1} has ${base64Lines[i]!.length} chars, expected 64`
+        );
+        break;
+      }
+    }
+    const lastLine = base64Lines[base64Lines.length - 1]!;
+    if (lastLine.length > 64) {
+      errors.push(`Last line has ${lastLine.length} chars, expected <= 64`);
+    }
+  }
+
+  // Decode and validate structure
+  let derBytes: Uint8Array | null = null;
+  if (base64Content.length > 0) {
+    try {
+      derBytes = base64Decode(base64Content);
+    } catch {
+      errors.push('Invalid base64 encoding');
+    }
+  }
+
+  if (derBytes && format === 'pkcs1') {
+    errors.push(...validatePKCS1Structure(derBytes));
+  } else if (derBytes && format === 'pkcs8') {
+    errors.push(...validatePKCS8Structure(derBytes));
+  } else if (derBytes && format === 'public') {
+    errors.push(...validateSPKIStructure(derBytes));
+  }
+
+  return {
+    isValid: errors.length === 0,
+    format,
+    keyType,
+    pemLineCount: base64Lines.length,
+    derByteLength: derBytes?.length ?? 0,
+    errors,
+  };
+}