@hg-ts/rsa 0.7.25 → 0.7.26

package/src/X25519/x25519.test.ts

@@ -0,0 +1,150 @@
+import { NotImplementedException } from '@hg-ts/exception';
+import {
+	Describe,
+	expect,
+	ExpectException,
+	Suite,
+	Test,
+} from '@hg-ts/tests';
+import { z } from '@hg-ts/validation';
+import sodium from 'libsodium-wrappers';
+
+import { InvalidDecryptionKeyExpection } from '../exceptions/index.js';
+import { X25519KeyPair } from './key-pair.js';
+import { X25519PrivateKey } from './private-key.js';
+import { X25519PublicKey } from './public-key.js';
+
+@Describe()
+export class X25519Test extends Suite {
+	@Test()
+	public async encryption(): Promise<void> {
+		const bob = new X25519KeyPair();
+		const alice = new X25519KeyPair();
+		const value = Math.random().toString();
+
+		const encrypted = alice.encrypt(value, bob.publicKeyInstance);
+
+		expect(bob.decrypt(encrypted.toString('base64'), alice.publicKeyInstance)).toBe(value);
+	}
+	@Test()
+	public async duplicateEncryptionDifferences(): Promise<void> {
+		const alice = new X25519KeyPair();
+		const bob = new X25519KeyPair();
+		const value = Math.random().toString();
+
+		const encryptedA = alice.publicKeyInstance.encrypt(value, bob.privateKeyInstance);
+		const encryptedB = alice.publicKeyInstance.encrypt(value, bob.privateKeyInstance);
+
+		expect(encryptedA).not.toMatchObject(encryptedB);
+		expect(alice.decrypt(encryptedA, bob.publicKeyInstance)).toBe(value);
+		expect(alice.decrypt(encryptedB, bob.publicKeyInstance)).toBe(value);
+	}
+
+	@Test()
+	@ExpectException(InvalidDecryptionKeyExpection)
+	public async encryptionFailsForAnotherRecipient(): Promise<void> {
+		const bob = new X25519KeyPair();
+		const alice = new X25519KeyPair();
+		const anotherRecipient = new X25519KeyPair();
+		const value = Math.random().toString();
+
+		const encrypted = alice.encrypt(value, bob.publicKeyInstance);
+
+		anotherRecipient.decrypt(encrypted, alice.publicKeyInstance);
+	}
+
+	@Test()
+	public async encryptionBuffer(): Promise<void> {
+		const bob = new X25519KeyPair();
+		const alice = new X25519KeyPair();
+		const value = Buffer.from(Math.random().toString(), 'utf8');
+
+		const encrypted = alice.encrypt(value, bob.publicKeyInstance);
+
+		expect(Buffer.from(bob.decrypt(encrypted, alice.publicKeyInstance))).toMatchObject(value);
+	}
+
+	@Test()
+	@ExpectException(NotImplementedException)
+	public async signature(): Promise<void> {
+		const x25519 = new X25519KeyPair();
+		const value = Math.random().toString();
+
+		x25519.sign(value);
+	}
+
+	@Test()
+	@ExpectException(NotImplementedException)
+	public async verify(): Promise<void> {
+		const x25519 = new X25519KeyPair();
+		const value = Math.random().toString();
+
+		x25519.verify(Buffer.from(value), value);
+	}
+
+	@Test()
+	public async keyPairFromPrivateKeyString(): Promise<void> {
+		const x25519 = new X25519KeyPair();
+
+		const keyPairFromKey = new X25519KeyPair({ privateKey: x25519.privateKey });
+
+		expect(keyPairFromKey.privateKey).toBe(x25519.privateKey);
+		expect(keyPairFromKey.publicKey).toBe(x25519.publicKey);
+	}
+
+	@Test()
+	public async seededWithNonScalarBytesLength(): Promise<void> {
+		const seed = Math.random().toString();
+		const x25519A = new X25519KeyPair({ seed });
+		const x25519B = new X25519KeyPair({ seed });
+
+		expect(Buffer.from(seed, 'utf8').length !== sodium.crypto_scalarmult_SCALARBYTES).toBeTruthy();
+		expect(x25519A.privateKey).toBe(x25519B.privateKey);
+		expect(x25519A.publicKey).toBe(x25519B.publicKey);
+	}
+
+	@Test()
+	public async seededWithScalarBytesLength(): Promise<void> {
+		const seed = 'a'.repeat(sodium.crypto_scalarmult_SCALARBYTES);
+		const x25519A = new X25519KeyPair({ seed });
+		const x25519B = new X25519KeyPair({ seed });
+
+		expect(Buffer.from(seed, 'utf8').length).toBe(sodium.crypto_scalarmult_SCALARBYTES);
+		expect(x25519A.privateKey).toBe(Buffer.from(seed, 'utf8').toString('base64'));
+		expect(x25519A.privateKey).toBe(x25519B.privateKey);
+		expect(x25519A.publicKey).toBe(x25519B.publicKey);
+	}
+
+	@Test()
+	public async privateKeyFromString(): Promise<void> {
+		const x25519 = new X25519KeyPair();
+		const privateKey = X25519PrivateKey.fromString(x25519.privateKey);
+
+		expect(privateKey.toString()).toBe(x25519.privateKey);
+	}
+
+	@Test()
+	public async publicKeyFromString(): Promise<void> {
+		const x25519 = new X25519KeyPair();
+		const publicKey = X25519PublicKey.fromString(x25519.publicKey);
+
+		expect(publicKey.toString()).toBe(x25519.publicKey);
+	}
+
+	@Test()
+	public async publicKeyValidationValid(): Promise<void> {
+		const x25519 = new X25519KeyPair();
+
+		X25519PublicKey.schema.parse(x25519.publicKey);
+	}
+
+	@Test()
+	@ExpectException(z.ZodError)
+	public async publicKeyValidationFails(): Promise<void> {
+		X25519PublicKey.schema.parse('{}');
+	}
+
+	public override async setUp(): Promise<void> {
+		await sodium.ready;
+	}
+}

package/src/base/index.ts

@@ -0,0 +1,4 @@
+export * from './key.js';
+export * from './private-key.js';
+export * from './public-key.js';
+export * from './key-pair.js';

package/src/base/key-pair.ts

@@ -0,0 +1,75 @@
+import {
+	BasePrivateKey,
+	StaticPrivateKey,
+} from './private-key.js';
+import { BasePublicKey } from './public-key.js';
+
+export type NewKeyPairOptions = {
+	seed?: string;
+	bits?: number;
+};
+
+export type KeyPairOptions<TPrivateKey extends BasePrivateKey> = NewKeyPairOptions & {
+	privateKey?: TPrivateKey | string;
+};
+
+export type KeyPairResult<
+	TPrivateKey extends BasePrivateKey<unknown, TPublicKey>,
+	TPublicKey extends BasePublicKey,
+> = {
+	privateKey: TPrivateKey;
+	publicKey: TPublicKey;
+};
+
+export abstract class BaseKeyPair<
+	TPrivateKey extends BasePrivateKey<unknown, TPublicKey>,
+	TPublicKey extends BasePublicKey,
+	TOptions extends KeyPairOptions<TPrivateKey> = KeyPairOptions<TPrivateKey>,
+> {
+	public readonly privateKeyInstance: TPrivateKey;
+	public readonly publicKeyInstance: TPublicKey;
+
+	protected constructor(options: TOptions, privateKeyCtor: StaticPrivateKey<TPrivateKey>) {
+		const keyPair = this.generateKeys(options, privateKeyCtor);
+
+		this.privateKeyInstance = keyPair.privateKey;
+		this.publicKeyInstance = keyPair.publicKey;
+	}
+
+	public abstract encrypt(value: string | Buffer, ...additionalArguments: unknown[]): Buffer;
+
+	public abstract decrypt(value: string | Buffer, ...additionalArguments: unknown[]): string;
+
+	public abstract sign(value: string): Buffer;
+
+	public abstract verify(signature: string | Buffer, value: string): boolean;
+
+	public get publicKey(): string {
+		return this.publicKeyInstance.toString();
+	}
+
+	public get privateKey(): string {
+		return this.privateKeyInstance.toString();
+	}
+
+	protected generateKeys(
+		options: TOptions,
+		privateKeyCtor: StaticPrivateKey<TPrivateKey>,
+	): KeyPairResult<TPrivateKey, TPublicKey> {
+		const { privateKey, ...newKeyOptions } = options;
+
+		if (privateKey) {
+			const copyPrivateKey = typeof privateKey === 'string'
+				? privateKeyCtor.fromString(privateKey)
+				: privateKey;
+
+			return {
+				privateKey: copyPrivateKey,
+				publicKey: copyPrivateKey.toPublicKey(),
+			};
+		}
+
+		return this.generateNewKeys(newKeyOptions as NewKeyPairOptions);
+	}
+	protected abstract generateNewKeys(options: NewKeyPairOptions): KeyPairResult<TPrivateKey, TPublicKey>;
+}

package/src/base/key.ts

@@ -0,0 +1,13 @@
+export abstract class BaseKey<TKey = unknown> {
+	protected readonly key: TKey;
+
+	public constructor(key: TKey) {
+		this.key = key;
+	}
+
+	public get nativeKey(): TKey {
+		return this.key;
+	}
+
+	public abstract toString(): string;
+}

package/src/base/private-key.ts

@@ -0,0 +1,17 @@
+import { BaseKey } from './key.js';
+import { BasePublicKey } from './public-key.js';
+
+export type StaticPrivateKey<T extends BasePrivateKey> = Class<T, any[]> & {
+	fromString(privateKey: string): T;
+}
+
+export abstract class BasePrivateKey<
+	TNativeKey = unknown,
+	TPublicKey extends BasePublicKey = BasePublicKey,
+> extends BaseKey<TNativeKey> {
+	public abstract decrypt(encrypted: string | Buffer, ...additionalArguments: unknown[]): string;
+
+	public abstract sign(value: string): Buffer;
+
+	public abstract toPublicKey(): TPublicKey;
+}

package/src/base/public-key.ts

@@ -0,0 +1,7 @@
+import { BaseKey } from './key.js';
+
+export abstract class BasePublicKey<TNativeKey = unknown> extends BaseKey<TNativeKey> {
+	public abstract encrypt(value: string | Buffer, ...additionalArguments: unknown[]): Buffer;
+
+	public abstract verify(signature: string | Buffer, value: string): boolean;
+}

package/src/exceptions/index.ts

@@ -0,0 +1 @@
+export * from './invalid-decryption-key.expection.js';

package/src/exceptions/invalid-decryption-key.expection.ts

@@ -0,0 +1,7 @@
+import { BaseException } from '@hg-ts/exception';
+
+export class InvalidDecryptionKeyExpection extends BaseException {
+	public constructor() {
+		super('Invalid decryption key');
+	}
+}

package/src/index.ts

@@ -1,3 +1,4 @@
-export * from './rsa.private-key.js';
-export * from './rsa.public-key.js';
-export * from './rsa.key-pair.js';
+export * from './base/index.js';
+export * from './exceptions/index.js';
+export * from './rsa/index.js';
+export * from './X25519/index.js';

package/src/rsa/index.ts

@@ -0,0 +1,3 @@
+export * from './private-key.js';
+export * from './public-key.js';
+export * from './key-pair.js';

package/src/rsa/key-pair.ts

@@ -0,0 +1,55 @@
+import forge from 'node-forge';
+import {
+	BaseKeyPair,
+	KeyPairOptions,
+	KeyPairResult,
+	NewKeyPairOptions,
+} from '../base/index.js';
+import { RsaPrivateKey } from './private-key.js';
+import { RsaPublicKey } from './public-key.js';
+
+export class RsaKeyPair extends BaseKeyPair<RsaPrivateKey, RsaPublicKey> {
+	public constructor(options: KeyPairOptions<RsaPrivateKey> = {}) {
+		super(options, RsaPrivateKey);
+	}
+
+	public override encrypt(value: string | Buffer): Buffer {
+		return this.publicKeyInstance.encrypt(value);
+	}
+
+	public override decrypt(value: string | Buffer): string {
+		return this.privateKeyInstance.decrypt(value);
+	}
+
+	public override sign(value: string): Buffer {
+		return this.privateKeyInstance.sign(value);
+	}
+
+	public override verify(signature: string | Buffer, value: string): boolean {
+		return this.publicKeyInstance.verify(signature, value);
+	}
+
+	protected generateNewKeys(options: NewKeyPairOptions): KeyPairResult<RsaPrivateKey, RsaPublicKey> {
+		const { seed, bits } = options;
+		const keyPairOptions: forge.pki.rsa.GenerateKeyPairOptions = {};
+
+		if (bits) {
+			keyPairOptions.bits = bits;
+		}
+
+		if (seed) {
+			const prng = forge.random.createInstance();
+			prng.seedFileSync = (): string => seed;
+			prng.seedFile = (): string => seed;
+
+			keyPairOptions.prng = prng;
+		}
+
+		const keyPair = forge.pki.rsa.generateKeyPair(keyPairOptions);
+
+		return {
+			privateKey: new RsaPrivateKey(keyPair.privateKey),
+			publicKey: new RsaPublicKey(keyPair.publicKey),
+		};
+	}
+}

package/src/rsa/private-key.ts

@@ -0,0 +1,82 @@
+import forge from 'node-forge';
+import { BasePrivateKey } from '../base/index.js';
+import { InvalidDecryptionKeyExpection } from '../exceptions/index.js';
+import { RsaPublicKey } from './public-key.js';
+
+export class RsaPrivateKey extends BasePrivateKey<forge.pki.rsa.PrivateKey, RsaPublicKey> {
+	public decrypt(encrypted: string | Buffer): string {
+		const md = this.getMd();
+		const chunks = this.prepareToDecrypt(encrypted);
+
+		try {
+			const decryptedChunks = chunks.map(chunk => this.key.decrypt(chunk, 'RSAES-PKCS1-V1_5', { md }));
+
+			return this.formatDecryptedOutput(decryptedChunks.join(''));
+		} catch {
+			throw new InvalidDecryptionKeyExpection();
+		}
+	}
+
+	public sign(value: string): Buffer {
+		const hash = this.getMd();
+		hash.update(value, 'utf8');
+
+		const pss = forge.pss.create({
+			md: this.getMd(),
+			mgf: forge.mgf.mgf1.create(this.getMd()),
+			saltLength: 20,
+		});
+		const signedId = this.key.sign(hash, pss);
+
+		return Buffer.from(signedId, 'binary');
+	}
+
+	public toPublicKey(): RsaPublicKey {
+		return new RsaPublicKey(forge.pki.rsa.setPublicKey(this.key.n, this.key.e));
+	}
+
+	public override toString(): string {
+		return forge.pki.privateKeyToPem(this.key);
+	}
+
+	public static fromString(pemKey: string): RsaPrivateKey {
+		const key = forge.pki.privateKeyFromPem(pemKey);
+
+		return new RsaPrivateKey(key);
+	}
+
+	private prepareToDecrypt(data: string | Buffer): string[] {
+		const encryptedLength = this.keyLength * 2;
+		const encrypted = typeof data === 'string' ? data : data.toString('hex');
+
+		return this.splitBinaryInput(encrypted, encryptedLength)
+			.map(chunk => Buffer
+				.from(chunk, 'hex')
+				.toString('binary'),
+			);
+	}
+
+	private formatDecryptedOutput(data: string): string {
+		return forge.util.decodeUtf8(data);
+	}
+
+	private getMd(): forge.md.MessageDigest {
+		return forge.md.sha256.create();
+	}
+
+	private get keyLength(): number {
+		return Math.ceil(this.key.n.bitLength() / 8);
+	}
+
+	private splitBinaryInput(value: string, length: number): string[] {
+		const chunks: string[] = [];
+		let index = 0;
+
+		while (index < value.length) {
+			chunks.push(value.slice(index, index + length));
+			index += length;
+		}
+
+		return chunks;
+	}
+}

package/src/rsa/public-key.ts

@@ -0,0 +1,110 @@
+import { z } from '@hg-ts/validation';
+import forge from 'node-forge';
+import { BasePublicKey } from '../base/index.js';
+
+const schema = z.string().transform((value, ctx) => {
+	try {
+		const publicKey = forge.pki.publicKeyFromPem(value);
+
+		return forge.pki.publicKeyToPem(publicKey);
+	} catch (error) {
+		ctx.issues.push({
+			message: 'Invalid public key',
+			fatal: true,
+			code: 'invalid_format',
+			input: value,
+			format: 'RSA Public Key',
+		});
+		return value;
+	}
+}).pipe(z.string());
+
+export class RsaPublicKey extends BasePublicKey<forge.pki.rsa.PublicKey> {
+	public static schema = schema;
+
+	public encrypt(value: string | Buffer): Buffer {
+		const md = this.getMd();
+		const chunks = this.prepareToEncrypt(value);
+
+		const encryptedChunks = chunks.map(chunk => this.key.encrypt(chunk, 'RSAES-PKCS1-V1_5', { md }));
+
+		return this.formatEncrypted(encryptedChunks);
+	}
+
+	public verify(signature: string | Buffer, value: string): boolean {
+		const hash = this.getMd();
+		hash.update(value, 'utf8');
+
+		const pss = forge.pss.create({
+			md: this.getMd(),
+			mgf: forge.mgf.mgf1.create(this.getMd()),
+			saltLength: 20,
+		});
+
+		const formattedSignature = this.formatSignature(signature);
+
+		return this.key.verify(hash.digest().bytes(), formattedSignature, pss);
+	}
+
+	public override toString(): string {
+		return forge.pki.publicKeyToPem(this.key);
+	}
+
+	public static fromString(pemKey: string): RsaPublicKey {
+		const key = forge.pki.publicKeyFromPem(pemKey);
+
+		return new RsaPublicKey(key);
+	}
+
+	private prepareToEncrypt(data: string | Buffer): string[] {
+		const input = this.formatDecryptedInputToBinary(data);
+
+		return this.splitBinaryInput(input, this.maxLength);
+	}
+
+	private formatDecryptedInputToBinary(data: string | Buffer): string {
+		if (typeof data === 'string') {
+			return forge.util.encodeUtf8(data);
+		}
+
+		return Buffer.from(data).toString('hex');
+	}
+
+	private formatSignature(data: string | Buffer): string {
+		if (typeof data === 'string') {
+			return data;
+		}
+
+		return Buffer.from(data).toString('binary');
+	}
+
+	private formatEncrypted(data: string[]): Buffer {
+		const chunks = data.map(chunk => Buffer.from(chunk, 'binary').toString('hex'));
+
+		return Buffer.from(chunks.join(''), 'hex');
+	}
+
+	private getMd(): forge.md.MessageDigest {
+		return forge.md.sha256.create();
+	}
+
+	private get maxLength(): number {
+		return this.keyLength - (this.getMd().digestLength * 2) - 2;
+	}
+
+	private get keyLength(): number {
+		return Math.ceil(this.key.n.bitLength() / 8);
+	}
+
+	private splitBinaryInput(value: string, length: number): string[] {
+		const chunks: string[] = [];
+		let index = 0;
+
+		while (index < value.length) {
+			chunks.push(value.slice(index, index + length));
+			index += length;
+		}
+
+		return chunks;
+	}
+}