@road-labs/ocmf-crypto-web 0.0.1

package/build/cjs/crypto.js

@@ -0,0 +1,25 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.Crypto = void 0;
+const private_key_1 = require("./private-key");
+const public_key_1 = require("./public-key");
+const sign_1 = __importDefault(require("./sign"));
+const verify_1 = __importDefault(require("./verify"));
+class Crypto {
+    async decodeEcPrivateKey(value, format) {
+        return await private_key_1.EcPrivateKey.fromEncoded(value, format);
+    }
+    async decodeEcPublicKey(value, format) {
+        return await public_key_1.EcPublicKey.fromEncoded(value, format);
+    }
+    async sign(data, privateKey, hash, format) {
+        return (0, sign_1.default)(data, privateKey, hash, format);
+    }
+    async verify(signature, data, publicKey, hash, format) {
+        return (0, verify_1.default)(signature, data, publicKey, hash, format);
+    }
+}
+exports.Crypto = Crypto;

package/build/cjs/curve.js

@@ -0,0 +1,25 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.mapCurveToWebCryptoCurve = mapCurveToWebCryptoCurve;
+exports.getGroupOrderSize = getGroupOrderSize;
+const ocmf_crypto_1 = require("@road-labs/ocmf-crypto");
+function mapCurveToWebCryptoCurve(curve) {
+    switch (curve) {
+        case 'secp256r1':
+            return 'P-256';
+        case 'secp384r1':
+            return 'P-384';
+        default:
+            throw new ocmf_crypto_1.UnsupportedCurveError(`Curve ${curve} is not supported by webcrypto`);
+    }
+}
+function getGroupOrderSize(curve) {
+    switch (curve) {
+        case 'secp256r1':
+            return 32;
+        case 'secp384r1':
+            return 48;
+        default:
+            throw new ocmf_crypto_1.UnsupportedCurveError(`Curve ${curve} is not supported by webcrypto`);
+    }
+}

package/build/cjs/index.js

@@ -0,0 +1,28 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.verify = exports.sign = void 0;
+__exportStar(require("./crypto"), exports);
+__exportStar(require("./curve"), exports);
+__exportStar(require("./private-key"), exports);
+__exportStar(require("./public-key"), exports);
+var sign_1 = require("./sign");
+Object.defineProperty(exports, "sign", { enumerable: true, get: function () { return __importDefault(sign_1).default; } });
+var verify_1 = require("./verify");
+Object.defineProperty(exports, "verify", { enumerable: true, get: function () { return __importDefault(verify_1).default; } });

package/build/cjs/private-key.js

@@ -0,0 +1,61 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.EcPrivateKey = void 0;
+const public_key_1 = require("./public-key");
+const ocmf_crypto_1 = require("@road-labs/ocmf-crypto");
+const curve_1 = require("./curve");
+class EcPrivateKey {
+    cryptoKey;
+    curve;
+    publicKey;
+    constructor(cryptoKey, curve, publicKey) {
+        this.cryptoKey = cryptoKey;
+        this.curve = curve;
+        this.publicKey = publicKey;
+    }
+    getCryptoKey() {
+        return this.cryptoKey;
+    }
+    getCurve() {
+        return this.curve;
+    }
+    getPublicKey() {
+        return this.publicKey;
+    }
+    static async fromEncoded(value, format) {
+        if (format !== 'pkcs8-der') {
+            throw new Error(`Unsupported format: ${format}`);
+        }
+        const keyInfo = (0, ocmf_crypto_1.decodePkcs8PrivateKeyInfo)(value);
+        const namedCurve = keyInfo?.privateKey?.parameters?.namedCurve;
+        if (!namedCurve) {
+            throw new Error(`Named curve not specified`);
+        }
+        const curve = ocmf_crypto_1.oidToCurve.get(namedCurve);
+        if (!curve) {
+            throw new ocmf_crypto_1.UnsupportedCurveError(`Unknown curve: oid=${namedCurve}`);
+        }
+        const webCryptoCurve = (0, curve_1.mapCurveToWebCryptoCurve)(curve);
+        const privateCryptoKey = await crypto.subtle.importKey('pkcs8', value, {
+            name: 'ECDSA',
+            namedCurve: webCryptoCurve,
+        }, true, ['sign']);
+        const publicCryptoKey = await EcPrivateKey.derivePublicKey(privateCryptoKey, webCryptoCurve);
+        let publicKey = null;
+        if (publicCryptoKey) {
+            publicKey = new public_key_1.EcPublicKey(publicCryptoKey, curve);
+        }
+        return new EcPrivateKey(privateCryptoKey, curve, publicKey);
+    }
+    static async derivePublicKey(privateCryptoKey, webCryptoCurve) {
+        const privateKeyInfo = (0, ocmf_crypto_1.decodePkcs8PrivateKeyInfo)(new Uint8Array(await crypto.subtle.exportKey('pkcs8', privateCryptoKey)));
+        if (!privateKeyInfo.privateKey.publicKey) {
+            return null;
+        }
+        return crypto.subtle.importKey('raw', privateKeyInfo.privateKey.publicKey, {
+            name: 'ECDSA',
+            namedCurve: webCryptoCurve,
+        }, true, ['verify']);
+    }
+}
+exports.EcPrivateKey = EcPrivateKey;

package/build/cjs/public-key.js

@@ -0,0 +1,46 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.EcPublicKey = void 0;
+const ocmf_crypto_1 = require("@road-labs/ocmf-crypto");
+const curve_1 = require("./curve");
+class EcPublicKey {
+    cryptoKey;
+    curve;
+    constructor(cryptoKey, curve) {
+        this.cryptoKey = cryptoKey;
+        this.curve = curve;
+    }
+    getCryptoKey() {
+        return this.cryptoKey;
+    }
+    getCurve() {
+        return this.curve;
+    }
+    static async fromEncoded(value, format) {
+        if (format !== 'spki-der') {
+            throw new ocmf_crypto_1.UnsupportedPublicKeyFormatError(`Unknown format: ${format}`);
+        }
+        const keyInfo = (0, ocmf_crypto_1.decodePkixSubjectPublicKeyInfo)(value);
+        const namedCurve = keyInfo.algorithm.parameters?.namedCurve;
+        if (!namedCurve) {
+            throw new Error(`Named curve not specified`);
+        }
+        const curve = ocmf_crypto_1.oidToCurve.get(namedCurve);
+        if (!curve) {
+            throw new ocmf_crypto_1.UnsupportedCurveError(`Unknown curve: oid=${namedCurve}`);
+        }
+        const cryptoKey = await crypto.subtle.importKey('spki', value, {
+            name: 'ECDSA',
+            namedCurve: (0, curve_1.mapCurveToWebCryptoCurve)(curve),
+        }, true, ['verify']);
+        return new EcPublicKey(cryptoKey, curve);
+    }
+    async encode(format) {
+        if (format !== 'spki-der') {
+            throw new ocmf_crypto_1.UnsupportedPublicKeyFormatError(`Unknown format: ${format}`);
+        }
+        const exportedKey = await crypto.subtle.exportKey('spki', this.cryptoKey);
+        return new Uint8Array(exportedKey);
+    }
+}
+exports.EcPublicKey = EcPublicKey;

package/build/cjs/sign.js

@@ -0,0 +1,28 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.default = sign;
+const ocmf_crypto_1 = require("@road-labs/ocmf-crypto");
+async function sign(data, privateKey, hash, format) {
+    if (hash !== 'SHA-256') {
+        throw new ocmf_crypto_1.UnsupportedHashError(`Invalid hash: ${hash}`);
+    }
+    if (format !== 'sigvalue-der') {
+        throw new ocmf_crypto_1.UnsupportedSignatureFormatError(`Invalid signature format: ${format}`);
+    }
+    const result = await crypto.subtle.sign({ name: 'ECDSA', hash }, privateKey.getCryptoKey(), data);
+    if (result.byteLength === 0 || result.byteLength % 2 !== 0) {
+        throw new Error(`Unexpected signature length: ${result.byteLength}`);
+    }
+    const mid = result.byteLength / 2;
+    const r = addSignByte(new Uint8Array(result.slice(0, mid)));
+    const s = addSignByte(new Uint8Array(result.slice(mid, result.byteLength)));
+    return (0, ocmf_crypto_1.encodePkixEcdsaSigValue)({ r, s });
+}
+function addSignByte(bytes) {
+    if (bytes[0] < 0x80) {
+        return bytes;
+    }
+    const signed = new Uint8Array(bytes.length + 1);
+    signed.set(bytes, 1);
+    return signed;
+}

package/build/cjs/verify.js

@@ -0,0 +1,41 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.default = verify;
+const ocmf_crypto_1 = require("@road-labs/ocmf-crypto");
+const curve_1 = require("./curve");
+async function verify(signature, data, key, hash, format) {
+    if (hash !== 'SHA-256') {
+        throw new ocmf_crypto_1.UnsupportedHashError(`Invalid hash: ${hash}`);
+    }
+    if (format !== 'sigvalue-der') {
+        throw new ocmf_crypto_1.UnsupportedSignatureFormatError(`Invalid signature format: ${format}`);
+    }
+    const sigValue = (0, ocmf_crypto_1.decodePkixEcdsaSigValue)(signature);
+    const size = (0, curve_1.getGroupOrderSize)(key.getCurve());
+    const r = padZeros(trimSignByte(sigValue.r), size);
+    const s = padZeros(trimSignByte(sigValue.s), size);
+    const rs = new Uint8Array(size * 2);
+    rs.set(r, 0);
+    rs.set(s, size);
+    return crypto.subtle.verify({ name: 'ECDSA', hash }, key.getCryptoKey(), rs, data);
+}
+function trimSignByte(bytes) {
+    if (bytes.length > 1 &&
+        bytes.length % 16 === 1 &&
+        bytes[0] === 0x00 &&
+        bytes[1] >= 0x80) {
+        return bytes.slice(1);
+    }
+    return bytes;
+}
+function padZeros(bytes, len) {
+    if (bytes.length > len) {
+        throw new Error(`Invalid signature size, expected <= ${len}, received ${bytes.length}`);
+    }
+    if (bytes.length === len) {
+        return bytes;
+    }
+    const padded = new Uint8Array(len);
+    padded.set(bytes, len - bytes.length);
+    return padded;
+}

package/build/es2022/crypto.js

@@ -0,0 +1,18 @@
+import { EcPrivateKey } from './private-key';
+import { EcPublicKey } from './public-key';
+import sign from './sign';
+import verify from './verify';
+export class Crypto {
+    async decodeEcPrivateKey(value, format) {
+        return await EcPrivateKey.fromEncoded(value, format);
+    }
+    async decodeEcPublicKey(value, format) {
+        return await EcPublicKey.fromEncoded(value, format);
+    }
+    async sign(data, privateKey, hash, format) {
+        return sign(data, privateKey, hash, format);
+    }
+    async verify(signature, data, publicKey, hash, format) {
+        return verify(signature, data, publicKey, hash, format);
+    }
+}

package/build/es2022/curve.js

@@ -0,0 +1,21 @@
+import { UnsupportedCurveError } from '@road-labs/ocmf-crypto';
+export function mapCurveToWebCryptoCurve(curve) {
+    switch (curve) {
+        case 'secp256r1':
+            return 'P-256';
+        case 'secp384r1':
+            return 'P-384';
+        default:
+            throw new UnsupportedCurveError(`Curve ${curve} is not supported by webcrypto`);
+    }
+}
+export function getGroupOrderSize(curve) {
+    switch (curve) {
+        case 'secp256r1':
+            return 32;
+        case 'secp384r1':
+            return 48;
+        default:
+            throw new UnsupportedCurveError(`Curve ${curve} is not supported by webcrypto`);
+    }
+}

package/build/es2022/index.js

@@ -0,0 +1,6 @@
+export * from './crypto';
+export * from './curve';
+export * from './private-key';
+export * from './public-key';
+export { default as sign } from './sign';
+export { default as verify } from './verify';

package/build/es2022/private-key.js

@@ -0,0 +1,57 @@
+import { EcPublicKey } from './public-key';
+import { decodePkcs8PrivateKeyInfo, oidToCurve, UnsupportedCurveError, } from '@road-labs/ocmf-crypto';
+import { mapCurveToWebCryptoCurve } from './curve';
+export class EcPrivateKey {
+    cryptoKey;
+    curve;
+    publicKey;
+    constructor(cryptoKey, curve, publicKey) {
+        this.cryptoKey = cryptoKey;
+        this.curve = curve;
+        this.publicKey = publicKey;
+    }
+    getCryptoKey() {
+        return this.cryptoKey;
+    }
+    getCurve() {
+        return this.curve;
+    }
+    getPublicKey() {
+        return this.publicKey;
+    }
+    static async fromEncoded(value, format) {
+        if (format !== 'pkcs8-der') {
+            throw new Error(`Unsupported format: ${format}`);
+        }
+        const keyInfo = decodePkcs8PrivateKeyInfo(value);
+        const namedCurve = keyInfo?.privateKey?.parameters?.namedCurve;
+        if (!namedCurve) {
+            throw new Error(`Named curve not specified`);
+        }
+        const curve = oidToCurve.get(namedCurve);
+        if (!curve) {
+            throw new UnsupportedCurveError(`Unknown curve: oid=${namedCurve}`);
+        }
+        const webCryptoCurve = mapCurveToWebCryptoCurve(curve);
+        const privateCryptoKey = await crypto.subtle.importKey('pkcs8', value, {
+            name: 'ECDSA',
+            namedCurve: webCryptoCurve,
+        }, true, ['sign']);
+        const publicCryptoKey = await EcPrivateKey.derivePublicKey(privateCryptoKey, webCryptoCurve);
+        let publicKey = null;
+        if (publicCryptoKey) {
+            publicKey = new EcPublicKey(publicCryptoKey, curve);
+        }
+        return new EcPrivateKey(privateCryptoKey, curve, publicKey);
+    }
+    static async derivePublicKey(privateCryptoKey, webCryptoCurve) {
+        const privateKeyInfo = decodePkcs8PrivateKeyInfo(new Uint8Array(await crypto.subtle.exportKey('pkcs8', privateCryptoKey)));
+        if (!privateKeyInfo.privateKey.publicKey) {
+            return null;
+        }
+        return crypto.subtle.importKey('raw', privateKeyInfo.privateKey.publicKey, {
+            name: 'ECDSA',
+            namedCurve: webCryptoCurve,
+        }, true, ['verify']);
+    }
+}

package/build/es2022/public-key.js

@@ -0,0 +1,42 @@
+import { decodePkixSubjectPublicKeyInfo, oidToCurve, UnsupportedCurveError, UnsupportedPublicKeyFormatError, } from '@road-labs/ocmf-crypto';
+import { mapCurveToWebCryptoCurve } from './curve';
+export class EcPublicKey {
+    cryptoKey;
+    curve;
+    constructor(cryptoKey, curve) {
+        this.cryptoKey = cryptoKey;
+        this.curve = curve;
+    }
+    getCryptoKey() {
+        return this.cryptoKey;
+    }
+    getCurve() {
+        return this.curve;
+    }
+    static async fromEncoded(value, format) {
+        if (format !== 'spki-der') {
+            throw new UnsupportedPublicKeyFormatError(`Unknown format: ${format}`);
+        }
+        const keyInfo = decodePkixSubjectPublicKeyInfo(value);
+        const namedCurve = keyInfo.algorithm.parameters?.namedCurve;
+        if (!namedCurve) {
+            throw new Error(`Named curve not specified`);
+        }
+        const curve = oidToCurve.get(namedCurve);
+        if (!curve) {
+            throw new UnsupportedCurveError(`Unknown curve: oid=${namedCurve}`);
+        }
+        const cryptoKey = await crypto.subtle.importKey('spki', value, {
+            name: 'ECDSA',
+            namedCurve: mapCurveToWebCryptoCurve(curve),
+        }, true, ['verify']);
+        return new EcPublicKey(cryptoKey, curve);
+    }
+    async encode(format) {
+        if (format !== 'spki-der') {
+            throw new UnsupportedPublicKeyFormatError(`Unknown format: ${format}`);
+        }
+        const exportedKey = await crypto.subtle.exportKey('spki', this.cryptoKey);
+        return new Uint8Array(exportedKey);
+    }
+}

package/build/es2022/sign.js

@@ -0,0 +1,25 @@
+import { encodePkixEcdsaSigValue, UnsupportedHashError, UnsupportedSignatureFormatError, } from '@road-labs/ocmf-crypto';
+export default async function sign(data, privateKey, hash, format) {
+    if (hash !== 'SHA-256') {
+        throw new UnsupportedHashError(`Invalid hash: ${hash}`);
+    }
+    if (format !== 'sigvalue-der') {
+        throw new UnsupportedSignatureFormatError(`Invalid signature format: ${format}`);
+    }
+    const result = await crypto.subtle.sign({ name: 'ECDSA', hash }, privateKey.getCryptoKey(), data);
+    if (result.byteLength === 0 || result.byteLength % 2 !== 0) {
+        throw new Error(`Unexpected signature length: ${result.byteLength}`);
+    }
+    const mid = result.byteLength / 2;
+    const r = addSignByte(new Uint8Array(result.slice(0, mid)));
+    const s = addSignByte(new Uint8Array(result.slice(mid, result.byteLength)));
+    return encodePkixEcdsaSigValue({ r, s });
+}
+function addSignByte(bytes) {
+    if (bytes[0] < 0x80) {
+        return bytes;
+    }
+    const signed = new Uint8Array(bytes.length + 1);
+    signed.set(bytes, 1);
+    return signed;
+}

package/build/es2022/verify.js

@@ -0,0 +1,38 @@
+import { decodePkixEcdsaSigValue, UnsupportedHashError, UnsupportedSignatureFormatError, } from '@road-labs/ocmf-crypto';
+import { getGroupOrderSize } from './curve';
+export default async function verify(signature, data, key, hash, format) {
+    if (hash !== 'SHA-256') {
+        throw new UnsupportedHashError(`Invalid hash: ${hash}`);
+    }
+    if (format !== 'sigvalue-der') {
+        throw new UnsupportedSignatureFormatError(`Invalid signature format: ${format}`);
+    }
+    const sigValue = decodePkixEcdsaSigValue(signature);
+    const size = getGroupOrderSize(key.getCurve());
+    const r = padZeros(trimSignByte(sigValue.r), size);
+    const s = padZeros(trimSignByte(sigValue.s), size);
+    const rs = new Uint8Array(size * 2);
+    rs.set(r, 0);
+    rs.set(s, size);
+    return crypto.subtle.verify({ name: 'ECDSA', hash }, key.getCryptoKey(), rs, data);
+}
+function trimSignByte(bytes) {
+    if (bytes.length > 1 &&
+        bytes.length % 16 === 1 &&
+        bytes[0] === 0x00 &&
+        bytes[1] >= 0x80) {
+        return bytes.slice(1);
+    }
+    return bytes;
+}
+function padZeros(bytes, len) {
+    if (bytes.length > len) {
+        throw new Error(`Invalid signature size, expected <= ${len}, received ${bytes.length}`);
+    }
+    if (bytes.length === len) {
+        return bytes;
+    }
+    const padded = new Uint8Array(len);
+    padded.set(bytes, len - bytes.length);
+    return padded;
+}

package/build/types/crypto.d.ts

@@ -0,0 +1,9 @@
+import { CryptoAdapter, Hash, PrivateKeyFormat, PublicKeyFormat, SignatureFormat } from '@road-labs/ocmf-crypto';
+import { EcPrivateKey } from './private-key';
+import { EcPublicKey } from './public-key';
+export declare class Crypto implements CryptoAdapter {
+    decodeEcPrivateKey(value: Uint8Array, format: PrivateKeyFormat): Promise<EcPrivateKey>;
+    decodeEcPublicKey(value: Uint8Array, format: PublicKeyFormat): Promise<EcPublicKey>;
+    sign(data: Uint8Array, privateKey: EcPrivateKey, hash: Hash, format: SignatureFormat): Promise<Uint8Array>;
+    verify(signature: Uint8Array, data: Uint8Array, publicKey: EcPublicKey, hash: Hash, format: SignatureFormat): Promise<boolean>;
+}

package/build/types/curve.d.ts

@@ -0,0 +1,3 @@
+import { Curve } from '@road-labs/ocmf-crypto';
+export declare function mapCurveToWebCryptoCurve(curve: Curve): string;
+export declare function getGroupOrderSize(curve: Curve): number;

package/build/types/index.d.ts

@@ -0,0 +1,6 @@
+export * from './crypto';
+export * from './curve';
+export * from './private-key';
+export * from './public-key';
+export { default as sign } from './sign';
+export { default as verify } from './verify';

package/build/types/private-key.d.ts

@@ -0,0 +1,17 @@
+import { EcPublicKey } from './public-key';
+import { Curve, PrivateKeyFormat } from '@road-labs/ocmf-crypto';
+export declare class EcPrivateKey {
+    private readonly cryptoKey;
+    private readonly curve;
+    private readonly publicKey;
+    private constructor();
+    getCryptoKey(): CryptoKey;
+    getCurve(): Curve;
+    getPublicKey(): EcPublicKey | null;
+    /**
+     * @param value - Encoded private key value
+     * @param format - Encoding format
+     */
+    static fromEncoded(value: Uint8Array, format: PrivateKeyFormat): Promise<EcPrivateKey>;
+    private static derivePublicKey;
+}

package/build/types/public-key.d.ts

@@ -0,0 +1,17 @@
+import { Curve, PublicKeyFormat } from '@road-labs/ocmf-crypto';
+export declare class EcPublicKey {
+    private readonly cryptoKey;
+    private readonly curve;
+    constructor(cryptoKey: CryptoKey, curve: Curve);
+    getCryptoKey(): CryptoKey;
+    getCurve(): Curve;
+    /**
+     * @param value - The encoded value
+     * @param format - The format the value is encoded in
+     */
+    static fromEncoded(value: Uint8Array, format: PublicKeyFormat): Promise<EcPublicKey>;
+    /**
+     * @param format - Format for the public key to be encoded in
+     */
+    encode(format: PublicKeyFormat): Promise<Uint8Array>;
+}

package/build/types/sign.d.ts

@@ -0,0 +1,10 @@
+import { EcPrivateKey } from './private-key';
+import { Hash, SignatureFormat } from '@road-labs/ocmf-crypto';
+/**
+ * @param data - Data to be signed
+ * @param privateKey - Private key to use for signing
+ * @param hash - Hash to apply
+ * @param format - Signature format
+ * @return X.509 ECDSASigValue ASN.1 type DER encoded
+ */
+export default function sign(data: Uint8Array, privateKey: EcPrivateKey, hash: Hash, format: SignatureFormat): Promise<Uint8Array>;

package/build/types/verify.d.ts

@@ -0,0 +1,10 @@
+import { EcPublicKey } from './public-key';
+import { Hash, SignatureFormat } from '@road-labs/ocmf-crypto';
+/**
+ * @param signature - X.509 ECDSASigValue ASN.1 type DER encoded
+ * @param data - Raw value
+ * @param key - The public key to verify against
+ * @param hash - Hash to apply
+ * @param format - Signature format
+ */
+export default function verify(signature: Uint8Array, data: Uint8Array, key: EcPublicKey, hash: Hash, format: SignatureFormat): Promise<boolean>;

package/jest.config.js

@@ -0,0 +1,11 @@
+const { createDefaultPreset } = require('ts-jest');
+
+const tsJestTransformCfg = createDefaultPreset().transform;
+
+/** @type {import("jest").Config} **/
+module.exports = {
+  testEnvironment: 'node',
+  transform: {
+    ...tsJestTransformCfg,
+  },
+};

package/package.json

@@ -0,0 +1,37 @@
+{
+  "name": "@road-labs/ocmf-crypto-web",
+  "version": "0.0.1",
+  "main": "build/cjs/index.js",
+  "module": "build/es2022/index.js",
+  "types": "build/types/index.d.ts",
+  "keywords": [],
+  "author": "",
+  "license": "MIT",
+  "description": "",
+  "devDependencies": {
+    "@jest/globals": "^30.0.0",
+    "@types/node": "^22.15.30",
+    "jest": "^30.0.0",
+    "rimraf": "^6.0.1",
+    "ts-jest": "^29.4.0",
+    "ts-node": "^10.9.2",
+    "typescript": "^5.8.3",
+    "test-commons": "0.0.1"
+  },
+  "dependencies": {
+    "@noble/curves": "^1.9.2",
+    "@noble/hashes": "^1.8.0",
+    "@road-labs/ocmf-crypto": "0.0.1"
+  },
+  "scripts": {
+    "clear": "rimraf build",
+    "build": "pnpm run build:module && pnpm run build:types",
+    "build:module": "pnpm run build:cjs && pnpm run build:es2022",
+    "build:cjs": "tsc -p tsconfig.json --removeComments --module commonjs --outDir build/cjs",
+    "build:es2022": "tsc -p tsconfig.json --removeComments --module es2022 --outDir build/es2022",
+    "prebuild:types": "rimraf build/types",
+    "build:types": "tsc -p tsconfig.json --outDir build/types --declaration --emitDeclarationOnly",
+    "rebuild": "pnpm run clear && pnpm run build",
+    "test": "jest"
+  }
+}

package/src/crypto.ts

@@ -0,0 +1,46 @@
+import {
+  CryptoAdapter,
+  Hash,
+  PrivateKeyFormat,
+  PublicKeyFormat,
+  SignatureFormat,
+} from '@road-labs/ocmf-crypto';
+import { EcPrivateKey } from './private-key';
+import { EcPublicKey } from './public-key';
+import sign from './sign';
+import verify from './verify';
+
+export class Crypto implements CryptoAdapter {
+  async decodeEcPrivateKey(
+    value: Uint8Array,
+    format: PrivateKeyFormat
+  ): Promise<EcPrivateKey> {
+    return await EcPrivateKey.fromEncoded(value, format);
+  }
+
+  async decodeEcPublicKey(
+    value: Uint8Array,
+    format: PublicKeyFormat
+  ): Promise<EcPublicKey> {
+    return await EcPublicKey.fromEncoded(value, format);
+  }
+
+  async sign(
+    data: Uint8Array,
+    privateKey: EcPrivateKey,
+    hash: Hash,
+    format: SignatureFormat
+  ): Promise<Uint8Array> {
+    return sign(data, privateKey, hash, format);
+  }
+
+  async verify(
+    signature: Uint8Array,
+    data: Uint8Array,
+    publicKey: EcPublicKey,
+    hash: Hash,
+    format: SignatureFormat
+  ): Promise<boolean> {
+    return verify(signature, data, publicKey, hash, format);
+  }
+}

package/src/curve.ts

@@ -0,0 +1,27 @@
+import { Curve, UnsupportedCurveError } from '@road-labs/ocmf-crypto';
+
+export function mapCurveToWebCryptoCurve(curve: Curve): string {
+  switch (curve) {
+    case 'secp256r1':
+      return 'P-256';
+    case 'secp384r1':
+      return 'P-384';
+    default:
+      throw new UnsupportedCurveError(
+        `Curve ${curve} is not supported by webcrypto`
+      );
+  }
+}
+
+export function getGroupOrderSize(curve: Curve): number {
+  switch (curve) {
+    case 'secp256r1':
+      return 32;
+    case 'secp384r1':
+      return 48;
+    default:
+      throw new UnsupportedCurveError(
+        `Curve ${curve} is not supported by webcrypto`
+      );
+  }
+}

package/src/index.ts

@@ -0,0 +1,6 @@
+export * from './crypto';
+export * from './curve';
+export * from './private-key';
+export * from './public-key';
+export { default as sign } from './sign';
+export { default as verify } from './verify';

package/src/private-key.ts

@@ -0,0 +1,101 @@
+import { EcPublicKey } from './public-key';
+import {
+  Curve,
+  decodePkcs8PrivateKeyInfo,
+  oidToCurve,
+  PrivateKeyFormat,
+  UnsupportedCurveError,
+} from '@road-labs/ocmf-crypto';
+import { mapCurveToWebCryptoCurve } from './curve';
+
+export class EcPrivateKey {
+  private constructor(
+    private readonly cryptoKey: CryptoKey,
+    private readonly curve: Curve,
+    private readonly publicKey: EcPublicKey | null
+  ) {}
+
+  public getCryptoKey(): CryptoKey {
+    return this.cryptoKey;
+  }
+
+  public getCurve(): Curve {
+    return this.curve;
+  }
+
+  public getPublicKey(): EcPublicKey | null {
+    return this.publicKey;
+  }
+
+  /**
+   * @param value - Encoded private key value
+   * @param format - Encoding format
+   */
+  static async fromEncoded(
+    value: Uint8Array,
+    format: PrivateKeyFormat
+  ): Promise<EcPrivateKey> {
+    if (format !== 'pkcs8-der') {
+      throw new Error(`Unsupported format: ${format}`);
+    }
+
+    const keyInfo = decodePkcs8PrivateKeyInfo(value);
+
+    const namedCurve = keyInfo?.privateKey?.parameters?.namedCurve;
+    if (!namedCurve) {
+      throw new Error(`Named curve not specified`);
+    }
+
+    const curve = oidToCurve.get(namedCurve);
+    if (!curve) {
+      throw new UnsupportedCurveError(`Unknown curve: oid=${namedCurve}`);
+    }
+
+    const webCryptoCurve = mapCurveToWebCryptoCurve(curve);
+
+    const privateCryptoKey = await crypto.subtle.importKey(
+      'pkcs8',
+      value,
+      {
+        name: 'ECDSA',
+        namedCurve: webCryptoCurve,
+      },
+      true,
+      ['sign']
+    );
+
+    const publicCryptoKey = await EcPrivateKey.derivePublicKey(
+      privateCryptoKey,
+      webCryptoCurve
+    );
+
+    let publicKey: EcPublicKey | null = null;
+    if (publicCryptoKey) {
+      publicKey = new EcPublicKey(publicCryptoKey, curve);
+    }
+
+    return new EcPrivateKey(privateCryptoKey, curve, publicKey);
+  }
+
+  private static async derivePublicKey(
+    privateCryptoKey: CryptoKey,
+    webCryptoCurve: string
+  ): Promise<CryptoKey | null> {
+    const privateKeyInfo = decodePkcs8PrivateKeyInfo(
+      new Uint8Array(await crypto.subtle.exportKey('pkcs8', privateCryptoKey))
+    );
+    if (!privateKeyInfo.privateKey.publicKey) {
+      return null;
+    }
+    return crypto.subtle.importKey(
+      'raw',
+      privateKeyInfo.privateKey.publicKey,
+      {
+        name: 'ECDSA',
+        namedCurve: webCryptoCurve,
+      },
+      true,
+      ['verify']
+    );
+  }
+}

package/src/public-key.ts

@@ -0,0 +1,75 @@
+import {
+  Curve,
+  decodePkixSubjectPublicKeyInfo,
+  oidToCurve,
+  PublicKeyFormat,
+  UnsupportedCurveError,
+  UnsupportedPublicKeyFormatError,
+} from '@road-labs/ocmf-crypto';
+import { mapCurveToWebCryptoCurve } from './curve';
+
+export class EcPublicKey {
+  constructor(
+    private readonly cryptoKey: CryptoKey,
+    private readonly curve: Curve
+  ) {}
+
+  public getCryptoKey(): CryptoKey {
+    return this.cryptoKey;
+  }
+
+  public getCurve(): Curve {
+    return this.curve;
+  }
+
+  /**
+   * @param value - The encoded value
+   * @param format - The format the value is encoded in
+   */
+  static async fromEncoded(
+    value: Uint8Array,
+    format: PublicKeyFormat
+  ): Promise<EcPublicKey> {
+    if (format !== 'spki-der') {
+      throw new UnsupportedPublicKeyFormatError(`Unknown format: ${format}`);
+    }
+
+    const keyInfo = decodePkixSubjectPublicKeyInfo(value);
+
+    const namedCurve = keyInfo.algorithm.parameters?.namedCurve;
+    if (!namedCurve) {
+      throw new Error(`Named curve not specified`);
+    }
+
+    const curve = oidToCurve.get(namedCurve);
+    if (!curve) {
+      throw new UnsupportedCurveError(`Unknown curve: oid=${namedCurve}`);
+    }
+
+    const cryptoKey = await crypto.subtle.importKey(
+      'spki',
+      value,
+      {
+        name: 'ECDSA',
+        namedCurve: mapCurveToWebCryptoCurve(curve),
+      },
+      true,
+      ['verify']
+    );
+
+    return new EcPublicKey(cryptoKey, curve);
+  }
+
+  /**
+   * @param format - Format for the public key to be encoded in
+   */
+  public async encode(format: PublicKeyFormat): Promise<Uint8Array> {
+    if (format !== 'spki-der') {
+      throw new UnsupportedPublicKeyFormatError(`Unknown format: ${format}`);
+    }
+
+    const exportedKey = await crypto.subtle.exportKey('spki', this.cryptoKey);
+
+    return new Uint8Array(exportedKey);
+  }
+}

package/src/sign.ts

@@ -0,0 +1,56 @@
+import { EcPrivateKey } from './private-key';
+import {
+  encodePkixEcdsaSigValue,
+  Hash,
+  SignatureFormat,
+  UnsupportedHashError,
+  UnsupportedSignatureFormatError,
+} from '@road-labs/ocmf-crypto';
+
+/**
+ * @param data - Data to be signed
+ * @param privateKey - Private key to use for signing
+ * @param hash - Hash to apply
+ * @param format - Signature format
+ * @return X.509 ECDSASigValue ASN.1 type DER encoded
+ */
+export default async function sign(
+  data: Uint8Array,
+  privateKey: EcPrivateKey,
+  hash: Hash,
+  format: SignatureFormat
+): Promise<Uint8Array> {
+  if (hash !== 'SHA-256') {
+    throw new UnsupportedHashError(`Invalid hash: ${hash}`);
+  }
+  if (format !== 'sigvalue-der') {
+    throw new UnsupportedSignatureFormatError(
+      `Invalid signature format: ${format}`
+    );
+  }
+
+  const result = await crypto.subtle.sign(
+    { name: 'ECDSA', hash },
+    privateKey.getCryptoKey(),
+    data
+  );
+
+  if (result.byteLength === 0 || result.byteLength % 2 !== 0) {
+    throw new Error(`Unexpected signature length: ${result.byteLength}`);
+  }
+
+  const mid = result.byteLength / 2;
+  const r = addSignByte(new Uint8Array(result.slice(0, mid)));
+  const s = addSignByte(new Uint8Array(result.slice(mid, result.byteLength)));
+
+  return encodePkixEcdsaSigValue({ r, s });
+}
+
+function addSignByte(bytes: Uint8Array): Uint8Array {
+  if (bytes[0] < 0x80) {
+    return bytes;
+  }
+  const signed = new Uint8Array(bytes.length + 1);
+  signed.set(bytes, 1);
+  return signed;
+}

package/src/verify.ts

@@ -0,0 +1,79 @@
+import { EcPublicKey } from './public-key';
+import {
+  decodePkixEcdsaSigValue,
+  Hash,
+  SignatureFormat,
+  UnsupportedHashError,
+  UnsupportedSignatureFormatError,
+} from '@road-labs/ocmf-crypto';
+import { getGroupOrderSize } from './curve';
+
+/**
+ * @param signature - X.509 ECDSASigValue ASN.1 type DER encoded
+ * @param data - Raw value
+ * @param key - The public key to verify against
+ * @param hash - Hash to apply
+ * @param format - Signature format
+ */
+export default async function verify(
+  signature: Uint8Array,
+  data: Uint8Array,
+  key: EcPublicKey,
+  hash: Hash,
+  format: SignatureFormat
+): Promise<boolean> {
+  if (hash !== 'SHA-256') {
+    throw new UnsupportedHashError(`Invalid hash: ${hash}`);
+  }
+  if (format !== 'sigvalue-der') {
+    throw new UnsupportedSignatureFormatError(
+      `Invalid signature format: ${format}`
+    );
+  }
+
+  // Convert to IEEE P1363 concatenated R|S format.
+  // Ref:
+  // - https://crypto.stackexchange.com/a/1797
+  // - https://github.com/openjdk/jdk/blob/master/src/java.base/share/classes/sun/security/util/ECUtil.java#L290-L299
+  // - https://chromium.googlesource.com/chromium/src/+/master/components/webcrypto/algorithms/ecdsa.cc#74
+  const sigValue = decodePkixEcdsaSigValue(signature);
+  const size = getGroupOrderSize(key.getCurve());
+  const r = padZeros(trimSignByte(sigValue.r), size);
+  const s = padZeros(trimSignByte(sigValue.s), size);
+  const rs = new Uint8Array(size * 2);
+  rs.set(r, 0);
+  rs.set(s, size);
+
+  return crypto.subtle.verify(
+    { name: 'ECDSA', hash },
+    key.getCryptoKey(),
+    rs,
+    data
+  );
+}
+
+function trimSignByte(bytes: Uint8Array): Uint8Array {
+  if (
+    bytes.length > 1 &&
+    bytes.length % 16 === 1 &&
+    bytes[0] === 0x00 &&
+    bytes[1] >= 0x80
+  ) {
+    return bytes.slice(1);
+  }
+  return bytes;
+}
+
+function padZeros(bytes: Uint8Array, len: number): Uint8Array {
+  if (bytes.length > len) {
+    throw new Error(
+      `Invalid signature size, expected <= ${len}, received ${bytes.length}`
+    );
+  }
+  if (bytes.length === len) {
+    return bytes;
+  }
+  const padded = new Uint8Array(len);
+  padded.set(bytes, len - bytes.length);
+  return padded;
+}

package/test/curve.spec.ts

@@ -0,0 +1,41 @@
+import { getGroupOrderSize, mapCurveToWebCryptoCurve } from '../src';
+import { Curve } from '@road-labs/ocmf-crypto';
+import { describe, expect, it } from '@jest/globals';
+
+describe('mapCurveToWebCryptoCurve', () => {
+  const testCases: { curve: Curve; expected: string }[] = [
+    { curve: 'secp256r1', expected: 'P-256' },
+    { curve: 'secp384r1', expected: 'P-384' },
+  ];
+
+  it.each(testCases)(
+    'should return $expected for curve $curve',
+    ({ curve, expected }) => {
+      const actual = mapCurveToWebCryptoCurve(curve);
+      expect(actual).toBe(expected);
+    }
+  );
+
+  it('throws if the curve is not supported', () => {
+    expect(() => mapCurveToWebCryptoCurve('brainpool384r1')).toThrow();
+  });
+});
+
+describe('getGroupOrderSize', () => {
+  const testCases: { curve: Curve; expected: number }[] = [
+    { curve: 'secp256r1', expected: 32 },
+    { curve: 'secp384r1', expected: 48 },
+  ];
+
+  it.each(testCases)(
+    'should return $expected for curve $curve',
+    ({ curve, expected }) => {
+      const actual = getGroupOrderSize(curve);
+      expect(actual).toBe(expected);
+    }
+  );
+
+  it('throws if the curve is not supported', () => {
+    expect(() => getGroupOrderSize('brainpool384r1')).toThrow();
+  });
+});

package/test/private-key.spec.ts

@@ -0,0 +1,47 @@
+import { describe, expect, it } from '@jest/globals';
+import { Curve, UnsupportedCurveError } from '@road-labs/ocmf-crypto';
+import { buildPrivateKeyTestCases } from 'test-commons';
+import { EcPrivateKey } from '../src';
+
+const unsupported: Curve[] = [
+  'brainpool256r1',
+  'brainpool384r1',
+  'secp192r1',
+  'secp192k1',
+  'secp256k1',
+];
+const curves: Curve[] = ['secp256r1', 'secp384r1'];
+
+describe('EcPrivateKey', () => {
+  describe('fromEncoded', () => {
+    it.each(buildPrivateKeyTestCases(curves))(
+      'supports $name',
+      async ({ curve, pkcs8 }) => {
+        const privateKey = await EcPrivateKey.fromEncoded(pkcs8, 'pkcs8-der');
+        expect(privateKey.getCurve()).toEqual(curve);
+      }
+    );
+
+    it.each(buildPrivateKeyTestCases(unsupported))(
+      'does not support $name',
+      async ({ curve, pkcs8 }) => {
+        await expect(
+          EcPrivateKey.fromEncoded(pkcs8, 'pkcs8-der')
+        ).rejects.toThrow(UnsupportedCurveError);
+      }
+    );
+  });
+
+  describe('getPublicKey', () => {
+    it.each(buildPrivateKeyTestCases(curves))(
+      'can derive a public key for $name',
+      async ({ curve, pkcs8, spki }) => {
+        const publicKey = (
+          await EcPrivateKey.fromEncoded(pkcs8, 'pkcs8-der')
+        ).getPublicKey();
+        expect(publicKey?.getCurve()).toEqual(curve);
+        expect(await publicKey?.encode('spki-der')).toEqual(spki);
+      }
+    );
+  });
+});

package/test/public-key.spec.ts

@@ -0,0 +1,47 @@
+import { describe, expect, it } from '@jest/globals';
+import { Curve, UnsupportedCurveError } from '@road-labs/ocmf-crypto';
+import { buildPublicKeyTestCases, isValidPublicKey } from 'test-commons';
+import { EcPublicKey } from '../src';
+
+const unsupported: Curve[] = [
+  'brainpool256r1',
+  'brainpool384r1',
+  'secp192r1',
+  'secp192k1',
+  'secp256k1',
+];
+const curves: Curve[] = ['secp256r1', 'secp384r1'];
+
+describe('EcPublicKey', () => {
+  describe('fromEncoded', () => {
+    it.each(buildPublicKeyTestCases(curves))(
+      'supports $name',
+      async ({ curve, spki }) => {
+        const publicKey = await EcPublicKey.fromEncoded(spki, 'spki-der');
+        expect(publicKey.getCurve()).toEqual(curve);
+      }
+    );
+
+    it.each(buildPublicKeyTestCases(unsupported))(
+      'does not support $name',
+      async ({ curve, spki }) => {
+        await expect(EcPublicKey.fromEncoded(spki, 'spki-der')).rejects.toThrow(
+          UnsupportedCurveError
+        );
+      }
+    );
+  });
+
+  describe('encode', () => {
+    it.each(buildPublicKeyTestCases(curves))(
+      'encodes $name',
+      async ({ spki, curve }) => {
+        const publicKey = await (
+          await EcPublicKey.fromEncoded(spki, 'spki-der')
+        ).encode('spki-der');
+        expect(publicKey).toEqual(spki);
+        expect(isValidPublicKey(publicKey, curve)).toEqual(true);
+      }
+    );
+  });
+});

package/test/sign.spec.ts

@@ -0,0 +1,18 @@
+import { describe, expect, it } from '@jest/globals';
+import { buildSignTestCases, isValidSignature } from 'test-commons';
+import { EcPrivateKey, sign } from '../src';
+import { Curve } from '@road-labs/ocmf-crypto';
+
+const format = 'sigvalue-der';
+const curves: Curve[] = ['secp256r1', 'secp384r1'];
+
+describe('verify', () => {
+  it.each(buildSignTestCases(curves))(
+    '$name',
+    async ({ curve, data, hash, pkcs8 }) => {
+      const privateKey = await EcPrivateKey.fromEncoded(pkcs8, 'pkcs8-der');
+      const signature = await sign(data, privateKey, hash, format);
+      expect(isValidSignature(signature, curve)).toEqual(true);
+    }
+  );
+});

package/test/verify.spec.ts

@@ -0,0 +1,18 @@
+import { describe, expect, it } from '@jest/globals';
+import { buildVerifyTestCases } from 'test-commons';
+import { EcPublicKey, verify } from '../src';
+import { Curve } from '@road-labs/ocmf-crypto';
+
+const format = 'sigvalue-der';
+const curves: Curve[] = ['secp256r1', 'secp384r1'];
+
+describe('verify', () => {
+  it.each(buildVerifyTestCases(curves))(
+    '$name',
+    async ({ curve, signature, data, hash, spki, expected }) => {
+      const publicKey = await EcPublicKey.fromEncoded(spki, 'spki-der');
+      const actual = await verify(signature, data, publicKey, hash, format);
+      expect(actual).toEqual(expected);
+    }
+  );
+});

package/tsconfig.json

@@ -0,0 +1,4 @@
+{
+  "extends": "../../tsconfig.json",
+  "include": ["src/**/*"]
+}