@xiboplayer/crypto 0.3.3

package/README.md

@@ -0,0 +1,47 @@
+# @xiboplayer/crypto
+
+RSA key management for Xibo Player XMR registration.
+
+Generates RSA-1024 key pairs via the Web Crypto API for display registration with Xibo CMS. The public key is sent during `RegisterDisplay` so the CMS can associate it with the display record.
+
+## API
+
+### `generateRsaKeyPair()`
+
+Generate an RSA key pair (1024-bit, RSA-OAEP/SHA-256).
+
+```js
+import { generateRsaKeyPair } from '@xiboplayer/crypto';
+
+const { publicKeyPem, privateKeyPem } = await generateRsaKeyPair();
+// publicKeyPem:  -----BEGIN PUBLIC KEY-----\nMIGf...
+// privateKeyPem: -----BEGIN PRIVATE KEY-----\nMIIC...
+```
+
+Returns SPKI PEM (public) and PKCS8 PEM (private) strings compatible with PHP's `openssl_get_publickey()`.
+
+### `isValidPemKey(pem)`
+
+Validate that a string has correct PEM structure.
+
+```js
+import { isValidPemKey } from '@xiboplayer/crypto';
+
+isValidPemKey(publicKeyPem);  // true
+isValidPemKey('garbage');     // false
+```
+
+## Design
+
+- **Zero runtime dependencies** -- uses only the Web Crypto API (available in browsers, Electron, and Node.js 16+)
+- **RSA-1024** matches the upstream .NET player key format
+- WebSocket XMR messages are plain JSON (no encryption needed) -- the key is only for CMS registration
+- Key rotation is triggered by the CMS via the XMR `rekey` command
+
+## Usage in the SDK
+
+This package is used internally by `@xiboplayer/utils` (config) to generate and persist keys, and by `@xiboplayer/xmds` to send them during registration. You typically don't need to import it directly.
+
+## License
+
+AGPL-3.0-or-later

package/package.json

@@ -0,0 +1,32 @@
+{
+  "name": "@xiboplayer/crypto",
+  "version": "0.3.3",
+  "description": "RSA key management for Xibo Player XMR registration",
+  "type": "module",
+  "main": "./src/index.js",
+  "exports": {
+    ".": "./src/index.js"
+  },
+  "dependencies": {},
+  "devDependencies": {
+    "vitest": "^2.0.0"
+  },
+  "keywords": [
+    "xibo",
+    "digital-signage",
+    "crypto",
+    "rsa"
+  ],
+  "author": "Pau Aliagas <linuxnow@gmail.com>",
+  "license": "AGPL-3.0-or-later",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/xibo-players/xiboplayer.git",
+    "directory": "packages/crypto"
+  },
+  "scripts": {
+    "test": "vitest run",
+    "test:watch": "vitest",
+    "test:coverage": "vitest run --coverage"
+  }
+}

package/src/index.js

@@ -0,0 +1 @@
+export { generateRsaKeyPair, isValidPemKey } from './rsa.js';

package/src/rsa.js

@@ -0,0 +1,75 @@
+/**
+ * RSA key pair generation via Web Crypto API.
+ *
+ * Generates RSA-1024 keys compatible with the upstream .NET player.
+ * The SPKI PEM public key works with PHP's openssl_get_publickey().
+ *
+ * No runtime dependencies — uses only the Web Crypto API available
+ * in browsers, Electron, and Node.js 16+.
+ */
+
+/**
+ * Convert an ArrayBuffer (DER-encoded key) to PEM format.
+ * @param {ArrayBuffer} buffer - DER-encoded key data
+ * @param {string} type - Key type label ('PUBLIC KEY' or 'PRIVATE KEY')
+ * @returns {string} PEM-formatted key string
+ */
+export function arrayBufferToPem(buffer, type) {
+  const bytes = new Uint8Array(buffer);
+  let binary = '';
+  for (let i = 0; i < bytes.length; i++) {
+    binary += String.fromCharCode(bytes[i]);
+  }
+  const base64 = btoa(binary);
+
+  // Split into 64-character lines per PEM spec
+  const lines = [];
+  for (let i = 0; i < base64.length; i += 64) {
+    lines.push(base64.substring(i, i + 64));
+  }
+
+  return `-----BEGIN ${type}-----\n${lines.join('\n')}\n-----END ${type}-----`;
+}
+
+/**
+ * Generate an RSA key pair for XMR registration.
+ *
+ * Uses RSA-OAEP with SHA-256 and a 1024-bit modulus to match
+ * the upstream .NET player's key format.
+ *
+ * @returns {Promise<{publicKeyPem: string, privateKeyPem: string}>}
+ */
+export async function generateRsaKeyPair() {
+  const keyPair = await crypto.subtle.generateKey(
+    {
+      name: 'RSA-OAEP',
+      modulusLength: 1024,
+      publicExponent: new Uint8Array([1, 0, 1]), // 65537
+      hash: 'SHA-256',
+    },
+    true, // extractable
+    ['encrypt', 'decrypt']
+  );
+
+  const publicKeyDer = await crypto.subtle.exportKey('spki', keyPair.publicKey);
+  const privateKeyDer = await crypto.subtle.exportKey('pkcs8', keyPair.privateKey);
+
+  return {
+    publicKeyPem: arrayBufferToPem(publicKeyDer, 'PUBLIC KEY'),
+    privateKeyPem: arrayBufferToPem(privateKeyDer, 'PRIVATE KEY'),
+  };
+}
+
+/**
+ * Validate that a string looks like a valid PEM key.
+ * Checks for proper BEGIN/END headers and base64 content.
+ *
+ * @param {string} pem - String to validate
+ * @returns {boolean} true if the string appears to be valid PEM
+ */
+export function isValidPemKey(pem) {
+  if (!pem || typeof pem !== 'string') return false;
+
+  const pemRegex = /^-----BEGIN (PUBLIC KEY|PRIVATE KEY)-----\n[A-Za-z0-9+/=\n]+\n-----END \1-----$/;
+  return pemRegex.test(pem.trim());
+}

package/src/rsa.test.js

@@ -0,0 +1,122 @@
+/**
+ * RSA Key Generation Tests
+ *
+ * Tests for Web Crypto API-based RSA key pair generation.
+ */
+
+import { describe, it, expect } from 'vitest';
+import { generateRsaKeyPair, isValidPemKey, arrayBufferToPem } from './rsa.js';
+
+describe('generateRsaKeyPair', () => {
+  it('should return publicKeyPem and privateKeyPem', async () => {
+    const keys = await generateRsaKeyPair();
+
+    expect(keys).toHaveProperty('publicKeyPem');
+    expect(keys).toHaveProperty('privateKeyPem');
+    expect(typeof keys.publicKeyPem).toBe('string');
+    expect(typeof keys.privateKeyPem).toBe('string');
+  });
+
+  it('should produce valid PEM public key with correct headers', async () => {
+    const { publicKeyPem } = await generateRsaKeyPair();
+
+    expect(publicKeyPem).toMatch(/^-----BEGIN PUBLIC KEY-----\n/);
+    expect(publicKeyPem).toMatch(/\n-----END PUBLIC KEY-----$/);
+  });
+
+  it('should produce valid PEM private key with correct headers', async () => {
+    const { privateKeyPem } = await generateRsaKeyPair();
+
+    expect(privateKeyPem).toMatch(/^-----BEGIN PRIVATE KEY-----\n/);
+    expect(privateKeyPem).toMatch(/\n-----END PRIVATE KEY-----$/);
+  });
+
+  it('should contain base64-encoded content between headers', async () => {
+    const { publicKeyPem } = await generateRsaKeyPair();
+
+    // Extract content between headers
+    const lines = publicKeyPem.split('\n');
+    const contentLines = lines.slice(1, -1); // Remove BEGIN/END lines
+
+    for (const line of contentLines) {
+      expect(line).toMatch(/^[A-Za-z0-9+/=]+$/);
+      expect(line.length).toBeLessThanOrEqual(64);
+    }
+  });
+
+  it('should generate different keys on each call', async () => {
+    const keys1 = await generateRsaKeyPair();
+    const keys2 = await generateRsaKeyPair();
+
+    expect(keys1.publicKeyPem).not.toBe(keys2.publicKeyPem);
+    expect(keys1.privateKeyPem).not.toBe(keys2.privateKeyPem);
+  });
+
+  it('should produce keys that pass isValidPemKey', async () => {
+    const { publicKeyPem, privateKeyPem } = await generateRsaKeyPair();
+
+    expect(isValidPemKey(publicKeyPem)).toBe(true);
+    expect(isValidPemKey(privateKeyPem)).toBe(true);
+  });
+});
+
+describe('isValidPemKey', () => {
+  it('should accept valid PUBLIC KEY PEM', () => {
+    const pem = '-----BEGIN PUBLIC KEY-----\nMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQ==\n-----END PUBLIC KEY-----';
+    expect(isValidPemKey(pem)).toBe(true);
+  });
+
+  it('should accept valid PRIVATE KEY PEM', () => {
+    const pem = '-----BEGIN PRIVATE KEY-----\nMIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAw\n-----END PRIVATE KEY-----';
+    expect(isValidPemKey(pem)).toBe(true);
+  });
+
+  it('should reject null', () => {
+    expect(isValidPemKey(null)).toBe(false);
+  });
+
+  it('should reject undefined', () => {
+    expect(isValidPemKey(undefined)).toBe(false);
+  });
+
+  it('should reject empty string', () => {
+    expect(isValidPemKey('')).toBe(false);
+  });
+
+  it('should reject random string', () => {
+    expect(isValidPemKey('not-a-pem-key')).toBe(false);
+  });
+
+  it('should reject mismatched headers', () => {
+    const pem = '-----BEGIN PUBLIC KEY-----\ndata\n-----END PRIVATE KEY-----';
+    expect(isValidPemKey(pem)).toBe(false);
+  });
+
+  it('should reject PEM with no content', () => {
+    const pem = '-----BEGIN PUBLIC KEY-----\n-----END PUBLIC KEY-----';
+    expect(isValidPemKey(pem)).toBe(false);
+  });
+});
+
+describe('arrayBufferToPem', () => {
+  it('should wrap DER data in PEM headers', () => {
+    const buffer = new Uint8Array([0x30, 0x82, 0x01, 0x0a]).buffer;
+    const pem = arrayBufferToPem(buffer, 'PUBLIC KEY');
+
+    expect(pem).toMatch(/^-----BEGIN PUBLIC KEY-----\n/);
+    expect(pem).toMatch(/\n-----END PUBLIC KEY-----$/);
+  });
+
+  it('should split base64 into 64-char lines', () => {
+    // Create a buffer large enough to produce multiple lines
+    const buffer = new Uint8Array(100).buffer;
+    const pem = arrayBufferToPem(buffer, 'PUBLIC KEY');
+
+    const lines = pem.split('\n');
+    // Skip first (BEGIN) and last (END) lines
+    const contentLines = lines.slice(1, -1);
+    for (const line of contentLines.slice(0, -1)) {
+      expect(line.length).toBe(64);
+    }
+  });
+});

package/vitest.config.js

@@ -0,0 +1,8 @@
+import { defineConfig } from 'vitest/config';
+
+export default defineConfig({
+  test: {
+    environment: 'node',
+    globals: true
+  }
+});