lemon-tls 0.1.0 → 0.2.0

package/src/session/ecdh.js

@@ -0,0 +1,61 @@
+/**
+ * ECDH key generation and shared secret helpers using node:crypto.
+ * Supports X25519 and P-256 (secp256r1).
+ */
+
+import * as crypto from 'crypto';
+
+// DER prefixes for raw X25519 key import/export
+let X25519_PKCS8_PREFIX = Buffer.from('302e020100300506032b656e04220420', 'hex');
+let X25519_SPKI_PREFIX  = Buffer.from('302a300506032b656e032100', 'hex');
+
+/**
+ * Derive the X25519 public key from a 32-byte private key.
+ */
+function x25519_get_public_key(privateKeyRaw) {
+  let der = Buffer.concat([X25519_PKCS8_PREFIX, Buffer.from(privateKeyRaw)]);
+  let privObj = crypto.createPrivateKey({ key: der, format: 'der', type: 'pkcs8' });
+  let pubObj = crypto.createPublicKey(privObj);
+  let spki = pubObj.export({ type: 'spki', format: 'der' });
+  return new Uint8Array(spki.subarray(X25519_SPKI_PREFIX.length));
+}
+
+/**
+ * Compute X25519 shared secret from local private key and remote public key (both raw 32 bytes).
+ */
+function x25519_get_shared_secret(localPrivateRaw, remotePublicRaw) {
+  let privDer = Buffer.concat([X25519_PKCS8_PREFIX, Buffer.from(localPrivateRaw)]);
+  let pubDer  = Buffer.concat([X25519_SPKI_PREFIX, Buffer.from(remotePublicRaw)]);
+  let privObj = crypto.createPrivateKey({ key: privDer, format: 'der', type: 'pkcs8' });
+  let pubObj  = crypto.createPublicKey({ key: pubDer, format: 'der', type: 'spki' });
+  return new Uint8Array(crypto.diffieHellman({ privateKey: privObj, publicKey: pubObj }));
+}
+
+/**
+ * Generate a P-256 keypair. Returns { private_key: Uint8Array, public_key: Uint8Array(65) }.
+ * Public key is uncompressed format (0x04 || x || y).
+ */
+function p256_generate_keypair() {
+  let ecdh = crypto.createECDH('prime256v1');
+  ecdh.generateKeys();
+  return {
+    private_key: new Uint8Array(ecdh.getPrivateKey()),
+    public_key: new Uint8Array(ecdh.getPublicKey(null, 'uncompressed'))
+  };
+}
+
+/**
+ * Compute P-256 shared secret (raw x-coordinate, 32 bytes).
+ */
+function p256_get_shared_secret(localPrivateRaw, remotePublicRaw) {
+  let ecdh = crypto.createECDH('prime256v1');
+  ecdh.setPrivateKey(Buffer.from(localPrivateRaw));
+  return new Uint8Array(ecdh.computeSecret(Buffer.from(remotePublicRaw)));
+}
+
+export {
+  x25519_get_public_key,
+  x25519_get_shared_secret,
+  p256_generate_keypair,
+  p256_get_shared_secret
+};

package/src/session/message.js

@@ -0,0 +1,203 @@
+/**
+ * TLS handshake message building, parsing, and hello normalization.
+ * Wraps wire.js functions with higher-level type-driven dispatch.
+ */
+
+import * as wire from '../wire.js';
+
+
+/**
+ * Normalize a parsed hello into a flat object with named extension fields.
+ */
+function normalize_hello(hello) {
+  let out = {};
+
+  for (let key in hello) {
+    out[key] = hello[key];
+  }
+
+  if ('extensions' in hello && Array.isArray(hello.extensions)) {
+    for (let i = 0; i < hello.extensions.length; i++) {
+      let e = hello.extensions[i];
+      let name = e.name;
+      let value = e.value;
+
+      if (name === 'SERVER_NAME') {
+        out.sni = value;
+      } else if (name === 'ALPN') {
+        out.alpn = value;
+      } else if (name === 'KEY_SHARE') {
+        if (!('key_groups' in out)) out.key_groups = [];
+        if (!('supported_groups' in out)) out.supported_groups = [];
+        for (let i2 in value) {
+          if (out.supported_groups.indexOf(value[i2].group) < 0) {
+            out.supported_groups.push(value[i2].group);
+          }
+          out.key_groups.push({
+            group: value[i2].group,
+            public_key: value[i2].key_exchange
+          });
+        }
+      } else if (name === 'SUPPORTED_VERSIONS') {
+        out.supported_versions = value;
+      } else if (name === 'SIGNATURE_ALGORITHMS') {
+        out.signature_algorithms = value;
+      } else if (name === 'SIGNATURE_ALGORITHMS_CERT') {
+        out.signature_algorithms_cert = value;
+      } else if (name === 'SUPPORTED_GROUPS') {
+        out.supported_groups = value;
+      } else if (name === 'COOKIE') {
+        out.cookie = value;
+      } else if (name === 'EARLY_DATA') {
+        out.early_data = value;
+      } else if (name === 'PSK_KEY_EXCHANGE_MODES') {
+        out.psk_modes = value;
+      } else if (name === 'PRE_SHARED_KEY') {
+        out.pre_shared_key = value;
+      } else if (name === 'RENEGOTIATION_INFO') {
+        out.renegotiation_info = value;
+      } else if (name === 'STATUS_REQUEST') {
+        out.status_request = value;
+      } else if (name === 'MAX_FRAGMENT_LENGTH') {
+        out.max_fragment_length = value;
+      } else if (name === 'CERTIFICATE_AUTHORITIES') {
+        out.certificate_authorities = value;
+      } else if (name === 'SCT') {
+        out.sct = value;
+      } else if (name === 'HEARTBEAT') {
+        out.heartbeat = value;
+      } else if (name === 'USE_SRTP') {
+        out.use_srtp = value;
+      } else {
+        if (!('unknown' in out)) out.unknown = [];
+        out.unknown.push(e);
+      }
+    }
+  }
+
+  if (!('supported_versions' in out)) {
+    out.supported_versions = [];
+  }
+
+  if (out.supported_versions.indexOf(out.version) < 0) {
+    out.supported_versions.push(out.version);
+  }
+
+  return out;
+}
+
+
+/**
+ * Build a TLS handshake message from a high-level params object.
+ * Returns a Uint8Array with handshake header + body.
+ */
+function build_tls_message(params) {
+  let type = 0;
+  let body = null;
+
+  if (params.type == 'server_hello') {
+    type = wire.TLS_MESSAGE_TYPE.SERVER_HELLO;
+    body = wire.build_hello('server', params);
+  } else if (params.type == 'client_hello') {
+    type = wire.TLS_MESSAGE_TYPE.CLIENT_HELLO;
+    body = wire.build_hello('client', params);
+  } else if (params.type == 'server_key_exchange') {
+    type = wire.TLS_MESSAGE_TYPE.SERVER_KEY_EXCHANGE;
+    body = wire.build_server_key_exchange_ecdhe(params);
+  } else if (params.type == 'client_key_exchange') {
+    type = wire.TLS_MESSAGE_TYPE.CLIENT_KEY_EXCHANGE;
+    body = wire.build_client_key_exchange_ecdhe(params.public_key);
+  } else if (params.type == 'server_hello_done') {
+    type = wire.TLS_MESSAGE_TYPE.SERVER_HELLO_DONE;
+    body = new Uint8Array(0);
+  } else if (params.type == 'encrypted_extensions') {
+    type = wire.TLS_MESSAGE_TYPE.ENCRYPTED_EXTENSIONS;
+    body = wire.build_extensions(params.extensions);
+  } else if (params.type == 'certificate') {
+    type = wire.TLS_MESSAGE_TYPE.CERTIFICATE;
+    body = wire.build_certificate(params);
+  } else if (params.type == 'certificate_verify') {
+    type = wire.TLS_MESSAGE_TYPE.CERTIFICATE_VERIFY;
+    body = wire.build_certificate_verify(params.scheme, params.signature);
+  } else if (params.type == 'finished') {
+    type = wire.TLS_MESSAGE_TYPE.FINISHED;
+    body = params.data;
+  } else if (params.type == 'key_update') {
+    type = wire.TLS_MESSAGE_TYPE.KEY_UPDATE;
+    body = wire.build_key_update(params.request_update);
+  } else if (params.type == 'certificate_request') {
+    type = wire.TLS_MESSAGE_TYPE.CERTIFICATE_REQUEST;
+    body = wire.build_certificate_request(params);
+  } else if (params.type == 'hello_retry_request') {
+    type = wire.TLS_MESSAGE_TYPE.SERVER_HELLO; // HRR uses ServerHello type with magic random
+    body = wire.build_hello_retry_request(params);
+  }
+
+  return wire.build_message(type, body);
+}
+
+
+/**
+ * Parse a raw TLS handshake message into a typed object.
+ */
+function parse_tls_message(data) {
+  let out = {};
+  let message = wire.parse_message(data);
+
+  if (message.type == wire.TLS_MESSAGE_TYPE.CLIENT_HELLO || message.type == wire.TLS_MESSAGE_TYPE.SERVER_HELLO) {
+    let hello = wire.parse_hello(message.type, message.body);
+    out = normalize_hello(hello);
+
+  } else if (message.type == wire.TLS_MESSAGE_TYPE.SERVER_KEY_EXCHANGE) {
+    out = wire.parse_server_key_exchange(message.body);
+    out.type = 'server_key_exchange';
+
+  } else if (message.type == wire.TLS_MESSAGE_TYPE.CLIENT_KEY_EXCHANGE) {
+    out.body = message.body;
+    out.public_key = message.body.slice(1);
+    out.type = 'client_key_exchange';
+
+  } else if (message.type == wire.TLS_MESSAGE_TYPE.SERVER_HELLO_DONE) {
+    out.body = message.body;
+    out.type = 'server_hello_done';
+
+  } else if (message.type == wire.TLS_MESSAGE_TYPE.ENCRYPTED_EXTENSIONS) {
+    out = normalize_hello({
+      extensions: wire.parse_extensions(message.body)
+    });
+    out.type = 'encrypted_extensions';
+
+  } else if (message.type == wire.TLS_MESSAGE_TYPE.CERTIFICATE) {
+    out = wire.parse_certificate(message.body);
+    out.type = 'certificate';
+
+  } else if (message.type == wire.TLS_MESSAGE_TYPE.CERTIFICATE_VERIFY) {
+    out.type = 'certificate_verify';
+    out.body = message.body;
+
+  } else if (message.type == wire.TLS_MESSAGE_TYPE.FINISHED) {
+    out.type = 'finished';
+    out.body = message.body;
+
+  } else if (message.type == wire.TLS_MESSAGE_TYPE.NEW_SESSION_TICKET) {
+    out = wire.parse_new_session_ticket(message.body);
+    out.type = 'new_session_ticket';
+
+  } else if (message.type == wire.TLS_MESSAGE_TYPE.KEY_UPDATE) {
+    out = wire.parse_key_update(message.body);
+    out.type = 'key_update';
+
+  } else if (message.type == wire.TLS_MESSAGE_TYPE.CERTIFICATE_REQUEST) {
+    out = wire.parse_certificate_request(message.body);
+    out.type = 'certificate_request';
+  }
+
+  return out;
+}
+
+
+export {
+  normalize_hello,
+  build_tls_message,
+  parse_tls_message
+};

package/src/session/signing.js

@@ -0,0 +1,129 @@
+/**
+ * TLS signature scheme helpers.
+ * Handles scheme negotiation and signing for both TLS 1.2 and 1.3.
+ */
+
+import * as crypto from 'crypto';
+
+let TLS_VERSION_TLS1_2 = 0x0303;
+let TLS_VERSION_TLS1_3 = 0x0304;
+
+/**
+ * Decode a SignatureScheme (u16) into hash/sig/isPSS info.
+ * Returns null if the scheme is unsupported for the given TLS version.
+ */
+function scheme_info(version, scheme) {
+  let h = (scheme >>> 8) & 0xff, s = scheme & 0xff;
+
+  // EdDSA (TLS 1.3 only)
+  if (scheme === 0x0807 || scheme === 0x0808) {
+    if (version === TLS_VERSION_TLS1_2) return null;
+    return { hash: null, sig: 'eddsa', isPSS: false };
+  }
+
+  // TLS 1.3: RSA means RSA-PSS
+  if (version === TLS_VERSION_TLS1_3) {
+    if (scheme === 0x0804) return { hash: 'sha256', sig: 'rsa', isPSS: true };
+    if (scheme === 0x0805) return { hash: 'sha384', sig: 'rsa', isPSS: true };
+    if (scheme === 0x0806) return { hash: 'sha512', sig: 'rsa', isPSS: true };
+    if (scheme === 0x0403) return { hash: 'sha256', sig: 'ecdsa', isPSS: false };
+    if (scheme === 0x0503) return { hash: 'sha384', sig: 'ecdsa', isPSS: false };
+    if (scheme === 0x0603) return { hash: 'sha512', sig: 'ecdsa', isPSS: false };
+    return null;
+  }
+
+  // TLS 1.2: classic (hash, sig) interpretation
+  if (h === 0x04 && s === 0x01) return { hash: 'sha256', sig: 'rsa',   isPSS: false };
+  if (h === 0x05 && s === 0x01) return { hash: 'sha384', sig: 'rsa',   isPSS: false };
+  if (h === 0x06 && s === 0x01) return { hash: 'sha512', sig: 'rsa',   isPSS: false };
+  if (h === 0x04 && s === 0x03) return { hash: 'sha256', sig: 'ecdsa', isPSS: false };
+  if (h === 0x05 && s === 0x03) return { hash: 'sha384', sig: 'ecdsa', isPSS: false };
+  if (h === 0x06 && s === 0x03) return { hash: 'sha512', sig: 'ecdsa', isPSS: false };
+
+  return null;
+}
+
+/**
+ * Pick the best signature scheme given the server's key type and client's supported list.
+ */
+function pick_scheme(version, certKeyObj, clientSupported) {
+  let cands = [];
+  if (certKeyObj.asymmetricKeyType === 'rsa') {
+    if (version === TLS_VERSION_TLS1_3) cands.push(0x0804, 0x0805, 0x0806);
+    else cands.push(0x0401, 0x0501, 0x0601);
+  } else if (certKeyObj.asymmetricKeyType === 'ec') {
+    let c = (certKeyObj.asymmetricKeyDetails && certKeyObj.asymmetricKeyDetails.namedCurve) || '';
+    if (c === 'prime256v1') cands.push(0x0403);
+    if (c === 'secp384r1')  cands.push(0x0503);
+    if (c === 'secp521r1')  cands.push(0x0603);
+  } else if (certKeyObj.asymmetricKeyType === 'ed25519' && version === TLS_VERSION_TLS1_3) {
+    cands.push(0x0807);
+  } else if (certKeyObj.asymmetricKeyType === 'ed448' && version === TLS_VERSION_TLS1_3) {
+    cands.push(0x0808);
+  }
+
+  let pref = (version === TLS_VERSION_TLS1_3)
+    ? [0x0807, 0x0808, 0x0403, 0x0503, 0x0603, 0x0804, 0x0805, 0x0806]
+    : [0x0403, 0x0503, 0x0603, 0x0401, 0x0501, 0x0601];
+
+  for (let s of pref) {
+    if (cands.includes(s) && clientSupported.includes(s)) return s;
+  }
+  return null;
+}
+
+/**
+ * Sign data using the given scheme. Works for both TLS 1.2 and 1.3.
+ */
+function sign_with_scheme(version, scheme, tbs, certKeyObj) {
+  let info = scheme_info(version, scheme);
+  if (!info) return null;
+
+  if (info.sig === 'eddsa') {
+    return new Uint8Array(crypto.sign(null, tbs, certKeyObj));
+  }
+
+  if (info.sig === 'ecdsa') {
+    return new Uint8Array(crypto.sign(info.hash, tbs, certKeyObj));
+  }
+
+  if (info.sig === 'rsa') {
+    if (info.isPSS) {
+      let saltLen = (info.hash === 'sha256') ? 32 : (info.hash === 'sha384') ? 48 : 64;
+      return new Uint8Array(crypto.sign(info.hash, tbs, {
+        key: certKeyObj,
+        padding: crypto.constants.RSA_PKCS1_PSS_PADDING,
+        saltLength: saltLen
+      }));
+    } else {
+      return new Uint8Array(crypto.sign(info.hash, tbs, {
+        key: certKeyObj,
+        padding: crypto.constants.RSA_PKCS1_PADDING
+      }));
+    }
+  }
+  return null;
+}
+
+/**
+ * Normalize a public key from the wire for TLS 1.2 ECDHE.
+ * P-256: add 0x04 prefix if missing. X25519: strip 0x04 prefix if present.
+ */
+function normalizeServerPubKeyForTls12(group, pub) {
+  let p = pub;
+  if (group === 0x0017) { // P-256
+    if (p.length === 64) {
+      const tmp = new Uint8Array(65); tmp[0] = 0x04; tmp.set(p, 1); p = tmp;
+    }
+  } else if (group === 0x001d) { // X25519
+    if (p.length === 33 && p[0] === 0x04) p = p.slice(1);
+  }
+  return p;
+}
+
+export {
+  scheme_info,
+  pick_scheme,
+  sign_with_scheme,
+  normalizeServerPubKeyForTls12
+};