node-rtc-connection 2.0.4 → 2.0.5

package/src/crypto/der.ts

@@ -1,205 +0,0 @@
-/**
- * @file der.ts
- * @description Minimal ASN.1 DER encoder/decoder for X.509 certificate generation.
- * @module crypto/der
- *
- * Implements just enough of ITU-T X.690 DER to build and read the structures
- * WebRTC needs: self-signed ECDSA certificates and SubjectPublicKeyInfo.
- *
- * All encoders return Buffers. The TLV length is always encoded in the
- * minimal (definite, shortest-form) representation required by DER.
- */
-
-'use strict';
-
-// ASN.1 universal tag numbers (class 0, primitive/constructed as noted).
-export const TAG = Object.freeze({
-  BOOLEAN: 0x01,
-  INTEGER: 0x02,
-  BIT_STRING: 0x03,
-  OCTET_STRING: 0x04,
-  NULL: 0x05,
-  OID: 0x06,
-  UTF8_STRING: 0x0c,
-  PRINTABLE_STRING: 0x13,
-  IA5_STRING: 0x16,
-  UTC_TIME: 0x17,
-  GENERALIZED_TIME: 0x18,
-  SEQUENCE: 0x30, // constructed
-  SET: 0x31, // constructed
-});
-
-/**
- * Encode a DER length in definite, shortest form.
- * @param {number} len
- * @returns {Buffer}
- */
-export function encodeLength(len: number): Buffer {
-  if (len < 0x80) {
-    return Buffer.from([len]);
-  }
-  const bytes: number[] = [];
-  let n = len;
-  while (n > 0) {
-    bytes.unshift(n & 0xff);
-    n >>>= 8;
-  }
-  return Buffer.from([0x80 | bytes.length, ...bytes]);
-}
-
-/**
- * Wrap a body in a TLV with the given tag.
- * @param {number} tag
- * @param {Buffer} body
- * @returns {Buffer}
- */
-export function tlv(tag: number, body: Buffer): Buffer {
-  return Buffer.concat([Buffer.from([tag]), encodeLength(body.length), body]);
-}
-
-/**
- * Encode an unsigned big-endian integer (from a Buffer) as a DER INTEGER,
- * adding a leading 0x00 when the high bit is set so it stays positive.
- * @param {Buffer} buf - Big-endian magnitude.
- * @returns {Buffer}
- */
-export function encodeIntegerFromBuffer(buf: Buffer): Buffer {
-  let start = 0;
-  while (start < buf.length - 1 && buf[start] === 0x00) {
-    start++; // strip leading zeros (keep at least one byte)
-  }
-  let body = buf.slice(start);
-  if (body[0]! & 0x80) {
-    body = Buffer.concat([Buffer.from([0x00]), body]);
-  }
-  return tlv(TAG.INTEGER, body);
-}
-
-/**
- * Encode a small non-negative JS integer as a DER INTEGER.
- * @param {number} value
- * @returns {Buffer}
- */
-export function encodeInteger(value: number): Buffer {
-  if (value === 0) {
-    return tlv(TAG.INTEGER, Buffer.from([0x00]));
-  }
-  const bytes: number[] = [];
-  let n = value;
-  while (n > 0) {
-    bytes.unshift(n & 0xff);
-    n = Math.floor(n / 256);
-  }
-  if (bytes[0]! & 0x80) {
-    bytes.unshift(0x00);
-  }
-  return tlv(TAG.INTEGER, Buffer.from(bytes));
-}
-
-/**
- * Encode an OBJECT IDENTIFIER from its dotted-decimal string.
- * @param {string} oid - e.g. "1.2.840.10045.2.1"
- * @returns {Buffer}
- */
-export function encodeOID(oid: string): Buffer {
-  const parts = oid.split('.').map(Number);
-  if (parts.length < 2) {
-    throw new Error(`Invalid OID: ${oid}`);
-  }
-  const bytes = [40 * parts[0]! + parts[1]!];
-  for (let i = 2; i < parts.length; i++) {
-    let v = parts[i]!;
-    const stack = [v & 0x7f];
-    v = Math.floor(v / 128);
-    while (v > 0) {
-      stack.unshift((v & 0x7f) | 0x80);
-      v = Math.floor(v / 128);
-    }
-    bytes.push(...stack);
-  }
-  return tlv(TAG.OID, Buffer.from(bytes));
-}
-
-/**
- * Encode a BIT STRING with zero unused bits.
- * @param {Buffer} data
- * @returns {Buffer}
- */
-export function encodeBitString(data: Buffer): Buffer {
-  return tlv(TAG.BIT_STRING, Buffer.concat([Buffer.from([0x00]), data]));
-}
-
-/**
- * Encode an OCTET STRING.
- * @param {Buffer} data
- * @returns {Buffer}
- */
-export function encodeOctetString(data: Buffer): Buffer {
-  return tlv(TAG.OCTET_STRING, data);
-}
-
-/**
- * Encode a SEQUENCE from already-encoded components.
- * @param {Buffer[]} components
- * @returns {Buffer}
- */
-export function encodeSequence(components: Buffer[]): Buffer {
-  return tlv(TAG.SEQUENCE, Buffer.concat(components));
-}
-
-/**
- * Encode a SET from already-encoded components.
- * @param {Buffer[]} components
- * @returns {Buffer}
- */
-export function encodeSet(components: Buffer[]): Buffer {
-  return tlv(TAG.SET, Buffer.concat(components));
-}
-
-/**
- * Encode NULL.
- * @returns {Buffer}
- */
-export function encodeNull(): Buffer {
-  return tlv(TAG.NULL, Buffer.alloc(0));
-}
-
-/**
- * Encode a UTF8String.
- * @param {string} str
- * @returns {Buffer}
- */
-export function encodeUTF8String(str: string): Buffer {
-  return tlv(TAG.UTF8_STRING, Buffer.from(str, 'utf8'));
-}
-
-/**
- * Encode a context-specific [n] explicit wrapper (constructed).
- * @param {number} n - context tag number
- * @param {Buffer} body
- * @returns {Buffer}
- */
-export function encodeExplicit(n: number, body: Buffer): Buffer {
-  return tlv(0xa0 | n, body);
-}
-
-/**
- * Encode an X.509 time. Uses UTCTime for years < 2050, else GeneralizedTime,
- * per RFC 5280 §4.1.2.5.
- * @param {Date} date
- * @returns {Buffer}
- */
-export function encodeTime(date: Date): Buffer {
-  const yyyy = date.getUTCFullYear();
-  const pad = (v: number, n = 2): string => String(v).padStart(n, '0');
-  const mm = pad(date.getUTCMonth() + 1);
-  const dd = pad(date.getUTCDate());
-  const hh = pad(date.getUTCHours());
-  const mi = pad(date.getUTCMinutes());
-  const ss = pad(date.getUTCSeconds());
-  if (yyyy < 2050) {
-    const yy = pad(yyyy % 100);
-    return tlv(TAG.UTC_TIME, Buffer.from(`${yy}${mm}${dd}${hh}${mi}${ss}Z`, 'ascii'));
-  }
-  return tlv(TAG.GENERALIZED_TIME, Buffer.from(`${yyyy}${mm}${dd}${hh}${mi}${ss}Z`, 'ascii'));
-}

package/src/crypto/x509.ts

@@ -1,146 +0,0 @@
-/**
- * @file x509.ts
- * @description Self-signed X.509 v3 certificate generation for WebRTC DTLS.
- * @module crypto/x509
- *
- * WebRTC peers authenticate by self-signed certificate. The SDP carries
- * a=fingerprint as the hash of the DER-encoded certificate (RFC 8122), which
- * the peer verifies against the certificate presented during the DTLS
- * handshake. Node has no certificate builder, so we assemble a minimal but
- * spec-valid ECDSA P-256 / ecdsa-with-SHA256 certificate by hand.
- */
-
-'use strict';
-
-import * as crypto from 'crypto';
-import * as der from './der';
-
-/**
- * Options for {@link generateSelfSigned}.
- */
-export interface GenerateSelfSignedOptions {
-  /** CN; WebRTC uses a random value. */
-  commonName?: string;
-  /** Validity period in days. */
-  days?: number;
-  /** Override start time (default: now - 1 day). */
-  notBefore?: Date;
-}
-
-/**
- * Result of {@link generateSelfSigned}.
- */
-export interface SelfSignedCertificate {
-  /** DER-encoded certificate. */
-  certDer: Buffer;
-  privateKey: crypto.KeyObject;
-  publicKey: crypto.KeyObject;
-  notBefore: Date;
-  notAfter: Date;
-}
-
-// OIDs used in the certificate.
-export const OID = Object.freeze({
-  ecPublicKey: '1.2.840.10045.2.1',
-  prime256v1: '1.2.840.10045.3.1.7',
-  ecdsaWithSHA256: '1.2.840.10045.4.3.2',
-  commonName: '2.5.4.3',
-});
-
-/**
- * Build a Name with a single CN RDN.
- * @param {string} cn
- * @returns {Buffer}
- */
-function buildName(cn: string): Buffer {
-  const attr = der.encodeSequence([
-    der.encodeOID(OID.commonName),
-    der.encodeUTF8String(cn),
-  ]);
-  const rdn = der.encodeSet([attr]);
-  return der.encodeSequence([rdn]);
-}
-
-/**
- * The AlgorithmIdentifier for ecdsa-with-SHA256 (no parameters).
- * @returns {Buffer}
- */
-function ecdsaWithSHA256AlgId(): Buffer {
-  return der.encodeSequence([der.encodeOID(OID.ecdsaWithSHA256)]);
-}
-
-/**
- * Generate a self-signed ECDSA P-256 certificate.
- *
- * @param {GenerateSelfSignedOptions} [options]
- * @returns {SelfSignedCertificate}
- */
-export function generateSelfSigned(
-  options: GenerateSelfSignedOptions = {}
-): SelfSignedCertificate {
-  const commonName =
-    options.commonName || `WebRTC-${crypto.randomBytes(8).toString('hex')}`;
-  const days = options.days || 30;
-
-  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', {
-    namedCurve: 'prime256v1',
-  });
-
-  // Node exports a complete SubjectPublicKeyInfo in DER — reuse verbatim.
-  const spki = publicKey.export({ type: 'spki', format: 'der' }) as Buffer;
-
-  // Validity. Start one day in the past to tolerate clock skew between peers.
-  const notBefore =
-    options.notBefore || new Date(Date.now() - 24 * 60 * 60 * 1000);
-  const notAfter = new Date(notBefore.getTime() + days * 24 * 60 * 60 * 1000);
-
-  // Serial number: positive 20-byte random (high bit cleared via encoder).
-  const serial = crypto.randomBytes(20);
-  serial[0]! &= 0x7f;
-  if (serial[0] === 0) serial[0] = 0x01;
-
-  const name = buildName(commonName);
-
-  // TBSCertificate (X.509 v3).
-  const tbs = der.encodeSequence([
-    der.encodeExplicit(0, der.encodeInteger(2)), // version v3 (value 2)
-    der.encodeIntegerFromBuffer(serial), // serialNumber
-    ecdsaWithSHA256AlgId(), // signature algorithm
-    name, // issuer (== subject, self-signed)
-    der.encodeSequence([der.encodeTime(notBefore), der.encodeTime(notAfter)]),
-    name, // subject
-    spki, // subjectPublicKeyInfo
-  ]);
-
-  // Sign the TBS. Node returns a DER ECDSA-Sig-Value (SEQUENCE { r, s }).
-  const signature = crypto.sign('sha256', tbs, privateKey);
-
-  const certDer = der.encodeSequence([
-    tbs,
-    ecdsaWithSHA256AlgId(),
-    der.encodeBitString(signature),
-  ]);
-
-  return { certDer, privateKey, publicKey, notBefore, notAfter };
-}
-
-/**
- * Compute the certificate fingerprint as used in SDP a=fingerprint (RFC 8122):
- * hash over the DER-encoded certificate, uppercase hex, colon-separated.
- *
- * @param {Buffer} certDer
- * @param {string} [algorithm='sha-256'] - 'sha-256' | 'sha-384' | 'sha-512'
- * @returns {string}
- */
-export function fingerprint(
-  certDer: Buffer,
-  algorithm: string = 'sha-256'
-): string {
-  const nodeAlgo = algorithm.replace('-', '').toLowerCase(); // sha-256 -> sha256
-  const digest = crypto
-    .createHash(nodeAlgo)
-    .update(certDer)
-    .digest('hex')
-    .toUpperCase();
-  return digest.match(/.{2}/g)!.join(':');
-}