| 1 | /**
|
|---|
| 2 | * RSA Key Generation Worker.
|
|---|
| 3 | *
|
|---|
| 4 | * @author Dave Longley
|
|---|
| 5 | *
|
|---|
| 6 | * Copyright (c) 2013 Digital Bazaar, Inc.
|
|---|
| 7 | */
|
|---|
| 8 | // worker is built using CommonJS syntax to include all code in one worker file
|
|---|
| 9 | //importScripts('jsbn.js');
|
|---|
| 10 | var forge = require('./forge');
|
|---|
| 11 | require('./jsbn');
|
|---|
| 12 |
|
|---|
| 13 | // prime constants
|
|---|
| 14 | var LOW_PRIMES = [2,3,5,7,11,13,17,19,23,29,31,37,41,43,47,53,59,61,67,71,73,79,83,89,97,101,103,107,109,113,127,131,137,139,149,151,157,163,167,173,179,181,191,193,197,199,211,223,227,229,233,239,241,251,257,263,269,271,277,281,283,293,307,311,313,317,331,337,347,349,353,359,367,373,379,383,389,397,401,409,419,421,431,433,439,443,449,457,461,463,467,479,487,491,499,503,509,521,523,541,547,557,563,569,571,577,587,593,599,601,607,613,617,619,631,641,643,647,653,659,661,673,677,683,691,701,709,719,727,733,739,743,751,757,761,769,773,787,797,809,811,821,823,827,829,839,853,857,859,863,877,881,883,887,907,911,919,929,937,941,947,953,967,971,977,983,991,997];
|
|---|
| 15 | var LP_LIMIT = (1 << 26) / LOW_PRIMES[LOW_PRIMES.length - 1];
|
|---|
| 16 |
|
|---|
| 17 | var BigInteger = forge.jsbn.BigInteger;
|
|---|
| 18 | var BIG_TWO = new BigInteger(null);
|
|---|
| 19 | BIG_TWO.fromInt(2);
|
|---|
| 20 |
|
|---|
| 21 | self.addEventListener('message', function(e) {
|
|---|
| 22 | var result = findPrime(e.data);
|
|---|
| 23 | self.postMessage(result);
|
|---|
| 24 | });
|
|---|
| 25 |
|
|---|
| 26 | // start receiving ranges to check
|
|---|
| 27 | self.postMessage({found: false});
|
|---|
| 28 |
|
|---|
| 29 | // primes are 30k+i for i = 1, 7, 11, 13, 17, 19, 23, 29
|
|---|
| 30 | var GCD_30_DELTA = [6, 4, 2, 4, 2, 4, 6, 2];
|
|---|
| 31 |
|
|---|
| 32 | function findPrime(data) {
|
|---|
| 33 | // TODO: abstract based on data.algorithm (PRIMEINC vs. others)
|
|---|
| 34 |
|
|---|
| 35 | // create BigInteger from given random bytes
|
|---|
| 36 | var num = new BigInteger(data.hex, 16);
|
|---|
| 37 |
|
|---|
| 38 | /* Note: All primes are of the form 30k+i for i < 30 and gcd(30, i)=1. The
|
|---|
| 39 | number we are given is always aligned at 30k + 1. Each time the number is
|
|---|
| 40 | determined not to be prime we add to get to the next 'i', eg: if the number
|
|---|
| 41 | was at 30k + 1 we add 6. */
|
|---|
| 42 | var deltaIdx = 0;
|
|---|
| 43 |
|
|---|
| 44 | // find nearest prime
|
|---|
| 45 | var workLoad = data.workLoad;
|
|---|
| 46 | for(var i = 0; i < workLoad; ++i) {
|
|---|
| 47 | // do primality test
|
|---|
| 48 | if(isProbablePrime(num)) {
|
|---|
| 49 | return {found: true, prime: num.toString(16)};
|
|---|
| 50 | }
|
|---|
| 51 | // get next potential prime
|
|---|
| 52 | num.dAddOffset(GCD_30_DELTA[deltaIdx++ % 8], 0);
|
|---|
| 53 | }
|
|---|
| 54 |
|
|---|
| 55 | return {found: false};
|
|---|
| 56 | }
|
|---|
| 57 |
|
|---|
| 58 | function isProbablePrime(n) {
|
|---|
| 59 | // divide by low primes, ignore even checks, etc (n alread aligned properly)
|
|---|
| 60 | var i = 1;
|
|---|
| 61 | while(i < LOW_PRIMES.length) {
|
|---|
| 62 | var m = LOW_PRIMES[i];
|
|---|
| 63 | var j = i + 1;
|
|---|
| 64 | while(j < LOW_PRIMES.length && m < LP_LIMIT) {
|
|---|
| 65 | m *= LOW_PRIMES[j++];
|
|---|
| 66 | }
|
|---|
| 67 | m = n.modInt(m);
|
|---|
| 68 | while(i < j) {
|
|---|
| 69 | if(m % LOW_PRIMES[i++] === 0) {
|
|---|
| 70 | return false;
|
|---|
| 71 | }
|
|---|
| 72 | }
|
|---|
| 73 | }
|
|---|
| 74 | return runMillerRabin(n);
|
|---|
| 75 | }
|
|---|
| 76 |
|
|---|
| 77 | // HAC 4.24, Miller-Rabin
|
|---|
| 78 | function runMillerRabin(n) {
|
|---|
| 79 | // n1 = n - 1
|
|---|
| 80 | var n1 = n.subtract(BigInteger.ONE);
|
|---|
| 81 |
|
|---|
| 82 | // get s and d such that n1 = 2^s * d
|
|---|
| 83 | var s = n1.getLowestSetBit();
|
|---|
| 84 | if(s <= 0) {
|
|---|
| 85 | return false;
|
|---|
| 86 | }
|
|---|
| 87 | var d = n1.shiftRight(s);
|
|---|
| 88 |
|
|---|
| 89 | var k = _getMillerRabinTests(n.bitLength());
|
|---|
| 90 | var prng = getPrng();
|
|---|
| 91 | var a;
|
|---|
| 92 | for(var i = 0; i < k; ++i) {
|
|---|
| 93 | // select witness 'a' at random from between 1 and n - 1
|
|---|
| 94 | do {
|
|---|
| 95 | a = new BigInteger(n.bitLength(), prng);
|
|---|
| 96 | } while(a.compareTo(BigInteger.ONE) <= 0 || a.compareTo(n1) >= 0);
|
|---|
| 97 |
|
|---|
| 98 | /* See if 'a' is a composite witness. */
|
|---|
| 99 |
|
|---|
| 100 | // x = a^d mod n
|
|---|
| 101 | var x = a.modPow(d, n);
|
|---|
| 102 |
|
|---|
| 103 | // probably prime
|
|---|
| 104 | if(x.compareTo(BigInteger.ONE) === 0 || x.compareTo(n1) === 0) {
|
|---|
| 105 | continue;
|
|---|
| 106 | }
|
|---|
| 107 |
|
|---|
| 108 | var j = s;
|
|---|
| 109 | while(--j) {
|
|---|
| 110 | // x = x^2 mod a
|
|---|
| 111 | x = x.modPowInt(2, n);
|
|---|
| 112 |
|
|---|
| 113 | // 'n' is composite because no previous x == -1 mod n
|
|---|
| 114 | if(x.compareTo(BigInteger.ONE) === 0) {
|
|---|
| 115 | return false;
|
|---|
| 116 | }
|
|---|
| 117 | // x == -1 mod n, so probably prime
|
|---|
| 118 | if(x.compareTo(n1) === 0) {
|
|---|
| 119 | break;
|
|---|
| 120 | }
|
|---|
| 121 | }
|
|---|
| 122 |
|
|---|
| 123 | // 'x' is first_x^(n1/2) and is not +/- 1, so 'n' is not prime
|
|---|
| 124 | if(j === 0) {
|
|---|
| 125 | return false;
|
|---|
| 126 | }
|
|---|
| 127 | }
|
|---|
| 128 |
|
|---|
| 129 | return true;
|
|---|
| 130 | }
|
|---|
| 131 |
|
|---|
| 132 | // get pseudo random number generator
|
|---|
| 133 | function getPrng() {
|
|---|
| 134 | // create prng with api that matches BigInteger secure random
|
|---|
| 135 | return {
|
|---|
| 136 | // x is an array to fill with bytes
|
|---|
| 137 | nextBytes: function(x) {
|
|---|
| 138 | for(var i = 0; i < x.length; ++i) {
|
|---|
| 139 | x[i] = Math.floor(Math.random() * 0xFF);
|
|---|
| 140 | }
|
|---|
| 141 | }
|
|---|
| 142 | };
|
|---|
| 143 | }
|
|---|
| 144 |
|
|---|
| 145 | /**
|
|---|
| 146 | * Returns the required number of Miller-Rabin tests to generate a
|
|---|
| 147 | * prime with an error probability of (1/2)^80.
|
|---|
| 148 | *
|
|---|
| 149 | * See Handbook of Applied Cryptography Chapter 4, Table 4.4.
|
|---|
| 150 | *
|
|---|
| 151 | * @param bits the bit size.
|
|---|
| 152 | *
|
|---|
| 153 | * @return the required number of iterations.
|
|---|
| 154 | */
|
|---|
| 155 | function _getMillerRabinTests(bits) {
|
|---|
| 156 | if(bits <= 100) return 27;
|
|---|
| 157 | if(bits <= 150) return 18;
|
|---|
| 158 | if(bits <= 200) return 15;
|
|---|
| 159 | if(bits <= 250) return 12;
|
|---|
| 160 | if(bits <= 300) return 9;
|
|---|
| 161 | if(bits <= 350) return 8;
|
|---|
| 162 | if(bits <= 400) return 7;
|
|---|
| 163 | if(bits <= 500) return 6;
|
|---|
| 164 | if(bits <= 600) return 5;
|
|---|
| 165 | if(bits <= 800) return 4;
|
|---|
| 166 | if(bits <= 1250) return 3;
|
|---|
| 167 | return 2;
|
|---|
| 168 | }
|
|---|
