Context Navigation

← Previous Revision
Next Revision →
Blame
Revision Log

source: trip-planner-front/node_modules/node-forge/lib/rsa.js

Last change on this file was 6a3a178, checked in by Ema <ema_spirova@…>, 3 years ago
initial commit
Property mode set to `100644`
File size: 55.7 KB

Line
1	/**
2	* Javascript implementation of basic RSA algorithms.
3	*
4	* @author Dave Longley
5	*
6	* Copyright (c) 2010-2014 Digital Bazaar, Inc.
7	*
8	* The only algorithm currently supported for PKI is RSA.
9	*
10	* An RSA key is often stored in ASN.1 DER format. The SubjectPublicKeyInfo
11	* ASN.1 structure is composed of an algorithm of type AlgorithmIdentifier
12	* and a subjectPublicKey of type bit string.
13	*
14	* The AlgorithmIdentifier contains an Object Identifier (OID) and parameters
15	* for the algorithm, if any. In the case of RSA, there aren't any.
16	*
17	* SubjectPublicKeyInfo ::= SEQUENCE {
18	* algorithm AlgorithmIdentifier,
19	* subjectPublicKey BIT STRING
20	* }
21	*
22	* AlgorithmIdentifer ::= SEQUENCE {
23	* algorithm OBJECT IDENTIFIER,
24	* parameters ANY DEFINED BY algorithm OPTIONAL
25	* }
26	*
27	* For an RSA public key, the subjectPublicKey is:
28	*
29	* RSAPublicKey ::= SEQUENCE {
30	* modulus INTEGER, -- n
31	* publicExponent INTEGER -- e
32	* }
33	*
34	* PrivateKeyInfo ::= SEQUENCE {
35	* version Version,
36	* privateKeyAlgorithm PrivateKeyAlgorithmIdentifier,
37	* privateKey PrivateKey,
38	* attributes [0] IMPLICIT Attributes OPTIONAL
39	* }
40	*
41	* Version ::= INTEGER
42	* PrivateKeyAlgorithmIdentifier ::= AlgorithmIdentifier
43	* PrivateKey ::= OCTET STRING
44	* Attributes ::= SET OF Attribute
45	*
46	* An RSA private key as the following structure:
47	*
48	* RSAPrivateKey ::= SEQUENCE {
49	* version Version,
50	* modulus INTEGER, -- n
51	* publicExponent INTEGER, -- e
52	* privateExponent INTEGER, -- d
53	* prime1 INTEGER, -- p
54	* prime2 INTEGER, -- q
55	* exponent1 INTEGER, -- d mod (p-1)
56	* exponent2 INTEGER, -- d mod (q-1)
57	* coefficient INTEGER -- (inverse of q) mod p
58	* }
59	*
60	* Version ::= INTEGER
61	*
62	* The OID for the RSA key algorithm is: 1.2.840.113549.1.1.1
63	*/
64	var forge = require('./forge');
65	require('./asn1');
66	require('./jsbn');
67	require('./oids');
68	require('./pkcs1');
69	require('./prime');
70	require('./random');
71	require('./util');
72
73	if(typeof BigInteger === 'undefined') {
74	var BigInteger = forge.jsbn.BigInteger;
75	}
76
77	var _crypto = forge.util.isNodejs ? require('crypto') : null;
78
79	// shortcut for asn.1 API
80	var asn1 = forge.asn1;
81
82	// shortcut for util API
83	var util = forge.util;
84
85	/*
86	* RSA encryption and decryption, see RFC 2313.
87	*/
88	forge.pki = forge.pki \|\| {};
89	module.exports = forge.pki.rsa = forge.rsa = forge.rsa \|\| {};
90	var pki = forge.pki;
91
92	// for finding primes, which are 30k+i for i = 1, 7, 11, 13, 17, 19, 23, 29
93	var GCD_30_DELTA = [6, 4, 2, 4, 2, 4, 6, 2];
94
95	// validator for a PrivateKeyInfo structure
96	var privateKeyValidator = {
97	// PrivateKeyInfo
98	name: 'PrivateKeyInfo',
99	tagClass: asn1.Class.UNIVERSAL,
100	type: asn1.Type.SEQUENCE,
101	constructed: true,
102	value: [{
103	// Version (INTEGER)
104	name: 'PrivateKeyInfo.version',
105	tagClass: asn1.Class.UNIVERSAL,
106	type: asn1.Type.INTEGER,
107	constructed: false,
108	capture: 'privateKeyVersion'
109	}, {
110	// privateKeyAlgorithm
111	name: 'PrivateKeyInfo.privateKeyAlgorithm',
112	tagClass: asn1.Class.UNIVERSAL,
113	type: asn1.Type.SEQUENCE,
114	constructed: true,
115	value: [{
116	name: 'AlgorithmIdentifier.algorithm',
117	tagClass: asn1.Class.UNIVERSAL,
118	type: asn1.Type.OID,
119	constructed: false,
120	capture: 'privateKeyOid'
121	}]
122	}, {
123	// PrivateKey
124	name: 'PrivateKeyInfo',
125	tagClass: asn1.Class.UNIVERSAL,
126	type: asn1.Type.OCTETSTRING,
127	constructed: false,
128	capture: 'privateKey'
129	}]
130	};
131
132	// validator for an RSA private key
133	var rsaPrivateKeyValidator = {
134	// RSAPrivateKey
135	name: 'RSAPrivateKey',
136	tagClass: asn1.Class.UNIVERSAL,
137	type: asn1.Type.SEQUENCE,
138	constructed: true,
139	value: [{
140	// Version (INTEGER)
141	name: 'RSAPrivateKey.version',
142	tagClass: asn1.Class.UNIVERSAL,
143	type: asn1.Type.INTEGER,
144	constructed: false,
145	capture: 'privateKeyVersion'
146	}, {
147	// modulus (n)
148	name: 'RSAPrivateKey.modulus',
149	tagClass: asn1.Class.UNIVERSAL,
150	type: asn1.Type.INTEGER,
151	constructed: false,
152	capture: 'privateKeyModulus'
153	}, {
154	// publicExponent (e)
155	name: 'RSAPrivateKey.publicExponent',
156	tagClass: asn1.Class.UNIVERSAL,
157	type: asn1.Type.INTEGER,
158	constructed: false,
159	capture: 'privateKeyPublicExponent'
160	}, {
161	// privateExponent (d)
162	name: 'RSAPrivateKey.privateExponent',
163	tagClass: asn1.Class.UNIVERSAL,
164	type: asn1.Type.INTEGER,
165	constructed: false,
166	capture: 'privateKeyPrivateExponent'
167	}, {
168	// prime1 (p)
169	name: 'RSAPrivateKey.prime1',
170	tagClass: asn1.Class.UNIVERSAL,
171	type: asn1.Type.INTEGER,
172	constructed: false,
173	capture: 'privateKeyPrime1'
174	}, {
175	// prime2 (q)
176	name: 'RSAPrivateKey.prime2',
177	tagClass: asn1.Class.UNIVERSAL,
178	type: asn1.Type.INTEGER,
179	constructed: false,
180	capture: 'privateKeyPrime2'
181	}, {
182	// exponent1 (d mod (p-1))
183	name: 'RSAPrivateKey.exponent1',
184	tagClass: asn1.Class.UNIVERSAL,
185	type: asn1.Type.INTEGER,
186	constructed: false,
187	capture: 'privateKeyExponent1'
188	}, {
189	// exponent2 (d mod (q-1))
190	name: 'RSAPrivateKey.exponent2',
191	tagClass: asn1.Class.UNIVERSAL,
192	type: asn1.Type.INTEGER,
193	constructed: false,
194	capture: 'privateKeyExponent2'
195	}, {
196	// coefficient ((inverse of q) mod p)
197	name: 'RSAPrivateKey.coefficient',
198	tagClass: asn1.Class.UNIVERSAL,
199	type: asn1.Type.INTEGER,
200	constructed: false,
201	capture: 'privateKeyCoefficient'
202	}]
203	};
204
205	// validator for an RSA public key
206	var rsaPublicKeyValidator = {
207	// RSAPublicKey
208	name: 'RSAPublicKey',
209	tagClass: asn1.Class.UNIVERSAL,
210	type: asn1.Type.SEQUENCE,
211	constructed: true,
212	value: [{
213	// modulus (n)
214	name: 'RSAPublicKey.modulus',
215	tagClass: asn1.Class.UNIVERSAL,
216	type: asn1.Type.INTEGER,
217	constructed: false,
218	capture: 'publicKeyModulus'
219	}, {
220	// publicExponent (e)
221	name: 'RSAPublicKey.exponent',
222	tagClass: asn1.Class.UNIVERSAL,
223	type: asn1.Type.INTEGER,
224	constructed: false,
225	capture: 'publicKeyExponent'
226	}]
227	};
228
229	// validator for an SubjectPublicKeyInfo structure
230	// Note: Currently only works with an RSA public key
231	var publicKeyValidator = forge.pki.rsa.publicKeyValidator = {
232	name: 'SubjectPublicKeyInfo',
233	tagClass: asn1.Class.UNIVERSAL,
234	type: asn1.Type.SEQUENCE,
235	constructed: true,
236	captureAsn1: 'subjectPublicKeyInfo',
237	value: [{
238	name: 'SubjectPublicKeyInfo.AlgorithmIdentifier',
239	tagClass: asn1.Class.UNIVERSAL,
240	type: asn1.Type.SEQUENCE,
241	constructed: true,
242	value: [{
243	name: 'AlgorithmIdentifier.algorithm',
244	tagClass: asn1.Class.UNIVERSAL,
245	type: asn1.Type.OID,
246	constructed: false,
247	capture: 'publicKeyOid'
248	}]
249	}, {
250	// subjectPublicKey
251	name: 'SubjectPublicKeyInfo.subjectPublicKey',
252	tagClass: asn1.Class.UNIVERSAL,
253	type: asn1.Type.BITSTRING,
254	constructed: false,
255	value: [{
256	// RSAPublicKey
257	name: 'SubjectPublicKeyInfo.subjectPublicKey.RSAPublicKey',
258	tagClass: asn1.Class.UNIVERSAL,
259	type: asn1.Type.SEQUENCE,
260	constructed: true,
261	optional: true,
262	captureAsn1: 'rsaPublicKey'
263	}]
264	}]
265	};
266
267	/**
268	* Wrap digest in DigestInfo object.
269	*
270	* This function implements EMSA-PKCS1-v1_5-ENCODE as per RFC 3447.
271	*
272	* DigestInfo ::= SEQUENCE {
273	* digestAlgorithm DigestAlgorithmIdentifier,
274	* digest Digest
275	* }
276	*
277	* DigestAlgorithmIdentifier ::= AlgorithmIdentifier
278	* Digest ::= OCTET STRING
279	*
280	* @param md the message digest object with the hash to sign.
281	*
282	* @return the encoded message (ready for RSA encrytion)
283	*/
284	var emsaPkcs1v15encode = function(md) {
285	// get the oid for the algorithm
286	var oid;
287	if(md.algorithm in pki.oids) {
288	oid = pki.oids[md.algorithm];
289	} else {
290	var error = new Error('Unknown message digest algorithm.');
291	error.algorithm = md.algorithm;
292	throw error;
293	}
294	var oidBytes = asn1.oidToDer(oid).getBytes();
295
296	// create the digest info
297	var digestInfo = asn1.create(
298	asn1.Class.UNIVERSAL, asn1.Type.SEQUENCE, true, []);
299	var digestAlgorithm = asn1.create(
300	asn1.Class.UNIVERSAL, asn1.Type.SEQUENCE, true, []);
301	digestAlgorithm.value.push(asn1.create(
302	asn1.Class.UNIVERSAL, asn1.Type.OID, false, oidBytes));
303	digestAlgorithm.value.push(asn1.create(
304	asn1.Class.UNIVERSAL, asn1.Type.NULL, false, ''));
305	var digest = asn1.create(
306	asn1.Class.UNIVERSAL, asn1.Type.OCTETSTRING,
307	false, md.digest().getBytes());
308	digestInfo.value.push(digestAlgorithm);
309	digestInfo.value.push(digest);
310
311	// encode digest info
312	return asn1.toDer(digestInfo).getBytes();
313	};
314
315	/**
316	* Performs x^c mod n (RSA encryption or decryption operation).
317	*
318	* @param x the number to raise and mod.
319	* @param key the key to use.
320	* @param pub true if the key is public, false if private.
321	*
322	* @return the result of x^c mod n.
323	*/
324	var _modPow = function(x, key, pub) {
325	if(pub) {
326	return x.modPow(key.e, key.n);
327	}
328
329	if(!key.p \|\| !key.q) {
330	// allow calculation without CRT params (slow)
331	return x.modPow(key.d, key.n);
332	}
333
334	// pre-compute dP, dQ, and qInv if necessary
335	if(!key.dP) {
336	key.dP = key.d.mod(key.p.subtract(BigInteger.ONE));
337	}
338	if(!key.dQ) {
339	key.dQ = key.d.mod(key.q.subtract(BigInteger.ONE));
340	}
341	if(!key.qInv) {
342	key.qInv = key.q.modInverse(key.p);
343	}
344
345	/* Chinese remainder theorem (CRT) states:
346
347	Suppose n1, n2, ..., nk are positive integers which are pairwise
348	coprime (n1 and n2 have no common factors other than 1). For any
349	integers x1, x2, ..., xk there exists an integer x solving the
350	system of simultaneous congruences (where ~= means modularly
351	congruent so a ~= b mod n means a mod n = b mod n):
352
353	x ~= x1 mod n1
354	x ~= x2 mod n2
355	...
356	x ~= xk mod nk
357
358	This system of congruences has a single simultaneous solution x
359	between 0 and n - 1. Furthermore, each xk solution and x itself
360	is congruent modulo the product n = n1n2...*nk.
361	So x1 mod n = x2 mod n = xk mod n = x mod n.
362
363	The single simultaneous solution x can be solved with the following
364	equation:
365
366	x = sum(xirisi) mod n where ri = n/ni and si = ri^-1 mod ni.
367
368	Where x is less than n, xi = x mod ni.
369
370	For RSA we are only concerned with k = 2. The modulus n = pq, where
371	p and q are coprime. The RSA decryption algorithm is:
372
373	y = x^d mod n
374
375	Given the above:
376
377	x1 = x^d mod p
378	r1 = n/p = q
379	s1 = q^-1 mod p
380	x2 = x^d mod q
381	r2 = n/q = p
382	s2 = p^-1 mod q
383
384	So y = (x1r1s1 + x2r2s2) mod n
385	= ((x^d mod p)q(q^-1 mod p) + (x^d mod q)p(p^-1 mod q)) mod n
386
387	According to Fermat's Little Theorem, if the modulus P is prime,
388	for any integer A not evenly divisible by P, A^(P-1) ~= 1 mod P.
389	Since A is not divisible by P it follows that if:
390	N ~= M mod (P - 1), then A^N mod P = A^M mod P. Therefore:
391
392	A^N mod P = A^(M mod (P - 1)) mod P. (The latter takes less effort
393	to calculate). In order to calculate x^d mod p more quickly the
394	exponent d mod (p - 1) is stored in the RSA private key (the same
395	is done for x^d mod q). These values are referred to as dP and dQ
396	respectively. Therefore we now have:
397
398	y = ((x^dP mod p)q(q^-1 mod p) + (x^dQ mod q)p(p^-1 mod q)) mod n
399
400	Since we'll be reducing x^dP by modulo p (same for q) we can also
401	reduce x by p (and q respectively) before hand. Therefore, let
402
403	xp = ((x mod p)^dP mod p), and
404	xq = ((x mod q)^dQ mod q), yielding:
405
406	y = (xpq(q^-1 mod p) + xqp(p^-1 mod q)) mod n
407
408	This can be further reduced to a simple algorithm that only
409	requires 1 inverse (the q inverse is used) to be used and stored.
410	The algorithm is called Garner's algorithm. If qInv is the
411	inverse of q, we simply calculate:
412
413	y = (qInv(xp - xq) mod p) q + xq
414
415	However, there are two further complications. First, we need to
416	ensure that xp > xq to prevent signed BigIntegers from being used
417	so we add p until this is true (since we will be mod'ing with
418	p anyway). Then, there is a known timing attack on algorithms
419	using the CRT. To mitigate this risk, "cryptographic blinding"
420	should be used. This requires simply generating a random number r
421	between 0 and n-1 and its inverse and multiplying x by r^e before
422	calculating y and then multiplying y by r^-1 afterwards. Note that
423	r must be coprime with n (gcd(r, n) === 1) in order to have an
424	inverse.
425	*/
426
427	// cryptographic blinding
428	var r;
429	do {
430	r = new BigInteger(
431	forge.util.bytesToHex(forge.random.getBytes(key.n.bitLength() / 8)),
432	16);
433	} while(r.compareTo(key.n) >= 0 \|\| !r.gcd(key.n).equals(BigInteger.ONE));
434	x = x.multiply(r.modPow(key.e, key.n)).mod(key.n);
435
436	// calculate xp and xq
437	var xp = x.mod(key.p).modPow(key.dP, key.p);
438	var xq = x.mod(key.q).modPow(key.dQ, key.q);
439
440	// xp must be larger than xq to avoid signed bit usage
441	while(xp.compareTo(xq) < 0) {
442	xp = xp.add(key.p);
443	}
444
445	// do last step
446	var y = xp.subtract(xq)
447	.multiply(key.qInv).mod(key.p)
448	.multiply(key.q).add(xq);
449
450	// remove effect of random for cryptographic blinding
451	y = y.multiply(r.modInverse(key.n)).mod(key.n);
452
453	return y;
454	};
455
456	/**
457	* NOTE: THIS METHOD IS DEPRECATED, use 'sign' on a private key object or
458	* 'encrypt' on a public key object instead.
459	*
460	* Performs RSA encryption.
461	*
462	* The parameter bt controls whether to put padding bytes before the
463	* message passed in. Set bt to either true or false to disable padding
464	* completely (in order to handle e.g. EMSA-PSS encoding seperately before),
465	* signaling whether the encryption operation is a public key operation
466	* (i.e. encrypting data) or not, i.e. private key operation (data signing).
467	*
468	* For PKCS#1 v1.5 padding pass in the block type to use, i.e. either 0x01
469	* (for signing) or 0x02 (for encryption). The key operation mode (private
470	* or public) is derived from this flag in that case).
471	*
472	* @param m the message to encrypt as a byte string.
473	* @param key the RSA key to use.
474	* @param bt for PKCS#1 v1.5 padding, the block type to use
475	* (0x01 for private key, 0x02 for public),
476	* to disable padding: true = public key, false = private key.
477	*
478	* @return the encrypted bytes as a string.
479	*/
480	pki.rsa.encrypt = function(m, key, bt) {
481	var pub = bt;
482	var eb;
483
484	// get the length of the modulus in bytes
485	var k = Math.ceil(key.n.bitLength() / 8);
486
487	if(bt !== false && bt !== true) {
488	// legacy, default to PKCS#1 v1.5 padding
489	pub = (bt === 0x02);
490	eb = _encodePkcs1_v1_5(m, key, bt);
491	} else {
492	eb = forge.util.createBuffer();
493	eb.putBytes(m);
494	}
495
496	// load encryption block as big integer 'x'
497	// FIXME: hex conversion inefficient, get BigInteger w/byte strings
498	var x = new BigInteger(eb.toHex(), 16);
499
500	// do RSA encryption
501	var y = _modPow(x, key, pub);
502
503	// convert y into the encrypted data byte string, if y is shorter in
504	// bytes than k, then prepend zero bytes to fill up ed
505	// FIXME: hex conversion inefficient, get BigInteger w/byte strings
506	var yhex = y.toString(16);
507	var ed = forge.util.createBuffer();
508	var zeros = k - Math.ceil(yhex.length / 2);
509	while(zeros > 0) {
510	ed.putByte(0x00);
511	--zeros;
512	}
513	ed.putBytes(forge.util.hexToBytes(yhex));
514	return ed.getBytes();
515	};
516
517	/**
518	* NOTE: THIS METHOD IS DEPRECATED, use 'decrypt' on a private key object or
519	* 'verify' on a public key object instead.
520	*
521	* Performs RSA decryption.
522	*
523	* The parameter ml controls whether to apply PKCS#1 v1.5 padding
524	* or not. Set ml = false to disable padding removal completely
525	* (in order to handle e.g. EMSA-PSS later on) and simply pass back
526	* the RSA encryption block.
527	*
528	* @param ed the encrypted data to decrypt in as a byte string.
529	* @param key the RSA key to use.
530	* @param pub true for a public key operation, false for private.
531	* @param ml the message length, if known, false to disable padding.
532	*
533	* @return the decrypted message as a byte string.
534	*/
535	pki.rsa.decrypt = function(ed, key, pub, ml) {
536	// get the length of the modulus in bytes
537	var k = Math.ceil(key.n.bitLength() / 8);
538
539	// error if the length of the encrypted data ED is not k
540	if(ed.length !== k) {
541	var error = new Error('Encrypted message length is invalid.');
542	error.length = ed.length;
543	error.expected = k;
544	throw error;
545	}
546
547	// convert encrypted data into a big integer
548	// FIXME: hex conversion inefficient, get BigInteger w/byte strings
549	var y = new BigInteger(forge.util.createBuffer(ed).toHex(), 16);
550
551	// y must be less than the modulus or it wasn't the result of
552	// a previous mod operation (encryption) using that modulus
553	if(y.compareTo(key.n) >= 0) {
554	throw new Error('Encrypted message is invalid.');
555	}
556
557	// do RSA decryption
558	var x = _modPow(y, key, pub);
559
560	// create the encryption block, if x is shorter in bytes than k, then
561	// prepend zero bytes to fill up eb
562	// FIXME: hex conversion inefficient, get BigInteger w/byte strings
563	var xhex = x.toString(16);
564	var eb = forge.util.createBuffer();
565	var zeros = k - Math.ceil(xhex.length / 2);
566	while(zeros > 0) {
567	eb.putByte(0x00);
568	--zeros;
569	}
570	eb.putBytes(forge.util.hexToBytes(xhex));
571
572	if(ml !== false) {
573	// legacy, default to PKCS#1 v1.5 padding
574	return _decodePkcs1_v1_5(eb.getBytes(), key, pub);
575	}
576
577	// return message
578	return eb.getBytes();
579	};
580
581	/**
582	* Creates an RSA key-pair generation state object. It is used to allow
583	* key-generation to be performed in steps. It also allows for a UI to
584	* display progress updates.
585	*
586	* @param bits the size for the private key in bits, defaults to 2048.
587	* @param e the public exponent to use, defaults to 65537 (0x10001).
588	* @param [options] the options to use.
589	* prng a custom crypto-secure pseudo-random number generator to use,
590	* that must define "getBytesSync".
591	* algorithm the algorithm to use (default: 'PRIMEINC').
592	*
593	* @return the state object to use to generate the key-pair.
594	*/
595	pki.rsa.createKeyPairGenerationState = function(bits, e, options) {
596	// TODO: migrate step-based prime generation code to forge.prime
597
598	// set default bits
599	if(typeof(bits) === 'string') {
600	bits = parseInt(bits, 10);
601	}
602	bits = bits \|\| 2048;
603
604	// create prng with api that matches BigInteger secure random
605	options = options \|\| {};
606	var prng = options.prng \|\| forge.random;
607	var rng = {
608	// x is an array to fill with bytes
609	nextBytes: function(x) {
610	var b = prng.getBytesSync(x.length);
611	for(var i = 0; i < x.length; ++i) {
612	x[i] = b.charCodeAt(i);
613	}
614	}
615	};
616
617	var algorithm = options.algorithm \|\| 'PRIMEINC';
618
619	// create PRIMEINC algorithm state
620	var rval;
621	if(algorithm === 'PRIMEINC') {
622	rval = {
623	algorithm: algorithm,
624	state: 0,
625	bits: bits,
626	rng: rng,
627	eInt: e \|\| 65537,
628	e: new BigInteger(null),
629	p: null,
630	q: null,
631	qBits: bits >> 1,
632	pBits: bits - (bits >> 1),
633	pqState: 0,
634	num: null,
635	keys: null
636	};
637	rval.e.fromInt(rval.eInt);
638	} else {
639	throw new Error('Invalid key generation algorithm: ' + algorithm);
640	}
641
642	return rval;
643	};
644
645	/**
646	* Attempts to runs the key-generation algorithm for at most n seconds
647	* (approximately) using the given state. When key-generation has completed,
648	* the keys will be stored in state.keys.
649	*
650	* To use this function to update a UI while generating a key or to prevent
651	* causing browser lockups/warnings, set "n" to a value other than 0. A
652	* simple pattern for generating a key and showing a progress indicator is:
653	*
654	* var state = pki.rsa.createKeyPairGenerationState(2048);
655	* var step = function() {
656	* // step key-generation, run algorithm for 100 ms, repeat
657	* if(!forge.pki.rsa.stepKeyPairGenerationState(state, 100)) {
658	* setTimeout(step, 1);
659	* } else {
660	* // key-generation complete
661	* // TODO: turn off progress indicator here
662	* // TODO: use the generated key-pair in "state.keys"
663	* }
664	* };
665	* // TODO: turn on progress indicator here
666	* setTimeout(step, 0);
667	*
668	* @param state the state to use.
669	* @param n the maximum number of milliseconds to run the algorithm for, 0
670	* to run the algorithm to completion.
671	*
672	* @return true if the key-generation completed, false if not.
673	*/
674	pki.rsa.stepKeyPairGenerationState = function(state, n) {
675	// set default algorithm if not set
676	if(!('algorithm' in state)) {
677	state.algorithm = 'PRIMEINC';
678	}
679
680	// TODO: migrate step-based prime generation code to forge.prime
681	// TODO: abstract as PRIMEINC algorithm
682
683	// do key generation (based on Tom Wu's rsa.js, see jsbn.js license)
684	// with some minor optimizations and designed to run in steps
685
686	// local state vars
687	var THIRTY = new BigInteger(null);
688	THIRTY.fromInt(30);
689	var deltaIdx = 0;
690	var op_or = function(x, y) {return x \| y;};
691
692	// keep stepping until time limit is reached or done
693	var t1 = +new Date();
694	var t2;
695	var total = 0;
696	while(state.keys === null && (n <= 0 \|\| total < n)) {
697	// generate p or q
698	if(state.state === 0) {
699	/* Note: All primes are of the form:
700
701	30k+i, for i < 30 and gcd(30, i)=1, where there are 8 values for i
702
703	When we generate a random number, we always align it at 30k + 1. Each
704	time the number is determined not to be prime we add to get to the
705	next 'i', eg: if the number was at 30k + 1 we add 6. */
706	var bits = (state.p === null) ? state.pBits : state.qBits;
707	var bits1 = bits - 1;
708
709	// get a random number
710	if(state.pqState === 0) {
711	state.num = new BigInteger(bits, state.rng);
712	// force MSB set
713	if(!state.num.testBit(bits1)) {
714	state.num.bitwiseTo(
715	BigInteger.ONE.shiftLeft(bits1), op_or, state.num);
716	}
717	// align number on 30k+1 boundary
718	state.num.dAddOffset(31 - state.num.mod(THIRTY).byteValue(), 0);
719	deltaIdx = 0;
720
721	++state.pqState;
722	} else if(state.pqState === 1) {
723	// try to make the number a prime
724	if(state.num.bitLength() > bits) {
725	// overflow, try again
726	state.pqState = 0;
727	// do primality test
728	} else if(state.num.isProbablePrime(
729	_getMillerRabinTests(state.num.bitLength()))) {
730	++state.pqState;
731	} else {
732	// get next potential prime
733	state.num.dAddOffset(GCD_30_DELTA[deltaIdx++ % 8], 0);
734	}
735	} else if(state.pqState === 2) {
736	// ensure number is coprime with e
737	state.pqState =
738	(state.num.subtract(BigInteger.ONE).gcd(state.e)
739	.compareTo(BigInteger.ONE) === 0) ? 3 : 0;
740	} else if(state.pqState === 3) {
741	// store p or q
742	state.pqState = 0;
743	if(state.p === null) {
744	state.p = state.num;
745	} else {
746	state.q = state.num;
747	}
748
749	// advance state if both p and q are ready
750	if(state.p !== null && state.q !== null) {
751	++state.state;
752	}
753	state.num = null;
754	}
755	} else if(state.state === 1) {
756	// ensure p is larger than q (swap them if not)
757	if(state.p.compareTo(state.q) < 0) {
758	state.num = state.p;
759	state.p = state.q;
760	state.q = state.num;
761	}
762	++state.state;
763	} else if(state.state === 2) {
764	// compute phi: (p - 1)(q - 1) (Euler's totient function)
765	state.p1 = state.p.subtract(BigInteger.ONE);
766	state.q1 = state.q.subtract(BigInteger.ONE);
767	state.phi = state.p1.multiply(state.q1);
768	++state.state;
769	} else if(state.state === 3) {
770	// ensure e and phi are coprime
771	if(state.phi.gcd(state.e).compareTo(BigInteger.ONE) === 0) {
772	// phi and e are coprime, advance
773	++state.state;
774	} else {
775	// phi and e aren't coprime, so generate a new p and q
776	state.p = null;
777	state.q = null;
778	state.state = 0;
779	}
780	} else if(state.state === 4) {
781	// create n, ensure n is has the right number of bits
782	state.n = state.p.multiply(state.q);
783
784	// ensure n is right number of bits
785	if(state.n.bitLength() === state.bits) {
786	// success, advance
787	++state.state;
788	} else {
789	// failed, get new q
790	state.q = null;
791	state.state = 0;
792	}
793	} else if(state.state === 5) {
794	// set keys
795	var d = state.e.modInverse(state.phi);
796	state.keys = {
797	privateKey: pki.rsa.setPrivateKey(
798	state.n, state.e, d, state.p, state.q,
799	d.mod(state.p1), d.mod(state.q1),
800	state.q.modInverse(state.p)),
801	publicKey: pki.rsa.setPublicKey(state.n, state.e)
802	};
803	}
804
805	// update timing
806	t2 = +new Date();
807	total += t2 - t1;
808	t1 = t2;
809	}
810
811	return state.keys !== null;
812	};
813
814	/**
815	* Generates an RSA public-private key pair in a single call.
816	*
817	* To generate a key-pair in steps (to allow for progress updates and to
818	* prevent blocking or warnings in slow browsers) then use the key-pair
819	* generation state functions.
820	*
821	* To generate a key-pair asynchronously (either through web-workers, if
822	* available, or by breaking up the work on the main thread), pass a
823	* callback function.
824	*
825	* @param [bits] the size for the private key in bits, defaults to 2048.
826	* @param [e] the public exponent to use, defaults to 65537.
827	* @param [options] options for key-pair generation, if given then 'bits'
828	* and 'e' must not be given:
829	* bits the size for the private key in bits, (default: 2048).
830	* e the public exponent to use, (default: 65537 (0x10001)).
831	* workerScript the worker script URL.
832	* workers the number of web workers (if supported) to use,
833	* (default: 2).
834	* workLoad the size of the work load, ie: number of possible prime
835	* numbers for each web worker to check per work assignment,
836	* (default: 100).
837	* prng a custom crypto-secure pseudo-random number generator to use,
838	* that must define "getBytesSync". Disables use of native APIs.
839	* algorithm the algorithm to use (default: 'PRIMEINC').
840	* @param [callback(err, keypair)] called once the operation completes.
841	*
842	* @return an object with privateKey and publicKey properties.
843	*/
844	pki.rsa.generateKeyPair = function(bits, e, options, callback) {
845	// (bits), (options), (callback)
846	if(arguments.length === 1) {
847	if(typeof bits === 'object') {
848	options = bits;
849	bits = undefined;
850	} else if(typeof bits === 'function') {
851	callback = bits;
852	bits = undefined;
853	}
854	} else if(arguments.length === 2) {
855	// (bits, e), (bits, options), (bits, callback), (options, callback)
856	if(typeof bits === 'number') {
857	if(typeof e === 'function') {
858	callback = e;
859	e = undefined;
860	} else if(typeof e !== 'number') {
861	options = e;
862	e = undefined;
863	}
864	} else {
865	options = bits;
866	callback = e;
867	bits = undefined;
868	e = undefined;
869	}
870	} else if(arguments.length === 3) {
871	// (bits, e, options), (bits, e, callback), (bits, options, callback)
872	if(typeof e === 'number') {
873	if(typeof options === 'function') {
874	callback = options;
875	options = undefined;
876	}
877	} else {
878	callback = options;
879	options = e;
880	e = undefined;
881	}
882	}
883	options = options \|\| {};
884	if(bits === undefined) {
885	bits = options.bits \|\| 2048;
886	}
887	if(e === undefined) {
888	e = options.e \|\| 0x10001;
889	}
890
891	// use native code if permitted, available, and parameters are acceptable
892	if(!forge.options.usePureJavaScript && !options.prng &&
893	bits >= 256 && bits <= 16384 && (e === 0x10001 \|\| e === 3)) {
894	if(callback) {
895	// try native async
896	if(_detectNodeCrypto('generateKeyPair')) {
897	return _crypto.generateKeyPair('rsa', {
898	modulusLength: bits,
899	publicExponent: e,
900	publicKeyEncoding: {
901	type: 'spki',
902	format: 'pem'
903	},
904	privateKeyEncoding: {
905	type: 'pkcs8',
906	format: 'pem'
907	}
908	}, function(err, pub, priv) {
909	if(err) {
910	return callback(err);
911	}
912	callback(null, {
913	privateKey: pki.privateKeyFromPem(priv),
914	publicKey: pki.publicKeyFromPem(pub)
915	});
916	});
917	}
918	if(_detectSubtleCrypto('generateKey') &&
919	_detectSubtleCrypto('exportKey')) {
920	// use standard native generateKey
921	return util.globalScope.crypto.subtle.generateKey({
922	name: 'RSASSA-PKCS1-v1_5',
923	modulusLength: bits,
924	publicExponent: _intToUint8Array(e),
925	hash: {name: 'SHA-256'}
926	}, true /* key can be exported*/, ['sign', 'verify'])
927	.then(function(pair) {
928	return util.globalScope.crypto.subtle.exportKey(
929	'pkcs8', pair.privateKey);
930	// avoiding catch(function(err) {...}) to support IE <= 8
931	}).then(undefined, function(err) {
932	callback(err);
933	}).then(function(pkcs8) {
934	if(pkcs8) {
935	var privateKey = pki.privateKeyFromAsn1(
936	asn1.fromDer(forge.util.createBuffer(pkcs8)));
937	callback(null, {
938	privateKey: privateKey,
939	publicKey: pki.setRsaPublicKey(privateKey.n, privateKey.e)
940	});
941	}
942	});
943	}
944	if(_detectSubtleMsCrypto('generateKey') &&
945	_detectSubtleMsCrypto('exportKey')) {
946	var genOp = util.globalScope.msCrypto.subtle.generateKey({
947	name: 'RSASSA-PKCS1-v1_5',
948	modulusLength: bits,
949	publicExponent: _intToUint8Array(e),
950	hash: {name: 'SHA-256'}
951	}, true /* key can be exported*/, ['sign', 'verify']);
952	genOp.oncomplete = function(e) {
953	var pair = e.target.result;
954	var exportOp = util.globalScope.msCrypto.subtle.exportKey(
955	'pkcs8', pair.privateKey);
956	exportOp.oncomplete = function(e) {
957	var pkcs8 = e.target.result;
958	var privateKey = pki.privateKeyFromAsn1(
959	asn1.fromDer(forge.util.createBuffer(pkcs8)));
960	callback(null, {
961	privateKey: privateKey,
962	publicKey: pki.setRsaPublicKey(privateKey.n, privateKey.e)
963	});
964	};
965	exportOp.onerror = function(err) {
966	callback(err);
967	};
968	};
969	genOp.onerror = function(err) {
970	callback(err);
971	};
972	return;
973	}
974	} else {
975	// try native sync
976	if(_detectNodeCrypto('generateKeyPairSync')) {
977	var keypair = _crypto.generateKeyPairSync('rsa', {
978	modulusLength: bits,
979	publicExponent: e,
980	publicKeyEncoding: {
981	type: 'spki',
982	format: 'pem'
983	},
984	privateKeyEncoding: {
985	type: 'pkcs8',
986	format: 'pem'
987	}
988	});
989	return {
990	privateKey: pki.privateKeyFromPem(keypair.privateKey),
991	publicKey: pki.publicKeyFromPem(keypair.publicKey)
992	};
993	}
994	}
995	}
996
997	// use JavaScript implementation
998	var state = pki.rsa.createKeyPairGenerationState(bits, e, options);
999	if(!callback) {
1000	pki.rsa.stepKeyPairGenerationState(state, 0);
1001	return state.keys;
1002	}
1003	_generateKeyPair(state, options, callback);
1004	};
1005
1006	/**
1007	* Sets an RSA public key from BigIntegers modulus and exponent.
1008	*
1009	* @param n the modulus.
1010	* @param e the exponent.
1011	*
1012	* @return the public key.
1013	*/
1014	pki.setRsaPublicKey = pki.rsa.setPublicKey = function(n, e) {
1015	var key = {
1016	n: n,
1017	e: e
1018	};
1019
1020	/**
1021	* Encrypts the given data with this public key. Newer applications
1022	* should use the 'RSA-OAEP' decryption scheme, 'RSAES-PKCS1-V1_5' is for
1023	* legacy applications.
1024	*
1025	* @param data the byte string to encrypt.
1026	* @param scheme the encryption scheme to use:
1027	* 'RSAES-PKCS1-V1_5' (default),
1028	* 'RSA-OAEP',
1029	* 'RAW', 'NONE', or null to perform raw RSA encryption,
1030	* an object with an 'encode' property set to a function
1031	* with the signature 'function(data, key)' that returns
1032	* a binary-encoded string representing the encoded data.
1033	* @param schemeOptions any scheme-specific options.
1034	*
1035	* @return the encrypted byte string.
1036	*/
1037	key.encrypt = function(data, scheme, schemeOptions) {
1038	if(typeof scheme === 'string') {
1039	scheme = scheme.toUpperCase();
1040	} else if(scheme === undefined) {
1041	scheme = 'RSAES-PKCS1-V1_5';
1042	}
1043
1044	if(scheme === 'RSAES-PKCS1-V1_5') {
1045	scheme = {
1046	encode: function(m, key, pub) {
1047	return _encodePkcs1_v1_5(m, key, 0x02).getBytes();
1048	}
1049	};
1050	} else if(scheme === 'RSA-OAEP' \|\| scheme === 'RSAES-OAEP') {
1051	scheme = {
1052	encode: function(m, key) {
1053	return forge.pkcs1.encode_rsa_oaep(key, m, schemeOptions);
1054	}
1055	};
1056	} else if(['RAW', 'NONE', 'NULL', null].indexOf(scheme) !== -1) {
1057	scheme = {encode: function(e) {return e;}};
1058	} else if(typeof scheme === 'string') {
1059	throw new Error('Unsupported encryption scheme: "' + scheme + '".');
1060	}
1061
1062	// do scheme-based encoding then rsa encryption
1063	var e = scheme.encode(data, key, true);
1064	return pki.rsa.encrypt(e, key, true);
1065	};
1066
1067	/**
1068	* Verifies the given signature against the given digest.
1069	*
1070	* PKCS#1 supports multiple (currently two) signature schemes:
1071	* RSASSA-PKCS1-V1_5 and RSASSA-PSS.
1072	*
1073	* By default this implementation uses the "old scheme", i.e.
1074	* RSASSA-PKCS1-V1_5, in which case once RSA-decrypted, the
1075	* signature is an OCTET STRING that holds a DigestInfo.
1076	*
1077	* DigestInfo ::= SEQUENCE {
1078	* digestAlgorithm DigestAlgorithmIdentifier,
1079	* digest Digest
1080	* }
1081	* DigestAlgorithmIdentifier ::= AlgorithmIdentifier
1082	* Digest ::= OCTET STRING
1083	*
1084	* To perform PSS signature verification, provide an instance
1085	* of Forge PSS object as the scheme parameter.
1086	*
1087	* @param digest the message digest hash to compare against the signature,
1088	* as a binary-encoded string.
1089	* @param signature the signature to verify, as a binary-encoded string.
1090	* @param scheme signature verification scheme to use:
1091	* 'RSASSA-PKCS1-V1_5' or undefined for RSASSA PKCS#1 v1.5,
1092	* a Forge PSS object for RSASSA-PSS,
1093	* 'NONE' or null for none, DigestInfo will not be expected, but
1094	* PKCS#1 v1.5 padding will still be used.
1095	*
1096	* @return true if the signature was verified, false if not.
1097	*/
1098	key.verify = function(digest, signature, scheme) {
1099	if(typeof scheme === 'string') {
1100	scheme = scheme.toUpperCase();
1101	} else if(scheme === undefined) {
1102	scheme = 'RSASSA-PKCS1-V1_5';
1103	}
1104
1105	if(scheme === 'RSASSA-PKCS1-V1_5') {
1106	scheme = {
1107	verify: function(digest, d) {
1108	// remove padding
1109	d = _decodePkcs1_v1_5(d, key, true);
1110	// d is ASN.1 BER-encoded DigestInfo
1111	var obj = asn1.fromDer(d);
1112	// compare the given digest to the decrypted one
1113	return digest === obj.value[1].value;
1114	}
1115	};
1116	} else if(scheme === 'NONE' \|\| scheme === 'NULL' \|\| scheme === null) {
1117	scheme = {
1118	verify: function(digest, d) {
1119	// remove padding
1120	d = _decodePkcs1_v1_5(d, key, true);
1121	return digest === d;
1122	}
1123	};
1124	}
1125
1126	// do rsa decryption w/o any decoding, then verify -- which does decoding
1127	var d = pki.rsa.decrypt(signature, key, true, false);
1128	return scheme.verify(digest, d, key.n.bitLength());
1129	};
1130
1131	return key;
1132	};
1133
1134	/**
1135	* Sets an RSA private key from BigIntegers modulus, exponent, primes,
1136	* prime exponents, and modular multiplicative inverse.
1137	*
1138	* @param n the modulus.
1139	* @param e the public exponent.
1140	* @param d the private exponent ((inverse of e) mod n).
1141	* @param p the first prime.
1142	* @param q the second prime.
1143	* @param dP exponent1 (d mod (p-1)).
1144	* @param dQ exponent2 (d mod (q-1)).
1145	* @param qInv ((inverse of q) mod p)
1146	*
1147	* @return the private key.
1148	*/
1149	pki.setRsaPrivateKey = pki.rsa.setPrivateKey = function(
1150	n, e, d, p, q, dP, dQ, qInv) {
1151	var key = {
1152	n: n,
1153	e: e,
1154	d: d,
1155	p: p,
1156	q: q,
1157	dP: dP,
1158	dQ: dQ,
1159	qInv: qInv
1160	};
1161
1162	/**
1163	* Decrypts the given data with this private key. The decryption scheme
1164	* must match the one used to encrypt the data.
1165	*
1166	* @param data the byte string to decrypt.
1167	* @param scheme the decryption scheme to use:
1168	* 'RSAES-PKCS1-V1_5' (default),
1169	* 'RSA-OAEP',
1170	* 'RAW', 'NONE', or null to perform raw RSA decryption.
1171	* @param schemeOptions any scheme-specific options.
1172	*
1173	* @return the decrypted byte string.
1174	*/
1175	key.decrypt = function(data, scheme, schemeOptions) {
1176	if(typeof scheme === 'string') {
1177	scheme = scheme.toUpperCase();
1178	} else if(scheme === undefined) {
1179	scheme = 'RSAES-PKCS1-V1_5';
1180	}
1181
1182	// do rsa decryption w/o any decoding
1183	var d = pki.rsa.decrypt(data, key, false, false);
1184
1185	if(scheme === 'RSAES-PKCS1-V1_5') {
1186	scheme = {decode: _decodePkcs1_v1_5};
1187	} else if(scheme === 'RSA-OAEP' \|\| scheme === 'RSAES-OAEP') {
1188	scheme = {
1189	decode: function(d, key) {
1190	return forge.pkcs1.decode_rsa_oaep(key, d, schemeOptions);
1191	}
1192	};
1193	} else if(['RAW', 'NONE', 'NULL', null].indexOf(scheme) !== -1) {
1194	scheme = {decode: function(d) {return d;}};
1195	} else {
1196	throw new Error('Unsupported encryption scheme: "' + scheme + '".');
1197	}
1198
1199	// decode according to scheme
1200	return scheme.decode(d, key, false);
1201	};
1202
1203	/**
1204	* Signs the given digest, producing a signature.
1205	*
1206	* PKCS#1 supports multiple (currently two) signature schemes:
1207	* RSASSA-PKCS1-V1_5 and RSASSA-PSS.
1208	*
1209	* By default this implementation uses the "old scheme", i.e.
1210	* RSASSA-PKCS1-V1_5. In order to generate a PSS signature, provide
1211	* an instance of Forge PSS object as the scheme parameter.
1212	*
1213	* @param md the message digest object with the hash to sign.
1214	* @param scheme the signature scheme to use:
1215	* 'RSASSA-PKCS1-V1_5' or undefined for RSASSA PKCS#1 v1.5,
1216	* a Forge PSS object for RSASSA-PSS,
1217	* 'NONE' or null for none, DigestInfo will not be used but
1218	* PKCS#1 v1.5 padding will still be used.
1219	*
1220	* @return the signature as a byte string.
1221	*/
1222	key.sign = function(md, scheme) {
1223	/* Note: The internal implementation of RSA operations is being
1224	transitioned away from a PKCS#1 v1.5 hard-coded scheme. Some legacy
1225	code like the use of an encoding block identifier 'bt' will eventually
1226	be removed. */
1227
1228	// private key operation
1229	var bt = false;
1230
1231	if(typeof scheme === 'string') {
1232	scheme = scheme.toUpperCase();
1233	}
1234
1235	if(scheme === undefined \|\| scheme === 'RSASSA-PKCS1-V1_5') {
1236	scheme = {encode: emsaPkcs1v15encode};
1237	bt = 0x01;
1238	} else if(scheme === 'NONE' \|\| scheme === 'NULL' \|\| scheme === null) {
1239	scheme = {encode: function() {return md;}};
1240	bt = 0x01;
1241	}
1242
1243	// encode and then encrypt
1244	var d = scheme.encode(md, key.n.bitLength());
1245	return pki.rsa.encrypt(d, key, bt);
1246	};
1247
1248	return key;
1249	};
1250
1251	/**
1252	* Wraps an RSAPrivateKey ASN.1 object in an ASN.1 PrivateKeyInfo object.
1253	*
1254	* @param rsaKey the ASN.1 RSAPrivateKey.
1255	*
1256	* @return the ASN.1 PrivateKeyInfo.
1257	*/
1258	pki.wrapRsaPrivateKey = function(rsaKey) {
1259	// PrivateKeyInfo
1260	return asn1.create(asn1.Class.UNIVERSAL, asn1.Type.SEQUENCE, true, [
1261	// version (0)
1262	asn1.create(asn1.Class.UNIVERSAL, asn1.Type.INTEGER, false,
1263	asn1.integerToDer(0).getBytes()),
1264	// privateKeyAlgorithm
1265	asn1.create(asn1.Class.UNIVERSAL, asn1.Type.SEQUENCE, true, [
1266	asn1.create(
1267	asn1.Class.UNIVERSAL, asn1.Type.OID, false,
1268	asn1.oidToDer(pki.oids.rsaEncryption).getBytes()),
1269	asn1.create(asn1.Class.UNIVERSAL, asn1.Type.NULL, false, '')
1270	]),
1271	// PrivateKey
1272	asn1.create(asn1.Class.UNIVERSAL, asn1.Type.OCTETSTRING, false,
1273	asn1.toDer(rsaKey).getBytes())
1274	]);
1275	};
1276
1277	/**
1278	* Converts a private key from an ASN.1 object.
1279	*
1280	* @param obj the ASN.1 representation of a PrivateKeyInfo containing an
1281	* RSAPrivateKey or an RSAPrivateKey.
1282	*
1283	* @return the private key.
1284	*/
1285	pki.privateKeyFromAsn1 = function(obj) {
1286	// get PrivateKeyInfo
1287	var capture = {};
1288	var errors = [];
1289	if(asn1.validate(obj, privateKeyValidator, capture, errors)) {
1290	obj = asn1.fromDer(forge.util.createBuffer(capture.privateKey));
1291	}
1292
1293	// get RSAPrivateKey
1294	capture = {};
1295	errors = [];
1296	if(!asn1.validate(obj, rsaPrivateKeyValidator, capture, errors)) {
1297	var error = new Error('Cannot read private key. ' +
1298	'ASN.1 object does not contain an RSAPrivateKey.');
1299	error.errors = errors;
1300	throw error;
1301	}
1302
1303	// Note: Version is currently ignored.
1304	// capture.privateKeyVersion
1305	// FIXME: inefficient, get a BigInteger that uses byte strings
1306	var n, e, d, p, q, dP, dQ, qInv;
1307	n = forge.util.createBuffer(capture.privateKeyModulus).toHex();
1308	e = forge.util.createBuffer(capture.privateKeyPublicExponent).toHex();
1309	d = forge.util.createBuffer(capture.privateKeyPrivateExponent).toHex();
1310	p = forge.util.createBuffer(capture.privateKeyPrime1).toHex();
1311	q = forge.util.createBuffer(capture.privateKeyPrime2).toHex();
1312	dP = forge.util.createBuffer(capture.privateKeyExponent1).toHex();
1313	dQ = forge.util.createBuffer(capture.privateKeyExponent2).toHex();
1314	qInv = forge.util.createBuffer(capture.privateKeyCoefficient).toHex();
1315
1316	// set private key
1317	return pki.setRsaPrivateKey(
1318	new BigInteger(n, 16),
1319	new BigInteger(e, 16),
1320	new BigInteger(d, 16),
1321	new BigInteger(p, 16),
1322	new BigInteger(q, 16),
1323	new BigInteger(dP, 16),
1324	new BigInteger(dQ, 16),
1325	new BigInteger(qInv, 16));
1326	};
1327
1328	/**
1329	* Converts a private key to an ASN.1 RSAPrivateKey.
1330	*
1331	* @param key the private key.
1332	*
1333	* @return the ASN.1 representation of an RSAPrivateKey.
1334	*/
1335	pki.privateKeyToAsn1 = pki.privateKeyToRSAPrivateKey = function(key) {
1336	// RSAPrivateKey
1337	return asn1.create(asn1.Class.UNIVERSAL, asn1.Type.SEQUENCE, true, [
1338	// version (0 = only 2 primes, 1 multiple primes)
1339	asn1.create(asn1.Class.UNIVERSAL, asn1.Type.INTEGER, false,
1340	asn1.integerToDer(0).getBytes()),
1341	// modulus (n)
1342	asn1.create(asn1.Class.UNIVERSAL, asn1.Type.INTEGER, false,
1343	_bnToBytes(key.n)),
1344	// publicExponent (e)
1345	asn1.create(asn1.Class.UNIVERSAL, asn1.Type.INTEGER, false,
1346	_bnToBytes(key.e)),
1347	// privateExponent (d)
1348	asn1.create(asn1.Class.UNIVERSAL, asn1.Type.INTEGER, false,
1349	_bnToBytes(key.d)),
1350	// privateKeyPrime1 (p)
1351	asn1.create(asn1.Class.UNIVERSAL, asn1.Type.INTEGER, false,
1352	_bnToBytes(key.p)),
1353	// privateKeyPrime2 (q)
1354	asn1.create(asn1.Class.UNIVERSAL, asn1.Type.INTEGER, false,
1355	_bnToBytes(key.q)),
1356	// privateKeyExponent1 (dP)
1357	asn1.create(asn1.Class.UNIVERSAL, asn1.Type.INTEGER, false,
1358	_bnToBytes(key.dP)),
1359	// privateKeyExponent2 (dQ)
1360	asn1.create(asn1.Class.UNIVERSAL, asn1.Type.INTEGER, false,
1361	_bnToBytes(key.dQ)),
1362	// coefficient (qInv)
1363	asn1.create(asn1.Class.UNIVERSAL, asn1.Type.INTEGER, false,
1364	_bnToBytes(key.qInv))
1365	]);
1366	};
1367
1368	/**
1369	* Converts a public key from an ASN.1 SubjectPublicKeyInfo or RSAPublicKey.
1370	*
1371	* @param obj the asn1 representation of a SubjectPublicKeyInfo or RSAPublicKey.
1372	*
1373	* @return the public key.
1374	*/
1375	pki.publicKeyFromAsn1 = function(obj) {
1376	// get SubjectPublicKeyInfo
1377	var capture = {};
1378	var errors = [];
1379	if(asn1.validate(obj, publicKeyValidator, capture, errors)) {
1380	// get oid
1381	var oid = asn1.derToOid(capture.publicKeyOid);
1382	if(oid !== pki.oids.rsaEncryption) {
1383	var error = new Error('Cannot read public key. Unknown OID.');
1384	error.oid = oid;
1385	throw error;
1386	}
1387	obj = capture.rsaPublicKey;
1388	}
1389
1390	// get RSA params
1391	errors = [];
1392	if(!asn1.validate(obj, rsaPublicKeyValidator, capture, errors)) {
1393	var error = new Error('Cannot read public key. ' +
1394	'ASN.1 object does not contain an RSAPublicKey.');
1395	error.errors = errors;
1396	throw error;
1397	}
1398
1399	// FIXME: inefficient, get a BigInteger that uses byte strings
1400	var n = forge.util.createBuffer(capture.publicKeyModulus).toHex();
1401	var e = forge.util.createBuffer(capture.publicKeyExponent).toHex();
1402
1403	// set public key
1404	return pki.setRsaPublicKey(
1405	new BigInteger(n, 16),
1406	new BigInteger(e, 16));
1407	};
1408
1409	/**
1410	* Converts a public key to an ASN.1 SubjectPublicKeyInfo.
1411	*
1412	* @param key the public key.
1413	*
1414	* @return the asn1 representation of a SubjectPublicKeyInfo.
1415	*/
1416	pki.publicKeyToAsn1 = pki.publicKeyToSubjectPublicKeyInfo = function(key) {
1417	// SubjectPublicKeyInfo
1418	return asn1.create(asn1.Class.UNIVERSAL, asn1.Type.SEQUENCE, true, [
1419	// AlgorithmIdentifier
1420	asn1.create(asn1.Class.UNIVERSAL, asn1.Type.SEQUENCE, true, [
1421	// algorithm
1422	asn1.create(asn1.Class.UNIVERSAL, asn1.Type.OID, false,
1423	asn1.oidToDer(pki.oids.rsaEncryption).getBytes()),
1424	// parameters (null)
1425	asn1.create(asn1.Class.UNIVERSAL, asn1.Type.NULL, false, '')
1426	]),
1427	// subjectPublicKey
1428	asn1.create(asn1.Class.UNIVERSAL, asn1.Type.BITSTRING, false, [
1429	pki.publicKeyToRSAPublicKey(key)
1430	])
1431	]);
1432	};
1433
1434	/**
1435	* Converts a public key to an ASN.1 RSAPublicKey.
1436	*
1437	* @param key the public key.
1438	*
1439	* @return the asn1 representation of a RSAPublicKey.
1440	*/
1441	pki.publicKeyToRSAPublicKey = function(key) {
1442	// RSAPublicKey
1443	return asn1.create(asn1.Class.UNIVERSAL, asn1.Type.SEQUENCE, true, [
1444	// modulus (n)
1445	asn1.create(asn1.Class.UNIVERSAL, asn1.Type.INTEGER, false,
1446	_bnToBytes(key.n)),
1447	// publicExponent (e)
1448	asn1.create(asn1.Class.UNIVERSAL, asn1.Type.INTEGER, false,
1449	_bnToBytes(key.e))
1450	]);
1451	};
1452
1453	/**
1454	* Encodes a message using PKCS#1 v1.5 padding.
1455	*
1456	* @param m the message to encode.
1457	* @param key the RSA key to use.
1458	* @param bt the block type to use, i.e. either 0x01 (for signing) or 0x02
1459	* (for encryption).
1460	*
1461	* @return the padded byte buffer.
1462	*/
1463	function _encodePkcs1_v1_5(m, key, bt) {
1464	var eb = forge.util.createBuffer();
1465
1466	// get the length of the modulus in bytes
1467	var k = Math.ceil(key.n.bitLength() / 8);
1468
1469	/* use PKCS#1 v1.5 padding */
1470	if(m.length > (k - 11)) {
1471	var error = new Error('Message is too long for PKCS#1 v1.5 padding.');
1472	error.length = m.length;
1473	error.max = k - 11;
1474	throw error;
1475	}
1476
1477	/* A block type BT, a padding string PS, and the data D shall be
1478	formatted into an octet string EB, the encryption block:
1479
1480	EB = 00 \|\| BT \|\| PS \|\| 00 \|\| D
1481
1482	The block type BT shall be a single octet indicating the structure of
1483	the encryption block. For this version of the document it shall have
1484	value 00, 01, or 02. For a private-key operation, the block type
1485	shall be 00 or 01. For a public-key operation, it shall be 02.
1486
1487	The padding string PS shall consist of k-3-\|\|D\|\| octets. For block
1488	type 00, the octets shall have value 00; for block type 01, they
1489	shall have value FF; and for block type 02, they shall be
1490	pseudorandomly generated and nonzero. This makes the length of the
1491	encryption block EB equal to k. */
1492
1493	// build the encryption block
1494	eb.putByte(0x00);
1495	eb.putByte(bt);
1496
1497	// create the padding
1498	var padNum = k - 3 - m.length;
1499	var padByte;
1500	// private key op
1501	if(bt === 0x00 \|\| bt === 0x01) {
1502	padByte = (bt === 0x00) ? 0x00 : 0xFF;
1503	for(var i = 0; i < padNum; ++i) {
1504	eb.putByte(padByte);
1505	}
1506	} else {
1507	// public key op
1508	// pad with random non-zero values
1509	while(padNum > 0) {
1510	var numZeros = 0;
1511	var padBytes = forge.random.getBytes(padNum);
1512	for(var i = 0; i < padNum; ++i) {
1513	padByte = padBytes.charCodeAt(i);
1514	if(padByte === 0) {
1515	++numZeros;
1516	} else {
1517	eb.putByte(padByte);
1518	}
1519	}
1520	padNum = numZeros;
1521	}
1522	}
1523
1524	// zero followed by message
1525	eb.putByte(0x00);
1526	eb.putBytes(m);
1527
1528	return eb;
1529	}
1530
1531	/**
1532	* Decodes a message using PKCS#1 v1.5 padding.
1533	*
1534	* @param em the message to decode.
1535	* @param key the RSA key to use.
1536	* @param pub true if the key is a public key, false if it is private.
1537	* @param ml the message length, if specified.
1538	*
1539	* @return the decoded bytes.
1540	*/
1541	function _decodePkcs1_v1_5(em, key, pub, ml) {
1542	// get the length of the modulus in bytes
1543	var k = Math.ceil(key.n.bitLength() / 8);
1544
1545	/* It is an error if any of the following conditions occurs:
1546
1547	1. The encryption block EB cannot be parsed unambiguously.
1548	2. The padding string PS consists of fewer than eight octets
1549	or is inconsisent with the block type BT.
1550	3. The decryption process is a public-key operation and the block
1551	type BT is not 00 or 01, or the decryption process is a
1552	private-key operation and the block type is not 02.
1553	*/
1554
1555	// parse the encryption block
1556	var eb = forge.util.createBuffer(em);
1557	var first = eb.getByte();
1558	var bt = eb.getByte();
1559	if(first !== 0x00 \|\|
1560	(pub && bt !== 0x00 && bt !== 0x01) \|\|
1561	(!pub && bt != 0x02) \|\|
1562	(pub && bt === 0x00 && typeof(ml) === 'undefined')) {
1563	throw new Error('Encryption block is invalid.');
1564	}
1565
1566	var padNum = 0;
1567	if(bt === 0x00) {
1568	// check all padding bytes for 0x00
1569	padNum = k - 3 - ml;
1570	for(var i = 0; i < padNum; ++i) {
1571	if(eb.getByte() !== 0x00) {
1572	throw new Error('Encryption block is invalid.');
1573	}
1574	}
1575	} else if(bt === 0x01) {
1576	// find the first byte that isn't 0xFF, should be after all padding
1577	padNum = 0;
1578	while(eb.length() > 1) {
1579	if(eb.getByte() !== 0xFF) {
1580	--eb.read;
1581	break;
1582	}
1583	++padNum;
1584	}
1585	} else if(bt === 0x02) {
1586	// look for 0x00 byte
1587	padNum = 0;
1588	while(eb.length() > 1) {
1589	if(eb.getByte() === 0x00) {
1590	--eb.read;
1591	break;
1592	}
1593	++padNum;
1594	}
1595	}
1596
1597	// zero must be 0x00 and padNum must be (k - 3 - message length)
1598	var zero = eb.getByte();
1599	if(zero !== 0x00 \|\| padNum !== (k - 3 - eb.length())) {
1600	throw new Error('Encryption block is invalid.');
1601	}
1602
1603	return eb.getBytes();
1604	}
1605
1606	/**
1607	* Runs the key-generation algorithm asynchronously, either in the background
1608	* via Web Workers, or using the main thread and setImmediate.
1609	*
1610	* @param state the key-pair generation state.
1611	* @param [options] options for key-pair generation:
1612	* workerScript the worker script URL.
1613	* workers the number of web workers (if supported) to use,
1614	* (default: 2, -1 to use estimated cores minus one).
1615	* workLoad the size of the work load, ie: number of possible prime
1616	* numbers for each web worker to check per work assignment,
1617	* (default: 100).
1618	* @param callback(err, keypair) called once the operation completes.
1619	*/
1620	function _generateKeyPair(state, options, callback) {
1621	if(typeof options === 'function') {
1622	callback = options;
1623	options = {};
1624	}
1625	options = options \|\| {};
1626
1627	var opts = {
1628	algorithm: {
1629	name: options.algorithm \|\| 'PRIMEINC',
1630	options: {
1631	workers: options.workers \|\| 2,
1632	workLoad: options.workLoad \|\| 100,
1633	workerScript: options.workerScript
1634	}
1635	}
1636	};
1637	if('prng' in options) {
1638	opts.prng = options.prng;
1639	}
1640
1641	generate();
1642
1643	function generate() {
1644	// find p and then q (done in series to simplify)
1645	getPrime(state.pBits, function(err, num) {
1646	if(err) {
1647	return callback(err);
1648	}
1649	state.p = num;
1650	if(state.q !== null) {
1651	return finish(err, state.q);
1652	}
1653	getPrime(state.qBits, finish);
1654	});
1655	}
1656
1657	function getPrime(bits, callback) {
1658	forge.prime.generateProbablePrime(bits, opts, callback);
1659	}
1660
1661	function finish(err, num) {
1662	if(err) {
1663	return callback(err);
1664	}
1665
1666	// set q
1667	state.q = num;
1668
1669	// ensure p is larger than q (swap them if not)
1670	if(state.p.compareTo(state.q) < 0) {
1671	var tmp = state.p;
1672	state.p = state.q;
1673	state.q = tmp;
1674	}
1675
1676	// ensure p is coprime with e
1677	if(state.p.subtract(BigInteger.ONE).gcd(state.e)
1678	.compareTo(BigInteger.ONE) !== 0) {
1679	state.p = null;
1680	generate();
1681	return;
1682	}
1683
1684	// ensure q is coprime with e
1685	if(state.q.subtract(BigInteger.ONE).gcd(state.e)
1686	.compareTo(BigInteger.ONE) !== 0) {
1687	state.q = null;
1688	getPrime(state.qBits, finish);
1689	return;
1690	}
1691
1692	// compute phi: (p - 1)(q - 1) (Euler's totient function)
1693	state.p1 = state.p.subtract(BigInteger.ONE);
1694	state.q1 = state.q.subtract(BigInteger.ONE);
1695	state.phi = state.p1.multiply(state.q1);
1696
1697	// ensure e and phi are coprime
1698	if(state.phi.gcd(state.e).compareTo(BigInteger.ONE) !== 0) {
1699	// phi and e aren't coprime, so generate a new p and q
1700	state.p = state.q = null;
1701	generate();
1702	return;
1703	}
1704
1705	// create n, ensure n is has the right number of bits
1706	state.n = state.p.multiply(state.q);
1707	if(state.n.bitLength() !== state.bits) {
1708	// failed, get new q
1709	state.q = null;
1710	getPrime(state.qBits, finish);
1711	return;
1712	}
1713
1714	// set keys
1715	var d = state.e.modInverse(state.phi);
1716	state.keys = {
1717	privateKey: pki.rsa.setPrivateKey(
1718	state.n, state.e, d, state.p, state.q,
1719	d.mod(state.p1), d.mod(state.q1),
1720	state.q.modInverse(state.p)),
1721	publicKey: pki.rsa.setPublicKey(state.n, state.e)
1722	};
1723
1724	callback(null, state.keys);
1725	}
1726	}
1727
1728	/**
1729	* Converts a positive BigInteger into 2's-complement big-endian bytes.
1730	*
1731	* @param b the big integer to convert.
1732	*
1733	* @return the bytes.
1734	*/
1735	function _bnToBytes(b) {
1736	// prepend 0x00 if first byte >= 0x80
1737	var hex = b.toString(16);
1738	if(hex[0] >= '8') {
1739	hex = '00' + hex;
1740	}
1741	var bytes = forge.util.hexToBytes(hex);
1742
1743	// ensure integer is minimally-encoded
1744	if(bytes.length > 1 &&
1745	// leading 0x00 for positive integer
1746	((bytes.charCodeAt(0) === 0 &&
1747	(bytes.charCodeAt(1) & 0x80) === 0) \|\|
1748	// leading 0xFF for negative integer
1749	(bytes.charCodeAt(0) === 0xFF &&
1750	(bytes.charCodeAt(1) & 0x80) === 0x80))) {
1751	return bytes.substr(1);
1752	}
1753	return bytes;
1754	}
1755
1756	/**
1757	* Returns the required number of Miller-Rabin tests to generate a
1758	* prime with an error probability of (1/2)^80.
1759	*
1760	* See Handbook of Applied Cryptography Chapter 4, Table 4.4.
1761	*
1762	* @param bits the bit size.
1763	*
1764	* @return the required number of iterations.
1765	*/
1766	function _getMillerRabinTests(bits) {
1767	if(bits <= 100) return 27;
1768	if(bits <= 150) return 18;
1769	if(bits <= 200) return 15;
1770	if(bits <= 250) return 12;
1771	if(bits <= 300) return 9;
1772	if(bits <= 350) return 8;
1773	if(bits <= 400) return 7;
1774	if(bits <= 500) return 6;
1775	if(bits <= 600) return 5;
1776	if(bits <= 800) return 4;
1777	if(bits <= 1250) return 3;
1778	return 2;
1779	}
1780
1781	/**
1782	* Performs feature detection on the Node crypto interface.
1783	*
1784	* @param fn the feature (function) to detect.
1785	*
1786	* @return true if detected, false if not.
1787	*/
1788	function _detectNodeCrypto(fn) {
1789	return forge.util.isNodejs && typeof _crypto[fn] === 'function';
1790	}
1791
1792	/**
1793	* Performs feature detection on the SubtleCrypto interface.
1794	*
1795	* @param fn the feature (function) to detect.
1796	*
1797	* @return true if detected, false if not.
1798	*/
1799	function _detectSubtleCrypto(fn) {
1800	return (typeof util.globalScope !== 'undefined' &&
1801	typeof util.globalScope.crypto === 'object' &&
1802	typeof util.globalScope.crypto.subtle === 'object' &&
1803	typeof util.globalScope.crypto.subtle[fn] === 'function');
1804	}
1805
1806	/**
1807	* Performs feature detection on the deprecated Microsoft Internet Explorer
1808	* outdated SubtleCrypto interface. This function should only be used after
1809	* checking for the modern, standard SubtleCrypto interface.
1810	*
1811	* @param fn the feature (function) to detect.
1812	*
1813	* @return true if detected, false if not.
1814	*/
1815	function _detectSubtleMsCrypto(fn) {
1816	return (typeof util.globalScope !== 'undefined' &&
1817	typeof util.globalScope.msCrypto === 'object' &&
1818	typeof util.globalScope.msCrypto.subtle === 'object' &&
1819	typeof util.globalScope.msCrypto.subtle[fn] === 'function');
1820	}
1821
1822	function _intToUint8Array(x) {
1823	var bytes = forge.util.hexToBytes(x.toString(16));
1824	var buffer = new Uint8Array(bytes.length);
1825	for(var i = 0; i < bytes.length; ++i) {
1826	buffer[i] = bytes.charCodeAt(i);
1827	}
1828	return buffer;
1829	}
1830
1831	function _privateKeyFromJwk(jwk) {
1832	if(jwk.kty !== 'RSA') {
1833	throw new Error(
1834	'Unsupported key algorithm "' + jwk.kty + '"; algorithm must be "RSA".');
1835	}
1836	return pki.setRsaPrivateKey(
1837	_base64ToBigInt(jwk.n),
1838	_base64ToBigInt(jwk.e),
1839	_base64ToBigInt(jwk.d),
1840	_base64ToBigInt(jwk.p),
1841	_base64ToBigInt(jwk.q),
1842	_base64ToBigInt(jwk.dp),
1843	_base64ToBigInt(jwk.dq),
1844	_base64ToBigInt(jwk.qi));
1845	}
1846
1847	function _publicKeyFromJwk(jwk) {
1848	if(jwk.kty !== 'RSA') {
1849	throw new Error('Key algorithm must be "RSA".');
1850	}
1851	return pki.setRsaPublicKey(
1852	_base64ToBigInt(jwk.n),
1853	_base64ToBigInt(jwk.e));
1854	}
1855
1856	function _base64ToBigInt(b64) {
1857	return new BigInteger(forge.util.bytesToHex(forge.util.decode64(b64)), 16);
1858	}

Note: See TracBrowser for help on using the repository browser.

Download in other formats: