node_modules/sshpk/lib/formats/dnssec.js - nifi-fds - Git at Google

 // Copyright 2017 Joyent, Inc.

 module.exports = {
 	read: read,
 	write: write
 };

 var assert = require('assert-plus');
 var Buffer = require('safer-buffer').Buffer;
 var Key = require('../key');
 var PrivateKey = require('../private-key');
 var utils = require('../utils');
 var SSHBuffer = require('../ssh-buffer');
 var Dhe = require('../dhe');

 var supportedAlgos = {
 	'rsa-sha1' : 5,
 	'rsa-sha256' : 8,
 	'rsa-sha512' : 10,
 	'ecdsa-p256-sha256' : 13,
 	'ecdsa-p384-sha384' : 14
 	/*
 	 * ed25519 is hypothetically supported with id 15
 	 * but the common tools available don't appear to be
 	 * capable of generating/using ed25519 keys
 	 */
 };

 var supportedAlgosById = {};
 Object.keys(supportedAlgos).forEach(function (k) {
 	supportedAlgosById[supportedAlgos[k]] = k.toUpperCase();
 });

 function read(buf, options) {
 	if (typeof (buf) !== 'string') {
 		assert.buffer(buf, 'buf');
 		buf = buf.toString('ascii');
 	}
 	var lines = buf.split('\n');
 	if (lines[0].match(/^Private-key-format\: v1/)) {
 		var algElems = lines[1].split(' ');
 		var algoNum = parseInt(algElems[1], 10);
 		var algoName = algElems[2];
 		if (!supportedAlgosById[algoNum])
 			throw (new Error('Unsupported algorithm: ' + algoName));
 		return (readDNSSECPrivateKey(algoNum, lines.slice(2)));
 	}

 	// skip any comment-lines
 	var line = 0;
 	/* JSSTYLED */
 	while (lines[line].match(/^\;/))
 		line++;
 	// we should now have *one single* line left with our KEY on it.
 	if ((lines[line].match(/\. IN KEY /) ||
 	    lines[line].match(/\. IN DNSKEY /)) && lines[line+1].length === 0) {
 		return (readRFC3110(lines[line]));
 	}
 	throw (new Error('Cannot parse dnssec key'));
 }

 function readRFC3110(keyString) {
 	var elems = keyString.split(' ');
 	//unused var flags = parseInt(elems[3], 10);
 	//unused var protocol = parseInt(elems[4], 10);
 	var algorithm = parseInt(elems[5], 10);
 	if (!supportedAlgosById[algorithm])
 		throw (new Error('Unsupported algorithm: ' + algorithm));
 	var base64key = elems.slice(6, elems.length).join();
 	var keyBuffer = Buffer.from(base64key, 'base64');
 	if (supportedAlgosById[algorithm].match(/^RSA-/)) {
 		// join the rest of the body into a single base64-blob
 		var publicExponentLen = keyBuffer.readUInt8(0);
 		if (publicExponentLen != 3 && publicExponentLen != 1)
 			throw (new Error('Cannot parse dnssec key: ' +
 			    'unsupported exponent length'));

 		var publicExponent = keyBuffer.slice(1, publicExponentLen+1);
 		publicExponent = utils.mpNormalize(publicExponent);
 		var modulus = keyBuffer.slice(1+publicExponentLen);
 		modulus = utils.mpNormalize(modulus);
 		// now, make the key
 		var rsaKey = {
 			type: 'rsa',
 			parts: []
 		};
 		rsaKey.parts.push({ name: 'e', data: publicExponent});
 		rsaKey.parts.push({ name: 'n', data: modulus});
 		return (new Key(rsaKey));
 	}
 	if (supportedAlgosById[algorithm] === 'ECDSA-P384-SHA384' ||
 	    supportedAlgosById[algorithm] === 'ECDSA-P256-SHA256') {
 		var curve = 'nistp384';
 		var size = 384;
 		if (supportedAlgosById[algorithm].match(/^ECDSA-P256-SHA256/)) {
 			curve = 'nistp256';
 			size = 256;
 		}

 		var ecdsaKey = {
 			type: 'ecdsa',
 			curve: curve,
 			size: size,
 			parts: [
 				{name: 'curve', data: Buffer.from(curve) },
 				{name: 'Q', data: utils.ecNormalize(keyBuffer) }
 			]
 		};
 		return (new Key(ecdsaKey));
 	}
 	throw (new Error('Unsupported algorithm: ' +
 	    supportedAlgosById[algorithm]));
 }

 function elementToBuf(e) {
 	return (Buffer.from(e.split(' ')[1], 'base64'));
 }

 function readDNSSECRSAPrivateKey(elements) {
 	var rsaParams = {};
 	elements.forEach(function (element) {
 		if (element.split(' ')[0] === 'Modulus:')
 			rsaParams['n'] = elementToBuf(element);
 		else if (element.split(' ')[0] === 'PublicExponent:')
 			rsaParams['e'] = elementToBuf(element);
 		else if (element.split(' ')[0] === 'PrivateExponent:')
 			rsaParams['d'] = elementToBuf(element);
 		else if (element.split(' ')[0] === 'Prime1:')
 			rsaParams['p'] = elementToBuf(element);
 		else if (element.split(' ')[0] === 'Prime2:')
 			rsaParams['q'] = elementToBuf(element);
 		else if (element.split(' ')[0] === 'Exponent1:')
 			rsaParams['dmodp'] = elementToBuf(element);
 		else if (element.split(' ')[0] === 'Exponent2:')
 			rsaParams['dmodq'] = elementToBuf(element);
 		else if (element.split(' ')[0] === 'Coefficient:')
 			rsaParams['iqmp'] = elementToBuf(element);
 	});
 	// now, make the key
 	var key = {
 		type: 'rsa',
 		parts: [
 			{ name: 'e', data: utils.mpNormalize(rsaParams['e'])},
 			{ name: 'n', data: utils.mpNormalize(rsaParams['n'])},
 			{ name: 'd', data: utils.mpNormalize(rsaParams['d'])},
 			{ name: 'p', data: utils.mpNormalize(rsaParams['p'])},
 			{ name: 'q', data: utils.mpNormalize(rsaParams['q'])},
 			{ name: 'dmodp',
 			    data: utils.mpNormalize(rsaParams['dmodp'])},
 			{ name: 'dmodq',
 			    data: utils.mpNormalize(rsaParams['dmodq'])},
 			{ name: 'iqmp',
 			    data: utils.mpNormalize(rsaParams['iqmp'])}
 		]
 	};
 	return (new PrivateKey(key));
 }

 function readDNSSECPrivateKey(alg, elements) {
 	if (supportedAlgosById[alg].match(/^RSA-/)) {
 		return (readDNSSECRSAPrivateKey(elements));
 	}
 	if (supportedAlgosById[alg] === 'ECDSA-P384-SHA384' ||
 	    supportedAlgosById[alg] === 'ECDSA-P256-SHA256') {
 		var d = Buffer.from(elements[0].split(' ')[1], 'base64');
 		var curve = 'nistp384';
 		var size = 384;
 		if (supportedAlgosById[alg] === 'ECDSA-P256-SHA256') {
 			curve = 'nistp256';
 			size = 256;
 		}
 		// DNSSEC generates the public-key on the fly (go calculate it)
 		var publicKey = utils.publicFromPrivateECDSA(curve, d);
 		var Q = publicKey.part['Q'].data;
 		var ecdsaKey = {
 			type: 'ecdsa',
 			curve: curve,
 			size: size,
 			parts: [
 				{name: 'curve', data: Buffer.from(curve) },
 				{name: 'd', data: d },
 				{name: 'Q', data: Q }
 			]
 		};
 		return (new PrivateKey(ecdsaKey));
 	}
 	throw (new Error('Unsupported algorithm: ' + supportedAlgosById[alg]));
 }

 function dnssecTimestamp(date) {
 	var year = date.getFullYear() + ''; //stringify
 	var month = (date.getMonth() + 1);
 	var timestampStr = year + month + date.getUTCDate();
 	timestampStr += '' + date.getUTCHours() + date.getUTCMinutes();
 	timestampStr += date.getUTCSeconds();
 	return (timestampStr);
 }

 function rsaAlgFromOptions(opts) {
 	if (!opts || !opts.hashAlgo || opts.hashAlgo === 'sha1')
 		return ('5 (RSASHA1)');
 	else if (opts.hashAlgo === 'sha256')
 		return ('8 (RSASHA256)');
 	else if (opts.hashAlgo === 'sha512')
 		return ('10 (RSASHA512)');
 	else
 		throw (new Error('Unknown or unsupported hash: ' +
 		    opts.hashAlgo));
 }

 function writeRSA(key, options) {
 	// if we're missing parts, add them.
 	if (!key.part.dmodp || !key.part.dmodq) {
 		utils.addRSAMissing(key);
 	}

 	var out = '';
 	out += 'Private-key-format: v1.3\n';
 	out += 'Algorithm: ' + rsaAlgFromOptions(options) + '\n';
 	var n = utils.mpDenormalize(key.part['n'].data);
 	out += 'Modulus: ' + n.toString('base64') + '\n';
 	var e = utils.mpDenormalize(key.part['e'].data);
 	out += 'PublicExponent: ' + e.toString('base64') + '\n';
 	var d = utils.mpDenormalize(key.part['d'].data);
 	out += 'PrivateExponent: ' + d.toString('base64') + '\n';
 	var p = utils.mpDenormalize(key.part['p'].data);
 	out += 'Prime1: ' + p.toString('base64') + '\n';
 	var q = utils.mpDenormalize(key.part['q'].data);
 	out += 'Prime2: ' + q.toString('base64') + '\n';
 	var dmodp = utils.mpDenormalize(key.part['dmodp'].data);
 	out += 'Exponent1: ' + dmodp.toString('base64') + '\n';
 	var dmodq = utils.mpDenormalize(key.part['dmodq'].data);
 	out += 'Exponent2: ' + dmodq.toString('base64') + '\n';
 	var iqmp = utils.mpDenormalize(key.part['iqmp'].data);
 	out += 'Coefficient: ' + iqmp.toString('base64') + '\n';
 	// Assume that we're valid as-of now
 	var timestamp = new Date();
 	out += 'Created: ' + dnssecTimestamp(timestamp) + '\n';
 	out += 'Publish: ' + dnssecTimestamp(timestamp) + '\n';
 	out += 'Activate: ' + dnssecTimestamp(timestamp) + '\n';
 	return (Buffer.from(out, 'ascii'));
 }

 function writeECDSA(key, options) {
 	var out = '';
 	out += 'Private-key-format: v1.3\n';

 	if (key.curve === 'nistp256') {
 		out += 'Algorithm: 13 (ECDSAP256SHA256)\n';
 	} else if (key.curve === 'nistp384') {
 		out += 'Algorithm: 14 (ECDSAP384SHA384)\n';
 	} else {
 		throw (new Error('Unsupported curve'));
 	}
 	var base64Key = key.part['d'].data.toString('base64');
 	out += 'PrivateKey: ' + base64Key + '\n';

 	// Assume that we're valid as-of now
 	var timestamp = new Date();
 	out += 'Created: ' + dnssecTimestamp(timestamp) + '\n';
 	out += 'Publish: ' + dnssecTimestamp(timestamp) + '\n';
 	out += 'Activate: ' + dnssecTimestamp(timestamp) + '\n';

 	return (Buffer.from(out, 'ascii'));
 }

 function write(key, options) {
 	if (PrivateKey.isPrivateKey(key)) {
 		if (key.type === 'rsa') {
 			return (writeRSA(key, options));
 		} else if (key.type === 'ecdsa') {
 			return (writeECDSA(key, options));
 		} else {
 			throw (new Error('Unsupported algorithm: ' + key.type));
 		}
 	} else if (Key.isKey(key)) {
 		/*
 		 * RFC3110 requires a keyname, and a keytype, which we
 		 * don't really have a mechanism for specifying such
 		 * additional metadata.
 		 */
 		throw (new Error('Format "dnssec" only supports ' +
 		    'writing private keys'));
 	} else {
 		throw (new Error('key is not a Key or PrivateKey'));
 	}
 }
	// Copyright 2017 Joyent, Inc.

	module.exports = {
	read: read,
	write: write
	};

	var assert = require('assert-plus');
	var Buffer = require('safer-buffer').Buffer;
	var Key = require('../key');
	var PrivateKey = require('../private-key');
	var utils = require('../utils');
	var SSHBuffer = require('../ssh-buffer');
	var Dhe = require('../dhe');

	var supportedAlgos = {
	'rsa-sha1' : 5,
	'rsa-sha256' : 8,
	'rsa-sha512' : 10,
	'ecdsa-p256-sha256' : 13,
	'ecdsa-p384-sha384' : 14
	/*
	* ed25519 is hypothetically supported with id 15
	* but the common tools available don't appear to be
	* capable of generating/using ed25519 keys
	*/
	};

	var supportedAlgosById = {};
	Object.keys(supportedAlgos).forEach(function (k) {
	supportedAlgosById[supportedAlgos[k]] = k.toUpperCase();
	});

	function read(buf, options) {
	if (typeof (buf) !== 'string') {
	assert.buffer(buf, 'buf');
	buf = buf.toString('ascii');
	}
	var lines = buf.split('\n');
	if (lines[0].match(/^Private-key-format\: v1/)) {
	var algElems = lines[1].split(' ');
	var algoNum = parseInt(algElems[1], 10);
	var algoName = algElems[2];
	if (!supportedAlgosById[algoNum])
	throw (new Error('Unsupported algorithm: ' + algoName));
	return (readDNSSECPrivateKey(algoNum, lines.slice(2)));
	}

	// skip any comment-lines
	var line = 0;
	/* JSSTYLED */
	while (lines[line].match(/^\;/))
	line++;
	// we should now have one single line left with our KEY on it.
	if ((lines[line].match(/\. IN KEY /) \|\|
	lines[line].match(/\. IN DNSKEY /)) && lines[line+1].length === 0) {
	return (readRFC3110(lines[line]));
	}
	throw (new Error('Cannot parse dnssec key'));
	}

	function readRFC3110(keyString) {
	var elems = keyString.split(' ');
	//unused var flags = parseInt(elems[3], 10);
	//unused var protocol = parseInt(elems[4], 10);
	var algorithm = parseInt(elems[5], 10);
	if (!supportedAlgosById[algorithm])
	throw (new Error('Unsupported algorithm: ' + algorithm));
	var base64key = elems.slice(6, elems.length).join();
	var keyBuffer = Buffer.from(base64key, 'base64');
	if (supportedAlgosById[algorithm].match(/^RSA-/)) {
	// join the rest of the body into a single base64-blob
	var publicExponentLen = keyBuffer.readUInt8(0);
	if (publicExponentLen != 3 && publicExponentLen != 1)
	throw (new Error('Cannot parse dnssec key: ' +
	'unsupported exponent length'));

	var publicExponent = keyBuffer.slice(1, publicExponentLen+1);
	publicExponent = utils.mpNormalize(publicExponent);
	var modulus = keyBuffer.slice(1+publicExponentLen);
	modulus = utils.mpNormalize(modulus);
	// now, make the key
	var rsaKey = {
	type: 'rsa',
	parts: []
	};
	rsaKey.parts.push({ name: 'e', data: publicExponent});
	rsaKey.parts.push({ name: 'n', data: modulus});
	return (new Key(rsaKey));
	}
	if (supportedAlgosById[algorithm] === 'ECDSA-P384-SHA384' \|\|
	supportedAlgosById[algorithm] === 'ECDSA-P256-SHA256') {
	var curve = 'nistp384';
	var size = 384;
	if (supportedAlgosById[algorithm].match(/^ECDSA-P256-SHA256/)) {
	curve = 'nistp256';
	size = 256;
	}

	var ecdsaKey = {
	type: 'ecdsa',
	curve: curve,
	size: size,
	parts: [
	{name: 'curve', data: Buffer.from(curve) },
	{name: 'Q', data: utils.ecNormalize(keyBuffer) }
	]
	};
	return (new Key(ecdsaKey));
	}
	throw (new Error('Unsupported algorithm: ' +
	supportedAlgosById[algorithm]));
	}

	function elementToBuf(e) {
	return (Buffer.from(e.split(' ')[1], 'base64'));
	}

	function readDNSSECRSAPrivateKey(elements) {
	var rsaParams = {};
	elements.forEach(function (element) {
	if (element.split(' ')[0] === 'Modulus:')
	rsaParams['n'] = elementToBuf(element);
	else if (element.split(' ')[0] === 'PublicExponent:')
	rsaParams['e'] = elementToBuf(element);
	else if (element.split(' ')[0] === 'PrivateExponent:')
	rsaParams['d'] = elementToBuf(element);
	else if (element.split(' ')[0] === 'Prime1:')
	rsaParams['p'] = elementToBuf(element);
	else if (element.split(' ')[0] === 'Prime2:')
	rsaParams['q'] = elementToBuf(element);
	else if (element.split(' ')[0] === 'Exponent1:')
	rsaParams['dmodp'] = elementToBuf(element);
	else if (element.split(' ')[0] === 'Exponent2:')
	rsaParams['dmodq'] = elementToBuf(element);
	else if (element.split(' ')[0] === 'Coefficient:')
	rsaParams['iqmp'] = elementToBuf(element);
	});
	// now, make the key
	var key = {
	type: 'rsa',
	parts: [
	{ name: 'e', data: utils.mpNormalize(rsaParams['e'])},
	{ name: 'n', data: utils.mpNormalize(rsaParams['n'])},
	{ name: 'd', data: utils.mpNormalize(rsaParams['d'])},
	{ name: 'p', data: utils.mpNormalize(rsaParams['p'])},
	{ name: 'q', data: utils.mpNormalize(rsaParams['q'])},
	{ name: 'dmodp',
	data: utils.mpNormalize(rsaParams['dmodp'])},
	{ name: 'dmodq',
	data: utils.mpNormalize(rsaParams['dmodq'])},
	{ name: 'iqmp',
	data: utils.mpNormalize(rsaParams['iqmp'])}
	]
	};
	return (new PrivateKey(key));
	}

	function readDNSSECPrivateKey(alg, elements) {
	if (supportedAlgosById[alg].match(/^RSA-/)) {
	return (readDNSSECRSAPrivateKey(elements));
	}
	if (supportedAlgosById[alg] === 'ECDSA-P384-SHA384' \|\|
	supportedAlgosById[alg] === 'ECDSA-P256-SHA256') {
	var d = Buffer.from(elements[0].split(' ')[1], 'base64');
	var curve = 'nistp384';
	var size = 384;
	if (supportedAlgosById[alg] === 'ECDSA-P256-SHA256') {
	curve = 'nistp256';
	size = 256;
	}
	// DNSSEC generates the public-key on the fly (go calculate it)
	var publicKey = utils.publicFromPrivateECDSA(curve, d);
	var Q = publicKey.part['Q'].data;
	var ecdsaKey = {
	type: 'ecdsa',
	curve: curve,
	size: size,
	parts: [
	{name: 'curve', data: Buffer.from(curve) },
	{name: 'd', data: d },
	{name: 'Q', data: Q }
	]
	};
	return (new PrivateKey(ecdsaKey));
	}
	throw (new Error('Unsupported algorithm: ' + supportedAlgosById[alg]));
	}

	function dnssecTimestamp(date) {
	var year = date.getFullYear() + ''; //stringify
	var month = (date.getMonth() + 1);
	var timestampStr = year + month + date.getUTCDate();
	timestampStr += '' + date.getUTCHours() + date.getUTCMinutes();
	timestampStr += date.getUTCSeconds();
	return (timestampStr);
	}

	function rsaAlgFromOptions(opts) {
	if (!opts \|\| !opts.hashAlgo \|\| opts.hashAlgo === 'sha1')
	return ('5 (RSASHA1)');
	else if (opts.hashAlgo === 'sha256')
	return ('8 (RSASHA256)');
	else if (opts.hashAlgo === 'sha512')
	return ('10 (RSASHA512)');
	else
	throw (new Error('Unknown or unsupported hash: ' +
	opts.hashAlgo));
	}

	function writeRSA(key, options) {
	// if we're missing parts, add them.
	if (!key.part.dmodp \|\| !key.part.dmodq) {
	utils.addRSAMissing(key);
	}

	var out = '';
	out += 'Private-key-format: v1.3\n';
	out += 'Algorithm: ' + rsaAlgFromOptions(options) + '\n';
	var n = utils.mpDenormalize(key.part['n'].data);
	out += 'Modulus: ' + n.toString('base64') + '\n';
	var e = utils.mpDenormalize(key.part['e'].data);
	out += 'PublicExponent: ' + e.toString('base64') + '\n';
	var d = utils.mpDenormalize(key.part['d'].data);
	out += 'PrivateExponent: ' + d.toString('base64') + '\n';
	var p = utils.mpDenormalize(key.part['p'].data);
	out += 'Prime1: ' + p.toString('base64') + '\n';
	var q = utils.mpDenormalize(key.part['q'].data);
	out += 'Prime2: ' + q.toString('base64') + '\n';
	var dmodp = utils.mpDenormalize(key.part['dmodp'].data);
	out += 'Exponent1: ' + dmodp.toString('base64') + '\n';
	var dmodq = utils.mpDenormalize(key.part['dmodq'].data);
	out += 'Exponent2: ' + dmodq.toString('base64') + '\n';
	var iqmp = utils.mpDenormalize(key.part['iqmp'].data);
	out += 'Coefficient: ' + iqmp.toString('base64') + '\n';
	// Assume that we're valid as-of now
	var timestamp = new Date();
	out += 'Created: ' + dnssecTimestamp(timestamp) + '\n';
	out += 'Publish: ' + dnssecTimestamp(timestamp) + '\n';
	out += 'Activate: ' + dnssecTimestamp(timestamp) + '\n';
	return (Buffer.from(out, 'ascii'));
	}

	function writeECDSA(key, options) {
	var out = '';
	out += 'Private-key-format: v1.3\n';

	if (key.curve === 'nistp256') {
	out += 'Algorithm: 13 (ECDSAP256SHA256)\n';
	} else if (key.curve === 'nistp384') {
	out += 'Algorithm: 14 (ECDSAP384SHA384)\n';
	} else {
	throw (new Error('Unsupported curve'));
	}
	var base64Key = key.part['d'].data.toString('base64');
	out += 'PrivateKey: ' + base64Key + '\n';

	// Assume that we're valid as-of now
	var timestamp = new Date();
	out += 'Created: ' + dnssecTimestamp(timestamp) + '\n';
	out += 'Publish: ' + dnssecTimestamp(timestamp) + '\n';
	out += 'Activate: ' + dnssecTimestamp(timestamp) + '\n';

	return (Buffer.from(out, 'ascii'));
	}

	function write(key, options) {
	if (PrivateKey.isPrivateKey(key)) {
	if (key.type === 'rsa') {
	return (writeRSA(key, options));
	} else if (key.type === 'ecdsa') {
	return (writeECDSA(key, options));
	} else {
	throw (new Error('Unsupported algorithm: ' + key.type));
	}
	} else if (Key.isKey(key)) {
	/*
	* RFC3110 requires a keyname, and a keytype, which we
	* don't really have a mechanism for specifying such
	* additional metadata.
	*/
	throw (new Error('Format "dnssec" only supports ' +
	'writing private keys'));
	} else {
	throw (new Error('key is not a Key or PrivateKey'));
	}
	}