diff --git a/lib/jwa/index.js b/lib/jwa/index.js
index 77cd0835ec..713beb4349 100644
--- a/lib/jwa/index.js
+++ b/lib/jwa/index.js
@@ -13,6 +13,7 @@ const JWA = {
 require('./hmac')(JWA)
 require('./ecdsa')(JWA)
 require('./rsassa')(JWA)
+require('./rsassa_pss')(JWA)
 // encrypt, decrypt
 require('./aes_cbc_hmac_sha2')(JWA)
diff --git a/lib/jwa/rsassa.js b/lib/jwa/rsassa.js
index 12ceb5ca42..92655e5f83 100644
--- a/lib/jwa/rsassa.js
+++ b/lib/jwa/rsassa.js
@@ -1,51 +1,39 @@
 const { strict: assert } = require('assert')
-const { createSign, createVerify, constants } = require('crypto')
+const { createSign, createVerify } = require('crypto')
 const { KEYOBJECT } = require('../help/symbols')
 const resolveNodeAlg = (alg) => {
 switch (alg) {
- case 'PS256':
 case 'RS256':
 return 'RSA-SHA256'
- case 'PS384':
 case 'RS384':
 return 'RSA-SHA384'
- case 'PS512':
 case 'RS512':
 return 'RSA-SHA512'
 }
 }
-const resolvePadding = (alg) => {
- if (alg.startsWith('RS')) {
- return constants.RSA_PKCS1_PADDING
- }
-
- return constants.RSA_PKCS1_PSS_PADDING
-}
-
-const sign = (nodeAlg, padding, { [KEYOBJECT]: keyObject }, payload) => {
+const sign = (nodeAlg, { [KEYOBJECT]: keyObject }, payload) => {
 const sign = createSign(nodeAlg)
 sign.update(payload)
- return sign.sign({ key: keyObject, padding })
+ return sign.sign(keyObject)
 }
-const verify = (nodeAlg, padding, { [KEYOBJECT]: keyObject }, payload, signature) => {
+const verify = (nodeAlg, { [KEYOBJECT]: keyObject }, payload, signature) => {
 const verify = createVerify(nodeAlg)
 verify.update(payload)
- return verify.verify({ key: keyObject, padding }, signature)
+ return verify.verify(keyObject, signature)
 }
 module.exports = (JWA) => {
- ['PS256', 'PS384', 'PS512', 'RS256', 'RS384', 'RS512'].forEach((jwaAlg) => {
+ ['RS256', 'RS384', 'RS512'].forEach((jwaAlg) => {
 const nodeAlg = resolveNodeAlg(jwaAlg)
- const padding = resolvePadding(jwaAlg)
 assert(!JWA.sign.has(jwaAlg), `sign alg ${jwaAlg} already registered`)
 assert(!JWA.verify.has(jwaAlg), `verify alg ${jwaAlg} already registered`)
- JWA.sign.set(jwaAlg, sign.bind(undefined, nodeAlg, padding))
- JWA.verify.set(jwaAlg, verify.bind(undefined, nodeAlg, padding))
+ JWA.sign.set(jwaAlg, sign.bind(undefined, nodeAlg))
+ JWA.verify.set(jwaAlg, verify.bind(undefined, nodeAlg))
 })
 }
diff --git a/lib/jwa/rsassa_pss.js b/lib/jwa/rsassa_pss.js
new file mode 100644
index 0000000000..a3d2fb68c5
--- /dev/null
+++ b/lib/jwa/rsassa_pss.js
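Review bot: The new `sign.sign(keyObject)` and `verify.verify(keyObject, signature)` calls in lib/jwa/rsassa.js no longer state the padding, so RS256/RS384/RS512 now depend on Node's default of `RSA_PKCS1_PADDING` without saying so. In signature code that choice should be visible, either as a comment above `sign` such as `// no options object: Node defaults to RSA_PKCS1_PADDING (RSASSA-PKCS1-v1_5)` or by keeping `padding: constants.RSA_PKCS1_PADDING` explicit in both calls. `resolveNodeAlg` also has no `default` branch, so an unlisted alg would hand `undefined` to `createSign`; it is only called with the three listed names here, so this is a hardening nit rather than a bug.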
@@ -0,0 +1,49 @@
+const { strict: assert } = require('assert')
+const { createSign, createVerify, constants } = require('crypto')
+
+const { KEYOBJECT } = require('../help/symbols')
+
+const resolveNodeAlg = (alg) => {
+ switch (alg) {
+ case 'PS256':
+ return 'RSA-SHA256'
+ case 'PS384':
+ return 'RSA-SHA384'
+ case 'PS512':
+ return 'RSA-SHA512'
+ }
+}
+
+const sign = (nodeAlg, { [KEYOBJECT]: keyObject, length }, payload) => {
+ const sign = createSign(nodeAlg)
+ sign.update(payload)
+
+ return sign.sign({
+ key: keyObject,
+ padding: constants.RSA_PKCS1_PSS_PADDING,
+ saltLength: constants.RSA_PSS_SALTLEN_DIGEST
+ })
+}
+
+const verify = (nodeAlg, { [KEYOBJECT]: keyObject, length }, payload, signature) => {
+ const verify = createVerify(nodeAlg)
+ verify.update(payload)
+
+ return verify.verify({
+ key: keyObject,
+ padding: constants.RSA_PKCS1_PSS_PADDING,
+ saltLength: constants.RSA_PSS_SALTLEN_DIGEST
+ }, signature)
+}
+
+module.exports = (JWA) => {
+ ['PS256', 'PS384', 'PS512'].forEach((jwaAlg) => {
+ const nodeAlg = resolveNodeAlg(jwaAlg)
+
+ assert(!JWA.sign.has(jwaAlg), `sign alg ${jwaAlg} already registered`)
+ assert(!JWA.verify.has(jwaAlg), `verify alg ${jwaAlg} already registered`)
+
+ JWA.sign.set(jwaAlg, sign.bind(undefined, nodeAlg))
+ JWA.verify.set(jwaAlg, verify.bind(undefined, nodeAlg))
+ })
+}
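Review bot: `length` is destructured from the key in both `sign` and `verify` of lib/jwa/rsassa_pss.js but never read, which looks like a key-size check that was planned and not written. RFC 7518 §3.5 requires RSA keys of 2048 bits or more for the PS* algorithms, so either drop the binding (`{ [KEYOBJECT]: keyObject }`) or use it for a guard; presumably `length` is the modulus size in bits, which needs confirming against the key class. Separately, pinning `saltLength: constants.RSA_PSS_SALTLEN_DIGEST` on verify means signatures made with any other salt length will be rejected, apparently including ones from the previous code, which passed no `saltLength` and so used Node's signing default. A comment at both call sites should say that this is intentional and follows the JWA rule that the salt is as long as the hash output.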