UNPKG

@libp2p/keychain

Version:

Key management and cryptographically protected messages

github.com/libp2p/js-libp2p/tree/main/packages/keychain

libp2p/js-libp2p

197 lines • 7.01 kB

JavaScript

import { randomBytes } from '@libp2p/crypto'; import { AES_GCM } from '@libp2p/crypto/ciphers'; import { privateKeyToProtobuf } from '@libp2p/crypto/keys'; import webcrypto from '@libp2p/crypto/webcrypto'; import { InvalidParametersError, UnsupportedKeyTypeError } from '@libp2p/interface'; import { pbkdf2Async } from '@noble/hashes/pbkdf2.js'; import { sha512 } from '@noble/hashes/sha2.js'; import * as asn1js from 'asn1js'; import { base64 } from 'multiformats/bases/base64'; import { toString as uint8ArrayToString } from 'uint8arrays/to-string'; import { ITERATIONS, KEY_SIZE, SALT_LENGTH } from "./constants.js"; /** * Exports the given PrivateKey as a base64 encoded string. * The PrivateKey is encrypted via a password derived PBKDF2 key * leveraging the aes-gcm cipher algorithm. */ export async function exporter(privateKey, password) { const cipher = AES_GCM.create(); const encryptedKey = await cipher.encrypt(privateKey, password); return base64.encode(encryptedKey); } /** * Converts an exported private key into its representative object. * * Supported formats are 'pem' (RSA only) and 'libp2p-key'. */ export async function exportPrivateKey(key, password, format) { if (key.type === 'RSA') { return exportRSAPrivateKey(key, password, format); } if (key.type === 'Ed25519') { return exportEd25519PrivateKey(key, password, format); } if (key.type === 'secp256k1') { return exportSecp256k1PrivateKey(key, password, format); } if (key.type === 'ECDSA') { return exportECDSAPrivateKey(key, password, format); } throw new UnsupportedKeyTypeError(); } /** * Exports the key into a password protected `format` */ export async function exportEd25519PrivateKey(key, password, format = 'libp2p-key') { if (format === 'libp2p-key') { return exporter(privateKeyToProtobuf(key), password); } else { throw new InvalidParametersError(`export format '${format}' is not supported`); } } /** * Exports the key into a password protected `format` */ export async function exportSecp256k1PrivateKey(key, password, format = 'libp2p-key') { if (format === 'libp2p-key') { return exporter(privateKeyToProtobuf(key), password); } else { throw new InvalidParametersError('Export format is not supported'); } } /** * Exports the key into a password protected `format` */ export async function exportECDSAPrivateKey(key, password, format = 'libp2p-key') { if (format === 'libp2p-key') { return exporter(privateKeyToProtobuf(key), password); } else { throw new InvalidParametersError(`export format '${format}' is not supported`); } } /** * Exports the key as libp2p-key - a aes-gcm encrypted value with the key * derived from the password. * * To export it as a password protected PEM file, please use the `exportPEM` * function from `@libp2p/rsa`. */ export async function exportRSAPrivateKey(key, password, format = 'pkcs-8') { if (format === 'pkcs-8') { return exportToPem(key, password); } else if (format === 'libp2p-key') { return exporter(privateKeyToProtobuf(key), password); } else { throw new InvalidParametersError('Export format is not supported'); } } export async function exportToPem(privateKey, password) { const crypto = webcrypto.get(); // PrivateKeyInfo const keyWrapper = new asn1js.Sequence({ value: [ // version (0) new asn1js.Integer({ value: 0 }), // privateKeyAlgorithm new asn1js.Sequence({ value: [ // rsaEncryption OID new asn1js.ObjectIdentifier({ value: '1.2.840.113549.1.1.1' }), new asn1js.Null() ] }), // PrivateKey new asn1js.OctetString({ valueHex: privateKey.raw }) ] }); const keyBuf = keyWrapper.toBER(); const keyArr = new Uint8Array(keyBuf, 0, keyBuf.byteLength); const salt = randomBytes(SALT_LENGTH); const encryptionKey = await pbkdf2Async(sha512, password, salt, { c: ITERATIONS, dkLen: KEY_SIZE }); const iv = randomBytes(16); const cryptoKey = await crypto.subtle.importKey('raw', encryptionKey, 'AES-CBC', false, ['encrypt']); const encrypted = await crypto.subtle.encrypt({ name: 'AES-CBC', iv }, cryptoKey, keyArr); const pbkdf2Params = new asn1js.Sequence({ value: [ // salt new asn1js.OctetString({ valueHex: salt }), // iteration count new asn1js.Integer({ value: ITERATIONS }), // key length new asn1js.Integer({ value: KEY_SIZE }), // AlgorithmIdentifier new asn1js.Sequence({ value: [ // hmacWithSHA512 new asn1js.ObjectIdentifier({ value: '1.2.840.113549.2.11' }), new asn1js.Null() ] }) ] }); const encryptionAlgorithm = new asn1js.Sequence({ value: [ // pkcs5PBES2 new asn1js.ObjectIdentifier({ value: '1.2.840.113549.1.5.13' }), new asn1js.Sequence({ value: [ // keyDerivationFunc new asn1js.Sequence({ value: [ // pkcs5PBKDF2 new asn1js.ObjectIdentifier({ value: '1.2.840.113549.1.5.12' }), // PBKDF2-params pbkdf2Params ] }), // encryptionScheme new asn1js.Sequence({ value: [ // aes256-CBC new asn1js.ObjectIdentifier({ value: '2.16.840.1.101.3.4.1.42' }), // iv new asn1js.OctetString({ valueHex: iv }) ] }) ] }) ] }); const finalWrapper = new asn1js.Sequence({ value: [ encryptionAlgorithm, new asn1js.OctetString({ valueHex: encrypted }) ] }); const finalWrapperBuf = finalWrapper.toBER(); const finalWrapperArr = new Uint8Array(finalWrapperBuf, 0, finalWrapperBuf.byteLength); return [ '-----BEGIN ENCRYPTED PRIVATE KEY-----', ...uint8ArrayToString(finalWrapperArr, 'base64pad').split(/(.{64})/).filter(Boolean), '-----END ENCRYPTED PRIVATE KEY-----' ].join('\n'); } //# sourceMappingURL=export.js.map