UNPKG

@noble/curves

Version:

Audited & minimal JS implementation of elliptic curve cryptography

paulmillr.com/noble/

paulmillr/noble-curves

363 lines 16.9 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
/** Raw type */ const TYPE_RAW = 'raw'; const TYPE_JWK = 'jwk'; const TYPE_SPKI = 'spki'; const TYPE_PKCS = 'pkcs8'; // default formats const dfsec = TYPE_PKCS; const dfpub = TYPE_SPKI; function getSubtle() { const s = globalThis?.crypto?.subtle; if (typeof s === 'object' && s != null) return s; throw new Error('crypto.subtle must be defined'); } function createKeygenA(randomSecretKey, getPublicKey) { // Runtime accepts an accidental `keygen(seed)` argument for parity with other wrappers, but the // seed is intentionally ignored because WebCrypto keygen here always goes through fresh keygen. return async function keygenA(_seed) { const secretKey = (await randomSecretKey()); return { secretKey, publicKey: (await getPublicKey(secretKey)) }; }; } // Internal helper only: strict hex parser for the local hardcoded PKCS8 header constants. function hexToBytesLocal(hex) { const pairs = hex.match(/[0-9a-f]{2}/gi); if (!pairs || pairs.length * 2 !== hex.length) throw new Error('invalid hex'); return Uint8Array.from(pairs, (b) => Number.parseInt(b, 16)); } export const __TEST = /* @__PURE__ */ Object.freeze({ hexToBytesLocal, }); function assertType(type, key) { // Callers are expected to pass a non-null key-like object; `null` / `undefined` still fail first // via property access before reaching the explicit wrapper error. if (key.type !== type) throw new Error(`invalid key type, expected ${type}`); } function createKeyUtils(algo, derive, keyLen, pkcs8header) { const secUsage = derive ? ['deriveBits'] : ['sign']; const pubUsage = derive ? [] : ['verify']; // Return Uint8Array instead of ArrayBuffer const arrBufToU8 = (res, format) => (format === TYPE_JWK ? res : new Uint8Array(res)); const pub = { async import(key, format) { // For sign/verify wrappers we pass caller-provided JWK metadata through unchanged and let // WebCrypto enforce mismatched `key_ops` / extractability instead of normalizing it here. const keyi = await getSubtle().importKey(format, key, algo, true, pubUsage); assertType('public', keyi); return keyi; }, async export(key, format) { assertType('public', key); const keyi = await getSubtle().exportKey(format, key); return arrBufToU8(keyi, format); }, async convert(key, inFormat, outFormat) { return pub.export(await pub.import(key, inFormat), outFormat); }, }; const priv = { async import(key, format) { const crypto = getSubtle(); let keyi; if (format === TYPE_RAW) { // Chrome, node, bun, deno: works // Safari, Firefox: Data provided to an operation does not meet requirements // This is the best one can do. JWK can't be used: it contains public key component inside. const k = key; const head = hexToBytesLocal(pkcs8header); const all = new Uint8Array(head.length + k.length); all.set(head, 0); all.set(k, head.length); keyi = await crypto.importKey(TYPE_PKCS, all, algo, true, secUsage); } else { // Sign/verify wrappers keep caller JWK metadata as-is and assume the supplied `key_ops` // already match the requested operation. ECDH is different: noble treats the same key // material as usable for both sign and derive, so JWK imported through the derive path // must rewrite `key_ops` or WebCrypto refuses otherwise-correct keys exported by keygen. if (derive && format === TYPE_JWK) key = { ...key, key_ops: secUsage }; keyi = await crypto.importKey(format, key, algo, true, secUsage); } assertType('private', keyi); return keyi; }, async export(key, format) { const crypto = getSubtle(); assertType('private', key); if (format === TYPE_RAW) { // scure-base base64urlnopad could have been used, but we can't add more deps. // pkcs8 would be even more fragile const jwk = await crypto.exportKey(TYPE_JWK, key); const base64 = jwk.d.replace(/-/g, '+').replace(/_/g, '/'); // base64url const pad = base64.length % 4 ? '='.repeat(4 - (base64.length % 4)) : ''; // add padding const binary = atob(base64 + pad); // This is not ASCII, and not text: this is only semi-safe with atob output const raw = Uint8Array.from(binary, (c) => c.charCodeAt(0)); // Pad key to key len because Bun strips leading zero for P-521 only const res = new Uint8Array(keyLen); res.set(raw, keyLen - raw.length); return res; } const keyi = await crypto.exportKey(format, key); return arrBufToU8(keyi, format); }, async convert(key, inFormat, outFormat) { return priv.export(await priv.import(key, inFormat), outFormat); }, }; async function getPublicKey(secretKey, opts = {}) { const fsec = opts.formatSec ?? dfsec; const fpub = opts.formatPub ?? dfpub; // Export to jwk, remove private scalar and then convert to format const jwk = (fsec === TYPE_JWK ? { ...secretKey } : await priv.convert(secretKey, fsec, TYPE_JWK)); delete jwk.d; jwk.key_ops = pubUsage; if (fpub === TYPE_JWK) return jwk; return pub.convert(jwk, TYPE_JWK, fpub); } async function randomSecretKey(format = dfsec) { const keyPair = await getSubtle().generateKey(algo, true, secUsage); return priv.export(keyPair.privateKey, format); } // Key generation could be slow, so we cache result once. let supported; return { pub: pub, priv: priv, async isSupported() { if (supported !== undefined) return supported; try { const crypto = getSubtle(); const key = await crypto.generateKey(algo, true, secUsage); // Deno is broken and generates key for unsupported curves, but then fails on export await priv.export(key.privateKey, TYPE_JWK); // Bun fails on derive for x25519, but not x448 if (derive) { await crypto.deriveBits({ name: typeof algo === 'string' ? algo : algo.name, public: key.publicKey }, key.privateKey, 8); } return (supported = true); } catch (e) { return (supported = false); } }, getPublicKey, keygen: createKeygenA(randomSecretKey, getPublicKey), utils: Object.freeze({ randomSecretKey, // Runtime expects both formats explicitly here; omitted formats just flow into // `subtle.importKey(...)`, and JWK conversion also assumes extractable keys (`ext !== false`). convertPublicKey: pub.convert, // Runtime expects both formats explicitly here; omitted formats just flow into // `subtle.importKey(...)`, and JWK conversion also assumes extractable keys (`ext !== false`). convertSecretKey: priv.convert, }), }; } function createSigner(keys, algo) { return { // Historical param name: wrappers pass message bytes here, while WebCrypto performs the // algorithm-specific hashing itself for ECDSA. We also return provider signatures verbatim: // this wrapper is intentionally "raw WebCrypto", so it does not parse scalars or normalize // high-S ECDSA outputs into software noble's low-S convention. async sign(msgHash, secretKey, opts = {}) { const key = await keys.priv.import(secretKey, opts.formatSec ?? dfsec); const sig = await getSubtle().sign(algo, key, msgHash); return new Uint8Array(sig); }, async verify(signature, msgHash, publicKey, opts = {}) { const key = await keys.pub.import(publicKey, opts.formatPub ?? dfpub); return await getSubtle().verify(algo, key, signature, msgHash); }, }; } function createECDH(keys, algo, keyLen) { return { // Runtime accepts the alternate key formats supported by `keys.import(...)`; the public type is // still narrower than that accepted surface. async getSharedSecret(secretKeyA, publicKeyB, opts = {}) { // if (_isCompressed !== true) throw new Error('WebCrypto only supports compressed keys'); const secKey = await keys.priv.import(secretKeyA, opts.formatSec === undefined ? dfsec : opts.formatSec); const pubKey = await keys.pub.import(publicKeyB, opts.formatPub === undefined ? dfpub : opts.formatPub); const shared = await getSubtle().deriveBits({ name: typeof algo === 'string' ? algo : algo.name, public: pubKey }, secKey, 8 * keyLen); return new Uint8Array(shared); }, }; } function wrapECDSA(curve, hash, keyLen, pkcs8header) { const ECDH_ALGO = { name: 'ECDH', namedCurve: curve }; const keys = createKeyUtils({ name: 'ECDSA', namedCurve: curve }, false, keyLen, pkcs8header); const keysEcdh = createKeyUtils(ECDH_ALGO, true, keyLen, pkcs8header); return Object.freeze({ name: curve, // Support probing comes from the sign-side wrapper only; ECDH availability is not checked // independently here even though the public wrapper also exposes `getSharedSecret(...)`. isSupported: keys.isSupported, getPublicKey: keys.getPublicKey, keygen: createKeygenA(keys.utils.randomSecretKey, keys.getPublicKey), ...createSigner(keys, { name: 'ECDSA', hash: { name: hash } }), ...createECDH(keysEcdh, ECDH_ALGO, keyLen), utils: Object.freeze({ ...keys.utils, async convertSecretKey(key, inFormat, outFormat) { const jwk = inFormat === TYPE_JWK ? key : undefined; // `wrapECDSA(...)` exposes the same key material for both sign and derive, so an ECDH-flavored // JWK secret key from `getSharedSecret(...)` should still round-trip through `utils`. if (Array.isArray(jwk?.key_ops) && jwk.key_ops.length === 1 && jwk.key_ops[0] === 'deriveBits') return keysEcdh.utils.convertSecretKey(key, inFormat, outFormat); return keys.utils.convertSecretKey(key, inFormat, outFormat); }, }), }); } function wrapEdDSA(curve, keyLen, pkcs8header) { const keys = createKeyUtils(curve, false, keyLen, pkcs8header); return Object.freeze({ name: curve, isSupported: keys.isSupported, // This wrapper intentionally re-exports the generic WebCrypto key-conversion/signing behavior // without adding extra JWK-metadata or extractability guardrails of its own. getPublicKey: keys.getPublicKey, keygen: createKeygenA(keys.utils.randomSecretKey, keys.getPublicKey), ...createSigner(keys, { name: curve }), utils: keys.utils, }); } function wrapMontgomery(curve, keyLen, pkcs8header) { const keys = createKeyUtils(curve, true, keyLen, pkcs8header); return Object.freeze({ name: curve, isSupported: keys.isSupported, // This wrapper intentionally re-exports the generic ECDH key-format behavior without widening // the narrow public `Uint8Array` key types. getPublicKey: keys.getPublicKey, keygen: createKeygenA(keys.utils.randomSecretKey, keys.getPublicKey), ...createECDH(keys, curve, keyLen), utils: keys.utils, }); } /** * Friendly wrapper over built-in WebCrypto NIST P-256 (secp256r1). * Inherits the generic WebCrypto ECDSA caveats: `isSupported()` only probes the sign-side API, and * the conversion/signing helpers keep the shared `createKeyUtils(...)` / `createSigner(...)` quirks, * including raw WebCrypto ECDSA signatures without low-S normalization. * @example * Check support, then sign and verify once with WebCrypto P-256. * * ```ts * if (await p256.isSupported()) { * const { secretKey, publicKey } = await p256.keygen(); * const msg = new TextEncoder().encode('hello noble'); * const sig = await p256.sign(msg, secretKey); * const isValid = await p256.verify(sig, msg, publicKey); * } * ``` */ export const p256 = /* @__PURE__ */ wrapECDSA('P-256', 'SHA-256', 32, '3041020100301306072a8648ce3d020106082a8648ce3d030107042730250201010420'); /** * Friendly wrapper over built-in WebCrypto NIST P-384 (secp384r1). * Inherits the generic WebCrypto ECDSA caveats around support probing and key/signing conversion. * @example * Check support, then sign and verify once with WebCrypto P-384. * * ```ts * if (await p384.isSupported()) { * const { secretKey, publicKey } = await p384.keygen(); * const msg = new TextEncoder().encode('hello noble'); * const sig = await p384.sign(msg, secretKey); * const isValid = await p384.verify(sig, msg, publicKey); * } * ``` */ export const p384 = /* @__PURE__ */ wrapECDSA('P-384', 'SHA-384', 48, '304e020100301006072a8648ce3d020106052b81040022043730350201010430'); /** * Friendly wrapper over built-in WebCrypto NIST P-521 (secp521r1). * Inherits the generic WebCrypto ECDSA caveats around support probing and key/signing conversion. * @example * Check support, then sign and verify once with WebCrypto P-521. * * ```ts * if (await p521.isSupported()) { * const { secretKey, publicKey } = await p521.keygen(); * const msg = new TextEncoder().encode('hello noble'); * const sig = await p521.sign(msg, secretKey); * const isValid = await p521.verify(sig, msg, publicKey); * } * ``` */ export const p521 = /* @__PURE__ */ wrapECDSA('P-521', 'SHA-512', 66, '3060020100301006072a8648ce3d020106052b81040023044930470201010442'); /** * Friendly wrapper over built-in WebCrypto ed25519. * Inherits the generic WebCrypto EdDSA caveats around JWK conversion metadata and extractability. * @example * Check support, then sign and verify once with WebCrypto Ed25519. * * ```ts * if (await ed25519.isSupported()) { * const { secretKey, publicKey } = await ed25519.keygen(); * const msg = new TextEncoder().encode('hello noble'); * const sig = await ed25519.sign(msg, secretKey); * const isValid = await ed25519.verify(sig, msg, publicKey); * } * ``` */ export const ed25519 = /* @__PURE__ */ wrapEdDSA('Ed25519', 32, '302e020100300506032b657004220420'); /** * Friendly wrapper over built-in WebCrypto ed448. * Inherits the generic WebCrypto EdDSA caveats around JWK conversion metadata and extractability. * @example * Check support, then sign and verify once with WebCrypto Ed448. * * ```ts * if (await ed448.isSupported()) { * const { secretKey, publicKey } = await ed448.keygen(); * const msg = new TextEncoder().encode('hello noble'); * const sig = await ed448.sign(msg, secretKey); * const isValid = await ed448.verify(sig, msg, publicKey); * } * ``` */ export const ed448 = /* @__PURE__ */ wrapEdDSA('Ed448', 57, '3047020100300506032b6571043b0439'); /** * Friendly wrapper over built-in WebCrypto x25519 (ECDH over Curve25519). * Inherits the generic WebCrypto Montgomery caveat that runtime accepts more key formats than the * narrow public `Uint8Array` argument types suggest. * @example * Check support, then derive one shared secret with WebCrypto X25519. * * ```ts * if (await x25519.isSupported()) { * const alice = await x25519.keygen(); * const bob = await x25519.keygen(); * const shared = await x25519.getSharedSecret(alice.secretKey, bob.publicKey); * } * ``` */ export const x25519 = /* @__PURE__ */ wrapMontgomery('X25519', 32, '302e020100300506032b656e04220420'); /** * Friendly wrapper over built-in WebCrypto x448 (ECDH over Curve448). * Inherits the generic WebCrypto Montgomery caveat that runtime accepts more key formats than the * narrow public `Uint8Array` argument types suggest. * @example * Check support, then derive one shared secret with WebCrypto X448. * * ```ts * if (await x448.isSupported()) { * const alice = await x448.keygen(); * const bob = await x448.keygen(); * const shared = await x448.getSharedSecret(alice.secretKey, bob.publicKey); * } * ``` */ export const x448 = /* @__PURE__ */ wrapMontgomery('X448', 56, '3046020100300506032b656f043a0438'); //# sourceMappingURL=webcrypto.js.map