terminal-cv/node_modules/sshpk/lib/formats/dnssec.js

// Copyright 2017 Joyent, Inc.

module.exports = {
	read: read,
	write: write
};

var assert = require('assert-plus');
var Buffer = require('safer-buffer').Buffer;
var Key = require('../key');
var PrivateKey = require('../private-key');
var utils = require('../utils');
var SSHBuffer = require('../ssh-buffer');
var Dhe = require('../dhe');

var supportedAlgos = {
	'rsa-sha1' : 5,
	'rsa-sha256' : 8,
	'rsa-sha512' : 10,
	'ecdsa-p256-sha256' : 13,
	'ecdsa-p384-sha384' : 14
	/*
	 * ed25519 is hypothetically supported with id 15
	 * but the common tools available don't appear to be
	 * capable of generating/using ed25519 keys
	 */
};

var supportedAlgosById = {};
Object.keys(supportedAlgos).forEach(function (k) {
	supportedAlgosById[supportedAlgos[k]] = k.toUpperCase();
});

function read(buf, options) {
	if (typeof (buf) !== 'string') {
		assert.buffer(buf, 'buf');
		buf = buf.toString('ascii');
	}
	var lines = buf.split('\n');
	if (lines[0].match(/^Private-key-format\: v1/)) {
		var algElems = lines[1].split(' ');
		var algoNum = parseInt(algElems[1], 10);
		var algoName = algElems[2];
		if (!supportedAlgosById[algoNum])
			throw (new Error('Unsupported algorithm: ' + algoName));
		return (readDNSSECPrivateKey(algoNum, lines.slice(2)));
	}

	// skip any comment-lines
	var line = 0;
	/* JSSTYLED */
	while (lines[line].match(/^\;/))
		line++;
	// we should now have *one single* line left with our KEY on it.
	if ((lines[line].match(/\. IN KEY /) ||
	    lines[line].match(/\. IN DNSKEY /)) && lines[line+1].length === 0) {
		return (readRFC3110(lines[line]));
	}
	throw (new Error('Cannot parse dnssec key'));
}

function readRFC3110(keyString) {
	var elems = keyString.split(' ');
	//unused var flags = parseInt(elems[3], 10);
	//unused var protocol = parseInt(elems[4], 10);
	var algorithm = parseInt(elems[5], 10);
	if (!supportedAlgosById[algorithm])
		throw (new Error('Unsupported algorithm: ' + algorithm));
	var base64key = elems.slice(6, elems.length).join();
	var keyBuffer = Buffer.from(base64key, 'base64');
	if (supportedAlgosById[algorithm].match(/^RSA-/)) {
		// join the rest of the body into a single base64-blob
		var publicExponentLen = keyBuffer.readUInt8(0);
		if (publicExponentLen != 3 && publicExponentLen != 1)
			throw (new Error('Cannot parse dnssec key: ' +
			    'unsupported exponent length'));

		var publicExponent = keyBuffer.slice(1, publicExponentLen+1);
		publicExponent = utils.mpNormalize(publicExponent);
		var modulus = keyBuffer.slice(1+publicExponentLen);
		modulus = utils.mpNormalize(modulus);
		// now, make the key
		var rsaKey = {
			type: 'rsa',
			parts: []
		};
		rsaKey.parts.push({ name: 'e', data: publicExponent});
		rsaKey.parts.push({ name: 'n', data: modulus});
		return (new Key(rsaKey));
	}
	if (supportedAlgosById[algorithm] === 'ECDSA-P384-SHA384' ||
	    supportedAlgosById[algorithm] === 'ECDSA-P256-SHA256') {
		var curve = 'nistp384';
		var size = 384;
		if (supportedAlgosById[algorithm].match(/^ECDSA-P256-SHA256/)) {
			curve = 'nistp256';
			size = 256;
		}

		var ecdsaKey = {
			type: 'ecdsa',
			curve: curve,
			size: size,
			parts: [
				{name: 'curve', data: Buffer.from(curve) },
				{name: 'Q', data: utils.ecNormalize(keyBuffer) }
			]
		};
		return (new Key(ecdsaKey));
	}
	throw (new Error('Unsupported algorithm: ' +
	    supportedAlgosById[algorithm]));
}

function elementToBuf(e) {
	return (Buffer.from(e.split(' ')[1], 'base64'));
}

function readDNSSECRSAPrivateKey(elements) {
	var rsaParams = {};
	elements.forEach(function (element) {
		if (element.split(' ')[0] === 'Modulus:')
			rsaParams['n'] = elementToBuf(element);
		else if (element.split(' ')[0] === 'PublicExponent:')
			rsaParams['e'] = elementToBuf(element);
		else if (element.split(' ')[0] === 'PrivateExponent:')
			rsaParams['d'] = elementToBuf(element);
		else if (element.split(' ')[0] === 'Prime1:')
			rsaParams['p'] = elementToBuf(element);
		else if (element.split(' ')[0] === 'Prime2:')
			rsaParams['q'] = elementToBuf(element);
		else if (element.split(' ')[0] === 'Exponent1:')
			rsaParams['dmodp'] = elementToBuf(element);
		else if (element.split(' ')[0] === 'Exponent2:')
			rsaParams['dmodq'] = elementToBuf(element);
		else if (element.split(' ')[0] === 'Coefficient:')
			rsaParams['iqmp'] = elementToBuf(element);
	});
	// now, make the key
	var key = {
		type: 'rsa',
		parts: [
			{ name: 'e', data: utils.mpNormalize(rsaParams['e'])},
			{ name: 'n', data: utils.mpNormalize(rsaParams['n'])},
			{ name: 'd', data: utils.mpNormalize(rsaParams['d'])},
			{ name: 'p', data: utils.mpNormalize(rsaParams['p'])},
			{ name: 'q', data: utils.mpNormalize(rsaParams['q'])},
			{ name: 'dmodp',
			    data: utils.mpNormalize(rsaParams['dmodp'])},
			{ name: 'dmodq',
			    data: utils.mpNormalize(rsaParams['dmodq'])},
			{ name: 'iqmp',
			    data: utils.mpNormalize(rsaParams['iqmp'])}
		]
	};
	return (new PrivateKey(key));
}

function readDNSSECPrivateKey(alg, elements) {
	if (supportedAlgosById[alg].match(/^RSA-/)) {
		return (readDNSSECRSAPrivateKey(elements));
	}
	if (supportedAlgosById[alg] === 'ECDSA-P384-SHA384' ||
	    supportedAlgosById[alg] === 'ECDSA-P256-SHA256') {
		var d = Buffer.from(elements[0].split(' ')[1], 'base64');
		var curve = 'nistp384';
		var size = 384;
		if (supportedAlgosById[alg] === 'ECDSA-P256-SHA256') {
			curve = 'nistp256';
			size = 256;
		}
		// DNSSEC generates the public-key on the fly (go calculate it)
		var publicKey = utils.publicFromPrivateECDSA(curve, d);
		var Q = publicKey.part['Q'].data;
		var ecdsaKey = {
			type: 'ecdsa',
			curve: curve,
			size: size,
			parts: [
				{name: 'curve', data: Buffer.from(curve) },
				{name: 'd', data: d },
				{name: 'Q', data: Q }
			]
		};
		return (new PrivateKey(ecdsaKey));
	}
	throw (new Error('Unsupported algorithm: ' + supportedAlgosById[alg]));
}

function dnssecTimestamp(date) {
	var year = date.getFullYear() + ''; //stringify
	var month = (date.getMonth() + 1);
	var timestampStr = year + month + date.getUTCDate();
	timestampStr += '' + date.getUTCHours() + date.getUTCMinutes();
	timestampStr += date.getUTCSeconds();
	return (timestampStr);
}

function rsaAlgFromOptions(opts) {
	if (!opts || !opts.hashAlgo || opts.hashAlgo === 'sha1')
		return ('5 (RSASHA1)');
	else if (opts.hashAlgo === 'sha256')
		return ('8 (RSASHA256)');
	else if (opts.hashAlgo === 'sha512')
		return ('10 (RSASHA512)');
	else
		throw (new Error('Unknown or unsupported hash: ' +
		    opts.hashAlgo));
}

function writeRSA(key, options) {
	// if we're missing parts, add them.
	if (!key.part.dmodp || !key.part.dmodq) {
		utils.addRSAMissing(key);
	}

	var out = '';
	out += 'Private-key-format: v1.3\n';
	out += 'Algorithm: ' + rsaAlgFromOptions(options) + '\n';
	var n = utils.mpDenormalize(key.part['n'].data);
	out += 'Modulus: ' + n.toString('base64') + '\n';
	var e = utils.mpDenormalize(key.part['e'].data);
	out += 'PublicExponent: ' + e.toString('base64') + '\n';
	var d = utils.mpDenormalize(key.part['d'].data);
	out += 'PrivateExponent: ' + d.toString('base64') + '\n';
	var p = utils.mpDenormalize(key.part['p'].data);
	out += 'Prime1: ' + p.toString('base64') + '\n';
	var q = utils.mpDenormalize(key.part['q'].data);
	out += 'Prime2: ' + q.toString('base64') + '\n';
	var dmodp = utils.mpDenormalize(key.part['dmodp'].data);
	out += 'Exponent1: ' + dmodp.toString('base64') + '\n';
	var dmodq = utils.mpDenormalize(key.part['dmodq'].data);
	out += 'Exponent2: ' + dmodq.toString('base64') + '\n';
	var iqmp = utils.mpDenormalize(key.part['iqmp'].data);
	out += 'Coefficient: ' + iqmp.toString('base64') + '\n';
	// Assume that we're valid as-of now
	var timestamp = new Date();
	out += 'Created: ' + dnssecTimestamp(timestamp) + '\n';
	out += 'Publish: ' + dnssecTimestamp(timestamp) + '\n';
	out += 'Activate: ' + dnssecTimestamp(timestamp) + '\n';
	return (Buffer.from(out, 'ascii'));
}

function writeECDSA(key, options) {
	var out = '';
	out += 'Private-key-format: v1.3\n';

	if (key.curve === 'nistp256') {
		out += 'Algorithm: 13 (ECDSAP256SHA256)\n';
	} else if (key.curve === 'nistp384') {
		out += 'Algorithm: 14 (ECDSAP384SHA384)\n';
	} else {
		throw (new Error('Unsupported curve'));
	}
	var base64Key = key.part['d'].data.toString('base64');
	out += 'PrivateKey: ' + base64Key + '\n';

	// Assume that we're valid as-of now
	var timestamp = new Date();
	out += 'Created: ' + dnssecTimestamp(timestamp) + '\n';
	out += 'Publish: ' + dnssecTimestamp(timestamp) + '\n';
	out += 'Activate: ' + dnssecTimestamp(timestamp) + '\n';

	return (Buffer.from(out, 'ascii'));
}

function write(key, options) {
	if (PrivateKey.isPrivateKey(key)) {
		if (key.type === 'rsa') {
			return (writeRSA(key, options));
		} else if (key.type === 'ecdsa') {
			return (writeECDSA(key, options));
		} else {
			throw (new Error('Unsupported algorithm: ' + key.type));
		}
	} else if (Key.isKey(key)) {
		/*
		 * RFC3110 requires a keyname, and a keytype, which we
		 * don't really have a mechanism for specifying such
		 * additional metadata.
		 */
		throw (new Error('Format "dnssec" only supports ' +
		    'writing private keys'));
	} else {
		throw (new Error('key is not a Key or PrivateKey'));
	}
}
maj 1 year ago			`// Copyright 2017 Joyent, Inc.`

			`module.exports = {`
			`read: read,`
			`write: write`
			`};`

			`var assert = require('assert-plus');`
			`var Buffer = require('safer-buffer').Buffer;`
			`var Key = require('../key');`
			`var PrivateKey = require('../private-key');`
			`var utils = require('../utils');`
			`var SSHBuffer = require('../ssh-buffer');`
			`var Dhe = require('../dhe');`

			`var supportedAlgos = {`
			`'rsa-sha1' : 5,`
			`'rsa-sha256' : 8,`
			`'rsa-sha512' : 10,`
			`'ecdsa-p256-sha256' : 13,`
			`'ecdsa-p384-sha384' : 14`
			`/*`
			`* ed25519 is hypothetically supported with id 15`
			`* but the common tools available don't appear to be`
			`* capable of generating/using ed25519 keys`
			`*/`
			`};`

			`var supportedAlgosById = {};`
			`Object.keys(supportedAlgos).forEach(function (k) {`
			`supportedAlgosById[supportedAlgos[k]] = k.toUpperCase();`
			`});`

			`function read(buf, options) {`
			`if (typeof (buf) !== 'string') {`
			`assert.buffer(buf, 'buf');`
			`buf = buf.toString('ascii');`
			`}`
			`var lines = buf.split('\n');`
			`if (lines[0].match(/^Private-key-format\: v1/)) {`
			`var algElems = lines[1].split(' ');`
			`var algoNum = parseInt(algElems[1], 10);`
			`var algoName = algElems[2];`
			`if (!supportedAlgosById[algoNum])`
			`throw (new Error('Unsupported algorithm: ' + algoName));`
			`return (readDNSSECPrivateKey(algoNum, lines.slice(2)));`
			`}`

			`// skip any comment-lines`
			`var line = 0;`
			`/* JSSTYLED */`
			`while (lines[line].match(/^\;/))`
			`line++;`
			`// we should now have one single line left with our KEY on it.`
			`if ((lines[line].match(/\. IN KEY /) \|\|`
			`lines[line].match(/\. IN DNSKEY /)) && lines[line+1].length === 0) {`
			`return (readRFC3110(lines[line]));`
			`}`
			`throw (new Error('Cannot parse dnssec key'));`
			`}`

			`function readRFC3110(keyString) {`
			`var elems = keyString.split(' ');`
			`//unused var flags = parseInt(elems[3], 10);`
			`//unused var protocol = parseInt(elems[4], 10);`
			`var algorithm = parseInt(elems[5], 10);`
			`if (!supportedAlgosById[algorithm])`
			`throw (new Error('Unsupported algorithm: ' + algorithm));`
			`var base64key = elems.slice(6, elems.length).join();`
			`var keyBuffer = Buffer.from(base64key, 'base64');`
			`if (supportedAlgosById[algorithm].match(/^RSA-/)) {`
			`// join the rest of the body into a single base64-blob`
			`var publicExponentLen = keyBuffer.readUInt8(0);`
			`if (publicExponentLen != 3 && publicExponentLen != 1)`
			`throw (new Error('Cannot parse dnssec key: ' +`
			`'unsupported exponent length'));`

			`var publicExponent = keyBuffer.slice(1, publicExponentLen+1);`
			`publicExponent = utils.mpNormalize(publicExponent);`
			`var modulus = keyBuffer.slice(1+publicExponentLen);`
			`modulus = utils.mpNormalize(modulus);`
			`// now, make the key`
			`var rsaKey = {`
			`type: 'rsa',`
			`parts: []`
			`};`
			`rsaKey.parts.push({ name: 'e', data: publicExponent});`
			`rsaKey.parts.push({ name: 'n', data: modulus});`
			`return (new Key(rsaKey));`
			`}`
			`if (supportedAlgosById[algorithm] === 'ECDSA-P384-SHA384' \|\|`
			`supportedAlgosById[algorithm] === 'ECDSA-P256-SHA256') {`
			`var curve = 'nistp384';`
			`var size = 384;`
			`if (supportedAlgosById[algorithm].match(/^ECDSA-P256-SHA256/)) {`
			`curve = 'nistp256';`
			`size = 256;`
			`}`

			`var ecdsaKey = {`
			`type: 'ecdsa',`
			`curve: curve,`
			`size: size,`
			`parts: [`
			`{name: 'curve', data: Buffer.from(curve) },`
			`{name: 'Q', data: utils.ecNormalize(keyBuffer) }`
			`]`
			`};`
			`return (new Key(ecdsaKey));`
			`}`
			`throw (new Error('Unsupported algorithm: ' +`
			`supportedAlgosById[algorithm]));`
			`}`

			`function elementToBuf(e) {`
			`return (Buffer.from(e.split(' ')[1], 'base64'));`
			`}`

			`function readDNSSECRSAPrivateKey(elements) {`
			`var rsaParams = {};`
			`elements.forEach(function (element) {`
			`if (element.split(' ')[0] === 'Modulus:')`
			`rsaParams['n'] = elementToBuf(element);`
			`else if (element.split(' ')[0] === 'PublicExponent:')`
			`rsaParams['e'] = elementToBuf(element);`
			`else if (element.split(' ')[0] === 'PrivateExponent:')`
			`rsaParams['d'] = elementToBuf(element);`
			`else if (element.split(' ')[0] === 'Prime1:')`
			`rsaParams['p'] = elementToBuf(element);`
			`else if (element.split(' ')[0] === 'Prime2:')`
			`rsaParams['q'] = elementToBuf(element);`
			`else if (element.split(' ')[0] === 'Exponent1:')`
			`rsaParams['dmodp'] = elementToBuf(element);`
			`else if (element.split(' ')[0] === 'Exponent2:')`
			`rsaParams['dmodq'] = elementToBuf(element);`
			`else if (element.split(' ')[0] === 'Coefficient:')`
			`rsaParams['iqmp'] = elementToBuf(element);`
			`});`
			`// now, make the key`
			`var key = {`
			`type: 'rsa',`
			`parts: [`
			`{ name: 'e', data: utils.mpNormalize(rsaParams['e'])},`
			`{ name: 'n', data: utils.mpNormalize(rsaParams['n'])},`
			`{ name: 'd', data: utils.mpNormalize(rsaParams['d'])},`
			`{ name: 'p', data: utils.mpNormalize(rsaParams['p'])},`
			`{ name: 'q', data: utils.mpNormalize(rsaParams['q'])},`
			`{ name: 'dmodp',`
			`data: utils.mpNormalize(rsaParams['dmodp'])},`
			`{ name: 'dmodq',`
			`data: utils.mpNormalize(rsaParams['dmodq'])},`
			`{ name: 'iqmp',`
			`data: utils.mpNormalize(rsaParams['iqmp'])}`
			`]`
			`};`
			`return (new PrivateKey(key));`
			`}`

			`function readDNSSECPrivateKey(alg, elements) {`
			`if (supportedAlgosById[alg].match(/^RSA-/)) {`
			`return (readDNSSECRSAPrivateKey(elements));`
			`}`
			`if (supportedAlgosById[alg] === 'ECDSA-P384-SHA384' \|\|`
			`supportedAlgosById[alg] === 'ECDSA-P256-SHA256') {`
			`var d = Buffer.from(elements[0].split(' ')[1], 'base64');`
			`var curve = 'nistp384';`
			`var size = 384;`
			`if (supportedAlgosById[alg] === 'ECDSA-P256-SHA256') {`
			`curve = 'nistp256';`
			`size = 256;`
			`}`
			`// DNSSEC generates the public-key on the fly (go calculate it)`
			`var publicKey = utils.publicFromPrivateECDSA(curve, d);`
			`var Q = publicKey.part['Q'].data;`
			`var ecdsaKey = {`
			`type: 'ecdsa',`
			`curve: curve,`
			`size: size,`
			`parts: [`
			`{name: 'curve', data: Buffer.from(curve) },`
			`{name: 'd', data: d },`
			`{name: 'Q', data: Q }`
			`]`
			`};`
			`return (new PrivateKey(ecdsaKey));`
			`}`
			`throw (new Error('Unsupported algorithm: ' + supportedAlgosById[alg]));`
			`}`

			`function dnssecTimestamp(date) {`
			`var year = date.getFullYear() + ''; //stringify`
			`var month = (date.getMonth() + 1);`
			`var timestampStr = year + month + date.getUTCDate();`
			`timestampStr += '' + date.getUTCHours() + date.getUTCMinutes();`
			`timestampStr += date.getUTCSeconds();`
			`return (timestampStr);`
			`}`

			`function rsaAlgFromOptions(opts) {`
			`if (!opts \|\| !opts.hashAlgo \|\| opts.hashAlgo === 'sha1')`
			`return ('5 (RSASHA1)');`
			`else if (opts.hashAlgo === 'sha256')`
			`return ('8 (RSASHA256)');`
			`else if (opts.hashAlgo === 'sha512')`
			`return ('10 (RSASHA512)');`
			`else`
			`throw (new Error('Unknown or unsupported hash: ' +`
			`opts.hashAlgo));`
			`}`

			`function writeRSA(key, options) {`
			`// if we're missing parts, add them.`
			`if (!key.part.dmodp \|\| !key.part.dmodq) {`
			`utils.addRSAMissing(key);`
			`}`

			`var out = '';`
			`out += 'Private-key-format: v1.3\n';`
			`out += 'Algorithm: ' + rsaAlgFromOptions(options) + '\n';`
			`var n = utils.mpDenormalize(key.part['n'].data);`
			`out += 'Modulus: ' + n.toString('base64') + '\n';`
			`var e = utils.mpDenormalize(key.part['e'].data);`
			`out += 'PublicExponent: ' + e.toString('base64') + '\n';`
			`var d = utils.mpDenormalize(key.part['d'].data);`
			`out += 'PrivateExponent: ' + d.toString('base64') + '\n';`
			`var p = utils.mpDenormalize(key.part['p'].data);`
			`out += 'Prime1: ' + p.toString('base64') + '\n';`
			`var q = utils.mpDenormalize(key.part['q'].data);`
			`out += 'Prime2: ' + q.toString('base64') + '\n';`
			`var dmodp = utils.mpDenormalize(key.part['dmodp'].data);`
			`out += 'Exponent1: ' + dmodp.toString('base64') + '\n';`
			`var dmodq = utils.mpDenormalize(key.part['dmodq'].data);`
			`out += 'Exponent2: ' + dmodq.toString('base64') + '\n';`
			`var iqmp = utils.mpDenormalize(key.part['iqmp'].data);`
			`out += 'Coefficient: ' + iqmp.toString('base64') + '\n';`
			`// Assume that we're valid as-of now`
			`var timestamp = new Date();`
			`out += 'Created: ' + dnssecTimestamp(timestamp) + '\n';`
			`out += 'Publish: ' + dnssecTimestamp(timestamp) + '\n';`
			`out += 'Activate: ' + dnssecTimestamp(timestamp) + '\n';`
			`return (Buffer.from(out, 'ascii'));`
			`}`

			`function writeECDSA(key, options) {`
			`var out = '';`
			`out += 'Private-key-format: v1.3\n';`

			`if (key.curve === 'nistp256') {`
			`out += 'Algorithm: 13 (ECDSAP256SHA256)\n';`
			`} else if (key.curve === 'nistp384') {`
			`out += 'Algorithm: 14 (ECDSAP384SHA384)\n';`
			`} else {`
			`throw (new Error('Unsupported curve'));`
			`}`
			`var base64Key = key.part['d'].data.toString('base64');`
			`out += 'PrivateKey: ' + base64Key + '\n';`

			`// Assume that we're valid as-of now`
			`var timestamp = new Date();`
			`out += 'Created: ' + dnssecTimestamp(timestamp) + '\n';`
			`out += 'Publish: ' + dnssecTimestamp(timestamp) + '\n';`
			`out += 'Activate: ' + dnssecTimestamp(timestamp) + '\n';`

			`return (Buffer.from(out, 'ascii'));`
			`}`

			`function write(key, options) {`
			`if (PrivateKey.isPrivateKey(key)) {`
			`if (key.type === 'rsa') {`
			`return (writeRSA(key, options));`
			`} else if (key.type === 'ecdsa') {`
			`return (writeECDSA(key, options));`
			`} else {`
			`throw (new Error('Unsupported algorithm: ' + key.type));`
			`}`
			`} else if (Key.isKey(key)) {`
			`/*`
			`* RFC3110 requires a keyname, and a keytype, which we`
			`* don't really have a mechanism for specifying such`
			`* additional metadata.`
			`*/`
			`throw (new Error('Format "dnssec" only supports ' +`
			`'writing private keys'));`
			`} else {`
			`throw (new Error('key is not a Key or PrivateKey'));`
			`}`
			`}`