chore: wip

Author: chrisbbreuer

.vscode/dictionary.txt

@@ -17,6 +17,7 @@ codecov
 commitlint
 commitlintrc
 composables
+csrs
 davidanson
 dbaeumer
 degit

packages/pem/src/pem.ts

@@ -1,59 +1,255 @@
+import { decode64, encode64 } from 'ts-security-utils'
+import type { PEMMessage, PEMHeader, ProcType, DEKInfo, PEMEncodeOptions } from './types'
+
+/**
+ * TypeScript implementation of basic PEM (Privacy Enhanced Mail) algorithms.
+ *
+ * See: RFC 1421.
+ *
+ * @author Dave Longley
+ * @author Chris Breuer
+ *
+ * A PEM object has the following fields:
+ *
+ * type: identifies the type of message (eg: "RSA PRIVATE KEY").
+ *
+ * procType: identifies the type of processing performed on the message,
+ *   it has two subfields: version and type, eg: 4,ENCRYPTED.
+ *
+ * contentDomain: identifies the type of content in the message, typically
+ *   only uses the value: "RFC822".
+ *
+ * dekInfo: identifies the message encryption algorithm and mode and includes
+ *   any parameters for the algorithm, it has two subfields: algorithm and
+ *   parameters, eg: DES-CBC,F8143EDE5960C597.
+ *
+ * headers: contains all other PEM encapsulated headers -- where order is
+ *   significant (for pairing data like recipient ID + key info).
+ *
+ * body: the binary-encoded body.
+ */
+
 /**
- * Converts an RSA private key from PEM format.
+ * Encodes (serializes) the given PEM object.
  *
- * @param pem the PEM-formatted private key.
+ * @param msg the PEM message object to encode.
+ * @param options the options to use: maxline the maximum characters per line for the body, (default: 64).
  *
- * @return the private key.
+ * @return the PEM-formatted string.
  */
-export function privateKeyFromPem(pem: string) {
-  var msg = forge.pem.decode(pem)[0];
+export function encode(msg: PEMMessage, options: PEMEncodeOptions = {}): string {
+  let rval = `-----BEGIN ${msg.type}-----\r\n`;
+
+  // encode special headers
+  let header: PEMHeader;
+  if (msg.procType) {
+    header = {
+      name: 'Proc-Type',
+      values: [String(msg.procType.version), msg.procType.type]
+    };
+    rval += foldHeader(header);
+  }
+  if (msg.contentDomain) {
+    header = { name: 'Content-Domain', values: [msg.contentDomain] };
+    rval += foldHeader(header);
+  }
+  if (msg.dekInfo) {
+    header = { name: 'DEK-Info', values: [msg.dekInfo.algorithm] };
+    if (msg.dekInfo.parameters) {
+      header.values.push(msg.dekInfo.parameters);
+    }
+    rval += foldHeader(header);
+  }
 
-  if (msg.type !== 'PRIVATE KEY' && msg.type !== 'RSA PRIVATE KEY') {
-    var error = new Error('Could not convert private key from PEM; PEM ' +
-      'header type is not "PRIVATE KEY" or "RSA PRIVATE KEY".');
-    error.headerType = msg.type;
-    throw error;
+  if (msg.headers) {
+    // encode all other headers
+    for (let i = 0; i < msg.headers.length; ++i) {
+      rval += foldHeader(msg.headers[i]);
+    }
   }
-  if (msg.procType && msg.procType.type === 'ENCRYPTED') {
-    throw new Error('Could not convert private key from PEM; PEM is encrypted.');
+
+  // terminate header
+  if (msg.procType) {
+    rval += '\r\n';
   }
 
-  // convert DER to ASN.1 object
-  var obj = asn1.fromDer(msg.body);
+  // add body
+  rval += encode64(msg.body as unknown as string, options.maxline || 64) + '\r\n';
 
-  return pki.privateKeyFromAsn1(obj);
-};
+  rval += `-----END ${msg.type}-----\r\n`;
+  return rval;
+}
 
 /**
- * Converts an RSA private key to PEM format.
+ * Decodes (deserializes) all PEM messages found in the given string.
  *
- * @param key the private key.
- * @param maxline the maximum characters per line, defaults to 64.
+ * @param str the PEM-formatted string to decode.
  *
- * @return the PEM-formatted private key.
+ * @return the PEM message objects in an array.
  */
-export function privateKeyToPem(key: any, maxline: number) {
-  // convert to ASN.1, then DER, then PEM-encode
-  var msg = {
-    type: 'RSA PRIVATE KEY',
-    body: asn1.toDer(pki.privateKeyToAsn1(key)).getBytes()
-  };
-  return forge.pem.encode(msg, { maxline: maxline });
-};
+export function decode(str: string): PEMMessage[] {
+  const rval: PEMMessage[] = [];
+
+  // split string into PEM messages (be lenient w/EOF on BEGIN line)
+  const rMessage = /\s*-----BEGIN ([A-Z0-9- ]+)-----\r?\n?([\x21-\x7e\s]+?(?:\r?\n\r?\n))?([:A-Za-z0-9+\/=\s]+?)-----END \1-----/g;
+  const rHeader = /([\x21-\x7e]+):\s*([\x21-\x7e\s^:]+)/;
+  const rCRLF = /\r?\n/;
+  let match: RegExpExecArray | null;
+
+  while ((match = rMessage.exec(str)) !== null) {
+    // accept "NEW CERTIFICATE REQUEST" as "CERTIFICATE REQUEST"
+    // https://datatracker.ietf.org/doc/html/rfc7468#section-7
+    let type = match[1];
+    if (type === 'NEW CERTIFICATE REQUEST') {
+      type = 'CERTIFICATE REQUEST';
+    }
+
+    const msg: PEMMessage = {
+      type: type,
+      procType: null,
+      contentDomain: null,
+      dekInfo: null,
+      headers: [],
+      body: decode64(match[3]) as unknown as Uint8Array
+    };
+    rval.push(msg);
+
+    // no headers
+    if (!match[2]) {
+      continue;
+    }
+
+    // parse headers
+    const lines = match[2].split(rCRLF);
+    let li = 0;
+    let headerMatch: RegExpExecArray | null;
+
+    while (li < lines.length) {
+      // get line, trim any rhs whitespace
+      let line = lines[li].replace(/\s+$/, '');
+
+      // RFC2822 unfold any following folded lines
+      for (let nl = li + 1; nl < lines.length; ++nl) {
+        const next = lines[nl];
+        if (!/\s/.test(next[0])) {
+          break;
+        }
+        line += next;
+        li = nl;
+      }
+
+      // parse header
+      headerMatch = rHeader.exec(line);
+      if (headerMatch) {
+        const header: PEMHeader = { name: headerMatch[1], values: [] };
+        const values = headerMatch[2].split(',');
+        for (let vi = 0; vi < values.length; ++vi) {
+          header.values.push(ltrim(values[vi]));
+        }
+
+        // Proc-Type must be the first header
+        if (!msg.procType) {
+          if (header.name !== 'Proc-Type') {
+            throw new Error('Invalid PEM formatted message. The first ' +
+              'encapsulated header must be "Proc-Type".');
+          } else if (header.values.length !== 2) {
+            throw new Error('Invalid PEM formatted message. The "Proc-Type" ' +
+              'header must have two subfields.');
+          }
+          msg.procType = { version: values[0], type: values[1] };
+        } else if (!msg.contentDomain && header.name === 'Content-Domain') {
+          // special-case Content-Domain
+          msg.contentDomain = values[0] || '';
+        } else if (!msg.dekInfo && header.name === 'DEK-Info') {
+          // special-case DEK-Info
+          if (header.values.length === 0) {
+            throw new Error('Invalid PEM formatted message. The "DEK-Info" ' +
+              'header must have at least one subfield.');
+          }
+          msg.dekInfo = { algorithm: values[0], parameters: values[1] || null };
+        } else {
+          msg.headers.push(header);
+        }
+      }
+
+      ++li;
+    }
+
+    if (msg.procType?.type === 'ENCRYPTED' && !msg.dekInfo) {
+      throw new Error('Invalid PEM formatted message. The "DEK-Info" ' +
+        'header must be present if "Proc-Type" is "ENCRYPTED".');
+    }
+  }
+
+  if (rval.length === 0) {
+    throw new Error('Invalid PEM formatted message.');
+  }
+
+  return rval;
+}
 
 /**
- * Converts a PrivateKeyInfo to PEM format.
- *
- * @param pki the PrivateKeyInfo.
- * @param maxline the maximum characters per line, defaults to 64.
+ * Folds a PEM header according to RFC 1421 rules.
  *
- * @return the PEM-formatted private key.
+ * @param header The header to fold
+ * @returns The folded header string
  */
-export function privateKeyInfoToPem(pki: any, maxline: number) {
-  // convert to DER, then PEM-encode
-  var msg = {
-    type: 'PRIVATE KEY',
-    body: asn1.toDer(pki).getBytes()
+function foldHeader(header: PEMHeader): string {
+  let rval = `${header.name}: `;
+
+  // ensure values with CRLF are folded
+  const values: string[] = [];
+  const insertSpace = (match: string, $1: string): string => {
+    return ' ' + $1;
   };
-  return forge.pem.encode(msg, { maxline: maxline });
-};
+
+  for (let i = 0; i < header.values.length; ++i) {
+    values.push(header.values[i].replace(/^(\S+\r\n)/, insertSpace));
+  }
+  rval += values.join(',') + '\r\n';
+
+  // do folding
+  let length = 0;
+  let candidate = -1;
+  for (let i = 0; i < rval.length; ++i, ++length) {
+    if (length > 65 && candidate !== -1) {
+      const insert = rval[candidate];
+      if (insert === ',') {
+        ++candidate;
+        rval = rval.substring(0, candidate) + '\r\n ' + rval.substring(candidate);
+      } else {
+        rval = rval.substring(0, candidate) +
+          '\r\n' + insert + rval.substring(candidate + 1);
+      }
+      length = (i - candidate - 1);
+      candidate = -1;
+      ++i;
+    } else if (rval[i] === ' ' || rval[i] === '\t' || rval[i] === ',') {
+      candidate = i;
+    }
+  }
+
+  return rval;
+}
+
+/**
+ * Removes leading whitespace from a string.
+ *
+ * @param str The string to trim
+ * @returns The trimmed string
+ */
+function ltrim(str: string): string {
+  return str.replace(/^\s+/, '');
+}
+
+export interface PEM {
+  encode: (msg: PEMMessage, options?: PEMEncodeOptions) => string
+  decode: (str: string) => PEMMessage[]
+}
+
+export const pem: PEM = {
+  encode,
+  decode
+}
+
+export default pem

packages/pem/src/types.ts

@@ -0,0 +1,46 @@
+/**
+ * TypeScript types for PEM (Privacy Enhanced Mail) implementation.
+ */
+
+/**
+ * Represents a PEM header with a name and array of values.
+ */
+export interface PEMHeader {
+  name: string;
+  values: string[];
+}
+
+/**
+ * Represents the processing type information in a PEM message.
+ */
+export interface ProcType {
+  version: string;
+  type: string;
+}
+
+/**
+ * Represents the Data Encryption Key information in a PEM message.
+ */
+export interface DEKInfo {
+  algorithm: string;
+  parameters: string | null;
+}
+
+/**
+ * Represents a decoded PEM message.
+ */
+export interface PEMMessage {
+  type: string;
+  procType: ProcType | null;
+  contentDomain: string | null;
+  dekInfo: DEKInfo | null;
+  headers: PEMHeader[];
+  body: Uint8Array;
+}
+
+/**
+ * Options for encoding PEM messages.
+ */
+export interface PEMEncodeOptions {
+  maxline?: number;
+}