Web crypto verify

README.md

@@ -1,6 +1,7 @@
 ## xml-crypto
 
 ![Build](https://github.com/yaronn/xml-crypto/actions/workflows/ci.yml/badge.svg)
+[![Gitpod Ready-to-Code](https://img.shields.io/badge/Gitpod-Ready--to--Code-blue?logo=gitpod)](https://gitpod.io/from-referrer/)
 
 An xml digital signature library for node. Xml encryption is coming soon. Written in pure javascript!
 

lib/base64.js

@@ -0,0 +1,66 @@
+/**
+ * CREDIT: https://deno.land/[email protected]/encoding/base64.ts?code
+ */
+
+exports.decode = decode;
+exports.encode = encode;
+
+// prettier-ignore
+var base64abc = ["A", "B", "C", "D", "E", "F", "G", "H", "I", "J", "K", "L",
+  "M", "N", "O", "P", "Q", "R", "S", "T", "U", "V", "W", "X", "Y", "Z", "a",
+  "b", "c", "d", "e", "f", "g", "h", "i", "j", "k", "l", "m", "n", "o", "p",
+  "q", "r", "s", "t", "u", "v", "w", "x", "y", "z", "0", "1", "2", "3", "4",
+  "5", "6", "7", "8", "9", "+", "/"]
+
+/**
+ * CREDIT: https://gist.github.com/enepomnyaschih/72c423f727d395eeaa09697058238727
+ * Encodes a given Uint8Array, ArrayBuffer or string into RFC4648 base64 representation
+ * @param {ArrayBuffer | Uint8Array | string} data
+ * @returns {string}
+ */
+function encode(data) {
+  var uint8 =
+    typeof data === 'string'
+      ? new TextEncoder().encode(data)
+      : data instanceof Uint8Array
+      ? data
+      : new Uint8Array(data);
+  var result = '',
+    i;
+  var l = uint8.length;
+  for (i = 2; i < l; i += 3) {
+    result += base64abc[uint8[i - 2] >> 2];
+    result += base64abc[((uint8[i - 2] & 0x03) << 4) | (uint8[i - 1] >> 4)];
+    result += base64abc[((uint8[i - 1] & 0x0f) << 2) | (uint8[i] >> 6)];
+    result += base64abc[uint8[i] & 0x3f];
+  }
+  if (i === l + 1) {
+    // 1 octet yet to write
+    result += base64abc[uint8[i - 2] >> 2];
+    result += base64abc[(uint8[i - 2] & 0x03) << 4];
+    result += '==';
+  }
+  if (i === l) {
+    // 2 octets yet to write
+    result += base64abc[uint8[i - 2] >> 2];
+    result += base64abc[((uint8[i - 2] & 0x03) << 4) | (uint8[i - 1] >> 4)];
+    result += base64abc[(uint8[i - 1] & 0x0f) << 2];
+    result += '=';
+  }
+  return result;
+}
+
+/**
+ * Decodes a given RFC4648 base64 encoded string
+ * @param b64
+ * @returns {Uint8Array}
+ */
+function decode(b64) {
+  var binString = atob(b64);
+  var size = binString.length;
+  var bytes = new Uint8Array(size);
+  for (let i = 0; i < size; i++) {
+    bytes[i] = binString.charCodeAt(i);
+  }
+  return bytes;
+}

lib/cert.js

@@ -0,0 +1,118 @@
+var base64 = require('./base64')
+
+exports.extractPubKey = extractPubKey
+exports.extractSpkiFromX509 = extractSpkiFromX509
+
+/**
+ *
+ * @param {Uint8Array} der
+ * @param {number} idx
+ * @param {number} expected
+ */
+function checkOctet(der, idx, expected) {
+  var octet = der[idx]
+  if (octet != expected) {
+    throw new Error(
+      `Error extracting public key, idx: [${idx}], octet: [${octet.toString(
+        16,
+      )}], expected: [${expected.toString(16)}]`,
+    )
+  }
+}
+
+// 30 0D 06 09 2A 86 48 86 F7  0D 01 01 01
+// (30 SEQ) (09 length) (06 OID) (09 length) (1.2.840.113549.1.1.1) RSA encryption
+function isRsaOid(der, idx) {
+  if (
+    der[idx + 0] === 0x30 &&
+    der[idx + 1] === 0x0d &&
+    der[idx + 2] === 0x06 &&
+    der[idx + 3] === 0x09 &&
+    der[idx + 4] === 0x2a &&
+    der[idx + 5] === 0x86 &&
+    der[idx + 6] === 0x48 &&
+    der[idx + 7] === 0x86 &&
+    der[idx + 8] === 0xf7 &&
+    der[idx + 9] === 0x0d &&
+    der[idx + 10] === 0x01 &&
+    der[idx + 11] === 0x01 &&
+    der[idx + 12] === 0x01
+  ) {
+    return true;
+  }
+  return false;
+}
+
+
+
+/**
+ * https://letsencrypt.org/docs/a-warm-welcome-to-asn1-and-der/
+ * @param {Uint8Array} der
+ * @returns {Uint8Array}
+ */
+function extractPubKey(der) {
+  // skip through first two wrapper sequences
+  // SEQUENCE
+  checkOctet(der, 0, 0x30)
+  checkOctet(der, 1, 0x82)
+  // SEQUENCE
+  checkOctet(der, 4, 0x30)
+  checkOctet(der, 5, 0x82)
+
+  var versionStart = 8
+  var currentByte = versionStart
+
+  var publicKeyStart = 0;
+  var publicKeyLen = 0;
+  while(currentByte < der.byteLength) {
+    var dataOffset = 2; // + 2 (type, length byte)
+    var length = der[currentByte + 1];
+
+    // long form of the length
+    if (length === 0x81) {
+      dataOffset = 3;  // + 3 (type, length long, length byte)
+      length = der[currentByte + 2];
+    } else if (length === 0x82) {
+      dataOffset = 4; // + 4 (type, length long, 2 length bytes)
+      length = der[currentByte + 2] * 256 + der[currentByte + 3];
+    } else if (length > 0x80) {
+      throw new Error('Certificate is not supported by current implementation');
+    }
+
+    if (isRsaOid(der, currentByte + dataOffset)) {
+      var view = new Uint8Array(der.buffer, currentByte, length + dataOffset)
+      return new Uint8Array(view)
+    }
+
+    currentByte += length + dataOffset
+  }
+
+  throw new Error('Failed to extract RSA public key from the certificate');
+}
+
+/**
+ *
+ * @param {string} pem
+ * @returns string
+ */
+function extractPemDataString(pem) {
+  return pem
+    .replace(
+      /(\n\s)*-----(BEGIN|END) (CERTIFICATE|PUBLIC KEY|PRIVATE KEY|RSA PUBLIC KEY)-----(\n\s)*/g,
+      '',
+    )
+    .replace(/(\n|\r)/g, '')
+    .trim()
+}
+
+/**
+ *
+ * @param {string} x509pem
+ * @returns {Uint8Array}
+ */
+function extractSpkiFromX509(x509pem) {
+  const pemDataBase64 = extractPemDataString(x509pem);
+  const x509Der = base64.decode(pemDataBase64);
+  const spkiDer = extractPubKey(x509Der);
+  return spkiDer;
+}