Merge pull request #19 from armortal/feat/rsa-oaep-encryption

Feat/rsa oaep encryption

Author: stevencedro

README.md

@@ -30,7 +30,7 @@ This library is still in active development and all algorithms are not yet suppo
 | Algorithm | encrypt | decrypt | sign | verify | digest | generateKey | deriveKey | deriveBits | importKey | exportKey | wrapKey | unwrapKey | 
 | :--: | :--: | :--: | :--: | :--: | :--: | :--: | :--: | :--: | :--: | :--: | :--: | :--: | 
 | [HMAC](#hmac) |||:white_check_mark:|:white_check_mark:||:white_check_mark:|||:white_check_mark:|:white_check_mark:|||
-| [RSA-OAEP](#rsa-oaep) ||||||:white_check_mark:|||:white_check_mark:|:white_check_mark:|||
+| [RSA-OAEP](#rsa-oaep) |:white_check_mark:|:white_check_mark:||||:white_check_mark:|||:white_check_mark:|:white_check_mark:|||
 | [SHA](#sha) |||||:white_check_mark:||||||||
 
 ## Getting started

algorithms/hmac/hmac.go

@@ -23,7 +23,6 @@ import (
 	"errors"
 	"fmt"
 	"hash"
-	"io"
 
 	"github.com/armortal/webcrypto-go"
 	"github.com/armortal/webcrypto-go/util"
@@ -34,6 +33,10 @@ var usages = []webcrypto.KeyUsage{
 	webcrypto.Verify,
 }
 
+func init() {
+	webcrypto.RegisterAlgorithm("HMAC", func() webcrypto.SubtleCrypto { return &SubtleCrypto{} })
+}
+
 type SubtleCrypto struct {
 	webcrypto.SubtleCrypto
 	Hash   webcrypto.Algorithm
@@ -96,7 +99,7 @@ func (a *SubtleCrypto) Name() string {
 	return "HMAC"
 }
 
-func (a *SubtleCrypto) Decrypt(algorithm webcrypto.Algorithm, key webcrypto.CryptoKey, data io.Reader) (any, error) {
+func (a *SubtleCrypto) Decrypt(algorithm webcrypto.Algorithm, key webcrypto.CryptoKey, data []byte) ([]byte, error) {
 	return nil, webcrypto.ErrMethodNotSupported()
 }
 
@@ -108,11 +111,11 @@ func (a *SubtleCrypto) DeriveKey(algorithm webcrypto.Algorithm, baseKey webcrypt
 	return nil, webcrypto.ErrMethodNotSupported()
 }
 
-func (a *SubtleCrypto) Digest(algorithm webcrypto.Algorithm, data io.Reader) ([]byte, error) {
+func (a *SubtleCrypto) Digest(algorithm webcrypto.Algorithm, data []byte) ([]byte, error) {
 	return nil, webcrypto.ErrMethodNotSupported()
 }
 
-func (a *SubtleCrypto) Encrypt(algorithm webcrypto.Algorithm, key webcrypto.CryptoKey, data io.Reader) (any, error) {
+func (a *SubtleCrypto) Encrypt(algorithm webcrypto.Algorithm, key webcrypto.CryptoKey, data []byte) ([]byte, error) {
 	return nil, webcrypto.ErrMethodNotSupported()
 }
 
@@ -345,7 +348,7 @@ func importKeyFromRaw(keyData []byte, algorithm *Algorithm, extractable bool, ke
 	}, nil
 }
 
-func (a *SubtleCrypto) Sign(algorithm webcrypto.Algorithm, key webcrypto.CryptoKey, data io.Reader) ([]byte, error) {
+func (a *SubtleCrypto) Sign(algorithm webcrypto.Algorithm, key webcrypto.CryptoKey, data []byte) ([]byte, error) {
 	if _, ok := algorithm.(*Algorithm); !ok {
 		return nil, errors.New("webcrypto: algorithm must be *hmac.Algorithm")
 	}
@@ -370,11 +373,7 @@ func (a *SubtleCrypto) Sign(algorithm webcrypto.Algorithm, key webcrypto.CryptoK
 	}
 
 	h := hmac.New(hash, k.secret)
-	b, err := io.ReadAll(data)
-	if err != nil {
-		return nil, err
-	}
-	h.Write(b)
+	h.Write(data)
 	return h.Sum(nil), nil
 }
 
@@ -388,7 +387,7 @@ func (a *SubtleCrypto) UnwrapKey(format webcrypto.KeyFormat,
 	return nil, webcrypto.ErrMethodNotSupported()
 }
 
-func (a *SubtleCrypto) Verify(algorithm webcrypto.Algorithm, key webcrypto.CryptoKey, signature []byte, data io.Reader) (bool, error) {
+func (a *SubtleCrypto) Verify(algorithm webcrypto.Algorithm, key webcrypto.CryptoKey, signature []byte, data []byte) (bool, error) {
 	act, err := a.Sign(algorithm, key, data)
 	if err != nil {
 		return false, err

algorithms/hmac/hmac_test.go

@@ -146,7 +146,7 @@ func TestSign(t *testing.T) {
 		t.Fatal(err)
 	}
 
-	sig, err := subtle.Sign(&Algorithm{}, key, bytes.NewReader([]byte(input)))
+	sig, err := subtle.Sign(&Algorithm{}, key, []byte(input))
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -175,7 +175,7 @@ func TestVerify(t *testing.T) {
 	if err != nil {
 		t.Fatal(err)
 	}
-	ok, err := subtle.Verify(&Algorithm{}, key, sig, bytes.NewReader([]byte(input)))
+	ok, err := subtle.Verify(&Algorithm{}, key, sig, []byte(input))
 	if err != nil {
 		t.Fatal(err)
 	}

algorithms/rsa/rsa.go

@@ -19,11 +19,13 @@ package rsa
 import (
 	"crypto/rand"
 	"crypto/rsa"
+	"crypto/sha1"
+	"crypto/sha256"
+	"crypto/sha512"
 	"crypto/x509"
 	"encoding/base64"
-	"errors"
 	"fmt"
-	"io"
+	"hash"
 	"math/big"
 
 	"github.com/armortal/webcrypto-go"
@@ -123,7 +125,7 @@ func (c *CryptoKeyPair) PrivateKey() webcrypto.CryptoKey {
 
 type CryptoKey struct {
 	isPrivate bool
-	pub       rsa.PublicKey
+	pub       *rsa.PublicKey
 	priv      *rsa.PrivateKey
 	alg       *KeyAlgorithm
 	ext       bool
@@ -149,8 +151,39 @@ func (c *CryptoKey) Usages() []webcrypto.KeyUsage {
 	return c.usages
 }
 
-func (a *SubtleCrypto) Decrypt(algorithm webcrypto.Algorithm, key webcrypto.CryptoKey, data io.Reader) (any, error) {
-	return nil, errors.New("unimplemented")
+func (a *SubtleCrypto) Decrypt(algorithm webcrypto.Algorithm, key webcrypto.CryptoKey, data []byte) ([]byte, error) {
+	alg, err := getAlgorithm(algorithm)
+	if err != nil {
+		return nil, err
+	}
+	if alg.Name != rsaOaep {
+		return nil, webcrypto.NewError(webcrypto.ErrNotSupportedError, "encrypt not supported")
+	}
+
+	k, ok := key.(*CryptoKey)
+	if !ok {
+		return nil, webcrypto.NewError(webcrypto.ErrDataError, "key must be *rsa.CryptoKey")
+	}
+
+	if !k.isPrivate {
+		return nil, webcrypto.NewError(webcrypto.ErrInvalidAccessError, "key must be private")
+	}
+
+	hash, err := getHash(k.alg.Hash)
+	if err != nil {
+		return nil, err
+	}
+	label := make([]byte, 0)
+	if alg.OaepParams != nil {
+		label = alg.OaepParams.Label
+	}
+
+	msg, err := rsa.DecryptOAEP(hash, rand.Reader, k.priv, data, label)
+	if err != nil {
+		return nil, webcrypto.NewError(webcrypto.ErrOperationError, err.Error())
+	}
+
+	return msg, nil
 }
 
 func (a *SubtleCrypto) DeriveBits(algorithm webcrypto.Algorithm, baseKey webcrypto.CryptoKey, length uint64) ([]byte, error) {
@@ -161,12 +194,44 @@ func (a *SubtleCrypto) DeriveKey(algorithm webcrypto.Algorithm, baseKey webcrypt
 	return nil, webcrypto.ErrMethodNotSupported()
 }
 
-func (a *SubtleCrypto) Digest(algorithm webcrypto.Algorithm, data io.Reader) ([]byte, error) {
+func (a *SubtleCrypto) Digest(algorithm webcrypto.Algorithm, data []byte) ([]byte, error) {
 	return nil, webcrypto.ErrMethodNotSupported()
 }
 
-func (a *SubtleCrypto) Encrypt(algorithm webcrypto.Algorithm, key webcrypto.CryptoKey, data io.Reader) (any, error) {
-	return nil, errors.New("unimplemented")
+func (a *SubtleCrypto) Encrypt(algorithm webcrypto.Algorithm, key webcrypto.CryptoKey, data []byte) ([]byte, error) {
+	alg, err := getAlgorithm(algorithm)
+	if err != nil {
+		return nil, err
+	}
+	if alg.Name != rsaOaep {
+		return nil, webcrypto.NewError(webcrypto.ErrNotSupportedError, "encrypt not supported")
+	}
+
+	k, ok := key.(*CryptoKey)
+	if !ok {
+		return nil, webcrypto.NewError(webcrypto.ErrDataError, "key must be *rsa.CryptoKey")
+	}
+
+	if k.isPrivate {
+		return nil, webcrypto.NewError(webcrypto.ErrInvalidAccessError, "key must be public")
+	}
+
+	hash, err := getHash(k.alg.Hash)
+	if err != nil {
+		return nil, err
+	}
+
+	label := make([]byte, 0)
+	if alg.OaepParams != nil {
+		label = alg.OaepParams.Label
+	}
+
+	b, err := rsa.EncryptOAEP(hash, rand.Reader, k.pub, data, label)
+	if err != nil {
+		return nil, webcrypto.NewError(webcrypto.ErrOperationError, err.Error())
+	}
+
+	return b, nil
 }
 
 func (a *SubtleCrypto) ExportKey(format webcrypto.KeyFormat, key webcrypto.CryptoKey) (any, error) {
@@ -292,7 +357,7 @@ func (a *SubtleCrypto) generateKeyOaep(algorithm *HashedKeyGenParams, extractabl
 
 	// Create the CryptoKey object for the public key
 	pub := &CryptoKey{
-		pub:    key.PublicKey,
+		pub:    &key.PublicKey,
 		alg:    alg,
 		ext:    true,
 		usages: util.UsageIntersection([]webcrypto.KeyUsage{webcrypto.Encrypt, webcrypto.WrapKey}, keyUsages),
@@ -477,7 +542,7 @@ func (a *SubtleCrypto) importKeyJwk(keyData *webcrypto.JsonWebKey, algorithm *Al
 	pub.E = int(big.NewInt(0).SetBytes(e).Int64())
 	ck.alg.ModulusLength = uint64(pub.N.BitLen())
 	ck.alg.PublicExponent = *big.NewInt(int64(pub.E))
-	ck.pub = pub
+	ck.pub = &pub
 
 	// Extract private data if it exists
 	if keyData.D != "" {
@@ -536,7 +601,7 @@ func (a *SubtleCrypto) importKeyJwk(keyData *webcrypto.JsonWebKey, algorithm *Al
 	return ck, nil
 }
 
-func (a *SubtleCrypto) Sign(algorithm webcrypto.Algorithm, key webcrypto.CryptoKey, data io.Reader) ([]byte, error) {
+func (a *SubtleCrypto) Sign(algorithm webcrypto.Algorithm, key webcrypto.CryptoKey, data []byte) ([]byte, error) {
 	return nil, webcrypto.ErrMethodNotSupported()
 }
 
@@ -550,10 +615,33 @@ func (a *SubtleCrypto) UnwrapKey(format webcrypto.KeyFormat,
 	return nil, webcrypto.ErrMethodNotSupported()
 }
 
-func (a *SubtleCrypto) Verify(algorithm webcrypto.Algorithm, key webcrypto.CryptoKey, signature []byte, data io.Reader) (bool, error) {
+func (a *SubtleCrypto) Verify(algorithm webcrypto.Algorithm, key webcrypto.CryptoKey, signature []byte, data []byte) (bool, error) {
 	return false, webcrypto.ErrMethodNotSupported()
 }
 
 func (a *SubtleCrypto) WrapKey(format webcrypto.KeyFormat, key webcrypto.CryptoKey, wrappingKey webcrypto.CryptoKey, wrapAlgorithm webcrypto.Algorithm) (any, error) {
 	return nil, webcrypto.ErrMethodNotSupported()
 }
+
+func getAlgorithm(algorithm webcrypto.Algorithm) (*Algorithm, error) {
+	alg, ok := algorithm.(*Algorithm)
+	if !ok {
+		return nil, webcrypto.NewError(webcrypto.ErrDataError, "algorithm must be *rsa.Algorithm")
+	}
+	return alg, nil
+}
+
+func getHash(hash string) (hash.Hash, error) {
+	switch hash {
+	case "SHA-1":
+		return sha1.New(), nil
+	case "SHA-256":
+		return sha256.New(), nil
+	case "SHA-384":
+		return sha512.New384(), nil
+	case "SHA-512":
+		return sha512.New(), nil
+	default:
+		return nil, webcrypto.NewError(webcrypto.ErrNotSupportedError, fmt.Sprintf("hash %s not supported", hash))
+	}
+}

algorithms/rsa/rsa_test.go

@@ -15,6 +15,7 @@
 package rsa
 
 import (
+	"bytes"
 	"crypto/rsa"
 	"crypto/x509"
 	"encoding/base64"
@@ -24,6 +25,41 @@ import (
 	"github.com/armortal/webcrypto-go"
 )
 
+func TestEncryptDecrypt(t *testing.T) {
+	subtle := &SubtleCrypto{}
+	key, err := subtle.GenerateKey(&Algorithm{
+		Name: "RSA-OAEP",
+		HashedKeyGenParams: &HashedKeyGenParams{
+			KeyGenParams: KeyGenParams{
+				ModulusLength:  2048,
+				PublicExponent: *big.NewInt(65537),
+			},
+			Hash: "SHA-256",
+		},
+	}, true, webcrypto.Decrypt, webcrypto.Encrypt)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	msg := []byte("helloworld")
+	b, err := subtle.Encrypt(&Algorithm{
+		Name: "RSA-OAEP",
+	}, key.(*CryptoKeyPair).PublicKey(), msg)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	v, err := subtle.Decrypt(&Algorithm{
+		Name: "RSA-OAEP",
+	}, key.(*CryptoKeyPair).PrivateKey(), b)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if !bytes.Equal(msg, v) {
+		t.Fatal("msg mismatch")
+	}
+}
+
 func TestOaep_ExportKey(t *testing.T) {
 	subtle := &SubtleCrypto{}
 	key, err := subtle.GenerateKey(&Algorithm{

algorithms/sha/sha.go

@@ -21,7 +21,6 @@ import (
 	"crypto/sha256"
 	"crypto/sha512"
 	"hash"
-	"io"
 
 	"github.com/armortal/webcrypto-go"
 )
@@ -52,7 +51,7 @@ type subtleCrypto struct {
 	name string
 }
 
-func (a *subtleCrypto) Decrypt(algorithm webcrypto.Algorithm, key webcrypto.CryptoKey, data io.Reader) (any, error) {
+func (a *subtleCrypto) Decrypt(algorithm webcrypto.Algorithm, key webcrypto.CryptoKey, data []byte) ([]byte, error) {
 	return nil, webcrypto.ErrMethodNotSupported()
 }
 
@@ -64,7 +63,7 @@ func (a *subtleCrypto) DeriveKey(algorithm webcrypto.Algorithm, baseKey webcrypt
 	return nil, webcrypto.ErrMethodNotSupported()
 }
 
-func (a *subtleCrypto) Digest(algorithm webcrypto.Algorithm, data io.Reader) ([]byte, error) {
+func (a *subtleCrypto) Digest(algorithm webcrypto.Algorithm, data []byte) ([]byte, error) {
 	alg, ok := algorithm.(*Algorithm)
 	if !ok {
 		return nil, webcrypto.NewError(webcrypto.ErrDataError, "algorithm is not *sha.Algorithm")
@@ -82,16 +81,11 @@ func (a *subtleCrypto) Digest(algorithm webcrypto.Algorithm, data io.Reader) ([]
 	default:
 		return nil, webcrypto.NewError(webcrypto.ErrNotSupportedError, "algorithm name is not a valid SHA algorithm")
 	}
-	// TODO should read x bytes at a time
-	b, err := io.ReadAll(data)
-	if err != nil {
-		return nil, err
-	}
-	hash.Write(b)
+	hash.Write(data)
 	return hash.Sum(nil), nil
 }
 
-func (a *subtleCrypto) Encrypt(algorithm webcrypto.Algorithm, key webcrypto.CryptoKey, data io.Reader) (any, error) {
+func (a *subtleCrypto) Encrypt(algorithm webcrypto.Algorithm, key webcrypto.CryptoKey, data []byte) ([]byte, error) {
 	return nil, webcrypto.ErrMethodNotSupported()
 }
 
@@ -107,7 +101,7 @@ func (a *subtleCrypto) ImportKey(format webcrypto.KeyFormat, keyData any, algori
 	return nil, webcrypto.ErrMethodNotSupported()
 }
 
-func (a *subtleCrypto) Sign(algorithm webcrypto.Algorithm, key webcrypto.CryptoKey, data io.Reader) ([]byte, error) {
+func (a *subtleCrypto) Sign(algorithm webcrypto.Algorithm, key webcrypto.CryptoKey, data []byte) ([]byte, error) {
 	return nil, webcrypto.ErrMethodNotSupported()
 }
 
@@ -121,7 +115,7 @@ func (a *subtleCrypto) UnwrapKey(format webcrypto.KeyFormat,
 	return nil, webcrypto.ErrMethodNotSupported()
 }
 
-func (a *subtleCrypto) Verify(algorithm webcrypto.Algorithm, key webcrypto.CryptoKey, signature []byte, data io.Reader) (bool, error) {
+func (a *subtleCrypto) Verify(algorithm webcrypto.Algorithm, key webcrypto.CryptoKey, signature []byte, data []byte) (bool, error) {
 	return false, webcrypto.ErrMethodNotSupported()
 }