Drop node-rsa & node-forge #460

Open
ad-m opened this issue Oct 28, 2019 · 2 comments

Comments

@ad-m
Collaborator

ad-m commented Oct 28, 2019

We use node-rsa in the vm passwordreset command.

The public API expects the following data:

  • username
  • modulus - the modulus of the RSA key pair
  • exponent - the exponent of the RSA key pair

NodeJS is developing its standard crypto library in the area of asymmetric cryptography. An upstream issue, nodejs/node#30045 (see also nodejs/node#26854), exists to expose that information, e.g. as publicExponent.

@ad-m
Collaborator Author

ad-m commented Oct 28, 2019

Until NodeJS exposes the exponent & modulus information, dropping node-forge is also tricky.

For Vault, we accept PEM certificates, but the public API for a virtual machine verifies the key more accurately.

const crypto = require('crypto');

// OpenSSH "ssh-rsa" public key blob (RFC 4253): string "ssh-rsa", mpint e, mpint n.
// Every field is a 4-byte big-endian length followed by the bytes.
const KEY_TYPE = Buffer.from("000000077373682d727361", "hex"); // length 7, "ssh-rsa"
const PUBLIC_EXPONENT = Buffer.from("00000003010001", "hex");  // length 3, 0x010001 = 65537
const MAGIC_SSH_HEADER = Buffer.concat([
    KEY_TYPE,
    PUBLIC_EXPONENT
]);
// Consists:
// * length of key type
// * key type as string
// * length of public exponent
// * public exponent as bytes
// The length of the modulus is deliberately NOT hard-coded here: it depends on the key
// size (257 bytes for 2048-bit, 513 bytes for 4096-bit, each including the leading 0x00),
// so it is written per key below. A fixed 0x101 prefix would only be right for 2048-bit keys.
// See https://stackoverflow.com/a/12750816/4017156 for details
const MAGIC_PEM_FOOTER = Buffer.from("0203010001", "hex");
// Consists:
// * INTEGER tag (0x02) and length of public exponent (3)
// * public exponent 0x010001
// See https://crypto.stackexchange.com/questions/55887/why-do-rsa-public-keys-begin-with-3048024100 for details
const endsWith = (buf, searchvalue) => buf.slice(buf.length - searchvalue.length).compare(searchvalue) === 0;
// 4-byte big-endian length prefix of an SSH field.
const sshLength = (buf) => {
    const len = Buffer.alloc(4);
    len.writeUInt32BE(buf.length, 0);
    return len;
};
// Offset of the modulus bytes inside the DER SubjectPublicKeyInfo. For 2048- to 4096-bit
// keys every enclosing SEQUENCE, BIT STRING and INTEGER length uses the 2-byte long form
// (0x82 xx xx), so the prefix is 32 bytes for all of them. Smaller keys are not handled.
const MODULUS_OFFSET = 32;

const generateKeyPair = (comment) => {
    const publicExponent = 0x10001; // default public exponent in NodeJS
    const modulusLength = 4096;
    return new Promise((resolve, reject) => crypto.generateKeyPair('rsa', {
        modulusLength,
        publicExponent,
        publicKeyEncoding: {
            type: 'spki',
            format: 'pem'
        },
        privateKeyEncoding: {
            type: 'pkcs8',
            format: 'pem'
        }
    }, (err, pub, privateKey) => {
        if (err) return reject(err);
        const body = Buffer.from(
            pub.split("\n").filter(x => !x.includes('-----')).join(''),
            'base64'
        );
        // The footer check only proves e == 65537; the modulus layout is checked separately.
        if (!endsWith(body, MAGIC_PEM_FOOTER)) {
            return reject(new Error('Unable to convert PEM to SSH key. Unexpected public exponent.'));
        }
        // The DER INTEGER carries a leading 0x00 because the high bit of n is set; an SSH
        // mpint needs that same byte, so the slice keeps it.
        const modulus = body.slice(MODULUS_OFFSET, body.length - MAGIC_PEM_FOOTER.length);
        if (modulus.length !== modulusLength / 8 + 1 || modulus[0] !== 0x00 || !(modulus[1] & 0x80)) {
            return reject(new Error('Unable to convert PEM to SSH key. Verify key size.'));
        }
        const publicKey = [
            'ssh-rsa',
            Buffer.concat([
                MAGIC_SSH_HEADER,
                sshLength(modulus),
                modulus,
            ]).toString('base64'),
            comment
        ].join(' ');
        return resolve({ publicKey, privateKey });
    }));
};

@fredericosilva
Collaborator

fredericosilva commented Oct 29, 2019 via email

@ad-m ad-m changed the title Drop node-rsa Drop node-rsa & node-forge Mar 4, 2020