Options
All
  • Public
  • Public/Protected
  • All
Menu

@ndn/keychain

This package is part of NDNts, Named Data Networking libraries for the modern web.

This package provides basic signing algorithms and certificate management features.

Signing Algorithms

This package implements signature types defined in NDN Packet Format 0.3:

  • DigestSha256 (in @ndn/packet package)
    • signing and verification
  • SignatureSha256WithRsa (RSASSA-PKCS1-v1_5)
    • signing and verification
    • KeyLocator .Name
    • KeyLocator .KeyDigest
  • SignatureSha256WithEcdsa
    • signing and verification
    • KeyLocator .Name
    • KeyLocator .KeyDigest
  • SignatureHmacWithSha256
    • signing and verification
    • KeyLocator matching

Both Interest and Data are signable.

  • sign Interest
    • put certificate name in KeyLocator
    • generate SigNonce, SigTime, SigSeqNum
  • verify Interest
    • check ParametersSha256DigestComponent
    • check SigNonce, SigTime, SigSeqNum
  • sign Data
    • put certificate name in KeyLocator
  • verify Data

The implementation uses Web Crypto API.

  • Modern browsers natively support WebCrypto.
  • Most browsers restrict WebCrypto to secure contexts only. During development, you may use http://localhost or ngrok.
  • In Node.js, @peculiar/webcrypto wraps Node.js Crypto API and exports them as WebCrypto.

Certificate Management and Storage

Certificate class provides basic operations with NDN Certificate Format 2.0.

  • generate self-signed certificate
  • issue certificate to another public key
  • import certificate as PublicKey for RSASSA-PKCS1-v1_5 and ECDSA

KeyChain class provides storage of PrivateKey and Certificate. It could be ephemeral or persistent. KeyChain.createTemp() creates an in-memory ephemeral keychain. KeyChain.open(locator) opens a persistent keychain.

Persistent keychain in Node.js uses JSON files as underlying storage. The locator argument should be a filesystem directory where these files are stored. Private keys are saved as JSON Web Key (JWK) format, so that it's important to protect the storage directory. It is unsafe to create multiple KeyChain instances on the same storage directory, or access the same keychain from multiple Node.js processes.

Persistent keychain in browser uses IndexedDB API. The locator argument determines the database name(s). Private keys are saved as non-extractable CryptoKey objects.

Known issues:

  • In Firefox, persistent keychain stores JWK instead of CryptoKey, due to Mozilla Bug 1545813.
  • In Firefox, persistent keychain is unusable in a Private Browsing window, due to Mozilla Bug 781982.
  • In iOS and macOS Safari, ECDSA P-521 curve is not supported.

Index

References

Namespaces

Classes

Interfaces

Type aliases

Variables

Functions

Object literals

References

AES

AES:

AES

AES:

AES

AES:

CertNaming

CertNaming:

CertStore

Re-exports CertStore

CertStore

Re-exports CertStore

Certificate

Re-exports Certificate

Certificate

Re-exports Certificate

CounterIvGen

Re-exports CounterIvGen

CounterIvGen

Re-exports CounterIvGen

CryptoAlgorithm

Re-exports CryptoAlgorithm

CryptoAlgorithm

Re-exports CryptoAlgorithm

CryptoAlgorithmList

Re-exports CryptoAlgorithmList

CryptoAlgorithmList

Re-exports CryptoAlgorithmList

CryptoAlgorithmList

Re-exports CryptoAlgorithmList

ECDSA

Re-exports ECDSA

ECDSA

Re-exports ECDSA

ECDSA

Re-exports ECDSA

EcCurve

Re-exports EcCurve

EcCurve

Re-exports EcCurve

EcCurve

Re-exports EcCurve

EncryptionAlgorithm

Re-exports EncryptionAlgorithm

EncryptionAlgorithm

Re-exports EncryptionAlgorithm

EncryptionAlgorithmList

Re-exports EncryptionAlgorithmList

EncryptionAlgorithmList

Re-exports EncryptionAlgorithmList

EncryptionAlgorithmList

Re-exports EncryptionAlgorithmList

HMAC

Re-exports HMAC

HMAC

Re-exports HMAC

HMAC

Re-exports HMAC

IvGen

Re-exports IvGen

IvGen

Re-exports IvGen

KeyChain

Re-exports KeyChain

KeyChain

Re-exports KeyChain

KeyChainImplWebCrypto

Renames and re-exports crypto

KeyChainImplWebCrypto

Renames and re-exports crypto

KeyKind

Re-exports KeyKind

KeyKind

Re-exports KeyKind

KeyStore

Re-exports KeyStore

KeyStore

Re-exports KeyStore

NamedDecrypter

Re-exports NamedDecrypter

NamedDecrypter

Re-exports NamedDecrypter

NamedEncrypter

Re-exports NamedEncrypter

NamedEncrypter

Re-exports NamedEncrypter

NamedSigner

Re-exports NamedSigner

NamedSigner

Re-exports NamedSigner

NamedVerifier

Re-exports NamedVerifier

NamedVerifier

Re-exports NamedVerifier

PrivateKey

Re-exports PrivateKey

PrivateKey

Re-exports PrivateKey

PublicKey

Re-exports PublicKey

PublicKey

Re-exports PublicKey

RSA

Re-exports RSA

RSA

Re-exports RSA

RSA

Re-exports RSA

RSAOAEP

Re-exports RSAOAEP

RSAOAEP

Re-exports RSAOAEP

RSAOAEP

Re-exports RSAOAEP

RandomIvGen

Re-exports RandomIvGen

RandomIvGen

Re-exports RandomIvGen

RsaModulusLength

Re-exports RsaModulusLength

RsaModulusLength

Re-exports RsaModulusLength

RsaModulusLength

Re-exports RsaModulusLength

SecretKey

Re-exports SecretKey

SecretKey

Re-exports SecretKey

SigningAlgorithm

Re-exports SigningAlgorithm

SigningAlgorithm

Re-exports SigningAlgorithm

SigningAlgorithmList

Re-exports SigningAlgorithmList

SigningAlgorithmList

Re-exports SigningAlgorithmList

SigningAlgorithmList

Re-exports SigningAlgorithmList

ValidityPeriod

Re-exports ValidityPeriod

ValidityPeriod

Re-exports ValidityPeriod

createDecrypter

Re-exports createDecrypter

createDecrypter

Re-exports createDecrypter

createEncrypter

Re-exports createEncrypter

createEncrypter

Re-exports createEncrypter

createSigner

Re-exports createSigner

createSigner

Re-exports createSigner

createVerifier

Re-exports createVerifier

createVerifier

Re-exports createVerifier

generateEncryptionKey

Re-exports generateEncryptionKey

generateEncryptionKey

Re-exports generateEncryptionKey

generateSigningKey

Re-exports generateSigningKey

generateSigningKey

Re-exports generateSigningKey

Type aliases

EncryptionOptG

EncryptionOptG<I, Asym, G>: {} extends G ? [EncryptionAlgorithm<I, Asym, G>, undefined | G] : [EncryptionAlgorithm<I, Asym, G>, G]

Type parameters

  • I

  • Asym: boolean

  • G

GenParams_

GenParams_: GenParams

If

If<Cond, True, False, Unknown>: Cond extends true ? True : Cond extends false ? False : Unknown

Type parameters

  • Cond

  • True

  • False

  • Unknown = True | False

PrivateKey

PrivateKey: Key<"private">

Named private key.

PublicKey

PublicKey: Key<"public">

Named public key.

SecretKey

SecretKey: Key<"secret">

Named secret key.

SigningOptG

SigningOptG<I, Asym, G>: {} extends G ? [SigningAlgorithm<I, Asym, G>, undefined | G] : [SigningAlgorithm<I, Asym, G>, G]

Type parameters

  • I

  • Asym: boolean

  • G

Variables

Const CBC

CBC: Encryption<{}, GenParams> = new AesCommon("AES-CBC", "a3840ac4-b29d-4ab5-a255-2894ec254223", {secretKeyUsages: ["encrypt", "decrypt"],ivLength: 16,getIvGen: () => new RandomIvGen(16),allowAdditionalData: false,tagSize: 0,defaultInfo: {},})

AES-CBC encryption algorithm.

Const ContentTypeKEY

ContentTypeKEY: 2 = 2

Const CryptoAlgorithmList

CryptoAlgorithmList: CryptoAlgorithm[] = [...SigningAlgorithmList,...EncryptionAlgorithmList,]

Const DEFAULT_FRESHNESS

DEFAULT_FRESHNESS: 3600000 = 3600000

Const EVD

EVD: EvDecoder<ValidityPeriod> = new EvDecoder<ValidityPeriod>("ValidityPeriod", TT.ValidityPeriod).add(TT.NotBefore, (t, { text }) => t.notBefore = decodeTimestamp(text), { required: true }).add(TT.NotAfter, (t, { text }) => t.notAfter = decodeTimestamp(text), { required: true })

Const EncryptionAlgorithmList

EncryptionAlgorithmList: EncryptionAlgorithm[] = [AES.CBC,AES.CTR,AES.GCM,RSAOAEP,]

Const GCM

GCM: Encryption<{}, GenParams> = new AesCommon("AES-GCM", "a7e27aee-2f10-4150-bd6b-5e667c006274", {secretKeyUsages: ["encrypt", "decrypt"],ivLength: 12,getIvGen: (key) => gcmIvGen.get(key),allowAdditionalData: true,tagSize: 128 / 8,defaultInfo: {},})

AES-GCM encryption algorithm.

Const ISSUER_DEFAULT

ISSUER_DEFAULT: Component = new Component(TT.GenericNameComponent, "NDNts")

Default issuerId.

Const ISSUER_SELF

ISSUER_SELF: Component = new Component(TT.GenericNameComponent, "self")

Self-signed issuerId.

Const KEY

KEY: Component = new Component(TT.GenericNameComponent, "KEY")

'KEY' component.

Const RSAOAEP

RSAOAEP: EncryptionAlgorithm<{}, true, GenParams> = new (class extends RsaCommon implements EncryptionAlgorithm<{}, true, RSA.GenParams> {constructor() {super("RSA-OAEP", "f9c1c143-a7a5-459c-8cdf-69c5f7191cfe",{ private: ["decrypt"], public: ["encrypt"] }, "SHA-1");}public makeLLEncrypt({ publicKey }: CryptoAlgorithm.PublicKey<{}>): LLEncrypt {return async ({plaintext,additionalData,}) => {const ciphertext = new Uint8Array(await crypto.subtle.encrypt({name: this.name,label: additionalData,}, publicKey, plaintext));return { ciphertext };};}public makeLLDecrypt({ privateKey }: CryptoAlgorithm.PrivateKey<{}>): LLDecrypt {return async ({ciphertext,additionalData,}) => {const plaintext = new Uint8Array(await crypto.subtle.decrypt({name: this.name,label: additionalData,}, privateKey, ciphertext));return { plaintext };};}})()

RSA-OAEP encryption algorithm.

Const SigningAlgorithmList

SigningAlgorithmList: SigningAlgorithm[] = [ECDSA,RSA,HMAC,]

Const blockSize

blockSize: 16 = 16

AES block size.

Const crypto

crypto: Crypto = new peculiarCrypto() as Crypto

Const crypto

crypto: Crypto = globalThis.crypto

Const ctrIvGen

ctrIvGen: DefaultWeakMap<SecretKey<Info>, IvGen> = new DefaultWeakMap<CryptoAlgorithm.SecretKey<CTR.Info>, IvGen>(({ info: { counterLength } }) => {return new CounterIvGen({ivLength: 16,counterBits: counterLength,blockSize,});})

Const gcmIvGen

gcmIvGen: DefaultWeakMap<SecretKey<{}>, IvGen> = new DefaultWeakMap<CryptoAlgorithm.SecretKey<{}>, IvGen>(() => new CounterIvGen({ivLength: 12,counterBits: 32,blockSize,}))

Const timestampRe

timestampRe: RegExp = /^(\d{4})(\d{2})(\d{2})T(\d{2})(\d{2})(\d{2})$/

Functions

createDecrypter

createEncrypter

createSigner

createVerifier

decodeTimestamp

  • decodeTimestamp(str: string): number

determineEcCurve

  • determineEcCurve(der: asn1.ElementBuffer): EcCurve | false

encodeTimestamp

  • encodeTimestamp(timestamp: number): Uint8Array

encodeTimestampString

  • encodeTimestampString(timestamp: number): string

findAlgo

generateEncryptionKey

generateKeyInternal

generateSigningKey

getKeyNameImpl

  • getKeyNameImpl(name: Name): Name | undefined

importNamedCurve

  • importNamedCurve(curve: EcCurve, spki: Uint8Array): Promise<CryptoKey>

importSpecificCurve

  • importSpecificCurve(curve: EcCurve, der: asn1.ElementBuffer): Promise<CryptoKey>

isCertName

  • isCertName(name: Name): boolean

isKeyName

  • isKeyName(name: Name): boolean

makeCertName

  • makeCertName(name: Name, opts?: Partial<Omit<CertNameFields, "subjectName">>): Name
  • Create certificate name from subject name, key name, or certificate name.

    Parameters

    • name: Name

      subject name, key name, or certificate name.

    • Default value opts: Partial<Omit<CertNameFields, "subjectName">> = {}

    Returns Name

makeGenParams

  • makeGenParams(curve: EcCurve): EcKeyGenParams & EcKeyImportParams

makeKeyName

  • makeKeyName(name: Name, opts?: Partial<Omit<KeyNameFields, "subjectName">>): Name
  • Create key name from subject name, key name, or certificate name.

    Parameters

    • name: Name

      subject name, key name, or certificate name.

    • Default value opts: Partial<Omit<KeyNameFields, "subjectName">> = {}

    Returns Name

openStores

openStores

parseCertName

parseKeyName

saveAsymmetric

saveSymmetric

toKeyName

  • toKeyName(name: Name): Name
  • Get key name from key name or certificate name.

    throws

    input name is neither key name nor certificate name.

    Parameters

    • name: Name

    Returns Name

toSubjectName

  • toSubjectName(name: Name): Name

toTimestamp

toUintHex

  • toUintHex(array: Uint8Array, start: number, end: number): string

Object literals

Const GenParams

GenParams: object

hash

hash: string = "SHA-256"

name

name: string = "HMAC"

Const NamedCurveOids

NamedCurveOids: object

2A8648CE3D030107

2A8648CE3D030107: "P-256" = "P-256"

2B81040022

2B81040022: "P-384" = "P-384"

2B81040023

2B81040023: "P-521" = "P-521"

Const PointSizes

PointSizes: object

P-256

P-256: number = 32

P-384

P-384: number = 48

P-521

P-521: number = 66

Const SignVerifyParams

SignVerifyParams: object

hash

hash: string = "SHA-256"

name

name: string = "ECDSA"

Legend

  • Namespace
  • Object literal
  • Variable
  • Function
  • Function with type parameter
  • Type alias
  • Type alias with type parameter
  • Interface
  • Interface with type parameter
  • Class
  • Class with type parameter
  • Enumeration

Generated using TypeDoc