Allow supplying entropy for ecc key generation

2024-10-09 16:00:03 +01:00 · 2024-10-09 16:00:03 +01:00 · 8b3b890776
commit 8b3b890776
parent a0337780b7
8 changed files with 67 additions and 29 deletions
--- a/src/crypto/crypto.js
+++ b/src/crypto/crypto.js
@ -311,10 +311,11 @@ export function serializeParams(algo, params) {
 * @param {module:enums.publicKey} algo - The public key algorithm
 * @param {Integer} bits - Bit length for RSA keys
 * @param {module:type/oid} oid - Object identifier for ECC keys
+ * @param {Uint8Array|null} randomSeed - Optional: use Uint8Array as source of entropy. Must be long enough to not run out of random bytes. Will be mutated to destroy the bytes as they are read.
 * @returns {Promise<{ publicParams: {Object}, privateParams: {Object} }>} The parameters referenced by name.
 * @async
 */
-export function generateParams(algo, bits, oid) {
+export function generateParams(algo, bits, oid, randomSeed = null) {
  switch (algo) {
    case enums.publicKey.rsaEncrypt:
    case enums.publicKey.rsaEncryptSign:
@ -330,12 +331,12 @@ export function generateParams(algo, bits, oid) {
        publicParams: { oid: new OID(oid), Q }
      }));
    case enums.publicKey.eddsaLegacy:
-      return publicKey.elliptic.generate(oid).then(({ oid, Q, secret }) => ({
+      return publicKey.elliptic.generate(oid, randomSeed).then(({ oid, Q, secret }) => ({
        privateParams: { seed: secret },
        publicParams: { oid: new OID(oid), Q }
      }));
    case enums.publicKey.ecdh:
-      return publicKey.elliptic.generate(oid).then(({ oid, Q, secret, hash, cipher }) => ({
+      return publicKey.elliptic.generate(oid, randomSeed).then(({ oid, Q, secret, hash, cipher }) => ({
        privateParams: { d: secret },
        publicParams: {
          oid: new OID(oid),
--- a/src/crypto/public_key/elliptic/oid_curves.js
+++ b/src/crypto/public_key/elliptic/oid_curves.js
@ -132,7 +132,7 @@ const curves = {
 };

 class CurveWithOID {
-  constructor(oidOrName, params) {
+  constructor(oidOrName, params, useRandomSeed) {
    try {
      if (util.isArray(oidOrName) ||
          util.isUint8Array(oidOrName)) {
@ -158,9 +158,9 @@ class CurveWithOID {
    this.node = params.node && curves[this.name];
    this.web = params.web && curves[this.name];
    this.payloadSize = params.payloadSize;
-    if (this.web && util.getWebCrypto()) {
+    if (!useRandomSeed && this.web && util.getWebCrypto()) {
      this.type = 'web';
-    } else if (this.node && util.getNodeCrypto()) {
+    } else if (!useRandomSeed && this.node && util.getNodeCrypto()) {
      this.type = 'node';
    } else if (this.name === 'curve25519') {
      this.type = 'curve25519';
@ -169,7 +169,7 @@ class CurveWithOID {
    }
  }

-  async genKeyPair() {
+  async genKeyPair(randomSeed = null) {
    let keyPair;
    switch (this.type) {
      case 'web':
@ -182,7 +182,7 @@ class CurveWithOID {
      case 'node':
        return nodeGenKeyPair(this.name);
      case 'curve25519': {
-        const privateKey = getRandomBytes(32);
+        const privateKey = getRandomBytes(32, randomSeed);
        privateKey[0] = (privateKey[0] & 127) | 64;
        privateKey[31] &= 248;
        const secretKey = privateKey.slice().reverse();
@ -191,7 +191,7 @@ class CurveWithOID {
        return { publicKey, privateKey };
      }
      case 'ed25519': {
-        const privateKey = getRandomBytes(32);
+        const privateKey = getRandomBytes(32, randomSeed);
        const keyPair = nacl.sign.keyPair.fromSeed(privateKey);
        const publicKey = util.concatUint8Array([new Uint8Array([0x40]), keyPair.publicKey]);
        return { publicKey, privateKey };
@ -199,17 +199,17 @@ class CurveWithOID {
    }
    const indutnyCurve = await getIndutnyCurve(this.name);
    keyPair = await indutnyCurve.genKeyPair({
-      entropy: util.uint8ArrayToString(getRandomBytes(32))
+      entropy: util.uint8ArrayToString(getRandomBytes(32, randomSeed))
    });
    return { publicKey: new Uint8Array(keyPair.getPublic('array', false)), privateKey: keyPair.getPrivate().toArrayLike(Uint8Array) };
  }
 }

-async function generate(curve) {
+async function generate(curve, randomSeed = null) {
  const BigInteger = await util.getBigInteger();

-  curve = new CurveWithOID(curve);
-  const keyPair = await curve.genKeyPair();
+  curve = new CurveWithOID(curve, null, randomSeed != null);
+  const keyPair = await curve.genKeyPair(randomSeed);
  const Q = new BigInteger(keyPair.publicKey).toUint8Array();
  const secret = new BigInteger(keyPair.privateKey).toUint8Array('be', curve.payloadSize);
  return {
--- a/src/crypto/public_key/rsa.js
+++ b/src/crypto/public_key/rsa.js
@ -166,13 +166,13 @@ export async function decrypt(data, n, e, d, p, q, u, randomPayload) {
 *                                  RSA private prime p, RSA private prime q, u = p ** -1 mod q
 * @async
 */
-export async function generate(bits, e) {
+export async function generate(bits, e, randomSeed = null) {
  const BigInteger = await util.getBigInteger();

  e = new BigInteger(e);

  // Native RSA keygen using Web Crypto
-  if (util.getWebCrypto()) {
+  if (!randomSeed && util.getWebCrypto()) {
    const keyGenOpt = {
      name: 'RSASSA-PKCS1-v1_5',
      modulusLength: bits, // the specified keysize in bits
@ -197,7 +197,7 @@ export async function generate(bits, e) {
      // Since p and q are switched in places, u is the inverse of jwk.q
      u: b64ToUint8Array(jwk.qi)
    };
-  } else if (util.getNodeCrypto() && nodeCrypto.generateKeyPair && RSAPrivateKey) {
+  } else if (!randomSeed && util.getNodeCrypto() && nodeCrypto.generateKeyPair && RSAPrivateKey) {
    const opts = {
      modulusLength: bits,
      publicExponent: e.toNumber(),
--- a/src/crypto/random.js
+++ b/src/crypto/random.js
@ -31,9 +31,29 @@ const nodeCrypto = util.getNodeCrypto();
 * @param {Integer} length - Length in bytes to generate
 * @returns {Uint8Array} Random byte array.
 */
-export function getRandomBytes(length) {
+export function getRandomBytes(length, randomSeed) {
  const buf = new Uint8Array(length);
-  if (nodeCrypto) {
+  if (randomSeed != null) {
+    if (! (randomSeed instanceof Uint8Array) || randomSeed.length < length) {
+      throw new Error('Invalid type or length for randomSeed');
+    }
+    
+    // clear with all-ones instead of all-zeros to distinguish between an empty
+    // uint8Array from a cleared one while debugging
+    var cleared = true;
+    for (var i = 0; i < length; i++) {
+      cleared = cleared && (randomSeed[i] == 255);
+      buf[i] = randomSeed[i];
+      randomSeed[i] = 255;
+    }
+    for (var j = length; j < randomSeed.length; j++) {
+      randomSeed[j] = 0;
+    }
+    
+    if (cleared) {
+      throw new Error("randomSeed's first " + length + " bytes have been cleared with all-ones, already-used randomSeed Uint8Array?")
+    }
+  } else if (nodeCrypto) {
    const bytes = nodeCrypto.randomBytes(buf.length);
    buf.set(bytes);
  } else if (typeof crypto !== 'undefined' && crypto.getRandomValues) {
--- a/src/key/factory.js
+++ b/src/key/factory.js
@ -76,17 +76,33 @@ function createKey(packetlist) {
 * @param {Object} config - Full configuration
 * @param {Array<Object>} options.subkeys         (optional) options for each subkey, default to main key options. e.g. [{sign: true, passphrase: '123'}]
 *                                                  sign parameter defaults to false, and indicates whether the subkey should sign rather than encrypt
+ * @param {Array<Uint8Array>|null} [randomSeed] - Optional: use Uint8Arrays (one for each subkey) as source of entropy for ecc key generation. Must be long enough to not run out of random bytes. Will be mutated to discard the bytes as they are read.
 * @returns {Promise<{{ key: PrivateKey, revocationCertificate: String }}>}
 * @async
 * @static
 * @private
 */
-export async function generate(options, config) {
+export async function generate(options, config, randomSeed = null) {
  options.sign = true; // primary key is always a signing key
  options = helper.sanitizeKeyOptions(options);
+  let getRandomSeed = (index) => {
+    if (randomSeed == null) {
+      return null;
+    } else if (index >= randomSeed.length) {
+      throw new Error('randomSeed does not have a seed for each key/subkey (need at least ' + index + ')');
+    } else {
+      var s = randomSeed[index];
+      randomSeed[index] = null;
+      if (s instanceof Uint8Array && s.length == 32) {
+        return s;
+      } else {
+        throw new Error('randomSeed element ' + index + ' does not contain a Unit8Array(32)');
+      }
+    }
+  };
  options.subkeys = options.subkeys.map((subkey, index) => helper.sanitizeKeyOptions(options.subkeys[index], options));
-  let promises = [helper.generateSecretKey(options, config)];
-  promises = promises.concat(options.subkeys.map(options => helper.generateSecretSubkey(options, config)));
+  let promises = [helper.generateSecretKey(options, config, getRandomSeed(0))];
+  promises = promises.concat(options.subkeys.map((options, subkeyIndex) => helper.generateSecretSubkey(options, config, getRandomSeed(1 + subkeyIndex))));
  const packets = await Promise.all(promises);

  const key = await wrapKeyObject(packets[0], packets.slice(1), options, config);
--- a/src/key/helper.js
+++ b/src/key/helper.js
@ -14,20 +14,20 @@ import crypto from '../crypto';
 import util from '../util';
 import defaultConfig from '../config';

-export async function generateSecretSubkey(options, config) {
+export async function generateSecretSubkey(options, config, randomSeed = null) {
  const secretSubkeyPacket = new SecretSubkeyPacket(options.date, config);
  secretSubkeyPacket.packets = null;
  secretSubkeyPacket.algorithm = enums.write(enums.publicKey, options.algorithm);
-  await secretSubkeyPacket.generate(options.rsaBits, options.curve);
+  await secretSubkeyPacket.generate(options.rsaBits, options.curve, undefined, randomSeed);
  await secretSubkeyPacket.computeFingerprintAndKeyID();
  return secretSubkeyPacket;
 }

-export async function generateSecretKey(options, config) {
+export async function generateSecretKey(options, config, randomSeed = null) {
  const secretKeyPacket = new SecretKeyPacket(options.date, config);
  secretKeyPacket.packets = null;
  secretKeyPacket.algorithm = enums.write(enums.publicKey, options.algorithm);
-  await secretKeyPacket.generate(options.rsaBits, options.curve, options.config);
+  await secretKeyPacket.generate(options.rsaBits, options.curve, options.config, randomSeed);
  await secretKeyPacket.computeFingerprintAndKeyID();
  return secretKeyPacket;
 }
--- a/src/openpgp.js
+++ b/src/openpgp.js
@ -48,12 +48,13 @@ import { checkKeyRequirements } from './key/helper';
 *                                             default to main key options, except for `sign` parameter that defaults to false, and indicates whether the subkey should sign rather than encrypt
 * @param {'armored'|'binary'|'object'} [options.format='armored'] - format of the output keys
 * @param {Object} [options.config] - Custom configuration settings to overwrite those in [config]{@link module:config}
+ * @param {Array<Uint8Array>|null} [randomSeed] - Optional: use Uint8Arrays (one for each primary + subkey) as source of entropy for ecc key generation. Must be long enough to not run out of random bytes. Will be mutated to discard the bytes as they are read.
 * @returns {Promise<Object>} The generated key object in the form:
 *                                     { privateKey:PrivateKey|Uint8Array|String, publicKey:PublicKey|Uint8Array|String, revocationCertificate:String }
 * @async
 * @static
 */
-export async function generateKey({ userIDs = [], passphrase, type = 'ecc', rsaBits = 4096, curve = 'curve25519', keyExpirationTime = 0, date = new Date(), subkeys = [{}], format = 'armored', config, ...rest }) {
+export async function generateKey({ userIDs = [], passphrase, type = 'ecc', rsaBits = 4096, curve = 'curve25519', keyExpirationTime = 0, date = new Date(), subkeys = [{}], format = 'armored', config, ...rest }, randomSeed = null) {
  config = { ...defaultConfig, ...config }; checkConfig(config);
  userIDs = toArray(userIDs);
  const unknownOptions = Object.keys(rest); if (unknownOptions.length > 0) throw new Error(`Unknown option: ${unknownOptions.join(', ')}`);
@ -68,7 +69,7 @@ export async function generateKey({ userIDs = [], passphrase, type = 'ecc', rsaB
  const options = { userIDs, passphrase, type, rsaBits, curve, keyExpirationTime, date, subkeys };

  try {
-    const { key, revocationCertificate } = await generate(options, config);
+    const { key, revocationCertificate } = await generate(options, config, randomSeed);
    key.getKeys().forEach(({ keyPacket }) => checkKeyRequirements(keyPacket, config));

    return {
--- a/src/packet/secret_key.js
+++ b/src/packet/secret_key.js
@ -425,8 +425,8 @@ class SecretKeyPacket extends PublicKeyPacket {
    }
  }

-  async generate(bits, curve) {
-    const { privateParams, publicParams } = await crypto.generateParams(this.algorithm, bits, curve);
+  async generate(bits, curve, config = undefined, randomSeed = null) {
+    const { privateParams, publicParams } = await crypto.generateParams(this.algorithm, bits, curve, randomSeed);
    this.privateParams = privateParams;
    this.publicParams = publicParams;
    this.isEncrypted = false;