Merge pull request #40 from dajiaji/add-support-for-x25519

Add support for DHKEM(X25519, HKDF-SHA256).

README.md

@@ -52,7 +52,7 @@ This library works on both web browsers and Node.js (<b>currently, Deno is not s
 | DHKEM (P-256, HKDF-SHA256)  | ✅      |  ✅     |      |
 | DHKEM (P-384, HKDF-SHA384)  | ✅      |  ✅     |      |
 | DHKEM (P-521, HKDF-SHA512)  | ✅      |  ✅     |      |
-| DHKEM (X25519, HKDF-SHA256) |         |         |      |
+| DHKEM (X25519, HKDF-SHA256) | ✅      |  ✅     |      |
 | DHKEM (X448, HKDF-SHA512)   |         |         |      |
 
 ### Key Derivation Functions (KDFs)

package.json

@@ -62,6 +62,7 @@
     "url": "https://github.com/dajiaji/hpke-js/issues"
   },
   "dependencies": {
-    "@stablelib/chacha20poly1305": "^1.0.1"
+    "@stablelib/chacha20poly1305": "^1.0.1",
+    "@stablelib/x25519": "^1.0.2"
   }
 }

src/cipherSuite.ts

@@ -46,6 +46,7 @@ export class CipherSuite {
       case Kem.DhkemP256HkdfSha256:
       case Kem.DhkemP384HkdfSha384:
       case Kem.DhkemP521HkdfSha512:
+      case Kem.DhkemX25519HkdfSha256:
         break;
       default:
         throw new errors.InvalidParamError('Invalid KEM id');

src/identifiers.ts

@@ -18,8 +18,8 @@ export enum Kem {
   DhkemP384HkdfSha384 = 0x0011,
   /** DHKEM (P-521, HKDF-SHA512). */
   DhkemP521HkdfSha512 = 0x0012,
-  // /** DHKEM (X25519, HKDF-SHA256) */
-  // DhkemX25519HkdfSha256 = 0x0020,
+  /** DHKEM (X25519, HKDF-SHA256) */
+  DhkemX25519HkdfSha256 = 0x0020,
   // /** DHKEM (X448, HKDF-SHA512) */
   // DhkemX448HkdfSha512 = 0x0021,
 }

src/kemContext.ts

@@ -3,6 +3,7 @@ import type { SenderContextParams } from './interfaces/senderContextParams';
 import type { RecipientContextParams } from './interfaces/recipientContextParams';
 
 import { Ec } from './kemPrimitives/ec';
+import { X25519 } from './kemPrimitives/x25519';
 import { Kem } from './identifiers';
 import { KdfCommon } from './kdfCommon';
 import { isCryptoKeyPair, i2Osp, concat, concat3 } from './utils/misc';
@@ -28,10 +29,13 @@ export class KemContext extends KdfCommon {
       case Kem.DhkemP384HkdfSha384:
         algHash = { name: 'HMAC', hash: 'SHA-384', length: 384 };
         break;
-      default:
-        // case Kem.DhkemP521HkdfSha512:
+      case Kem.DhkemP521HkdfSha512:
         algHash = { name: 'HMAC', hash: 'SHA-512', length: 512 };
         break;
+      default:
+        // case Kem.DhkemX25519HkdfSha256:
+        algHash = { name: 'HMAC', hash: 'SHA-256', length: 256 };
+        break;
     }
     super(api, suiteId, algHash);
 
@@ -44,11 +48,15 @@ export class KemContext extends KdfCommon {
         this._prim = new Ec(kem, this, this._api);
         this._nSecret = 48;
         break;
-      default:
-        // case Kem.DhkemP521HkdfSha512:
+      case Kem.DhkemP521HkdfSha512:
         this._prim = new Ec(kem, this, this._api);
         this._nSecret = 64;
         break;
+      default:
+        // case Kem.DhkemX25519HkdfSha256:
+        this._prim = new X25519(this);
+        this._nSecret = 32;
+        break;
     }
     return;
   }

src/kemPrimitives/ec.ts

@@ -28,7 +28,6 @@ const PKCS8_ALG_ID_P_521 = new Uint8Array([
 
 export class Ec implements KemPrimitives {
 
-  private _kem: Kem;
   private _hkdf: KdfCommon;
   private _api: SubtleCrypto;
   private _alg: EcKeyGenParams;
@@ -43,10 +42,9 @@ export class Ec implements KemPrimitives {
   private _pkcs8AlgId: Uint8Array;
 
   constructor(kem: Kem, hkdf: KdfCommon, api: SubtleCrypto) {
-    this._kem = kem;
     this._hkdf = hkdf;
     this._api = api;
-    switch (this._kem) {
+    switch (kem) {
       case Kem.DhkemP256HkdfSha256:
         this._alg = { name: 'ECDH', namedCurve: 'P-256' };
         this._nPk = 65;

src/kemPrimitives/x25519.ts

@@ -0,0 +1,108 @@
+import { generateKeyPair, scalarMultBase, sharedKey } from '@stablelib/x25519';
+
+import type { KemPrimitives } from '../interfaces/kemPrimitives';
+import type { KdfCommon } from '../kdfCommon';
+
+import { Kem } from '../identifiers';
+import { i2Osp } from '../utils/misc';
+
+import * as consts from '../consts';
+
+export class XCryptoKey implements CryptoKey {
+
+  public readonly key: Uint8Array;
+  public readonly type: 'public' | 'private';
+  public readonly extractable: boolean = true;
+  public readonly algorithm: KeyAlgorithm = { name: 'X25519' };
+  public readonly usages: KeyUsage[] = consts.KEM_USAGES;
+
+  constructor(key: Uint8Array, type: 'public' | 'private') {
+    this.key = key;
+    this.type = type;
+  }
+}
+
+export class X25519 implements KemPrimitives {
+
+  private _hkdf: KdfCommon;
+  private _nPk: number;
+  private _nSk: number;
+
+  constructor(hkdf: KdfCommon) {
+    this._hkdf = hkdf;
+    this._nPk = 32;
+    this._nSk = 32;
+  }
+
+  public async serializePublicKey(key: CryptoKey): Promise<ArrayBuffer> {
+    return await this._serializePublicKey(key as XCryptoKey);
+  }
+
+  public async deserializePublicKey(key: ArrayBuffer): Promise<CryptoKey> {
+    return await this._deserializePublicKey(key);
+  }
+
+  public async derivePublicKey(key: CryptoKey): Promise<CryptoKey> {
+    return await this._derivePublicKey(key as XCryptoKey);
+  }
+
+  public async generateKeyPair(): Promise<CryptoKeyPair> {
+    return await this._generateKeyPair();
+  }
+
+  public async deriveKeyPair(ikm: ArrayBuffer): Promise<CryptoKeyPair> {
+    const dkpPrk = await this._hkdf.labeledExtract(consts.EMPTY, consts.LABEL_DKP_PRK, new Uint8Array(ikm));
+    const rawSk = await this._hkdf.labeledExpand(dkpPrk, consts.LABEL_SK, consts.EMPTY, this._nSk);
+    const sk = new XCryptoKey(new Uint8Array(rawSk), 'private');
+    return {
+      privateKey: sk,
+      publicKey: await this.derivePublicKey(sk),
+    };
+  }
+
+  public async dh(sk: CryptoKey, pk: CryptoKey): Promise<ArrayBuffer> {
+    return await this._dh(sk as XCryptoKey, pk as XCryptoKey);
+  }
+
+  private _serializePublicKey(k: XCryptoKey): Promise<ArrayBuffer> {
+    return new Promise((resolve) => {
+      resolve(k.key.buffer);
+    });
+  }
+
+  private _deserializePublicKey(k: ArrayBuffer): Promise<CryptoKey> {
+    return new Promise((resolve, reject) => {
+      if (k.byteLength !== this._nPk) {
+        reject(new Error('invalid public key for the ciphersuite'));
+      } else {
+        resolve(new XCryptoKey(new Uint8Array(k), 'public'));
+      }
+    });
+  }
+
+  private _derivePublicKey(k: XCryptoKey): Promise<CryptoKey> {
+    return new Promise((resolve) => {
+      resolve(new XCryptoKey(scalarMultBase(k.key), 'public'));
+    });
+  }
+
+  private _generateKeyPair(): Promise<CryptoKeyPair> {
+    return new Promise((resolve) => {
+      const kp = generateKeyPair();
+      resolve({
+        publicKey: new XCryptoKey(kp.publicKey, 'public'),
+        privateKey: new XCryptoKey(kp.secretKey, 'private'),
+      });
+    });
+  }
+
+  private _dh(sk: XCryptoKey, pk: XCryptoKey): Promise<ArrayBuffer> {
+    return new Promise((resolve, reject) => {
+      try {
+        resolve(sharedKey(sk.key, pk.key));
+      } catch (e: unknown) {
+        reject(e);
+      }
+    });
+  }
+}