feat: add functions to convert PrivateKey to CryptoKeyPair (#3061)

Adds `privateKeyToCryptoKeyPair` and `privateKeyFromCryptoKeyPair`
functions to convert libp2p ECDSA/RSA private keys to WebCrypto
`CryptoKeyPair` objects and back.

Author: achingbrain

packages/crypto/src/keys/ecdsa/ecdsa.ts

@@ -57,9 +57,16 @@ export class ECDSAPrivateKey implements ECDSAPrivateKeyInterface {
   public readonly publicKey: ECDSAPublicKey
   private _raw?: Uint8Array
 
-  constructor (jwk: JsonWebKey, publicKey: JsonWebKey) {
+  constructor (jwk: JsonWebKey) {
     this.jwk = jwk
-    this.publicKey = new ECDSAPublicKey(publicKey)
+    this.publicKey = new ECDSAPublicKey({
+      crv: jwk.crv,
+      ext: jwk.ext,
+      key_ops: ['verify'],
+      kty: 'EC',
+      x: jwk.x,
+      y: jwk.y
+    })
   }
 
   get raw (): Uint8Array {

packages/crypto/src/keys/ecdsa/utils.ts

@@ -61,11 +61,6 @@ export function pkiMessageToECDSAPrivateKey (message: any): ECDSAPrivateKey {
       d,
       x,
       y
-    }, {
-      ...P_256_KEY_JWK,
-      key_ops: ['verify'],
-      x,
-      y
     })
   }
 
@@ -79,11 +74,6 @@ export function pkiMessageToECDSAPrivateKey (message: any): ECDSAPrivateKey {
       d,
       x,
       y
-    }, {
-      ...P_384_KEY_JWK,
-      key_ops: ['verify'],
-      x,
-      y
     })
   }
 
@@ -97,11 +87,6 @@ export function pkiMessageToECDSAPrivateKey (message: any): ECDSAPrivateKey {
       d,
       x,
       y
-    }, {
-      ...P_521_KEY_JWK,
-      key_ops: ['verify'],
-      x,
-      y
     })
   }
 
@@ -215,7 +200,7 @@ function getOID (curve?: string): Uint8Array {
 export async function generateECDSAKeyPair (curve: Curve = 'P-256'): Promise<ECDSAPrivateKey> {
   const key = await generateECDSAKey(curve)
 
-  return new ECDSAPrivateKeyClass(key.privateKey, key.publicKey)
+  return new ECDSAPrivateKeyClass(key.privateKey)
 }
 
 export function ensureECDSAKey (key: Uint8Array, length: number): Uint8Array {

packages/crypto/src/keys/index.ts

@@ -9,14 +9,15 @@
  */
 
 import { InvalidParametersError, UnsupportedKeyTypeError } from '@libp2p/interface'
+import { ECDSAPrivateKey as ECDSAPrivateKeyClass } from './ecdsa/ecdsa.js'
 import { ECDSA_P_256_OID, ECDSA_P_384_OID, ECDSA_P_521_OID } from './ecdsa/index.js'
 import { generateECDSAKeyPair, pkiMessageToECDSAPrivateKey, pkiMessageToECDSAPublicKey, unmarshalECDSAPrivateKey, unmarshalECDSAPublicKey } from './ecdsa/utils.js'
 import { privateKeyLength as ed25519PrivateKeyLength, publicKeyLength as ed25519PublicKeyLength } from './ed25519/index.js'
 import { generateEd25519KeyPair, generateEd25519KeyPairFromSeed, unmarshalEd25519PrivateKey, unmarshalEd25519PublicKey } from './ed25519/utils.js'
 import * as pb from './keys.js'
 import { decodeDer } from './rsa/der.js'
 import { RSAES_PKCS1_V1_5_OID } from './rsa/index.js'
-import { pkcs1ToRSAPrivateKey, pkixToRSAPublicKey, generateRSAKeyPair, pkcs1MessageToRSAPrivateKey, pkixMessageToRSAPublicKey } from './rsa/utils.js'
+import { pkcs1ToRSAPrivateKey, pkixToRSAPublicKey, generateRSAKeyPair, pkcs1MessageToRSAPrivateKey, pkixMessageToRSAPublicKey, jwkToRSAPrivateKey } from './rsa/utils.js'
 import { privateKeyLength as secp256k1PrivateKeyLength, publicKeyLength as secp256k1PublicKeyLength } from './secp256k1/index.js'
 import { generateSecp256k1KeyPair, unmarshalSecp256k1PrivateKey, unmarshalSecp256k1PublicKey } from './secp256k1/utils.js'
 import type { Curve } from './ecdsa/index.js'
@@ -237,3 +238,55 @@ function toCurve (curve: any): Curve {
 
   throw new InvalidParametersError('Unsupported curve, should be P-256, P-384 or P-521')
 }
+
+/**
+ * Convert a libp2p RSA or ECDSA private key to a WebCrypto CryptoKeyPair
+ */
+export async function privateKeyToCryptoKeyPair (privateKey: PrivateKey): Promise<CryptoKeyPair> {
+  if (privateKey.type === 'RSA') {
+    return {
+      privateKey: await crypto.subtle.importKey('jwk', privateKey.jwk, {
+        name: 'RSASSA-PKCS1-v1_5',
+        hash: { name: 'SHA-256' }
+      }, true, ['sign']),
+      publicKey: await crypto.subtle.importKey('jwk', privateKey.publicKey.jwk, {
+        name: 'RSASSA-PKCS1-v1_5',
+        hash: { name: 'SHA-256' }
+      }, true, ['verify'])
+    }
+  }
+
+  if (privateKey.type === 'ECDSA') {
+    return {
+      privateKey: await crypto.subtle.importKey('jwk', privateKey.jwk, {
+        name: 'ECDSA',
+        namedCurve: privateKey.jwk.crv ?? 'P-256'
+      }, true, ['sign']),
+      publicKey: await crypto.subtle.importKey('jwk', privateKey.publicKey.jwk, {
+        name: 'ECDSA',
+        namedCurve: privateKey.publicKey.jwk.crv ?? 'P-256'
+      }, true, ['verify'])
+    }
+  }
+
+  throw new InvalidParametersError('Only RSA and ECDSA keys are supported')
+}
+
+/**
+ * Convert a RSA or ECDSA WebCrypto CryptoKeyPair to a libp2p private key
+ */
+export async function privateKeyFromCryptoKeyPair (keyPair: CryptoKeyPair): Promise<PrivateKey> {
+  if (keyPair.privateKey.algorithm.name === 'RSASSA-PKCS1-v1_5') {
+    const jwk = await crypto.subtle.exportKey('jwk', keyPair.privateKey)
+
+    return jwkToRSAPrivateKey(jwk)
+  }
+
+  if (keyPair.privateKey.algorithm.name === 'ECDSA') {
+    const jwk = await crypto.subtle.exportKey('jwk', keyPair.privateKey)
+
+    return new ECDSAPrivateKeyClass(jwk)
+  }
+
+  throw new InvalidParametersError('Only RSA and ECDSA keys are supported')
+}

packages/crypto/test/keys/ecdsa.spec.ts

@@ -6,7 +6,7 @@ import { fromString as uint8ArrayFromString } from 'uint8arrays/from-string'
 import { toString as uint8ArrayToString } from 'uint8arrays/to-string'
 import { randomBytes } from '../../src/index.js'
 import { unmarshalECDSAPrivateKey, unmarshalECDSAPublicKey } from '../../src/keys/ecdsa/utils.js'
-import { generateKeyPair, privateKeyFromProtobuf, privateKeyFromRaw, publicKeyFromProtobuf, publicKeyFromRaw } from '../../src/keys/index.js'
+import { privateKeyToCryptoKeyPair, generateKeyPair, privateKeyFromProtobuf, privateKeyFromRaw, publicKeyFromProtobuf, publicKeyFromRaw, privateKeyFromCryptoKeyPair } from '../../src/keys/index.js'
 import { PrivateKey, PublicKey } from '../../src/keys/keys.js'
 import pbKeys from '../fixtures/ecdsa.js'
 import fixtures from '../fixtures/go-key-ed25519.js'
@@ -39,20 +39,23 @@ describe('ECDSA', function () {
     expect(res).to.be.be.true()
   })
 
-  it.skip('signs a list', async () => {
+  it('signs a list', async () => {
     const text = new Uint8ArrayList(
       randomBytes(512),
       randomBytes(512)
     )
     const sig = await key.sign(text)
-
-    await expect(key.sign(text.subarray()))
-      .to.eventually.deep.equal(sig, 'list did not have same signature as a single buffer')
+    const sig2 = await key.sign(text.subarray())
 
     await expect(key.publicKey.verify(text, sig))
       .to.eventually.be.true('did not verify message as list')
     await expect(key.publicKey.verify(text.subarray(), sig))
       .to.eventually.be.true('did not verify message as single buffer')
+
+    await expect(key.publicKey.verify(text, sig2))
+      .to.eventually.be.true('did not verify message as list')
+    await expect(key.publicKey.verify(text.subarray(), sig2))
+      .to.eventually.be.true('did not verify message as single buffer')
   })
 
   CURVES.forEach(curve => {
@@ -210,4 +213,12 @@ describe('ECDSA', function () {
       expect(sig).to.eql(fixtures.redundantPubKey.signature)
     })
   })
+
+  it('exports to CryptoKeyPair', async () => {
+    const key = await generateKeyPair('ECDSA')
+    const keyPair = await privateKeyToCryptoKeyPair(key)
+    const key2 = await privateKeyFromCryptoKeyPair(keyPair)
+
+    expect(key.publicKey.toCID()).to.deep.equal(key2.publicKey.toCID())
+  })
 })

packages/crypto/test/keys/ed25519.spec.ts

@@ -5,7 +5,7 @@ import { Uint8ArrayList } from 'uint8arraylist'
 import { fromString as uint8ArrayFromString } from 'uint8arrays/from-string'
 import { randomBytes } from '../../src/index.js'
 import { unmarshalEd25519PrivateKey, unmarshalEd25519PublicKey } from '../../src/keys/ed25519/utils.js'
-import { generateKeyPair, generateKeyPairFromSeed, privateKeyFromProtobuf, privateKeyFromRaw, publicKeyFromProtobuf, publicKeyFromRaw } from '../../src/keys/index.js'
+import { generateKeyPair, generateKeyPairFromSeed, privateKeyFromProtobuf, privateKeyFromRaw, publicKeyFromProtobuf, publicKeyFromRaw, privateKeyToCryptoKeyPair } from '../../src/keys/index.js'
 import fixtures from '../fixtures/go-key-ed25519.js'
 import { testGarbage } from '../helpers/test-garbage-error-handling.js'
 import type { Ed25519PrivateKey } from '@libp2p/interface'
@@ -171,6 +171,13 @@ describe('ed25519', function () {
     expect(isPublicKey(key.publicKey)).to.be.true()
   })
 
+  it('fails to export to CryptoKeyPair', async () => {
+    const key = await generateKeyPair('Ed25519')
+
+    await expect(privateKeyToCryptoKeyPair(key)).to.eventually.be.rejected
+      .with.property('message', 'Only RSA and ECDSA keys are supported')
+  })
+
   describe('go interop', () => {
     // @ts-check
     it('verifies with data from go', async () => {

packages/crypto/test/keys/rsa.spec.ts

@@ -8,7 +8,7 @@ import { create } from 'multiformats/hashes/digest'
 import { Uint8ArrayList } from 'uint8arraylist'
 import { fromString as uint8ArrayFromString } from 'uint8arrays/from-string'
 import { randomBytes } from '../../src/index.js'
-import { generateKeyPair, privateKeyFromProtobuf, privateKeyFromRaw, privateKeyToProtobuf, publicKeyFromProtobuf, publicKeyFromRaw, publicKeyToProtobuf } from '../../src/keys/index.js'
+import { privateKeyFromCryptoKeyPair, generateKeyPair, privateKeyFromProtobuf, privateKeyFromRaw, privateKeyToProtobuf, publicKeyFromProtobuf, publicKeyFromRaw, publicKeyToProtobuf, privateKeyToCryptoKeyPair } from '../../src/keys/index.js'
 import * as pb from '../../src/keys/keys.js'
 import { RSAPrivateKey as RSAPrivateKeyClass, RSAPublicKey as RSAPublicKeyClass } from '../../src/keys/rsa/rsa.js'
 import { MAX_RSA_KEY_SIZE, jwkToPkcs1, jwkToPkix, jwkToRSAPrivateKey, pkcs1ToJwk, pkcs1ToRSAPrivateKey, pkixToJwk, pkixToRSAPublicKey } from '../../src/keys/rsa/utils.js'
@@ -279,6 +279,14 @@ describe('RSA', function () {
       roundTrip(RSA_KEY_8192_BITS)
     })
   })
+
+  it('exports to CryptoKeyPair', async () => {
+    const key = await generateKeyPair('RSA')
+    const keyPair = await privateKeyToCryptoKeyPair(key)
+    const key2 = await privateKeyFromCryptoKeyPair(keyPair)
+
+    expect(key.publicKey.toCID()).to.deep.equal(key2.publicKey.toCID())
+  })
 })
 
 function bufToBn (u8: Uint8Array): bigint {

packages/crypto/test/keys/secp256k1.spec.ts

@@ -5,7 +5,7 @@ import { expect } from 'aegir/chai'
 import { Uint8ArrayList } from 'uint8arraylist'
 import { fromString as uint8ArrayFromString } from 'uint8arrays/from-string'
 import { randomBytes } from '../../src/index.js'
-import { generateKeyPair, privateKeyFromRaw, privateKeyToProtobuf, publicKeyFromRaw, publicKeyToProtobuf } from '../../src/keys/index.js'
+import { generateKeyPair, privateKeyFromRaw, privateKeyToProtobuf, publicKeyFromRaw, publicKeyToProtobuf, privateKeyToCryptoKeyPair } from '../../src/keys/index.js'
 import { KeyType, PrivateKey, PublicKey } from '../../src/keys/keys.js'
 import { hashAndSign, hashAndVerify } from '../../src/keys/secp256k1/index.js'
 import { unmarshalSecp256k1PrivateKey, unmarshalSecp256k1PublicKey, compressSecp256k1PublicKey, computeSecp256k1PublicKey, decompressSecp256k1PublicKey, generateSecp256k1PrivateKey, validateSecp256k1PrivateKey, validateSecp256k1PublicKey } from '../../src/keys/secp256k1/utils.js'
@@ -200,6 +200,13 @@ describe('crypto functions', () => {
     const recompressed = compressSecp256k1PublicKey(decompressed)
     expect(recompressed).to.equalBytes(pubKey)
   })
+
+  it('fails to export to CryptoKeyPair', async () => {
+    const key = await generateKeyPair('secp256k1')
+
+    await expect(privateKeyToCryptoKeyPair(key)).to.eventually.be.rejected
+      .with.property('message', 'Only RSA and ECDSA keys are supported')
+  })
 })
 
 describe('go interop', () => {