--- /dev/null
+// Copyright 2015 Joyent, Inc.
+
+module.exports = {
+ read: read,
+ write: write
+};
+
+var assert = require('assert-plus');
+var asn1 = require('asn1');
+var crypto = require('crypto');
+var algs = require('../algs');
+var utils = require('../utils');
+var Key = require('../key');
+var PrivateKey = require('../private-key');
+
+var pkcs1 = require('./pkcs1');
+var pkcs8 = require('./pkcs8');
+var sshpriv = require('./ssh-private');
+var rfc4253 = require('./rfc4253');
+
+var errors = require('../errors');
+
+/*
+ * For reading we support both PKCS#1 and PKCS#8. If we find a private key,
+ * we just take the public component of it and use that.
+ */
+function read(buf, options, forceType) {
+ var input = buf;
+ if (typeof (buf) !== 'string') {
+ assert.buffer(buf, 'buf');
+ buf = buf.toString('ascii');
+ }
+
+ var lines = buf.trim().split('\n');
+
+ var m = lines[0].match(/*JSSTYLED*/
+ /[-]+[ ]*BEGIN ([A-Z0-9]+ )?(PUBLIC|PRIVATE) KEY[ ]*[-]+/);
+ assert.ok(m, 'invalid PEM header');
+
+ var m2 = lines[lines.length - 1].match(/*JSSTYLED*/
+ /[-]+[ ]*END ([A-Z0-9]+ )?(PUBLIC|PRIVATE) KEY[ ]*[-]+/);
+ assert.ok(m2, 'invalid PEM footer');
+
+ /* Begin and end banners must match key type */
+ assert.equal(m[2], m2[2]);
+ var type = m[2].toLowerCase();
+
+ var alg;
+ if (m[1]) {
+ /* They also must match algorithms, if given */
+ assert.equal(m[1], m2[1], 'PEM header and footer mismatch');
+ alg = m[1].trim();
+ }
+
+ var headers = {};
+ while (true) {
+ lines = lines.slice(1);
+ m = lines[0].match(/*JSSTYLED*/
+ /^([A-Za-z0-9-]+): (.+)$/);
+ if (!m)
+ break;
+ headers[m[1].toLowerCase()] = m[2];
+ }
+
+ var cipher, key, iv;
+ if (headers['proc-type']) {
+ var parts = headers['proc-type'].split(',');
+ if (parts[0] === '4' && parts[1] === 'ENCRYPTED') {
+ if (typeof (options.passphrase) === 'string') {
+ options.passphrase = new Buffer(
+ options.passphrase, 'utf-8');
+ }
+ if (!Buffer.isBuffer(options.passphrase)) {
+ throw (new errors.KeyEncryptedError(
+ options.filename, 'PEM'));
+ } else {
+ parts = headers['dek-info'].split(',');
+ assert.ok(parts.length === 2);
+ cipher = parts[0].toLowerCase();
+ iv = new Buffer(parts[1], 'hex');
+ key = utils.opensslKeyDeriv(cipher, iv,
+ options.passphrase, 1).key;
+ }
+ }
+ }
+
+ /* Chop off the first and last lines */
+ lines = lines.slice(0, -1).join('');
+ buf = new Buffer(lines, 'base64');
+
+ if (cipher && key && iv) {
+ var cipherStream = crypto.createDecipheriv(cipher, key, iv);
+ var chunk, chunks = [];
+ cipherStream.once('error', function (e) {
+ if (e.toString().indexOf('bad decrypt') !== -1) {
+ throw (new Error('Incorrect passphrase ' +
+ 'supplied, could not decrypt key'));
+ }
+ throw (e);
+ });
+ cipherStream.write(buf);
+ cipherStream.end();
+ while ((chunk = cipherStream.read()) !== null)
+ chunks.push(chunk);
+ buf = Buffer.concat(chunks);
+ }
+
+ /* The new OpenSSH internal format abuses PEM headers */
+ if (alg && alg.toLowerCase() === 'openssh')
+ return (sshpriv.readSSHPrivate(type, buf));
+ if (alg && alg.toLowerCase() === 'ssh2')
+ return (rfc4253.readType(type, buf));
+
+ var der = new asn1.BerReader(buf);
+ der.originalInput = input;
+
+ /*
+ * All of the PEM file types start with a sequence tag, so chop it
+ * off here
+ */
+ der.readSequence();
+
+ /* PKCS#1 type keys name an algorithm in the banner explicitly */
+ if (alg) {
+ if (forceType)
+ assert.strictEqual(forceType, 'pkcs1');
+ return (pkcs1.readPkcs1(alg, type, der));
+ } else {
+ if (forceType)
+ assert.strictEqual(forceType, 'pkcs8');
+ return (pkcs8.readPkcs8(alg, type, der));
+ }
+}
+
+function write(key, options, type) {
+ assert.object(key);
+
+ var alg = {'ecdsa': 'EC', 'rsa': 'RSA', 'dsa': 'DSA'}[key.type];
+ var header;
+
+ var der = new asn1.BerWriter();
+
+ if (PrivateKey.isPrivateKey(key)) {
+ if (type && type === 'pkcs8') {
+ header = 'PRIVATE KEY';
+ pkcs8.writePkcs8(der, key);
+ } else {
+ if (type)
+ assert.strictEqual(type, 'pkcs1');
+ header = alg + ' PRIVATE KEY';
+ pkcs1.writePkcs1(der, key);
+ }
+
+ } else if (Key.isKey(key)) {
+ if (type && type === 'pkcs1') {
+ header = alg + ' PUBLIC KEY';
+ pkcs1.writePkcs1(der, key);
+ } else {
+ if (type)
+ assert.strictEqual(type, 'pkcs8');
+ header = 'PUBLIC KEY';
+ pkcs8.writePkcs8(der, key);
+ }
+
+ } else {
+ throw (new Error('key is not a Key or PrivateKey'));
+ }
+
+ var tmp = der.buffer.toString('base64');
+ var len = tmp.length + (tmp.length / 64) +
+ 18 + 16 + header.length*2 + 10;
+ var buf = new Buffer(len);
+ var o = 0;
+ o += buf.write('-----BEGIN ' + header + '-----\n', o);
+ for (var i = 0; i < tmp.length; ) {
+ var limit = i + 64;
+ if (limit > tmp.length)
+ limit = tmp.length;
+ o += buf.write(tmp.slice(i, limit), o);
+ buf[o++] = 10;
+ i = limit;
+ }
+ o += buf.write('-----END ' + header + '-----\n', o);
+
+ return (buf.slice(0, o));
+}