Timo/crypto-helper
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

refactoring, asymmetric signatures and encryption
All checks were successful
continuous-integration/drone/push Build is passing
Details

Browse Source
This commit is contained in:
Timo Hocker
2021-01-06 15:13:04 +01:00
parent 612686a224
commit ecd0195aee
14 changed files with 749 additions and 392 deletions
Download Patch File Download Diff File Expand all files Collapse all files

110
lib/encryption.js Normal file
View File

@ -0,0 +1,110 @@
'use strict';
const crypto = require ('crypto');
const encryption_mode_cbc_256 = {
algorithm: 'aes-256-cbc',
nonce_size: 16,
key_size: 32,
hash: 'sha256',
salt_size: 16,
iterations: 32767
};
const encryption_mode_cbc_256_quick = {
algorithm: 'aes-256-cbc',
nonce_size: 16,
key_size: 32,
hash: 'sha256',
salt_size: 16,
iterations: 32
};
const encryption_mode_cbc_128 = {
algorithm: 'aes-128-cbc',
nonce_size: 16,
key_size: 16,
hash: 'sha256',
salt_size: 16,
iterations: 40
};
/**
* encrypt plain text with aes
*
* @param {string} text plaintext
* @param {string} pass password
* @param {object} mode encryption mode
* @returns {string} encrypted
*/
function encrypt_aes (text, pass, mode = encryption_mode_cbc_256) {
const salt = crypto.randomBytes (mode.salt_size);
// eslint-disable-next-line no-sync
const key = crypto.pbkdf2Sync (
Buffer.from (pass),
salt,
mode.iterations,
mode.key_size,
mode.hash
);
const nonce = crypto.randomBytes (mode.nonce_size);
const cipher = crypto.createCipheriv (mode.algorithm, key, nonce);
return Buffer.concat ([
salt,
nonce,
cipher.update (Buffer.from (text)),
cipher.final ()
])
.toString ('base64');
}
/**
* decrypt an aes string
*
* @param {string} ciphertext encrypted text
* @param {string} pass password
* @param {object} mode encryption mode
* @param {boolean} rethrow rethrow exceptions instead of returning null
* @returns {string} plaintext
*/
function decrypt_aes (
ciphertext,
pass,
mode = encryption_mode_cbc_256,
rethrow = false
) {
try {
let buf = Buffer.from (ciphertext, 'base64');
const salt = buf.slice (0, mode.salt_size);
buf = buf.slice (mode.salt_size);
// eslint-disable-next-line no-sync
const key = crypto.pbkdf2Sync (
Buffer.from (pass),
salt,
mode.iterations,
mode.key_size,
mode.hash
);
const nonce = buf.slice (0, mode.nonce_size);
buf = buf.slice (mode.nonce_size);
const cipher = crypto.createDecipheriv (mode.algorithm, key, nonce);
return Buffer.concat ([
cipher.update (buf),
cipher.final ()
])
.toString ();
}
catch (e) {
if (rethrow)
throw e;
}
return null;
}
module.exports = {
decrypt_aes,
encrypt_aes,
encryption_mode_cbc_128,
encryption_mode_cbc_256,
encryption_mode_cbc_256_quick
};

34
lib/hashing.js Normal file
View File

@ -0,0 +1,34 @@
'use strict';
const crypto = require ('crypto');
/**
* creates a sha256 hash
*
* @param {any} data input
* @returns {string} hash
*/
function checksum (data) {
const md = crypto.createHash ('sha256');
md.update (String (data));
return md.digest ('hex');
}
/**
* creates a sha512 hash
*
* @param {string} str string input
* @param {string} salt salt
* @returns {string} salt
*/
function hash_sha512 (str, salt) {
const md = crypto.createHash ('sha512');
md.update (str);
md.update (salt);
return md.digest ('hex');
}
module.exports = {
hash_sha512,
checksum
};

46
lib/random.js Normal file
View File

@ -0,0 +1,46 @@
'use strict';
const crypto = require ('crypto');
/**
* creates a random string
*
* @param {number} len string length default: 8
* @returns {string} random string
*/
function random_string (len = 8) {
if (len < 1)
throw new Error ('invalid length');
return crypto.randomBytes (Math.ceil (len * 3 / 4))
.toString ('base64')
.substr (0, len);
}
/**
* creates a random hexadecimal string
*
* @param {number} len length
* @returns {string} hex string
*/
function random_hex (len = 8) {
if (len < 1)
throw new Error ('invalid length');
return crypto.randomBytes (Math.ceil (len / 2))
.toString ('hex')
.substr (0, len);
}
/**
* creates a 64 character long random hex string
*
* @returns {string} salt
*/
function create_salt () {
return random_hex (64);
}
module.exports = {
create_salt,
random_hex,
random_string
};

98
lib/rsa.js Normal file
View File

@ -0,0 +1,98 @@
'use strict';
const crypto = require ('crypto');
/**
* generate a new rsa keypair
*
* @param {number} length the key length in bit. default: 2048
* @returns {Promise<{public_key: string, private_key: string}>} generated keys
*/
async function generate_keypair (length = 2048) {
const key = await new Promise (
(res, rej) => crypto.generateKeyPair (
'rsa',
{
modulusLength: length,
publicKeyEncoding: {
type: 'pkcs1',
format: 'pem'
},
privateKeyEncoding: {
type: 'pkcs8',
format: 'pem'
}
},
(err, public_key, private_key) => {
if (err)
rej (err);
res ({ public_key, private_key });
}
)
);
return key;
}
/**
* encrypts data using a public key
* it can only be decrypted with the corresponding private key
*
* @param {string} data data to encrypt
* @param {string} public_key public key
* @returns {string} encrypted data
*/
function asym_encrypt (data, public_key) {
return crypto.publicEncrypt (public_key, Buffer.from (data))
.toString ('base64');
}
/**
* decrypts data using a private key
*
* @param {string} data data to decrypt
* @param {string} private_key private key
* @returns {string} decrypted data
*/
function asym_decrypt (data, private_key) {
return crypto.privateDecrypt (private_key, Buffer.from (data, 'base64'))
.toString ();
}
/**
* creates a signature using a private key
* can later be verified using the corresponding public key
*
* @param {string} data data to sign
* @param {string} private_key private key
* @returns {string} signature
*/
function asym_sign (data, private_key) {
const sign = crypto.createSign ('sha256');
sign.write (data);
sign.end ();
return sign.sign (private_key, 'hex');
}
/**
* verifies a signature using a public key
*
* @param {string} data data to verify
* @param {string} public_key public key
* @param {string} signature signature to verify
* @returns {boolean} true if signature is valid
*/
function asym_verify (data, public_key, signature) {
const verify = crypto.createVerify ('sha256');
verify.write (data);
verify.end ();
return verify.verify (public_key, signature, 'hex');
}
module.exports = {
generate_keypair,
asym_encrypt,
asym_decrypt,
asym_sign,
asym_verify
};

126
lib/signatures.js Normal file
View File

@ -0,0 +1,126 @@
'use strict';
const encoding = require ('@sapphirecode/encoding-helper');
const { hash_sha512 } = require ('./hashing');
const { asym_sign, asym_verify } = require ('./rsa');
/**
* sign an object
*
* @param {any} obj object to sign
* @param {string} key key to use
* @param {string|Object} key_info key identifier
* @returns {string} signed object
*/
function sign_object (obj, key, key_info = null) {
const payload = {
iat: Date.now (),
obj,
...(typeof key_info === 'object' ? key_info : { key_info })
};
const str = encoding.to_b58 (JSON.stringify (payload));
const is_rsa = (/^-----BEGIN PRIVATE KEY-----/u).test (key);
const signature = is_rsa ? asym_sign (str, key) : hash_sha512 (str, key);
const token = encoding.to_b58 (signature, 'hex');
const res = `${str}.${token}.2`;
return res;
}
function parse_signature (str, key = null) {
let dec = str.split ('.');
const version = dec[2];
const res = {};
switch (version) {
case '2':
res.json = JSON.parse (encoding.to_utf8 (dec[0], 'base58'));
res.token = encoding.to_hex (dec[1], 'base58');
break;
default:
dec = decodeURIComponent (str)
.split ('.');
res.json = JSON.parse (
encoding.to_utf8 (dec[0], 'base64')
);
res.token = encoding.to_hex (dec[1], 'base64');
break;
}
if (key !== null) {
const string_key = typeof key === 'string' ? key : key (res.json);
res.is_rsa = (/^-----BEGIN RSA PUBLIC KEY-----/u).test (string_key);
res.hash = res.is_rsa
? asym_verify (dec[0], string_key, res.token)
: hash_sha512 (dec[0], string_key);
}
return res;
}
/**
* verify a signed object and return its info and contents
*
* @param {string} str string to verify
* @param {string|(Object)=>string} key used key
* @param {number|(Object)=>number} timeout timeout (optional)
* @returns {any} returns object if successful, else null
*/
function verify_signature_get_info (str, key, timeout = 0) {
if (typeof str !== 'string')
return null;
const { json, token, hash, is_rsa } = parse_signature (str, key);
if (is_rsa ? !hash : (token !== hash))
return null;
const time = Date.now () - json.iat;
const num_timeout = typeof timeout === 'number' ? timeout : timeout (json);
if (num_timeout === 0 || time <= num_timeout)
return json;
return null;
}
/**
* verify a signed object and return its contents
*
* @param {string} str string to verify
* @param {string|(Object)=>string} key used key
* @param {number|(Object)=>number} timeout timeout (optional)
* @returns {any} returns object if successful, else null
*/
function verify_signature (str, key, timeout = 0) {
const res = verify_signature_get_info (str, key, timeout);
if (res === null)
return null;
return res.obj;
}
/**
* get a signed object info and data
*
* @param {string} str string to decode
* @returns {any} data
*/
function get_signature_info (str) {
if (typeof str !== 'string')
return null;
const { json } = parse_signature (str);
return json;
}
/**
* decode a signed object without verifying the signature
*
* @param {string} str string to decode
* @returns {any} object
*/
function decode_signed (str) {
const info = get_signature_info (str);
if (info)
return info.obj;
return null;
}
module.exports = {
decode_signed,
get_signature_info,
sign_object,
verify_signature,
verify_signature_get_info
};