coolaj86
/
oauth3.js
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

changed crypto functions to not directly use WebCrypto

This commit is contained in:
tigerbot 2017-03-20 17:41:20 -06:00
parent 01580dd6b3
commit 695df45a1d
3 changed files with 32 additions and 65 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
browserify/crypto.fallback.js
View File

@ -15,13 +15,13 @@
return pbkdf2.pbkdf2Sync(password, Buffer(salt), 8192, 16, 'sha256'); return pbkdf2.pbkdf2Sync(password, Buffer(salt), 8192, 16, 'sha256');
} }
function encrypt(key, data, iv) { function encrypt(key, iv, data) {
var cipher = aes.createCipheriv('aes-128-gcm', Buffer(key), Buffer(iv)); var cipher = aes.createCipheriv('aes-128-gcm', Buffer(key), Buffer(iv));
return Buffer.concat([cipher.update(Buffer(data)), cipher.final(), cipher.getAuthTag()]); return Buffer.concat([cipher.update(Buffer(data)), cipher.final(), cipher.getAuthTag()]);
} }
function decrypt(key, data, iv) { function decrypt(key, iv, data) {
var decipher = aes.createDecipheriv('aes-128-gcm', Buffer(key), Buffer(iv)); var decipher = aes.createDecipheriv('aes-128-gcm', Buffer(key), Buffer(iv));
decipher.setAuthTag(Buffer(data.slice(-16))); decipher.setAuthTag(Buffer(data.slice(-16)));

81
oauth3.crypto.js
View File

@ -39,13 +39,13 @@
}); });
}; };
webCrypto.encrypt = function (rawKey, data, iv) { webCrypto.encrypt = function (rawKey, iv, data) {
return crypto.subtle.importKey('raw', rawKey, {name: 'AES-GCM'}, false, ['encrypt']) return crypto.subtle.importKey('raw', rawKey, {name: 'AES-GCM'}, false, ['encrypt'])
.then(function (key) { .then(function (key) {
return crypto.subtle.encrypt({name: 'AES-GCM', iv: iv}, key, data); return crypto.subtle.encrypt({name: 'AES-GCM', iv: iv}, key, data);
}); });
}; };
webCrypto.decrypt = function (rawKey, data, iv) { webCrypto.decrypt = function (rawKey, iv, data) {
return crypto.subtle.importKey('raw', rawKey, {name: 'AES-GCM'}, false, ['decrypt']) return crypto.subtle.importKey('raw', rawKey, {name: 'AES-GCM'}, false, ['decrypt'])
.then(function (key) { .then(function (key) {
return crypto.subtle.decrypt({name: 'AES-GCM', iv: iv}, key, data); return crypto.subtle.decrypt({name: 'AES-GCM', iv: iv}, key, data);
@ -131,10 +131,10 @@
return webCrypto.pbkdf2('password', zeroBuf); return webCrypto.pbkdf2('password', zeroBuf);
}); });
checkResult('encrypt', OAUTH3._base64.bufferToUrlSafe(encBuf), function () { checkResult('encrypt', OAUTH3._base64.bufferToUrlSafe(encBuf), function () {
return webCrypto.encrypt(keyBuf, dataBuf, zeroBuf.slice(0, 12)); return webCrypto.encrypt(keyBuf, zeroBuf.slice(0, 12), dataBuf);
}); });
checkResult('decrypt', OAUTH3._base64.bufferToUrlSafe(dataBuf), function () { checkResult('decrypt', OAUTH3._base64.bufferToUrlSafe(dataBuf), function () {
return webCrypto.decrypt(keyBuf, encBuf, zeroBuf.slice(0, 12)); return webCrypto.decrypt(keyBuf, zeroBuf.slice(0, 12), encBuf);
}); });
var jwk = { var jwk = {
@ -158,7 +158,7 @@
} }
checkWebCrypto(); checkWebCrypto();
OAUTH3.crypto.fingerprintJWK = function (jwk) { OAUTH3.crypto.thumbprintJwk = function (jwk) {
var keys; var keys;
if (jwk.kty === 'EC') { if (jwk.kty === 'EC') {
keys = ['crv', 'x', 'y']; keys = ['crv', 'x', 'y'];
@ -178,55 +178,33 @@
} }
var jwkStr = '{' + keys.map(function (name) { return name+':'+jwk[name]; }).join(',') + '}'; var jwkStr = '{' + keys.map(function (name) { return name+':'+jwk[name]; }).join(',') + '}';
return window.crypto.subtle.digest({name: 'SHA-256'}, OAUTH3._binStr.binStrToBuffer(jwkStr)) return OAUTH3.crypto.core.sha256(OAUTH3._binStr.binStrToBuffer(jwkStr))
.then(OAUTH3._base64.bufferToUrlSafe); .then(OAUTH3._base64.bufferToUrlSafe);
}; };
OAUTH3.crypto._createKey = function (ppid) { OAUTH3.crypto._createKey = function (ppid) {
var kekPromise, ecdsaPromise, secretPromise; var kekPromise, ecdsaPromise;
var salt = window.crypto.getRandomValues(new Uint8Array(16)); var salt = window.crypto.getRandomValues(new Uint8Array(16));
kekPromise = window.crypto.subtle.importKey('raw', OAUTH3._binStr.binStrToBuffer(ppid), {name: 'PBKDF2'}, false, ['deriveKey']) kekPromise = OAUTH3.crypto.core.pbkdf2(ppid, salt);
.then(function (key) {
var opts = {name: 'PBKDF2', salt: salt, iterations: 8192, hash: {name: 'SHA-256'}};
return window.crypto.subtle.deriveKey(opts, key, {name: 'AES-GCM', length: 128}, false, ['encrypt']);
});
ecdsaPromise = window.crypto.subtle.generateKey({name: 'ECDSA', namedCurve: 'P-256'}, true, ['sign', 'verify']) ecdsaPromise = OAUTH3.crypto.core.genEcdsaKeyPair()
.then(function (keyPair) { .then(function (keyPair) {
function tweakJWK(jwk) { return OAUTH3.crypto.thumbprintJwk(keyPair.publicKey).then(function (kid) {
return OAUTH3.crypto.fingerprintJWK(jwk).then(function (kid) { keyPair.privateKey.alg = keyPair.publicKey.alg = 'ES256';
delete jwk.ext; keyPair.privateKey.kid = keyPair.publicKey.kid = kid;
jwk.alg = 'ES256'; return keyPair;
jwk.kid = kid;
return jwk;
});
}
return OAUTH3.PromiseA.all([
window.crypto.subtle.exportKey('jwk', keyPair.privateKey).then(tweakJWK)
, window.crypto.subtle.exportKey('jwk', keyPair.publicKey).then(tweakJWK)
]).then(function (jwkPair) {
return {
privateKey: jwkPair[0]
, publicKey: jwkPair[1]
};
}); });
}); });
secretPromise = window.crypto.subtle.generateKey({name: 'AES-GCM', length: 128}, true, ['encrypt', 'decrypt']) return OAUTH3.PromiseA.all([kekPromise, ecdsaPromise]).then(function (keys) {
.then(function (key) {
return window.crypto.subtle.exportKey('jwk', key);
});
return OAUTH3.PromiseA.all([kekPromise, ecdsaPromise, secretPromise]).then(function (keys) {
var ecdsaJwk = OAUTH3._binStr.binStrToBuffer(JSON.stringify(keys[1].privateKey));
var secretJwk = OAUTH3._binStr.binStrToBuffer(JSON.stringify(keys[2]));
var ecdsaIv = window.crypto.getRandomValues(new Uint8Array(12)); var ecdsaIv = window.crypto.getRandomValues(new Uint8Array(12));
var secretIv = window.crypto.getRandomValues(new Uint8Array(12)); var secretIv = window.crypto.getRandomValues(new Uint8Array(12));
var userSecret = window.crypto.getRandomValues(new Uint8Array(16));
return OAUTH3.PromiseA.all([ return OAUTH3.PromiseA.all([
window.crypto.subtle.encrypt({name: 'AES-GCM', iv: ecdsaIv}, keys[0], ecdsaJwk) OAUTH3.crypto.core.encrypt(keys[0], ecdsaIv, OAUTH3._binStr.binStrToBuffer(JSON.stringify(keys[1].privateKey)))
, window.crypto.subtle.encrypt({name: 'AES-GCM', iv: secretIv}, keys[0], secretJwk) , OAUTH3.crypto.core.encrypt(keys[0], secretIv, userSecret)
]) ])
.then(function (encrypted) { .then(function (encrypted) {
return { return {
@ -246,28 +224,16 @@
var encJwk = OAUTH3._base64.urlSafeToBuffer(storedObj.privateKey); var encJwk = OAUTH3._base64.urlSafeToBuffer(storedObj.privateKey);
var iv = OAUTH3._base64.urlSafeToBuffer(storedObj.ecdsaIv); var iv = OAUTH3._base64.urlSafeToBuffer(storedObj.ecdsaIv);
return window.crypto.subtle.importKey('raw', OAUTH3._binStr.binStrToBuffer(ppid), {name: 'PBKDF2'}, false, ['deriveKey']) return OAUTH3.crypto.core.pbkdf2(ppid, salt)
.then(function (key) { .then(function (key) {
var opts = {name: 'PBKDF2', salt: salt, iterations: 8192, hash: {name: 'SHA-256'}}; return OAUTH3.crypto.core.decrypt(key, iv, encJwk);
return window.crypto.subtle.deriveKey(opts, key, {name: 'AES-GCM', length: 128}, false, ['decrypt']);
})
.then(function (key) {
return window.crypto.subtle.decrypt({name: 'AES-GCM', iv: iv}, key, encJwk);
}) })
.then(OAUTH3._binStr.bufferToBinStr) .then(OAUTH3._binStr.bufferToBinStr)
.then(JSON.parse) .then(JSON.parse);
.then(function (jwk) {
return window.crypto.subtle.importKey('jwk', jwk, {name: 'ECDSA', namedCurve: jwk.crv}, false, ['sign'])
.then(function (key) {
key.kid = jwk.kid;
key.alg = jwk.alg;
return key;
});
});
}; };
OAUTH3.crypto._getKey = function (ppid) { OAUTH3.crypto._getKey = function (ppid) {
return window.crypto.subtle.digest({name: 'SHA-256'}, OAUTH3._binStr.binStrToBuffer(ppid)) return OAUTH3.crypto.core.sha256(OAUTH3._binStr.binStrToBuffer(ppid))
.then(function (hash) { .then(function (hash) {
var name = 'kek-' + OAUTH3._base64.bufferToUrlSafe(hash); var name = 'kek-' + OAUTH3._base64.bufferToUrlSafe(hash);
var promise; var promise;
@ -295,9 +261,10 @@
, OAUTH3._base64.encodeUrlSafe(JSON.stringify(payload, null)) , OAUTH3._base64.encodeUrlSafe(JSON.stringify(payload, null))
].join('.'); ].join('.');
return window.crypto.subtle.sign({name: 'ECDSA', hash: {name: 'SHA-256'}}, key, OAUTH3._binStr.binStrToBuffer(input)) return OAUTH3.crypto.core.sign(key, OAUTH3._binStr.binStrToBuffer(input))
.then(OAUTH3._base64.bufferToUrlSafe)
.then(function (signature) { .then(function (signature) {
return input + '.' + OAUTH3._base64.bufferToUrlSafe(signature); return input + '.' + signature;
}); });
}); });
}; };

2
package.json
View File

@ -2,7 +2,7 @@
"name": "oauth3", "name": "oauth3",
"respository": { "respository": {
"type": "git", "type": "git",
"url": "git+ssh://git@git.daplie.com:Daplie/oauth3.js.git" "url": "git+ssh://git@git.daplie.com:OAuth3/oauth3.js.git"
}, },
"scripts": { "scripts": {
"install": "./node_modules/.bin/gulp" "install": "./node_modules/.bin/gulp"