changed crypto functions to not directly use WebCrypto

This commit is contained in:
tigerbot 2017-03-20 17:41:20 -06:00
parent 01580dd6b3
commit 695df45a1d
3 changed files with 32 additions and 65 deletions

View File

@ -15,13 +15,13 @@
return pbkdf2.pbkdf2Sync(password, Buffer(salt), 8192, 16, 'sha256');
}
function encrypt(key, data, iv) {
function encrypt(key, iv, data) {
var cipher = aes.createCipheriv('aes-128-gcm', Buffer(key), Buffer(iv));
return Buffer.concat([cipher.update(Buffer(data)), cipher.final(), cipher.getAuthTag()]);
}
function decrypt(key, data, iv) {
function decrypt(key, iv, data) {
var decipher = aes.createDecipheriv('aes-128-gcm', Buffer(key), Buffer(iv));
decipher.setAuthTag(Buffer(data.slice(-16)));

View File

@ -39,13 +39,13 @@
});
};
webCrypto.encrypt = function (rawKey, data, iv) {
webCrypto.encrypt = function (rawKey, iv, data) {
return crypto.subtle.importKey('raw', rawKey, {name: 'AES-GCM'}, false, ['encrypt'])
.then(function (key) {
return crypto.subtle.encrypt({name: 'AES-GCM', iv: iv}, key, data);
});
};
webCrypto.decrypt = function (rawKey, data, iv) {
webCrypto.decrypt = function (rawKey, iv, data) {
return crypto.subtle.importKey('raw', rawKey, {name: 'AES-GCM'}, false, ['decrypt'])
.then(function (key) {
return crypto.subtle.decrypt({name: 'AES-GCM', iv: iv}, key, data);
@ -131,10 +131,10 @@
return webCrypto.pbkdf2('password', zeroBuf);
});
checkResult('encrypt', OAUTH3._base64.bufferToUrlSafe(encBuf), function () {
return webCrypto.encrypt(keyBuf, dataBuf, zeroBuf.slice(0, 12));
return webCrypto.encrypt(keyBuf, zeroBuf.slice(0, 12), dataBuf);
});
checkResult('decrypt', OAUTH3._base64.bufferToUrlSafe(dataBuf), function () {
return webCrypto.decrypt(keyBuf, encBuf, zeroBuf.slice(0, 12));
return webCrypto.decrypt(keyBuf, zeroBuf.slice(0, 12), encBuf);
});
var jwk = {
@ -158,7 +158,7 @@
}
checkWebCrypto();
OAUTH3.crypto.fingerprintJWK = function (jwk) {
OAUTH3.crypto.thumbprintJwk = function (jwk) {
var keys;
if (jwk.kty === 'EC') {
keys = ['crv', 'x', 'y'];
@ -178,55 +178,33 @@
}
var jwkStr = '{' + keys.map(function (name) { return name+':'+jwk[name]; }).join(',') + '}';
return window.crypto.subtle.digest({name: 'SHA-256'}, OAUTH3._binStr.binStrToBuffer(jwkStr))
.then(OAUTH3._base64.bufferToUrlSafe);
return OAUTH3.crypto.core.sha256(OAUTH3._binStr.binStrToBuffer(jwkStr))
.then(OAUTH3._base64.bufferToUrlSafe);
};
OAUTH3.crypto._createKey = function (ppid) {
var kekPromise, ecdsaPromise, secretPromise;
var kekPromise, ecdsaPromise;
var salt = window.crypto.getRandomValues(new Uint8Array(16));
kekPromise = window.crypto.subtle.importKey('raw', OAUTH3._binStr.binStrToBuffer(ppid), {name: 'PBKDF2'}, false, ['deriveKey'])
.then(function (key) {
var opts = {name: 'PBKDF2', salt: salt, iterations: 8192, hash: {name: 'SHA-256'}};
return window.crypto.subtle.deriveKey(opts, key, {name: 'AES-GCM', length: 128}, false, ['encrypt']);
});
kekPromise = OAUTH3.crypto.core.pbkdf2(ppid, salt);
ecdsaPromise = window.crypto.subtle.generateKey({name: 'ECDSA', namedCurve: 'P-256'}, true, ['sign', 'verify'])
ecdsaPromise = OAUTH3.crypto.core.genEcdsaKeyPair()
.then(function (keyPair) {
function tweakJWK(jwk) {
return OAUTH3.crypto.fingerprintJWK(jwk).then(function (kid) {
delete jwk.ext;
jwk.alg = 'ES256';
jwk.kid = kid;
return jwk;
});
}
return OAUTH3.PromiseA.all([
window.crypto.subtle.exportKey('jwk', keyPair.privateKey).then(tweakJWK)
, window.crypto.subtle.exportKey('jwk', keyPair.publicKey).then(tweakJWK)
]).then(function (jwkPair) {
return {
privateKey: jwkPair[0]
, publicKey: jwkPair[1]
};
return OAUTH3.crypto.thumbprintJwk(keyPair.publicKey).then(function (kid) {
keyPair.privateKey.alg = keyPair.publicKey.alg = 'ES256';
keyPair.privateKey.kid = keyPair.publicKey.kid = kid;
return keyPair;
});
});
secretPromise = window.crypto.subtle.generateKey({name: 'AES-GCM', length: 128}, true, ['encrypt', 'decrypt'])
.then(function (key) {
return window.crypto.subtle.exportKey('jwk', key);
});
return OAUTH3.PromiseA.all([kekPromise, ecdsaPromise, secretPromise]).then(function (keys) {
var ecdsaJwk = OAUTH3._binStr.binStrToBuffer(JSON.stringify(keys[1].privateKey));
var secretJwk = OAUTH3._binStr.binStrToBuffer(JSON.stringify(keys[2]));
return OAUTH3.PromiseA.all([kekPromise, ecdsaPromise]).then(function (keys) {
var ecdsaIv = window.crypto.getRandomValues(new Uint8Array(12));
var secretIv = window.crypto.getRandomValues(new Uint8Array(12));
var userSecret = window.crypto.getRandomValues(new Uint8Array(16));
return OAUTH3.PromiseA.all([
window.crypto.subtle.encrypt({name: 'AES-GCM', iv: ecdsaIv}, keys[0], ecdsaJwk)
, window.crypto.subtle.encrypt({name: 'AES-GCM', iv: secretIv}, keys[0], secretJwk)
OAUTH3.crypto.core.encrypt(keys[0], ecdsaIv, OAUTH3._binStr.binStrToBuffer(JSON.stringify(keys[1].privateKey)))
, OAUTH3.crypto.core.encrypt(keys[0], secretIv, userSecret)
])
.then(function (encrypted) {
return {
@ -246,28 +224,16 @@
var encJwk = OAUTH3._base64.urlSafeToBuffer(storedObj.privateKey);
var iv = OAUTH3._base64.urlSafeToBuffer(storedObj.ecdsaIv);
return window.crypto.subtle.importKey('raw', OAUTH3._binStr.binStrToBuffer(ppid), {name: 'PBKDF2'}, false, ['deriveKey'])
.then(function (key) {
var opts = {name: 'PBKDF2', salt: salt, iterations: 8192, hash: {name: 'SHA-256'}};
return window.crypto.subtle.deriveKey(opts, key, {name: 'AES-GCM', length: 128}, false, ['decrypt']);
})
.then(function (key) {
return window.crypto.subtle.decrypt({name: 'AES-GCM', iv: iv}, key, encJwk);
})
.then(OAUTH3._binStr.bufferToBinStr)
.then(JSON.parse)
.then(function (jwk) {
return window.crypto.subtle.importKey('jwk', jwk, {name: 'ECDSA', namedCurve: jwk.crv}, false, ['sign'])
return OAUTH3.crypto.core.pbkdf2(ppid, salt)
.then(function (key) {
key.kid = jwk.kid;
key.alg = jwk.alg;
return key;
});
});
return OAUTH3.crypto.core.decrypt(key, iv, encJwk);
})
.then(OAUTH3._binStr.bufferToBinStr)
.then(JSON.parse);
};
OAUTH3.crypto._getKey = function (ppid) {
return window.crypto.subtle.digest({name: 'SHA-256'}, OAUTH3._binStr.binStrToBuffer(ppid))
return OAUTH3.crypto.core.sha256(OAUTH3._binStr.binStrToBuffer(ppid))
.then(function (hash) {
var name = 'kek-' + OAUTH3._base64.bufferToUrlSafe(hash);
var promise;
@ -295,10 +261,11 @@
, OAUTH3._base64.encodeUrlSafe(JSON.stringify(payload, null))
].join('.');
return window.crypto.subtle.sign({name: 'ECDSA', hash: {name: 'SHA-256'}}, key, OAUTH3._binStr.binStrToBuffer(input))
.then(function (signature) {
return input + '.' + OAUTH3._base64.bufferToUrlSafe(signature);
});
return OAUTH3.crypto.core.sign(key, OAUTH3._binStr.binStrToBuffer(input))
.then(OAUTH3._base64.bufferToUrlSafe)
.then(function (signature) {
return input + '.' + signature;
});
});
};

View File

@ -2,7 +2,7 @@
"name": "oauth3",
"respository": {
"type": "git",
"url": "git+ssh://git@git.daplie.com:Daplie/oauth3.js.git"
"url": "git+ssh://git@git.daplie.com:OAuth3/oauth3.js.git"
},
"scripts": {
"install": "./node_modules/.bin/gulp"