From bde3c2ca333c6b582c6275466d4f66cb6905a2a7 Mon Sep 17 00:00:00 2001 From: tigerbot Date: Mon, 13 Mar 2017 12:33:09 -0600 Subject: [PATCH] add an encrypted user secret key to the stored object --- oauth3.issuer.mock.js | 34 ++++++++++++++++++++++++---------- 1 file changed, 24 insertions(+), 10 deletions(-) diff --git a/oauth3.issuer.mock.js b/oauth3.issuer.mock.js index d59db8a..ea72fa7 100644 --- a/oauth3.issuer.mock.js +++ b/oauth3.issuer.mock.js @@ -49,13 +49,13 @@ }; OAUTH3.crypto._createKey = function (ppid) { - var kekPromise, ecdsaPromise; + var kekPromise, ecdsaPromise, secretPromise; var salt = window.crypto.getRandomValues(new Uint8Array(16)); kekPromise = window.crypto.subtle.importKey('raw', OAUTH3.utils.binaryStringToBuffer(ppid), {name: 'PBKDF2'}, false, ['deriveKey']) .then(function (key) { var opts = {name: 'PBKDF2', salt: salt, iterations: 8192, hash: {name: 'SHA-256'}}; - return window.crypto.subtle.deriveKey(opts, key, {name: 'AES-GCM', length: 256}, false, ['encrypt']); + return window.crypto.subtle.deriveKey(opts, key, {name: 'AES-GCM', length: 128}, false, ['encrypt']); }); ecdsaPromise = window.crypto.subtle.generateKey({name: 'ECDSA', namedCurve: 'P-256'}, true, ['sign', 'verify']) @@ -79,15 +79,29 @@ }); }); - return OAUTH3.PromiseA.all([kekPromise, ecdsaPromise]).then(function (keys) { - var jwkBuf = OAUTH3.utils.binaryStringToBuffer(JSON.stringify(keys[1].privateKey)); - var iv = window.crypto.getRandomValues(new Uint8Array(12)); - return window.crypto.subtle.encrypt({name: 'AES-GCM', iv: iv}, keys[0], jwkBuf).then(function (encrypted) { + secretPromise = window.crypto.subtle.generateKey({name: 'AES-GCM', length: 128}, true, ['encrypt', 'decrypt']) + .then(function (key) { + return window.crypto.subtle.exportKey('jwk', key); + }); + + return OAUTH3.PromiseA.all([kekPromise, ecdsaPromise, secretPromise]).then(function (keys) { + var ecdsaJwk = OAUTH3.utils.binaryStringToBuffer(JSON.stringify(keys[1].privateKey)); + var secretJwk = OAUTH3.utils.binaryStringToBuffer(JSON.stringify(keys[2])); + var ecdsaIv = window.crypto.getRandomValues(new Uint8Array(12)); + var secretIv = window.crypto.getRandomValues(new Uint8Array(12)); + + return OAUTH3.PromiseA.all([ + window.crypto.subtle.encrypt({name: 'AES-GCM', iv: ecdsaIv}, keys[0], ecdsaJwk) + , window.crypto.subtle.encrypt({name: 'AES-GCM', iv: secretIv}, keys[0], secretJwk) + ]) + .then(function (encrypted) { return { publicKey: keys[1].publicKey - , privateKey: OAUTH3._base64.btoa(OAUTH3.utils.bufferToBinaryString(encrypted)) + , privateKey: OAUTH3._base64.btoa(OAUTH3.utils.bufferToBinaryString(encrypted[0])) + , userSecret: OAUTH3._base64.btoa(OAUTH3.utils.bufferToBinaryString(encrypted[1])) , salt: OAUTH3._base64.btoa(OAUTH3.utils.bufferToBinaryString(salt)) - , iv: OAUTH3._base64.btoa(OAUTH3.utils.bufferToBinaryString(iv)) + , ecdsaIv: OAUTH3._base64.btoa(OAUTH3.utils.bufferToBinaryString(ecdsaIv)) + , secretIv: OAUTH3._base64.btoa(OAUTH3.utils.bufferToBinaryString(secretIv)) }; }); }); @@ -96,12 +110,12 @@ OAUTH3.crypto._decryptKey = function (ppid, storedObj) { var salt = OAUTH3.utils.binaryStringToBuffer(OAUTH3._base64.atob(storedObj.salt)); var encJwk = OAUTH3.utils.binaryStringToBuffer(OAUTH3._base64.atob(storedObj.privateKey)); - var iv = OAUTH3.utils.binaryStringToBuffer(OAUTH3._base64.atob(storedObj.iv)); + var iv = OAUTH3.utils.binaryStringToBuffer(OAUTH3._base64.atob(storedObj.ecdsaIv)); return window.crypto.subtle.importKey('raw', OAUTH3.utils.binaryStringToBuffer(ppid), {name: 'PBKDF2'}, false, ['deriveKey']) .then(function (key) { var opts = {name: 'PBKDF2', salt: salt, iterations: 8192, hash: {name: 'SHA-256'}}; - return window.crypto.subtle.deriveKey(opts, key, {name: 'AES-GCM', length: 256}, false, ['decrypt']); + return window.crypto.subtle.deriveKey(opts, key, {name: 'AES-GCM', length: 128}, false, ['decrypt']); }) .then(function (key) { return window.crypto.subtle.decrypt({name: 'AES-GCM', iv: iv}, key, encJwk);