Upstream/bitwarden-browser
1
0
Fork 0
mirror of https://github.com/bitwarden/browser.git synced 2024-10-10 06:08:34 +02:00
Code Issues Projects Releases Wiki Activity
2e2998bb8b
bitwarden-browser/src/app/services/cryptoService.js

540 lines
18 KiB
JavaScript
Raw Normal View History

initial commit of source
2015-12-09 04:35:05 +01:00
angular
.module('bit.services')
promisify makekeypair and generate keys on login
2017-04-14 00:18:32 +02:00
.factory('cryptoService', function ($sessionStorage, constants, $q) {
initial commit of source
2015-12-09 04:35:05 +01:00
var _service = {},
_key,
crypto adjustments for new account enc key
2017-05-31 16:25:25 +02:00
_encKey,
handle legacy encrypt-then-mac scheme
2017-04-19 22:45:16 +02:00
_legacyEtmKey,
wrap key into new CryptoKey object
2017-04-19 04:28:49 +02:00
_orgKeys,
share login modal
2017-02-28 06:18:11 +01:00
_privateKey,
wrap key into new CryptoKey object
2017-04-19 04:28:49 +02:00
_publicKey;
initial commit of source
2015-12-09 04:35:05 +01:00
_service.setKey = function (key) {
_key = key;
wrap key into new CryptoKey object
2017-04-19 04:28:49 +02:00
$sessionStorage.key = _key.keyB64;
initial commit of source
2015-12-09 04:35:05 +01:00
};
change password with new enc key
2017-05-31 18:21:06 +02:00
_service.setEncKey = function (encKey, key, alreadyDecrypted) {
if (alreadyDecrypted) {
_encKey = encKey;
$sessionStorage.encKey = _encKey.keyB64;
return;
}
crypto adjustments for new account enc key
2017-05-31 16:25:25 +02:00
try {
change password with new enc key
2017-05-31 18:21:06 +02:00
var encKeyBytes = _service.decrypt(encKey, key, 'raw');
crypto adjustments for new account enc key
2017-05-31 16:25:25 +02:00
$sessionStorage.encKey = forge.util.encode64(encKeyBytes);
_encKey = new SymmetricCryptoKey(encKeyBytes);
}
catch (e) {
console.log('Cannot set enc key. Decryption failed.');
}
};
set private key when logging in
2017-02-21 06:29:15 +01:00
_service.setPrivateKey = function (privateKeyCt, key) {
try {
Set private key from asn1 on initial set
2017-03-10 02:59:10 +01:00
var privateKeyBytes = _service.decrypt(privateKeyCt, key, 'raw');
$sessionStorage.privateKey = forge.util.encode64(privateKeyBytes);
resolve lint errors
2017-03-22 04:07:38 +01:00
_privateKey = forge.pki.privateKeyFromAsn1(forge.asn1.fromDer(privateKeyBytes));
set private key when logging in
2017-02-21 06:29:15 +01:00
}
catch (e) {
console.log('Cannot set private key. Decryption failed.');
}
updates to cryptoService for rsa keypairs
2017-02-21 04:21:14 +01:00
};
org keys and optimized org profile load for sidenav
2017-03-07 05:54:06 +01:00
_service.setOrgKeys = function (orgKeysCt, privateKey) {
share profile promise result when called at same time
2017-03-28 04:22:56 +02:00
if (!orgKeysCt || Object.keys(orgKeysCt).length === 0) {
org keys and optimized org profile load for sidenav
2017-03-07 05:54:06 +01:00
return;
}
subvault list UI updates
2017-04-02 04:17:28 +02:00
_service.clearOrgKeys();
org keys and optimized org profile load for sidenav
2017-03-07 05:54:06 +01:00
var orgKeysb64 = {},
user vault associations
2017-03-14 03:54:57 +01:00
_orgKeys = {},
setKey = false;
access control on orgs pages
2017-03-28 03:55:39 +02:00
for (var orgId in orgKeysCt) {
if (orgKeysCt.hasOwnProperty(orgId)) {
try {
cleanup crypto API
2017-04-19 15:27:38 +02:00
var decBytes = _service.rsaDecrypt(orgKeysCt[orgId].key, privateKey);
rename CryptoKey to SymmetricCryptoKey
2017-04-22 20:39:40 +02:00
var decKey = new SymmetricCryptoKey(decBytes);
cleanup crypto API
2017-04-19 15:27:38 +02:00
_orgKeys[orgId] = decKey;
orgKeysb64[orgId] = decKey.keyB64;
access control on orgs pages
2017-03-28 03:55:39 +02:00
setKey = true;
}
catch (e) {
generate enc key on registration
2017-05-31 17:05:52 +02:00
console.log('Cannot set org key for ' + orgId + '. Decryption failed.');
access control on orgs pages
2017-03-28 03:55:39 +02:00
}
org keys and optimized org profile load for sidenav
2017-03-07 05:54:06 +01:00
}
}
user vault associations
2017-03-14 03:54:57 +01:00
if (setKey) {
$sessionStorage.orgKeys = orgKeysb64;
}
else {
_orgKeys = null;
}
add new org to profile
2017-03-12 02:46:33 +01:00
};
resolve lint errors
2017-04-03 15:30:21 +02:00
_service.addOrgKey = function (orgId, encOrgKey, privateKey) {
add new org to profile
2017-03-12 02:46:33 +01:00
_orgKeys = _service.getOrgKeys();
if (!_orgKeys) {
_orgKeys = {};
}
var orgKeysb64 = $sessionStorage.orgKeys;
if (!orgKeysb64) {
orgKeysb64 = {};
}
try {
cleanup crypto API
2017-04-19 15:27:38 +02:00
var decBytes = _service.rsaDecrypt(encOrgKey, privateKey);
rename CryptoKey to SymmetricCryptoKey
2017-04-22 20:39:40 +02:00
var decKey = new SymmetricCryptoKey(decBytes);
cleanup crypto API
2017-04-19 15:27:38 +02:00
_orgKeys[orgId] = decKey;
orgKeysb64[orgId] = decKey.keyB64;
add new org to profile
2017-03-12 02:46:33 +01:00
}
catch (e) {
user vault associations
2017-03-14 03:54:57 +01:00
_orgKeys = null;
add new org to profile
2017-03-12 02:46:33 +01:00
console.log('Cannot set org key. Decryption failed.');
}
org keys and optimized org profile load for sidenav
2017-03-07 05:54:06 +01:00
$sessionStorage.orgKeys = orgKeysb64;
};
wrap key into new CryptoKey object
2017-04-19 04:28:49 +02:00
_service.getKey = function () {
if (!_key && $sessionStorage.key) {
rename CryptoKey to SymmetricCryptoKey
2017-04-22 20:39:40 +02:00
_key = new SymmetricCryptoKey($sessionStorage.key, true);
initial commit of source
2015-12-09 04:35:05 +01:00
}
wrap key into new CryptoKey object
2017-04-19 04:28:49 +02:00
if (!_key) {
throw 'key unavailable';
initial commit of source
2015-12-09 04:35:05 +01:00
}
return _key;
};
crypto adjustments for new account enc key
2017-05-31 16:25:25 +02:00
_service.getEncKey = function () {
if (!_encKey && $sessionStorage.encKey) {
_encKey = new SymmetricCryptoKey($sessionStorage.encKey, true);
}
return _encKey;
};
change email/password adjustments
2017-04-17 20:53:26 +02:00
_service.getPrivateKey = function (outputEncoding) {
outputEncoding = outputEncoding || 'native';
updates to cryptoService for rsa keypairs
2017-02-21 04:21:14 +01:00
if (_privateKey) {
change email/password adjustments
2017-04-17 20:53:26 +02:00
if (outputEncoding === 'raw') {
var privateKeyAsn1 = forge.pki.privateKeyToAsn1(_privateKey);
var privateKeyPkcs8 = forge.pki.wrapRsaPrivateKey(privateKeyAsn1);
return forge.asn1.toDer(privateKeyPkcs8).getBytes();
}
updates to cryptoService for rsa keypairs
2017-02-21 04:21:14 +01:00
return _privateKey;
}
if ($sessionStorage.privateKey) {
share login modal
2017-02-28 06:18:11 +01:00
var privateKeyBytes = forge.util.decode64($sessionStorage.privateKey);
_privateKey = forge.pki.privateKeyFromAsn1(forge.asn1.fromDer(privateKeyBytes));
change email/password adjustments
2017-04-17 20:53:26 +02:00
if (outputEncoding === 'raw') {
return privateKeyBytes;
}
updates to cryptoService for rsa keypairs
2017-02-21 04:21:14 +01:00
}
return _privateKey;
};
share login modal
2017-02-28 06:18:11 +01:00
_service.getPublicKey = function () {
if (_publicKey) {
return _publicKey;
}
var privateKey = _service.getPrivateKey();
if (!privateKey) {
return null;
}
_publicKey = forge.pki.setRsaPublicKey(privateKey.n, privateKey.e);
return _publicKey;
};
org keys and optimized org profile load for sidenav
2017-03-07 05:54:06 +01:00
_service.getOrgKeys = function () {
if (_orgKeys) {
return _orgKeys;
}
if ($sessionStorage.orgKeys) {
org key fixes
2017-03-10 04:28:14 +01:00
var orgKeys = {},
setKey = false;
org keys and optimized org profile load for sidenav
2017-03-07 05:54:06 +01:00
for (var orgId in $sessionStorage.orgKeys) {
if ($sessionStorage.orgKeys.hasOwnProperty(orgId)) {
rename CryptoKey to SymmetricCryptoKey
2017-04-22 20:39:40 +02:00
orgKeys[orgId] = new SymmetricCryptoKey($sessionStorage.orgKeys[orgId], true);
org key fixes
2017-03-10 04:28:14 +01:00
setKey = true;
org keys and optimized org profile load for sidenav
2017-03-07 05:54:06 +01:00
}
}
org key fixes
2017-03-10 04:28:14 +01:00
if (setKey) {
_orgKeys = orgKeys;
}
org keys and optimized org profile load for sidenav
2017-03-07 05:54:06 +01:00
}
return _orgKeys;
};
_service.getOrgKey = function (orgId) {
var orgKeys = _service.getOrgKeys();
if (!orgKeys || !(orgId in orgKeys)) {
return null;
}
return orgKeys[orgId];
resolve lint errors
2017-03-22 04:07:38 +01:00
};
org keys and optimized org profile load for sidenav
2017-03-07 05:54:06 +01:00
initial commit of source
2015-12-09 04:35:05 +01:00
_service.clearKey = function () {
wrap key into new CryptoKey object
2017-04-19 04:28:49 +02:00
_key = null;
handle legacy encrypt-then-mac scheme
2017-04-19 22:45:16 +02:00
_legacyEtmKey = null;
initial commit of source
2015-12-09 04:35:05 +01:00
delete $sessionStorage.key;
};
crypto adjustments for new account enc key
2017-05-31 16:25:25 +02:00
_service.clearEncKey = function () {
_encKey = null;
delete $sessionStorage.encKey;
};
share login modal
2017-02-28 06:18:11 +01:00
_service.clearKeyPair = function () {
updates to cryptoService for rsa keypairs
2017-02-21 04:21:14 +01:00
_privateKey = null;
share login modal
2017-02-28 06:18:11 +01:00
_publicKey = null;
updates to cryptoService for rsa keypairs
2017-02-21 04:21:14 +01:00
delete $sessionStorage.privateKey;
};
org keys and optimized org profile load for sidenav
2017-03-07 05:54:06 +01:00
_service.clearOrgKeys = function () {
user vault associations
2017-03-14 03:54:57 +01:00
_orgKeys = null;
org keys and optimized org profile load for sidenav
2017-03-07 05:54:06 +01:00
delete $sessionStorage.orgKeys;
};
delete organization
2017-04-11 16:52:16 +02:00
_service.clearOrgKey = function (orgId) {
if (_orgKeys.hasOwnProperty(orgId)) {
delete _orgKeys[orgId];
}
if ($sessionStorage.orgKeys.hasOwnProperty(orgId)) {
delete $sessionStorage.orgKeys[orgId];
}
};
updates to cryptoService for rsa keypairs
2017-02-21 04:21:14 +01:00
_service.clearKeys = function () {
_service.clearKey();
crypto adjustments for new account enc key
2017-05-31 16:25:25 +02:00
_service.clearEncKey();
share login modal
2017-02-28 06:18:11 +01:00
_service.clearKeyPair();
org keys and optimized org profile load for sidenav
2017-03-07 05:54:06 +01:00
_service.clearOrgKeys();
updates to cryptoService for rsa keypairs
2017-02-21 04:21:14 +01:00
};
wrap key into new CryptoKey object
2017-04-19 04:28:49 +02:00
_service.makeKey = function (password, salt) {
var keyBytes = forge.pbkdf2(forge.util.encodeUtf8(password), forge.util.encodeUtf8(salt),
utf8 encode params for key derivation
2017-02-16 01:03:56 +01:00
5000, 256 / 8, 'sha256');
rename CryptoKey to SymmetricCryptoKey
2017-04-22 20:39:40 +02:00
return new SymmetricCryptoKey(keyBytes);
initial commit of source
2015-12-09 04:35:05 +01:00
};
generate enc key on registration
2017-05-31 17:05:52 +02:00
_service.makeEncKey = function (key) {
var encKey = forge.random.getBytesSync(512 / 8);
var encKeyEnc = _service.encrypt(encKey, key, 'raw');
return {
encKey: new SymmetricCryptoKey(encKey),
encKeyEnc: encKeyEnc
};
};
promisify makekeypair and generate keys on login
2017-04-14 00:18:32 +02:00
_service.makeKeyPair = function (key) {
var deferred = $q.defer();
primary worker for forge key generation
2017-05-16 02:58:16 +02:00
forge.pki.rsa.generateKeyPair({
bits: 2048,
workers: 2,
workerScript: '/lib/forge/prime.worker.min.js'
}, function (error, keypair) {
updates to cryptoService for rsa keypairs
2017-02-21 04:21:14 +01:00
if (error) {
promisify makekeypair and generate keys on login
2017-04-14 00:18:32 +02:00
deferred.reject(error);
updates to cryptoService for rsa keypairs
2017-02-21 04:21:14 +01:00
return;
}
serialize private key to pkcs8 format
2017-03-11 02:49:50 +01:00
var privateKeyAsn1 = forge.pki.privateKeyToAsn1(keypair.privateKey);
var privateKeyPkcs8 = forge.pki.wrapRsaPrivateKey(privateKeyAsn1);
var privateKeyBytes = forge.asn1.toDer(privateKeyPkcs8).getBytes();
promisify makekeypair and generate keys on login
2017-04-14 00:18:32 +02:00
var privateKeyEncCt = _service.encrypt(privateKeyBytes, key, 'raw');
updates to cryptoService for rsa keypairs
2017-02-21 04:21:14 +01:00
serialize private key to pkcs8 format
2017-03-11 02:49:50 +01:00
var publicKeyAsn1 = forge.pki.publicKeyToAsn1(keypair.publicKey);
var publicKeyBytes = forge.asn1.toDer(publicKeyAsn1).getBytes();
updates to cryptoService for rsa keypairs
2017-02-21 04:21:14 +01:00
promisify makekeypair and generate keys on login
2017-04-14 00:18:32 +02:00
deferred.resolve({
publicKey: forge.util.encode64(publicKeyBytes),
privateKeyEnc: privateKeyEncCt
});
updates to cryptoService for rsa keypairs
2017-02-21 04:21:14 +01:00
});
promisify makekeypair and generate keys on login
2017-04-14 00:18:32 +02:00
return deferred.promise;
updates to cryptoService for rsa keypairs
2017-02-21 04:21:14 +01:00
};
wrap key into new CryptoKey object
2017-04-19 04:28:49 +02:00
_service.makeShareKeyCt = function () {
return _service.rsaEncrypt(forge.random.getBytesSync(512 / 8));
share login modal
2017-02-28 06:18:11 +01:00
};
initial commit of source
2015-12-09 04:35:05 +01:00
_service.hashPassword = function (password, key) {
if (!key) {
key = _service.getKey();
}
if (!password || !key) {
throw 'Invalid parameters.';
}
wrap key into new CryptoKey object
2017-04-19 04:28:49 +02:00
var hashBits = forge.pbkdf2(key.key, forge.util.encodeUtf8(password), 1, 256 / 8, 'sha256');
replace sjcl cryptoservice implementation with forge
2017-02-11 19:03:48 +01:00
return forge.util.encode64(hashBits);
encrypt-then-mac support
2016-12-09 04:21:46 +01:00
};
set private key when logging in
2017-02-21 06:29:15 +01:00
_service.encrypt = function (plainValue, key, plainValueEncoding) {
crypto adjustments for new account enc key
2017-05-31 16:25:25 +02:00
key = key || _service.getEncKey() || _service.getKey();
initial commit of source
2015-12-09 04:35:05 +01:00
wrap key into new CryptoKey object
2017-04-19 04:28:49 +02:00
if (!key) {
throw 'Encryption key unavailable.';
initial commit of source
2015-12-09 04:35:05 +01:00
}
set private key when logging in
2017-02-21 06:29:15 +01:00
plainValueEncoding = plainValueEncoding || 'utf8';
var buffer = forge.util.createBuffer(plainValue, plainValueEncoding);
replace sjcl cryptoservice implementation with forge
2017-02-11 19:03:48 +01:00
var ivBytes = forge.random.getBytesSync(16);
wrap key into new CryptoKey object
2017-04-19 04:28:49 +02:00
var cipher = forge.cipher.createCipher('AES-CBC', key.encKey);
replace sjcl cryptoservice implementation with forge
2017-02-11 19:03:48 +01:00
cipher.start({ iv: ivBytes });
cipher.update(buffer);
cipher.finish();
initial commit of source
2015-12-09 04:35:05 +01:00
replace sjcl cryptoservice implementation with forge
2017-02-11 19:03:48 +01:00
var iv = forge.util.encode64(ivBytes);
var ctBytes = cipher.output.getBytes();
var ct = forge.util.encode64(ctBytes);
encrypt-then-mac support
2016-12-09 04:21:46 +01:00
var cipherString = iv + '|' + ct;
wrap key into new CryptoKey object
2017-04-19 04:28:49 +02:00
if (key.macKey) {
constant time equality for mac check on decrypt
2017-04-27 17:35:30 +02:00
var mac = computeMac(ctBytes, ivBytes, key.macKey, true);
encrypt-then-mac support
2016-12-09 04:21:46 +01:00
cipherString = cipherString + '|' + mac;
}
wrap key into new CryptoKey object
2017-04-19 04:28:49 +02:00
return key.encType + '.' + cipherString;
initial commit of source
2015-12-09 04:35:05 +01:00
};
share login modal
2017-02-28 06:18:11 +01:00
_service.rsaEncrypt = function (plainValue, publicKey) {
publicKey = publicKey || _service.getPublicKey();
if (!publicKey) {
throw 'Public key unavailable.';
}
org user invites and confirmation
2017-03-05 02:41:45 +01:00
if (typeof publicKey === 'string') {
var publicKeyBytes = forge.util.decode64(publicKey);
publicKey = forge.pki.publicKeyFromAsn1(forge.asn1.fromDer(publicKeyBytes));
}
share login modal
2017-02-28 06:18:11 +01:00
var encryptedBytes = publicKey.encrypt(plainValue, 'RSA-OAEP', {
Add support for OAEP SHA1 digest. Note that iOS does not support any other OAEP format, such as SHA256.
2017-04-21 19:46:07 +02:00
md: forge.md.sha1.create()
share login modal
2017-02-28 06:18:11 +01:00
});
wrap key into new CryptoKey object
2017-04-19 04:28:49 +02:00
Add support for OAEP SHA1 digest. Note that iOS does not support any other OAEP format, such as SHA256.
2017-04-21 19:46:07 +02:00
return constants.encType.Rsa2048_OaepSha1_B64 + '.' + forge.util.encode64(encryptedBytes);
lint fixes
2017-03-01 04:53:19 +01:00
};
share login modal
2017-02-28 06:18:11 +01:00
set private key when logging in
2017-02-21 06:29:15 +01:00
_service.decrypt = function (encValue, key, outputEncoding) {
crypto adjustments for new account enc key
2017-05-31 16:25:25 +02:00
key = key || _service.getEncKey() || _service.getKey();
wrap key into new CryptoKey object
2017-04-19 04:28:49 +02:00
added encType header to ciphers
2017-04-07 05:00:33 +02:00
var headerPieces = encValue.split('.'),
encType,
wrap key into new CryptoKey object
2017-04-19 04:28:49 +02:00
encPieces;
added encType header to ciphers
2017-04-07 05:00:33 +02:00
if (headerPieces.length === 2) {
try {
encType = parseInt(headerPieces[0]);
encPieces = headerPieces[1].split('|');
}
catch (e) {
return null;
}
}
else {
encPieces = encValue.split('|');
handle legacy encrypt-then-mac scheme
2017-04-19 22:45:16 +02:00
encType = encPieces.length === 3 ? constants.encType.AesCbc128_HmacSha256_B64 :
constants.encType.AesCbc256_B64;
}
if (encType === constants.encType.AesCbc128_HmacSha256_B64 && key.encType === constants.encType.AesCbc256_B64) {
// Old encrypt-then-mac scheme, swap out the key
rename CryptoKey to SymmetricCryptoKey
2017-04-22 20:39:40 +02:00
_legacyEtmKey = _legacyEtmKey ||
new SymmetricCryptoKey(key.key, false, constants.encType.AesCbc128_HmacSha256_B64);
handle legacy encrypt-then-mac scheme
2017-04-19 22:45:16 +02:00
key = _legacyEtmKey;
initial commit of source
2015-12-09 04:35:05 +01:00
}
wrap key into new CryptoKey object
2017-04-19 04:28:49 +02:00
if (encType !== key.encType) {
throw 'encType unavailable.';
}
added encType header to ciphers
2017-04-07 05:00:33 +02:00
switch (encType) {
move some values to constants for better sharing
2017-04-11 00:55:18 +02:00
case constants.encType.AesCbc128_HmacSha256_B64:
added encType header to ciphers
2017-04-07 05:00:33 +02:00
if (encPieces.length !== 3) {
return null;
}
break;
move some values to constants for better sharing
2017-04-11 00:55:18 +02:00
case constants.encType.AesCbc256_HmacSha256_B64:
added encType header to ciphers
2017-04-07 05:00:33 +02:00
if (encPieces.length !== 3) {
return null;
}
break;
move some values to constants for better sharing
2017-04-11 00:55:18 +02:00
case constants.encType.AesCbc256_B64:
added encType header to ciphers
2017-04-07 05:00:33 +02:00
if (encPieces.length !== 2) {
return null;
}
break;
default:
return null;
}
replace sjcl cryptoservice implementation with forge
2017-02-11 19:03:48 +01:00
var ivBytes = forge.util.decode64(encPieces[0]);
var ctBytes = forge.util.decode64(encPieces[1]);
initial commit of source
2015-12-09 04:35:05 +01:00
crypto fix for mac
2017-04-20 22:32:03 +02:00
if (key.macKey && encPieces.length > 2) {
constant time equality for mac check on decrypt
2017-04-27 17:35:30 +02:00
var macBytes = forge.util.decode64(encPieces[2]);
var computedMacBytes = computeMac(ctBytes, ivBytes, key.macKey, false);
protect mac comparisons from timing attacks
2017-04-27 18:00:32 +02:00
if (!macsEqual(key.macKey, macBytes, computedMacBytes)) {
encrypt-then-mac support
2016-12-09 04:21:46 +01:00
console.error('MAC failed.');
added encType header to ciphers
2017-04-07 05:00:33 +02:00
return null;
encrypt-then-mac support
2016-12-09 04:21:46 +01:00
}
}
replace sjcl cryptoservice implementation with forge
2017-02-11 19:03:48 +01:00
var ctBuffer = forge.util.createBuffer(ctBytes);
wrap key into new CryptoKey object
2017-04-19 04:28:49 +02:00
var decipher = forge.cipher.createDecipher('AES-CBC', key.encKey);
replace sjcl cryptoservice implementation with forge
2017-02-11 19:03:48 +01:00
decipher.start({ iv: ivBytes });
decipher.update(ctBuffer);
decipher.finish();
initial commit of source
2015-12-09 04:35:05 +01:00
updates to cryptoService for rsa keypairs
2017-02-21 04:21:14 +01:00
outputEncoding = outputEncoding || 'utf8';
if (outputEncoding === 'utf8') {
return decipher.output.toString('utf8');
}
else {
return decipher.output.getBytes();
}
replace sjcl cryptoservice implementation with forge
2017-02-11 19:03:48 +01:00
};
encrypt-then-mac support
2016-12-09 04:21:46 +01:00
share login modal
2017-02-28 06:18:11 +01:00
_service.rsaDecrypt = function (encValue, privateKey) {
privateKey = privateKey || _service.getPrivateKey();
if (!privateKey) {
throw 'Private key unavailable.';
}
added encType header to ciphers
2017-04-07 05:00:33 +02:00
var headerPieces = encValue.split('.'),
encType,
encPiece;
if (headerPieces.length === 1) {
Add support for OAEP SHA1 digest. Note that iOS does not support any other OAEP format, such as SHA256.
2017-04-21 19:46:07 +02:00
encType = constants.encType.Rsa2048_OaepSha256_B64;
added encType header to ciphers
2017-04-07 05:00:33 +02:00
encPiece = headerPieces[0];
}
else if (headerPieces.length === 2) {
try {
encType = parseInt(headerPieces[0]);
encPiece = headerPieces[1];
}
catch (e) {
return null;
}
}
Add support for OAEP SHA1 digest. Note that iOS does not support any other OAEP format, such as SHA256.
2017-04-21 19:46:07 +02:00
var ctBytes = forge.util.decode64(encPiece);
var md;
if (encType === constants.encType.Rsa2048_OaepSha256_B64) {
md = forge.md.sha256.create();
}
else if (encType === constants.encType.Rsa2048_OaepSha1_B64) {
md = forge.md.sha1.create();
}
else {
throw 'encType unavailable.';
added encType header to ciphers
2017-04-07 05:00:33 +02:00
}
share login modal
2017-02-28 06:18:11 +01:00
var decBytes = privateKey.decrypt(ctBytes, 'RSA-OAEP', {
Add support for OAEP SHA1 digest. Note that iOS does not support any other OAEP format, such as SHA256.
2017-04-21 19:46:07 +02:00
md: md
share login modal
2017-02-28 06:18:11 +01:00
});
return decBytes;
lint fixes
2017-03-01 04:53:19 +01:00
};
share login modal
2017-02-28 06:18:11 +01:00
constant time equality for mac check on decrypt
2017-04-27 17:35:30 +02:00
function computeMac(ct, iv, macKey, b64Output) {
replace sjcl cryptoservice implementation with forge
2017-02-11 19:03:48 +01:00
var hmac = forge.hmac.create();
wrap key into new CryptoKey object
2017-04-19 04:28:49 +02:00
hmac.start('sha256', macKey);
replace sjcl cryptoservice implementation with forge
2017-02-11 19:03:48 +01:00
hmac.update(iv + ct);
var mac = hmac.digest();
constant time equality for mac check on decrypt
2017-04-27 17:35:30 +02:00
return b64Output ? forge.util.encode64(mac.getBytes()) : mac.getBytes();
}
comment update
2017-04-27 18:14:11 +02:00
// Safely compare two MACs in a way that protects against timing attacks (Double HMAC Verification).
protect mac comparisons from timing attacks
2017-04-27 18:00:32 +02:00
// ref: https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2011/february/double-hmac-verification/
function macsEqual(macKey, mac1, mac2) {
var hmac = forge.hmac.create();
constant time equality for mac check on decrypt
2017-04-27 17:35:30 +02:00
protect mac comparisons from timing attacks
2017-04-27 18:00:32 +02:00
hmac.start('sha256', macKey);
hmac.update(mac1);
mac1 = hmac.digest().getBytes();
hmac.start(null, null);
hmac.update(mac2);
mac2 = hmac.digest().getBytes();
constant time equality for mac check on decrypt
2017-04-27 17:35:30 +02:00
protect mac comparisons from timing attacks
2017-04-27 18:00:32 +02:00
return mac1 === mac2;
encrypt-then-mac support
2016-12-09 04:21:46 +01:00
}
rename CryptoKey to SymmetricCryptoKey
2017-04-22 20:39:40 +02:00
function SymmetricCryptoKey(keyBytes, b64KeyBytes, encType) {
wrap key into new CryptoKey object
2017-04-19 04:28:49 +02:00
if (b64KeyBytes) {
keyBytes = forge.util.decode64(keyBytes);
}
if (!keyBytes) {
throw 'Must provide keyBytes';
}
var buffer = forge.util.createBuffer(keyBytes);
if (!buffer || buffer.length() === 0) {
throw 'Couldn\'t make buffer';
}
cleanup crypto API
2017-04-19 15:27:38 +02:00
var bufferLength = buffer.length();
wrap key into new CryptoKey object
2017-04-19 04:28:49 +02:00
if (encType === null || encType === undefined) {
cleanup crypto API
2017-04-19 15:27:38 +02:00
if (bufferLength === 32) {
wrap key into new CryptoKey object
2017-04-19 04:28:49 +02:00
encType = constants.encType.AesCbc256_B64;
}
cleanup crypto API
2017-04-19 15:27:38 +02:00
else if (bufferLength === 64) {
wrap key into new CryptoKey object
2017-04-19 04:28:49 +02:00
encType = constants.encType.AesCbc256_HmacSha256_B64;
}
else {
throw 'Unable to determine encType.';
}
}
this.key = keyBytes;
this.keyB64 = forge.util.encode64(keyBytes);
this.encType = encType;
cleanup crypto API
2017-04-19 15:27:38 +02:00
if (encType === constants.encType.AesCbc256_B64 && bufferLength === 32) {
wrap key into new CryptoKey object
2017-04-19 04:28:49 +02:00
this.encKey = keyBytes;
this.macKey = null;
}
cleanup crypto API
2017-04-19 15:27:38 +02:00
else if (encType === constants.encType.AesCbc128_HmacSha256_B64 && bufferLength === 32) {
wrap key into new CryptoKey object
2017-04-19 04:28:49 +02:00
this.encKey = buffer.getBytes(16); // first half
this.macKey = buffer.getBytes(16); // second half
}
cleanup crypto API
2017-04-19 15:27:38 +02:00
else if (encType === constants.encType.AesCbc256_HmacSha256_B64 && bufferLength === 64) {
wrap key into new CryptoKey object
2017-04-19 04:28:49 +02:00
this.encKey = buffer.getBytes(32); // first half
this.macKey = buffer.getBytes(32); // second half
}
else {
cleanup crypto API
2017-04-19 15:27:38 +02:00
throw 'Unsupported encType/key length.';
wrap key into new CryptoKey object
2017-04-19 04:28:49 +02:00
}
fix lint errors
2017-04-19 15:03:47 +02:00
}
wrap key into new CryptoKey object
2017-04-19 04:28:49 +02:00
initial commit of source
2015-12-09 04:35:05 +01:00
return _service;
wrap key into new CryptoKey object
2017-04-19 04:28:49 +02:00
});
Reference in New Issue Copy Permalink