Upstream/bitwarden-browser
1
0
Fork 0
mirror of https://github.com/bitwarden/browser.git synced 2024-12-04 13:44:00 +01:00
Code Issues Projects Releases Wiki Activity

replace sjcl cryptoservice implementation with forge

Browse Source
This commit is contained in:
Kyle Spearrin 2017-02-11 13:03:48 -05:00
parent bca7592c77
commit 52b89455d7
4 changed files with 77 additions and 75 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

38
gulpfile.js
View File

@ -17,7 +17,8 @@ var gulp = require('gulp'),
settings = require('./settings.json'), settings = require('./settings.json'),
project = require('./package.json'), project = require('./package.json'),
jshint = require('gulp-jshint'), jshint = require('gulp-jshint'),
_ = require('lodash'); _ = require('lodash'),
webpack = require('webpack-stream');
var paths = {}; var paths = {};
paths.dist = './dist/'; paths.dist = './dist/';
@ -42,7 +43,7 @@ gulp.task('lint', function () {
gulp.task('build', function (cb) { gulp.task('build', function (cb) {
return runSequence( return runSequence(
'clean', 'clean',
['lib', 'less', 'settings', 'lint'], ['lib', 'webpack', 'less', 'settings', 'lint'],
cb); cb);
}); });
@ -142,10 +143,6 @@ gulp.task('lib', ['clean:lib'], function () {
src: paths.npmDir + 'angular-messages/*messages*.js', src: paths.npmDir + 'angular-messages/*messages*.js',
dest: paths.libDir + 'angular-messages' dest: paths.libDir + 'angular-messages'
}, },
{
src: [paths.npmDir + 'sjcl/core/cbc.js', paths.npmDir + 'sjcl/core/bitArray.js', paths.npmDir + 'sjcl/sjcl.js'],
dest: paths.libDir + 'sjcl'
},
{ {
src: paths.npmDir + 'ngstorage/*.js', src: paths.npmDir + 'ngstorage/*.js',
dest: paths.libDir + 'ngstorage' dest: paths.libDir + 'ngstorage'
@ -178,6 +175,33 @@ gulp.task('lib', ['clean:lib'], function () {
return merge(tasks); return merge(tasks);
}); });
gulp.task('webpack', ['webpack:forge']);
gulp.task('webpack:forge', function () {
var forgeDir = paths.npmDir + '/node-forge/lib/';
return gulp.src([
forgeDir + 'pbkdf2.js',
forgeDir + 'aes.js',
forgeDir + 'hmac.js',
forgeDir + 'sha256.js',
forgeDir + 'random.js',
forgeDir + 'forge.js'
]).pipe(webpack({
output: {
filename: 'forge.js',
library: 'forge',
libraryTarget: 'umd'
},
node: {
Buffer: false,
process: false,
crypto: false,
setImmediate: false
}
})).pipe(gulp.dest(paths.libDir + 'forge'));
});
gulp.task('settings', function () { gulp.task('settings', function () {
return config() return config()
.pipe(gulp.dest(paths.webroot + 'app')); .pipe(gulp.dest(paths.webroot + 'app'));
@ -290,8 +314,6 @@ gulp.task('dist:js:app', function () {
gulp.task('dist:js:lib', function () { gulp.task('dist:js:lib', function () {
return gulp return gulp
.src([ .src([
paths.libDir + 'sjcl/sjcl.js',
paths.libDir + 'sjcl/*.js',
paths.libDir + 'angulartics/angulartics.js', paths.libDir + 'angulartics/angulartics.js',
paths.libDir + '**/*.js', paths.libDir + '**/*.js',
'!' + paths.libDir + '**/*.min.js', '!' + paths.libDir + '**/*.min.js',

5
package.json
View File

@ -24,7 +24,6 @@
"jquery": "2.2.4", "jquery": "2.2.4",
"font-awesome": "4.6.3", "font-awesome": "4.6.3",
"bootstrap": "3.3.6", "bootstrap": "3.3.6",
"sjcl": "1.0.3",
"angular": "1.5.6", "angular": "1.5.6",
"angular-resource": "1.5.6", "angular-resource": "1.5.6",
"angular-bootstrap-npm": "0.14.3", "angular-bootstrap-npm": "0.14.3",
@ -42,6 +41,8 @@
"clipboard": "1.5.12", "clipboard": "1.5.12",
"ngclipboard": "1.1.1", "ngclipboard": "1.1.1",
"angulartics": "1.1.2", "angulartics": "1.1.2",
"angulartics-google-analytics": "0.2.1" "angulartics-google-analytics": "0.2.1",
"node-forge": "0.7.0",
"webpack-stream": "3.2.0"
} }
} }

104
src/app/services/cryptoService.js
View File

@ -4,15 +4,11 @@ angular
.factory('cryptoService', function ($sessionStorage) { .factory('cryptoService', function ($sessionStorage) {
var _service = {}, var _service = {},
_key, _key,
_b64Key, _b64Key;
_aes,
_aesWithMac;
sjcl.beware["CBC mode is dangerous because it doesn't protect message integrity."]();
_service.setKey = function (key) { _service.setKey = function (key) {
_key = key; _key = key;
$sessionStorage.key = sjcl.codec.base64.fromBits(key); $sessionStorage.key = forge.util.encode64(key);
}; };
_service.getKey = function (b64) { _service.getKey = function (b64) {
@ -24,11 +20,11 @@ angular
} }
if ($sessionStorage.key) { if ($sessionStorage.key) {
_key = sjcl.codec.base64.toBits($sessionStorage.key); _key = forge.util.decode64($sessionStorage.key);
} }
if (b64 && b64 === true) { if (b64 && b64 === true) {
_b64Key = sjcl.codec.base64.fromBits(_key); _b64Key = forge.util.encode64(_key);
return _b64Key; return _b64Key;
} }
@ -37,24 +33,29 @@ angular
_service.getEncKey = function (key) { _service.getEncKey = function (key) {
key = key || _service.getKey(); key = key || _service.getKey();
return key.slice(0, 4);
var buffer = forge.util.createBuffer(key);
return buffer.getBytes(16);
}; };
_service.getMacKey = function (key) { _service.getMacKey = function (key) {
key = key || _service.getKey(); key = key || _service.getKey();
return key.slice(4);
var buffer = forge.util.createBuffer(key);
buffer.getBytes(16); // skip first half
return buffer.getBytes(16);
}; };
_service.clearKey = function () { _service.clearKey = function () {
_key = _b64Key = _aes = _aesWithMac = null; _key = _b64Key = null;
delete $sessionStorage.key; delete $sessionStorage.key;
}; };
_service.makeKey = function (password, salt, b64) { _service.makeKey = function (password, salt, b64) {
var key = sjcl.misc.pbkdf2(password, salt, 5000, 256, null); var key = forge.pbkdf2(password, salt, 5000, 256 / 8, 'sha256');
if (b64 && b64 === true) { if (b64 && b64 === true) {
return sjcl.codec.base64.fromBits(key); return forge.util.encode64(key);
} }
return key; return key;
@ -69,24 +70,8 @@ angular
throw 'Invalid parameters.'; throw 'Invalid parameters.';
} }
var hashBits = sjcl.misc.pbkdf2(key, password, 1, 256, null); var hashBits = forge.pbkdf2(key, password, 1, 256 / 8, 'sha256');
return sjcl.codec.base64.fromBits(hashBits); return forge.util.encode64(hashBits);
};
_service.getAes = function () {
if (!_aes && _service.getKey()) {
_aes = new sjcl.cipher.aes(_service.getKey());
}
return _aes;
};
_service.getAesWithMac = function () {
if (!_aesWithMac && _service.getKey()) {
_aesWithMac = new sjcl.cipher.aes(_service.getEncKey());
}
return _aesWithMac;
}; };
_service.encrypt = function (plaintextValue, key) { _service.encrypt = function (plaintextValue, key) {
@ -103,22 +88,21 @@ angular
encKey = key || _service.getKey(); encKey = key || _service.getKey();
} }
var response = {}; var buffer = forge.util.createBuffer(plaintextValue, 'utf8');
var params = { var ivBytes = forge.random.getBytesSync(16);
mode: 'cbc', var cipher = forge.cipher.createCipher('AES-CBC', encKey);
iv: sjcl.random.randomWords(4, 10) cipher.start({ iv: ivBytes });
}; cipher.update(buffer);
cipher.finish();
var ctJson = sjcl.encrypt(encKey, plaintextValue, params, response);
var ct = ctJson.match(/"ct":"([^"]*)"/)[1];
var iv = sjcl.codec.base64.fromBits(response.iv);
var iv = forge.util.encode64(ivBytes);
var ctBytes = cipher.output.getBytes();
var ct = forge.util.encode64(ctBytes);
var cipherString = iv + '|' + ct; var cipherString = iv + '|' + ct;
// TODO: Turn on whenever ready to support encrypt-then-mac // TODO: Turn on whenever ready to support encrypt-then-mac
if (false) { if (false) {
var mac = computeMac(ct, response.iv); var mac = computeMac(ctBytes, ivBytes);
cipherString = cipherString + '|' + mac; cipherString = cipherString + '|' + mac;
} }
@ -126,7 +110,7 @@ angular
}; };
_service.decrypt = function (encValue) { _service.decrypt = function (encValue) {
if (!_service.getAes() || !_service.getAesWithMac()) { if (!_service.getKey()) {
throw 'AES encryption unavailable.'; throw 'AES encryption unavailable.';
} }
@ -135,35 +119,33 @@ angular
return ''; return '';
} }
var ivBits = sjcl.codec.base64.toBits(encPieces[0]); var ivBytes = forge.util.decode64(encPieces[0]);
var ctBits = sjcl.codec.base64.toBits(encPieces[1]); var ctBytes = forge.util.decode64(encPieces[1]);
var computedMac = null; var computedMac = null;
if (encPieces.length === 3) { if (encPieces.length === 3) {
computedMac = computeMac(ctBits, ivBits); computedMac = computeMac(ctBytes, ivBytes);
if (computedMac !== encPieces[2]) { if (computedMac !== encPieces[2]) {
console.error('MAC failed.'); console.error('MAC failed.');
return ''; return '';
} }
} }
var decBits = sjcl.mode.cbc.decrypt(computedMac ? _service.getAesWithMac() : _service.getAes(), ctBits, ivBits, null); var ctBuffer = forge.util.createBuffer(ctBytes);
return sjcl.codec.utf8String.fromBits(decBits); var decipher = forge.cipher.createDecipher('AES-CBC', computedMac ? _service.getEncKey() : _service.getKey());
decipher.start({ iv: ivBytes });
decipher.update(ctBuffer);
decipher.finish();
return decipher.output.toString('utf8');
}; };
function computeMac(ct, iv) { function computeMac(ct, iv, macKey) {
if (typeof ct === 'string') { var hmac = forge.hmac.create();
ct = sjcl.codec.base64.toBits(ct); hmac.start('sha256', macKey || _service.getMacKey());
} hmac.update(iv + ct);
if (typeof iv === 'string') { var mac = hmac.digest();
iv = sjcl.codec.base64.toBits(iv); return forge.util.encode64(mac.getBytes());
}
var macKey = _service.getMacKey();
var hmac = new sjcl.misc.hmac(macKey, sjcl.hash.sha256);
var bits = iv.concat(ct);
var mac = hmac.encrypt(bits);
return sjcl.codec.base64.fromBits(mac);
} }
return _service; return _service;

5
src/index.html
View File

@ -55,10 +55,7 @@
<script src="lib/bootstrap/js/bootstrap.js"></script> <script src="lib/bootstrap/js/bootstrap.js"></script>
<script src="lib/admin-lte/js/app.js"></script> <script src="lib/admin-lte/js/app.js"></script>
<script src="lib/sjcl/sjcl.js"></script> <script src="lib/forge/forge.js"></script>
<script src="lib/sjcl/cbc.js"></script>
<script src="lib/sjcl/bitArray.js"></script>
<script src="lib/papaparse/papaparse.js"></script> <script src="lib/papaparse/papaparse.js"></script>
<script src="lib/clipboard/clipboard.js"></script> <script src="lib/clipboard/clipboard.js"></script>