mirror of
https://github.com/bitwarden/browser.git
synced 2024-12-03 13:33:32 +01:00
replace sjcl cryptoservice implementation with forge
This commit is contained in:
parent
bca7592c77
commit
52b89455d7
38
gulpfile.js
38
gulpfile.js
@ -17,7 +17,8 @@ var gulp = require('gulp'),
|
|||||||
settings = require('./settings.json'),
|
settings = require('./settings.json'),
|
||||||
project = require('./package.json'),
|
project = require('./package.json'),
|
||||||
jshint = require('gulp-jshint'),
|
jshint = require('gulp-jshint'),
|
||||||
_ = require('lodash');
|
_ = require('lodash'),
|
||||||
|
webpack = require('webpack-stream');
|
||||||
|
|
||||||
var paths = {};
|
var paths = {};
|
||||||
paths.dist = './dist/';
|
paths.dist = './dist/';
|
||||||
@ -42,7 +43,7 @@ gulp.task('lint', function () {
|
|||||||
gulp.task('build', function (cb) {
|
gulp.task('build', function (cb) {
|
||||||
return runSequence(
|
return runSequence(
|
||||||
'clean',
|
'clean',
|
||||||
['lib', 'less', 'settings', 'lint'],
|
['lib', 'webpack', 'less', 'settings', 'lint'],
|
||||||
cb);
|
cb);
|
||||||
});
|
});
|
||||||
|
|
||||||
@ -142,10 +143,6 @@ gulp.task('lib', ['clean:lib'], function () {
|
|||||||
src: paths.npmDir + 'angular-messages/*messages*.js',
|
src: paths.npmDir + 'angular-messages/*messages*.js',
|
||||||
dest: paths.libDir + 'angular-messages'
|
dest: paths.libDir + 'angular-messages'
|
||||||
},
|
},
|
||||||
{
|
|
||||||
src: [paths.npmDir + 'sjcl/core/cbc.js', paths.npmDir + 'sjcl/core/bitArray.js', paths.npmDir + 'sjcl/sjcl.js'],
|
|
||||||
dest: paths.libDir + 'sjcl'
|
|
||||||
},
|
|
||||||
{
|
{
|
||||||
src: paths.npmDir + 'ngstorage/*.js',
|
src: paths.npmDir + 'ngstorage/*.js',
|
||||||
dest: paths.libDir + 'ngstorage'
|
dest: paths.libDir + 'ngstorage'
|
||||||
@ -178,6 +175,33 @@ gulp.task('lib', ['clean:lib'], function () {
|
|||||||
return merge(tasks);
|
return merge(tasks);
|
||||||
});
|
});
|
||||||
|
|
||||||
|
gulp.task('webpack', ['webpack:forge']);
|
||||||
|
|
||||||
|
gulp.task('webpack:forge', function () {
|
||||||
|
var forgeDir = paths.npmDir + '/node-forge/lib/';
|
||||||
|
|
||||||
|
return gulp.src([
|
||||||
|
forgeDir + 'pbkdf2.js',
|
||||||
|
forgeDir + 'aes.js',
|
||||||
|
forgeDir + 'hmac.js',
|
||||||
|
forgeDir + 'sha256.js',
|
||||||
|
forgeDir + 'random.js',
|
||||||
|
forgeDir + 'forge.js'
|
||||||
|
]).pipe(webpack({
|
||||||
|
output: {
|
||||||
|
filename: 'forge.js',
|
||||||
|
library: 'forge',
|
||||||
|
libraryTarget: 'umd'
|
||||||
|
},
|
||||||
|
node: {
|
||||||
|
Buffer: false,
|
||||||
|
process: false,
|
||||||
|
crypto: false,
|
||||||
|
setImmediate: false
|
||||||
|
}
|
||||||
|
})).pipe(gulp.dest(paths.libDir + 'forge'));
|
||||||
|
});
|
||||||
|
|
||||||
gulp.task('settings', function () {
|
gulp.task('settings', function () {
|
||||||
return config()
|
return config()
|
||||||
.pipe(gulp.dest(paths.webroot + 'app'));
|
.pipe(gulp.dest(paths.webroot + 'app'));
|
||||||
@ -290,8 +314,6 @@ gulp.task('dist:js:app', function () {
|
|||||||
gulp.task('dist:js:lib', function () {
|
gulp.task('dist:js:lib', function () {
|
||||||
return gulp
|
return gulp
|
||||||
.src([
|
.src([
|
||||||
paths.libDir + 'sjcl/sjcl.js',
|
|
||||||
paths.libDir + 'sjcl/*.js',
|
|
||||||
paths.libDir + 'angulartics/angulartics.js',
|
paths.libDir + 'angulartics/angulartics.js',
|
||||||
paths.libDir + '**/*.js',
|
paths.libDir + '**/*.js',
|
||||||
'!' + paths.libDir + '**/*.min.js',
|
'!' + paths.libDir + '**/*.min.js',
|
||||||
|
@ -24,7 +24,6 @@
|
|||||||
"jquery": "2.2.4",
|
"jquery": "2.2.4",
|
||||||
"font-awesome": "4.6.3",
|
"font-awesome": "4.6.3",
|
||||||
"bootstrap": "3.3.6",
|
"bootstrap": "3.3.6",
|
||||||
"sjcl": "1.0.3",
|
|
||||||
"angular": "1.5.6",
|
"angular": "1.5.6",
|
||||||
"angular-resource": "1.5.6",
|
"angular-resource": "1.5.6",
|
||||||
"angular-bootstrap-npm": "0.14.3",
|
"angular-bootstrap-npm": "0.14.3",
|
||||||
@ -42,6 +41,8 @@
|
|||||||
"clipboard": "1.5.12",
|
"clipboard": "1.5.12",
|
||||||
"ngclipboard": "1.1.1",
|
"ngclipboard": "1.1.1",
|
||||||
"angulartics": "1.1.2",
|
"angulartics": "1.1.2",
|
||||||
"angulartics-google-analytics": "0.2.1"
|
"angulartics-google-analytics": "0.2.1",
|
||||||
|
"node-forge": "0.7.0",
|
||||||
|
"webpack-stream": "3.2.0"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -4,15 +4,11 @@ angular
|
|||||||
.factory('cryptoService', function ($sessionStorage) {
|
.factory('cryptoService', function ($sessionStorage) {
|
||||||
var _service = {},
|
var _service = {},
|
||||||
_key,
|
_key,
|
||||||
_b64Key,
|
_b64Key;
|
||||||
_aes,
|
|
||||||
_aesWithMac;
|
|
||||||
|
|
||||||
sjcl.beware["CBC mode is dangerous because it doesn't protect message integrity."]();
|
|
||||||
|
|
||||||
_service.setKey = function (key) {
|
_service.setKey = function (key) {
|
||||||
_key = key;
|
_key = key;
|
||||||
$sessionStorage.key = sjcl.codec.base64.fromBits(key);
|
$sessionStorage.key = forge.util.encode64(key);
|
||||||
};
|
};
|
||||||
|
|
||||||
_service.getKey = function (b64) {
|
_service.getKey = function (b64) {
|
||||||
@ -24,11 +20,11 @@ angular
|
|||||||
}
|
}
|
||||||
|
|
||||||
if ($sessionStorage.key) {
|
if ($sessionStorage.key) {
|
||||||
_key = sjcl.codec.base64.toBits($sessionStorage.key);
|
_key = forge.util.decode64($sessionStorage.key);
|
||||||
}
|
}
|
||||||
|
|
||||||
if (b64 && b64 === true) {
|
if (b64 && b64 === true) {
|
||||||
_b64Key = sjcl.codec.base64.fromBits(_key);
|
_b64Key = forge.util.encode64(_key);
|
||||||
return _b64Key;
|
return _b64Key;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -37,24 +33,29 @@ angular
|
|||||||
|
|
||||||
_service.getEncKey = function (key) {
|
_service.getEncKey = function (key) {
|
||||||
key = key || _service.getKey();
|
key = key || _service.getKey();
|
||||||
return key.slice(0, 4);
|
|
||||||
|
var buffer = forge.util.createBuffer(key);
|
||||||
|
return buffer.getBytes(16);
|
||||||
};
|
};
|
||||||
|
|
||||||
_service.getMacKey = function (key) {
|
_service.getMacKey = function (key) {
|
||||||
key = key || _service.getKey();
|
key = key || _service.getKey();
|
||||||
return key.slice(4);
|
|
||||||
|
var buffer = forge.util.createBuffer(key);
|
||||||
|
buffer.getBytes(16); // skip first half
|
||||||
|
return buffer.getBytes(16);
|
||||||
};
|
};
|
||||||
|
|
||||||
_service.clearKey = function () {
|
_service.clearKey = function () {
|
||||||
_key = _b64Key = _aes = _aesWithMac = null;
|
_key = _b64Key = null;
|
||||||
delete $sessionStorage.key;
|
delete $sessionStorage.key;
|
||||||
};
|
};
|
||||||
|
|
||||||
_service.makeKey = function (password, salt, b64) {
|
_service.makeKey = function (password, salt, b64) {
|
||||||
var key = sjcl.misc.pbkdf2(password, salt, 5000, 256, null);
|
var key = forge.pbkdf2(password, salt, 5000, 256 / 8, 'sha256');
|
||||||
|
|
||||||
if (b64 && b64 === true) {
|
if (b64 && b64 === true) {
|
||||||
return sjcl.codec.base64.fromBits(key);
|
return forge.util.encode64(key);
|
||||||
}
|
}
|
||||||
|
|
||||||
return key;
|
return key;
|
||||||
@ -69,24 +70,8 @@ angular
|
|||||||
throw 'Invalid parameters.';
|
throw 'Invalid parameters.';
|
||||||
}
|
}
|
||||||
|
|
||||||
var hashBits = sjcl.misc.pbkdf2(key, password, 1, 256, null);
|
var hashBits = forge.pbkdf2(key, password, 1, 256 / 8, 'sha256');
|
||||||
return sjcl.codec.base64.fromBits(hashBits);
|
return forge.util.encode64(hashBits);
|
||||||
};
|
|
||||||
|
|
||||||
_service.getAes = function () {
|
|
||||||
if (!_aes && _service.getKey()) {
|
|
||||||
_aes = new sjcl.cipher.aes(_service.getKey());
|
|
||||||
}
|
|
||||||
|
|
||||||
return _aes;
|
|
||||||
};
|
|
||||||
|
|
||||||
_service.getAesWithMac = function () {
|
|
||||||
if (!_aesWithMac && _service.getKey()) {
|
|
||||||
_aesWithMac = new sjcl.cipher.aes(_service.getEncKey());
|
|
||||||
}
|
|
||||||
|
|
||||||
return _aesWithMac;
|
|
||||||
};
|
};
|
||||||
|
|
||||||
_service.encrypt = function (plaintextValue, key) {
|
_service.encrypt = function (plaintextValue, key) {
|
||||||
@ -103,22 +88,21 @@ angular
|
|||||||
encKey = key || _service.getKey();
|
encKey = key || _service.getKey();
|
||||||
}
|
}
|
||||||
|
|
||||||
var response = {};
|
var buffer = forge.util.createBuffer(plaintextValue, 'utf8');
|
||||||
var params = {
|
var ivBytes = forge.random.getBytesSync(16);
|
||||||
mode: 'cbc',
|
var cipher = forge.cipher.createCipher('AES-CBC', encKey);
|
||||||
iv: sjcl.random.randomWords(4, 10)
|
cipher.start({ iv: ivBytes });
|
||||||
};
|
cipher.update(buffer);
|
||||||
|
cipher.finish();
|
||||||
var ctJson = sjcl.encrypt(encKey, plaintextValue, params, response);
|
|
||||||
|
|
||||||
var ct = ctJson.match(/"ct":"([^"]*)"/)[1];
|
|
||||||
var iv = sjcl.codec.base64.fromBits(response.iv);
|
|
||||||
|
|
||||||
|
var iv = forge.util.encode64(ivBytes);
|
||||||
|
var ctBytes = cipher.output.getBytes();
|
||||||
|
var ct = forge.util.encode64(ctBytes);
|
||||||
var cipherString = iv + '|' + ct;
|
var cipherString = iv + '|' + ct;
|
||||||
|
|
||||||
// TODO: Turn on whenever ready to support encrypt-then-mac
|
// TODO: Turn on whenever ready to support encrypt-then-mac
|
||||||
if (false) {
|
if (false) {
|
||||||
var mac = computeMac(ct, response.iv);
|
var mac = computeMac(ctBytes, ivBytes);
|
||||||
cipherString = cipherString + '|' + mac;
|
cipherString = cipherString + '|' + mac;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -126,7 +110,7 @@ angular
|
|||||||
};
|
};
|
||||||
|
|
||||||
_service.decrypt = function (encValue) {
|
_service.decrypt = function (encValue) {
|
||||||
if (!_service.getAes() || !_service.getAesWithMac()) {
|
if (!_service.getKey()) {
|
||||||
throw 'AES encryption unavailable.';
|
throw 'AES encryption unavailable.';
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -135,35 +119,33 @@ angular
|
|||||||
return '';
|
return '';
|
||||||
}
|
}
|
||||||
|
|
||||||
var ivBits = sjcl.codec.base64.toBits(encPieces[0]);
|
var ivBytes = forge.util.decode64(encPieces[0]);
|
||||||
var ctBits = sjcl.codec.base64.toBits(encPieces[1]);
|
var ctBytes = forge.util.decode64(encPieces[1]);
|
||||||
|
|
||||||
var computedMac = null;
|
var computedMac = null;
|
||||||
if (encPieces.length === 3) {
|
if (encPieces.length === 3) {
|
||||||
computedMac = computeMac(ctBits, ivBits);
|
computedMac = computeMac(ctBytes, ivBytes);
|
||||||
if (computedMac !== encPieces[2]) {
|
if (computedMac !== encPieces[2]) {
|
||||||
console.error('MAC failed.');
|
console.error('MAC failed.');
|
||||||
return '';
|
return '';
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
var decBits = sjcl.mode.cbc.decrypt(computedMac ? _service.getAesWithMac() : _service.getAes(), ctBits, ivBits, null);
|
var ctBuffer = forge.util.createBuffer(ctBytes);
|
||||||
return sjcl.codec.utf8String.fromBits(decBits);
|
var decipher = forge.cipher.createDecipher('AES-CBC', computedMac ? _service.getEncKey() : _service.getKey());
|
||||||
|
decipher.start({ iv: ivBytes });
|
||||||
|
decipher.update(ctBuffer);
|
||||||
|
decipher.finish();
|
||||||
|
|
||||||
|
return decipher.output.toString('utf8');
|
||||||
};
|
};
|
||||||
|
|
||||||
function computeMac(ct, iv) {
|
function computeMac(ct, iv, macKey) {
|
||||||
if (typeof ct === 'string') {
|
var hmac = forge.hmac.create();
|
||||||
ct = sjcl.codec.base64.toBits(ct);
|
hmac.start('sha256', macKey || _service.getMacKey());
|
||||||
}
|
hmac.update(iv + ct);
|
||||||
if (typeof iv === 'string') {
|
var mac = hmac.digest();
|
||||||
iv = sjcl.codec.base64.toBits(iv);
|
return forge.util.encode64(mac.getBytes());
|
||||||
}
|
|
||||||
|
|
||||||
var macKey = _service.getMacKey();
|
|
||||||
var hmac = new sjcl.misc.hmac(macKey, sjcl.hash.sha256);
|
|
||||||
var bits = iv.concat(ct);
|
|
||||||
var mac = hmac.encrypt(bits);
|
|
||||||
return sjcl.codec.base64.fromBits(mac);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
return _service;
|
return _service;
|
||||||
|
@ -55,10 +55,7 @@
|
|||||||
<script src="lib/bootstrap/js/bootstrap.js"></script>
|
<script src="lib/bootstrap/js/bootstrap.js"></script>
|
||||||
<script src="lib/admin-lte/js/app.js"></script>
|
<script src="lib/admin-lte/js/app.js"></script>
|
||||||
|
|
||||||
<script src="lib/sjcl/sjcl.js"></script>
|
<script src="lib/forge/forge.js"></script>
|
||||||
<script src="lib/sjcl/cbc.js"></script>
|
|
||||||
<script src="lib/sjcl/bitArray.js"></script>
|
|
||||||
|
|
||||||
<script src="lib/papaparse/papaparse.js"></script>
|
<script src="lib/papaparse/papaparse.js"></script>
|
||||||
<script src="lib/clipboard/clipboard.js"></script>
|
<script src="lib/clipboard/clipboard.js"></script>
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user