70 lines
3.0 KiB
JavaScript
70 lines
3.0 KiB
JavaScript
|
"use strict";
|
||
|
|
Object.defineProperty(exports, "__esModule", {
|
||
|
|
value: true
|
||
|
|
});
|
||
|
|
0 && (module.exports = {
|
||
|
|
encryptWithSecret: null,
|
||
|
|
decryptWithSecret: null
|
||
|
|
});
|
||
|
|
function _export(target, all) {
|
||
|
|
for(var name in all)Object.defineProperty(target, name, {
|
||
|
|
enumerable: true,
|
||
|
|
get: all[name]
|
||
|
|
});
|
||
|
|
}
|
||
|
|
_export(exports, {
|
||
|
|
encryptWithSecret: function() {
|
||
|
|
return encryptWithSecret;
|
||
|
|
},
|
||
|
|
decryptWithSecret: function() {
|
||
|
|
return decryptWithSecret;
|
||
|
|
}
|
||
|
|
});
|
||
|
|
const _crypto = /*#__PURE__*/ _interop_require_default(require("crypto"));
|
||
|
|
function _interop_require_default(obj) {
|
||
|
|
return obj && obj.__esModule ? obj : {
|
||
|
|
default: obj
|
||
|
|
};
|
||
|
|
}
|
||
|
|
// Background:
|
||
|
|
// https://security.stackexchange.com/questions/184305/why-would-i-ever-use-aes-256-cbc-if-aes-256-gcm-is-more-secure
|
||
|
|
const CIPHER_ALGORITHM = `aes-256-gcm`, CIPHER_KEY_LENGTH = 32, CIPHER_IV_LENGTH = 16, CIPHER_TAG_LENGTH = 16, CIPHER_SALT_LENGTH = 64;
|
||
|
|
const PBKDF2_ITERATIONS = 100000 // https://support.1password.com/pbkdf2/
|
||
|
|
;
|
||
|
|
function encryptWithSecret(secret, data) {
|
||
|
|
const iv = _crypto.default.randomBytes(CIPHER_IV_LENGTH);
|
||
|
|
const salt = _crypto.default.randomBytes(CIPHER_SALT_LENGTH);
|
||
|
|
// https://nodejs.org/api/crypto.html#crypto_crypto_pbkdf2sync_password_salt_iterations_keylen_digest
|
||
|
|
const key = _crypto.default.pbkdf2Sync(secret, salt, PBKDF2_ITERATIONS, CIPHER_KEY_LENGTH, `sha512`);
|
||
|
|
const cipher = _crypto.default.createCipheriv(CIPHER_ALGORITHM, key, iv);
|
||
|
|
const encrypted = Buffer.concat([
|
||
|
|
cipher.update(data, `utf8`),
|
||
|
|
cipher.final()
|
||
|
|
]);
|
||
|
|
// https://nodejs.org/api/crypto.html#crypto_cipher_getauthtag
|
||
|
|
const tag = cipher.getAuthTag();
|
||
|
|
return Buffer.concat([
|
||
|
|
// Data as required by:
|
||
|
|
// Salt for Key: https://nodejs.org/api/crypto.html#crypto_crypto_pbkdf2sync_password_salt_iterations_keylen_digest
|
||
|
|
// IV: https://nodejs.org/api/crypto.html#crypto_class_decipher
|
||
|
|
// Tag: https://nodejs.org/api/crypto.html#crypto_decipher_setauthtag_buffer
|
||
|
|
salt,
|
||
|
|
iv,
|
||
|
|
tag,
|
||
|
|
encrypted
|
||
|
|
]).toString(`hex`);
|
||
|
|
}
|
||
|
|
function decryptWithSecret(secret, encryptedData) {
|
||
|
|
const buffer = Buffer.from(encryptedData, `hex`);
|
||
|
|
const salt = buffer.slice(0, CIPHER_SALT_LENGTH);
|
||
|
|
const iv = buffer.slice(CIPHER_SALT_LENGTH, CIPHER_SALT_LENGTH + CIPHER_IV_LENGTH);
|
||
|
|
const tag = buffer.slice(CIPHER_SALT_LENGTH + CIPHER_IV_LENGTH, CIPHER_SALT_LENGTH + CIPHER_IV_LENGTH + CIPHER_TAG_LENGTH);
|
||
|
|
const encrypted = buffer.slice(CIPHER_SALT_LENGTH + CIPHER_IV_LENGTH + CIPHER_TAG_LENGTH);
|
||
|
|
// https://nodejs.org/api/crypto.html#crypto_crypto_pbkdf2sync_password_salt_iterations_keylen_digest
|
||
|
|
const key = _crypto.default.pbkdf2Sync(secret, salt, PBKDF2_ITERATIONS, CIPHER_KEY_LENGTH, `sha512`);
|
||
|
|
const decipher = _crypto.default.createDecipheriv(CIPHER_ALGORITHM, key, iv);
|
||
|
|
decipher.setAuthTag(tag);
|
||
|
|
return decipher.update(encrypted) + decipher.final(`utf8`);
|
||
|
|
}
|
||
|
|
|
||
|
|
//# sourceMappingURL=crypto-utils.js.map
|