]>
Commit | Line | Data |
---|---|---|
9f10b292 C |
1 | 'use strict' |
2 | ||
26d7d31b | 3 | const bcrypt = require('bcrypt') |
f0f5567b C |
4 | const crypto = require('crypto') |
5 | const fs = require('fs') | |
6 | const openssl = require('openssl-wrapper') | |
f0f5567b | 7 | const ursa = require('ursa') |
9f10b292 | 8 | |
e861452f | 9 | const constants = require('../initializers/constants') |
f0f5567b | 10 | const logger = require('./logger') |
9f10b292 | 11 | |
f0f5567b | 12 | const algorithm = 'aes-256-ctr' |
9f10b292 | 13 | |
f0f5567b | 14 | const peertubeCrypto = { |
c4403b29 C |
15 | checkSignature, |
16 | comparePassword, | |
17 | createCertsIfNotExist, | |
18 | cryptPassword, | |
19 | decrypt, | |
20 | encrypt, | |
21 | sign | |
9f10b292 C |
22 | } |
23 | ||
bc503c2a C |
24 | function checkSignature (publicKey, rawData, hexSignature) { |
25 | const crt = ursa.createPublicKey(publicKey) | |
26 | const isValid = crt.hashAndVerify('sha256', new Buffer(rawData).toString('hex'), hexSignature, 'hex') | |
27 | return isValid | |
9f10b292 C |
28 | } |
29 | ||
26d7d31b C |
30 | function comparePassword (plainPassword, hashPassword, callback) { |
31 | bcrypt.compare(plainPassword, hashPassword, function (err, isPasswordMatch) { | |
32 | if (err) return callback(err) | |
33 | ||
34 | return callback(null, isPasswordMatch) | |
35 | }) | |
36 | } | |
37 | ||
9f10b292 C |
38 | function createCertsIfNotExist (callback) { |
39 | certsExist(function (exist) { | |
40 | if (exist === true) { | |
41 | return callback(null) | |
42 | } | |
43 | ||
44 | createCerts(function (err) { | |
45 | return callback(err) | |
dac0a531 | 46 | }) |
9f10b292 C |
47 | }) |
48 | } | |
dac0a531 | 49 | |
26d7d31b C |
50 | function cryptPassword (password, callback) { |
51 | bcrypt.genSalt(constants.BCRYPT_SALT_SIZE, function (err, salt) { | |
52 | if (err) return callback(err) | |
53 | ||
54 | bcrypt.hash(password, salt, function (err, hash) { | |
55 | return callback(err, hash) | |
56 | }) | |
57 | }) | |
58 | } | |
59 | ||
9f10b292 | 60 | function decrypt (key, data, callback) { |
e861452f | 61 | fs.readFile(constants.CONFIG.STORAGE.CERT_DIR + 'peertube.key.pem', function (err, file) { |
9f10b292 | 62 | if (err) return callback(err) |
dac0a531 | 63 | |
bc503c2a C |
64 | const myPrivateKey = ursa.createPrivateKey(file) |
65 | const decryptedKey = myPrivateKey.decrypt(key, 'hex', 'utf8') | |
66 | const decryptedData = symetricDecrypt(data, decryptedKey) | |
dac0a531 | 67 | |
bc503c2a | 68 | return callback(null, decryptedData) |
9f10b292 C |
69 | }) |
70 | } | |
dac0a531 | 71 | |
bc503c2a C |
72 | function encrypt (publicKey, data, callback) { |
73 | const crt = ursa.createPublicKey(publicKey) | |
dac0a531 | 74 | |
9f10b292 C |
75 | symetricEncrypt(data, function (err, dataEncrypted) { |
76 | if (err) return callback(err) | |
dac0a531 | 77 | |
f0f5567b C |
78 | const key = crt.encrypt(dataEncrypted.password, 'utf8', 'hex') |
79 | const encrypted = { | |
9f10b292 C |
80 | data: dataEncrypted.crypted, |
81 | key: key | |
82 | } | |
dac0a531 | 83 | |
9f10b292 C |
84 | callback(null, encrypted) |
85 | }) | |
86 | } | |
dac0a531 | 87 | |
9f10b292 | 88 | function sign (data) { |
e861452f | 89 | const myKey = ursa.createPrivateKey(fs.readFileSync(constants.CONFIG.STORAGE.CERT_DIR + 'peertube.key.pem')) |
f0f5567b | 90 | const signature = myKey.hashAndSign('sha256', data, 'utf8', 'hex') |
dac0a531 | 91 | |
9f10b292 C |
92 | return signature |
93 | } | |
dac0a531 | 94 | |
9f10b292 | 95 | // --------------------------------------------------------------------------- |
dac0a531 | 96 | |
9f10b292 | 97 | module.exports = peertubeCrypto |
dac0a531 | 98 | |
9f10b292 | 99 | // --------------------------------------------------------------------------- |
dac0a531 | 100 | |
9f10b292 | 101 | function certsExist (callback) { |
e861452f | 102 | fs.exists(constants.CONFIG.STORAGE.CERT_DIR + 'peertube.key.pem', function (exists) { |
9f10b292 C |
103 | return callback(exists) |
104 | }) | |
105 | } | |
106 | ||
107 | function createCerts (callback) { | |
108 | certsExist(function (exist) { | |
109 | if (exist === true) { | |
f0f5567b | 110 | const string = 'Certs already exist.' |
9f10b292 C |
111 | logger.warning(string) |
112 | return callback(new Error(string)) | |
113 | } | |
114 | ||
115 | logger.info('Generating a RSA key...') | |
e861452f C |
116 | |
117 | let options = { | |
118 | 'out': constants.CONFIG.STORAGE.CERT_DIR + 'peertube.key.pem', | |
119 | '2048': false | |
120 | } | |
121 | openssl.exec('genrsa', options, function (err) { | |
9f10b292 C |
122 | if (err) { |
123 | logger.error('Cannot create private key on this pod.') | |
124 | return callback(err) | |
dac0a531 | 125 | } |
9f10b292 | 126 | logger.info('RSA key generated.') |
dac0a531 | 127 | |
e861452f C |
128 | options = { |
129 | 'in': constants.CONFIG.STORAGE.CERT_DIR + 'peertube.key.pem', | |
130 | 'pubout': true, | |
131 | 'out': constants.CONFIG.STORAGE.CERT_DIR + 'peertube.pub' | |
132 | } | |
9f10b292 | 133 | logger.info('Manage public key...') |
e861452f | 134 | openssl.exec('rsa', options, function (err) { |
dac0a531 | 135 | if (err) { |
9f10b292 | 136 | logger.error('Cannot create public key on this pod.') |
dac0a531 C |
137 | return callback(err) |
138 | } | |
dac0a531 | 139 | |
9f10b292 C |
140 | logger.info('Public key managed.') |
141 | return callback(null) | |
142 | }) | |
dac0a531 | 143 | }) |
9f10b292 C |
144 | }) |
145 | } | |
146 | ||
147 | function generatePassword (callback) { | |
148 | crypto.randomBytes(32, function (err, buf) { | |
149 | if (err) return callback(err) | |
150 | ||
151 | callback(null, buf.toString('utf8')) | |
152 | }) | |
153 | } | |
154 | ||
155 | function symetricDecrypt (text, password) { | |
f0f5567b C |
156 | const decipher = crypto.createDecipher(algorithm, password) |
157 | let dec = decipher.update(text, 'hex', 'utf8') | |
9f10b292 C |
158 | dec += decipher.final('utf8') |
159 | return dec | |
160 | } | |
161 | ||
162 | function symetricEncrypt (text, callback) { | |
163 | generatePassword(function (err, password) { | |
164 | if (err) return callback(err) | |
165 | ||
f0f5567b C |
166 | const cipher = crypto.createCipher(algorithm, password) |
167 | let crypted = cipher.update(text, 'utf8', 'hex') | |
9f10b292 C |
168 | crypted += cipher.final('hex') |
169 | callback(null, { crypted: crypted, password: password }) | |
170 | }) | |
171 | } |