Encrypt OTP secret

author: Chocobozzz <me@florianbigard.com> 2022-10-10 11:12:23 +0200
committer: Chocobozzz <me@florianbigard.com> 2022-10-10 11:12:23 +0200
commit: a3e5f804ad821f6979e8735b0569b1209986fedc (patch)
tree: 5b34a6bd6b3cb1c5e3eed32a72d02922100d53dc /server/helpers/peertube-crypto.ts
parent: a0da6f90d16027b385a67da6a5691b163626a363 (diff)
download: PeerTube-a3e5f804ad821f6979e8735b0569b1209986fedc.tar.gz
PeerTube-a3e5f804ad821f6979e8735b0569b1209986fedc.tar.zst
PeerTube-a3e5f804ad821f6979e8735b0569b1209986fedc.zip
1 files changed, 43 insertions, 4 deletions
diff --git a/server/helpers/peertube-crypto.ts b/server/helpers/peertube-crypto.ts
index dcf47ce76..ae7d11800 100644
--- a/server/helpers/peertube-crypto.ts
+++ b/server/helpers/peertube-crypto.ts
@@ -1,11 +1,11 @@
 import { compare, genSalt, hash } from 'bcrypt'
-import { createSign, createVerify } from 'crypto'
+import { createCipheriv, createDecipheriv, createSign, createVerify } from 'crypto'
 import { Request } from 'express'
 import { cloneDeep } from 'lodash'
 import { sha256 } from '@shared/extra-utils'
-import { BCRYPT_SALT_SIZE, HTTP_SIGNATURE, PRIVATE_RSA_KEY_SIZE } from '../initializers/constants'
+import { BCRYPT_SALT_SIZE, ENCRYPTION, HTTP_SIGNATURE, PRIVATE_RSA_KEY_SIZE } from '../initializers/constants'
 import { MActor } from '../types/models'
-import { generateRSAKeyPairPromise, promisify1, promisify2 } from './core-utils'
+import { generateRSAKeyPairPromise, promisify1, promisify2, randomBytesPromise, scryptPromise } from './core-utils'
 import { jsonld } from './custom-jsonld-signature'
 import { logger } from './logger'
@@ -21,7 +21,9 @@ function createPrivateAndPublicKeys () {
  return generateRSAKeyPairPromise(PRIVATE_RSA_KEY_SIZE)
 }
+// ---------------------------------------------------------------------------
 // User password checks
+// ---------------------------------------------------------------------------
 function comparePassword (plainPassword: string, hashPassword: string) {
  if (!plainPassword) return Promise.resolve(false)
@@ -35,7 +37,9 @@ async function cryptPassword (password: string) {
  return bcryptHashPromise(password, salt)
 }
+// ---------------------------------------------------------------------------
 // HTTP Signature
+// ---------------------------------------------------------------------------
 function isHTTPSignatureDigestValid (rawBody: Buffer, req: Request): boolean {
  if (req.headers[HTTP_SIGNATURE.HEADER_NAME] && req.headers['digest']) {
@@ -64,7 +68,9 @@ function parseHTTPSignature (req: Request, clockSkew?: number) {
  return parsed
 }
+// ---------------------------------------------------------------------------
 // JSONLD
+// ---------------------------------------------------------------------------
 function isJsonLDSignatureVerified (fromActor: MActor, signedDocument: any): Promise<boolean> {
  if (signedDocument.signature.type === 'RsaSignature2017') {
@@ -114,6 +120,8 @@ async function signJsonLDObject <T> (byActor: MActor, data: T) {
  return Object.assign(data, { signature })
 }
+// ---------------------------------------------------------------------------
 function buildDigest (body: any) {
  const rawBody = typeof body === 'string' ? body : JSON.stringify(body)
@@ -121,6 +129,34 @@ function buildDigest (body: any) {
 }
 // ---------------------------------------------------------------------------
+// Encryption
+// ---------------------------------------------------------------------------
+async function encrypt (str: string, secret: string) {
+  const iv = await randomBytesPromise(ENCRYPTION.IV)
+  const key = await scryptPromise(secret, ENCRYPTION.SALT, 32)
+  const cipher = createCipheriv(ENCRYPTION.ALGORITHM, key, iv)
+  let encrypted = iv.toString(ENCRYPTION.ENCODING) + ':'
+  encrypted += cipher.update(str, 'utf8', ENCRYPTION.ENCODING)
+  encrypted += cipher.final(ENCRYPTION.ENCODING)
+  return encrypted
+}
+async function decrypt (encryptedArg: string, secret: string) {
+  const [ ivStr, encryptedStr ] = encryptedArg.split(':')
+  const iv = Buffer.from(ivStr, 'hex')
+  const key = await scryptPromise(secret, ENCRYPTION.SALT, 32)
+  const decipher = createDecipheriv(ENCRYPTION.ALGORITHM, key, iv)
+  return decipher.update(encryptedStr, ENCRYPTION.ENCODING, 'utf8') + decipher.final('utf8')
+}
+// ---------------------------------------------------------------------------
 export {
  isHTTPSignatureDigestValid,
@@ -131,7 +167,10 @@ export {
  comparePassword,
  createPrivateAndPublicKeys,
  cryptPassword,
-  signJsonLDObject
+  signJsonLDObject,
+  encrypt,
+  decrypt
 }
 // ---------------------------------------------------------------------------
author	Chocobozzz <me@florianbigard.com>	2022-10-10 11:12:23 +0200
committer	Chocobozzz <me@florianbigard.com>	2022-10-10 11:12:23 +0200
commit	a3e5f804ad821f6979e8735b0569b1209986fedc (patch)
tree	5b34a6bd6b3cb1c5e3eed32a72d02922100d53dc /server/helpers/peertube-crypto.ts
parent	a0da6f90d16027b385a67da6a5691b163626a363 (diff)
download	PeerTube-a3e5f804ad821f6979e8735b0569b1209986fedc.tar.gz PeerTube-a3e5f804ad821f6979e8735b0569b1209986fedc.tar.zst PeerTube-a3e5f804ad821f6979e8735b0569b1209986fedc.zip