-
Notifications
You must be signed in to change notification settings - Fork 28k
/
Copy pathcrypto-utils.ts
77 lines (64 loc) · 2.37 KB
/
crypto-utils.ts
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
import crypto from 'crypto'
// Background:
// https://security.stackexchange.com/questions/184305/why-would-i-ever-use-aes-256-cbc-if-aes-256-gcm-is-more-secure
const CIPHER_ALGORITHM = `aes-256-gcm`,
CIPHER_KEY_LENGTH = 32, // https://stackoverflow.com/a/28307668/4397028
CIPHER_IV_LENGTH = 16, // https://stackoverflow.com/a/28307668/4397028
CIPHER_TAG_LENGTH = 16,
CIPHER_SALT_LENGTH = 64
const PBKDF2_ITERATIONS = 100_000 // https://support.1password.com/pbkdf2/
export function encryptWithSecret(secret: Buffer, data: string): string {
const iv = crypto.randomBytes(CIPHER_IV_LENGTH)
const salt = crypto.randomBytes(CIPHER_SALT_LENGTH)
// https://nodejs.org/api/crypto.html#crypto_crypto_pbkdf2sync_password_salt_iterations_keylen_digest
const key = crypto.pbkdf2Sync(
secret,
salt,
PBKDF2_ITERATIONS,
CIPHER_KEY_LENGTH,
`sha512`
)
const cipher = crypto.createCipheriv(CIPHER_ALGORITHM, key, iv)
const encrypted = Buffer.concat([cipher.update(data, `utf8`), cipher.final()])
// https://nodejs.org/api/crypto.html#crypto_cipher_getauthtag
const tag = cipher.getAuthTag()
return Buffer.concat([
// Data as required by:
// Salt for Key: https://nodejs.org/api/crypto.html#crypto_crypto_pbkdf2sync_password_salt_iterations_keylen_digest
// IV: https://nodejs.org/api/crypto.html#crypto_class_decipher
// Tag: https://nodejs.org/api/crypto.html#crypto_decipher_setauthtag_buffer
salt,
iv,
tag,
encrypted,
]).toString(`hex`)
}
export function decryptWithSecret(
secret: Buffer,
encryptedData: string
): string {
const buffer = Buffer.from(encryptedData, `hex`)
const salt = buffer.slice(0, CIPHER_SALT_LENGTH)
const iv = buffer.slice(
CIPHER_SALT_LENGTH,
CIPHER_SALT_LENGTH + CIPHER_IV_LENGTH
)
const tag = buffer.slice(
CIPHER_SALT_LENGTH + CIPHER_IV_LENGTH,
CIPHER_SALT_LENGTH + CIPHER_IV_LENGTH + CIPHER_TAG_LENGTH
)
const encrypted = buffer.slice(
CIPHER_SALT_LENGTH + CIPHER_IV_LENGTH + CIPHER_TAG_LENGTH
)
// https://nodejs.org/api/crypto.html#crypto_crypto_pbkdf2sync_password_salt_iterations_keylen_digest
const key = crypto.pbkdf2Sync(
secret,
salt,
PBKDF2_ITERATIONS,
CIPHER_KEY_LENGTH,
`sha512`
)
const decipher = crypto.createDecipheriv(CIPHER_ALGORITHM, key, iv)
decipher.setAuthTag(tag)
return decipher.update(encrypted) + decipher.final(`utf8`)
}