From cc10ff441fce0db61fe483cb26f47bd6afc6a62a Mon Sep 17 00:00:00 2001
From: Dominik Korsa
Date: Tue, 19 Jan 2021 20:56:57 +0100
Subject: [PATCH] Generate separate private key encrypt keys for each prompt
---
 backend/src/routes/oauth2/authorize.ts | 2 ++
 backend/src/routes/website-api/resolvers/login-resolver.ts | 4 ++--
 backend/src/types.ts | 1 +
 backend/src/utils/crypto.ts | 4 ++++
 backend/src/utils/index.ts | 4 ++--
 5 files changed, 11 insertions(+), 4 deletions(-)
diff --git a/backend/src/routes/oauth2/authorize.ts b/backend/src/routes/oauth2/authorize.ts
index e05ed80..3316b8b 100644
--- a/backend/src/routes/oauth2/authorize.ts
+++ b/backend/src/routes/oauth2/authorize.ts
@@ -7,6 +7,7 @@ import { ParamError, ScopeError } from '../../errors';
 import type { MyFastifyInstance, StudentsMode } from '../../types';
 import {
+ createKey,
 getSessionData, isObject, parseScopeParam, validateOptionalParam, validateParam,
 } from '../../utils';
@@ -79,6 +80,7 @@ export default function registerAuthorize(server: MyFastifyInstance): void {
 value: request.query.code_challenge,
 },
 studentsMode,
+ promptSecret: createKey(),
 });
 await reply.redirect(urlJoin(websitePrefix, `/authenticate-prompt?prompt_id=${promptId}`));
diff --git a/backend/src/routes/website-api/resolvers/login-resolver.ts b/backend/src/routes/website-api/resolvers/login-resolver.ts
index 8a2b4cc..0cce8ce 100644
--- a/backend/src/routes/website-api/resolvers/login-resolver.ts
+++ b/backend/src/routes/website-api/resolvers/login-resolver.ts
@@ -6,7 +6,7 @@ import {
 Arg, Ctx, Mutation, Resolver,
 } from 'type-graphql';
 import {
- encryptSymmetrical, encryptWithPublicKey, generatePrivatePublicPair, isObject, requireEnvHex,
+ encryptSymmetrical, encryptWithPublicKey, generatePrivatePublicPair, isObject,
 } from '../../../utils';
 import { InvalidVulcanCredentialsError, UnknownPromptError } from '../errors';
 import LoginResult from '../models/login-result';
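Review bot: `promptSecret: createKey()` stores the symmetric key on the same Prompt object whose private key it later protects (login-resolver in this patch encrypts with `prompt.promptSecret`), so whether this is stronger than the single env key depends entirely on where that object is persisted, which is outside the hunk. If the prompt store ends up holding both `promptSecret` and the encrypted private key, anyone who can read that store can decrypt the key directly; if the secret is deliberately kept out of that store, the code should say so. Suggest `promptSecret: createKey(), // per-prompt key for encryptSymmetrical; must not be persisted next to the ciphertext it protects` or an equivalent note on the Prompt type. The enclosing registerAuthorize handler starts before the hunk.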
@@ -39,7 +39,7 @@ export default class LoginResolver {
 const { privateKey, publicKey } = await generatePrivatePublicPair();
 const encryptedPrivateKey = encryptSymmetrical(
 privateKey,
- requireEnvHex('CREDENTIALS_PRIVATE_KEY_ENCRYPT_KEY'),
+ prompt.promptSecret,
 );
 const encryptedPassword = encryptWithPublicKey(password, publicKey);
 console.log(diaryList.map((e) => e.serialized.info));
diff --git a/backend/src/types.ts b/backend/src/types.ts
index 753b14f..08da259 100644
--- a/backend/src/types.ts
+++ b/backend/src/types.ts
@@ -24,6 +24,7 @@ export interface Prompt {
 method: 'plain' | 'S256';
 };
 studentsMode: StudentsMode;
+ promptSecret: Buffer;
 loginInfo?: {
 host: string;
 username: string;
diff --git a/backend/src/utils/crypto.ts b/backend/src/utils/crypto.ts
index 3b4d0dd..a9beab3 100644
--- a/backend/src/utils/crypto.ts
+++ b/backend/src/utils/crypto.ts
@@ -18,6 +18,10 @@ export function generatePrivatePublicPair(): Promise<{
 });
 }
+export function createKey(): Buffer {
+ return crypto.randomBytes(32);
+}
+
 export function encryptSymmetrical(value: string, key: Buffer): string {
 const ivBuffer = crypto.randomBytes(16);
 const cipher = crypto.createCipheriv('aes-256-cbc', key, ivBuffer);
diff --git a/backend/src/utils/index.ts b/backend/src/utils/index.ts
index 5e8f700..c740007 100644
--- a/backend/src/utils/index.ts
+++ b/backend/src/utils/index.ts
@@ -11,8 +11,8 @@ export function requireEnv(name: string): string {
 return value;
 }
-export function requireEnvHex(name: string): Buffer {
- return Buffer.from(requireEnv(name), 'hex');
+export function requireEnvBase64(name: string): Buffer {
+ return Buffer.from(requireEnv(name), 'base64');
 }
 export function parseIntStrict(value: string, radix = 10): number {
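Review bot: `prompt.promptSecret` is handed straight to `encryptSymmetrical`, which (per crypto.ts in this patch) calls `createCipheriv('aes-256-cbc', key, …)` and rejects any key that is not exactly 32 bytes, so this line now trusts that whatever loaded `prompt` preserved a 32-byte Buffer; if prompts are round-tripped through JSON or a string-keyed store, a Buffer field will not come back as a Buffer. A guard such as `if (!Buffer.isBuffer(prompt.promptSecret) || prompt.promptSecret.length !== 32) throw new Error('prompt secret missing or malformed');` before the call would make that failure explicit instead of a generic cipher error. Separately, the `console.log(diaryList.map((e) => e.serialized.info));` context line two lines below writes diary contents to stdout on every login; it predates this commit but looks like a leftover debug statement. The enclosing resolver method starts and ends outside the hunk.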
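Review bot: `promptSecret: Buffer;` is added to `Prompt` without documentation, and nothing on the interface says it is key material rather than an identifier; a reader has to find the login resolver to learn that. Suggest `/** Random 32-byte key generated per prompt (createKey) and used to encrypt the private key during login; sensitive, never log or expose. */` above the field. If Prompt objects are ever serialized (JSON, session store), note in the same comment that a Buffer does not round-trip as a Buffer and must be re-wrapped by the consumer — that is an inference from the type, not something visible in the hunk.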
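Review bot: `createKey()` hard-codes `32` with nothing tying it to the `'aes-256-cbc'` used by `encryptSymmetrical` just below, which requires exactly a 256-bit key, so a later edit to either function can silently desync the two. Suggest `const SYMMETRIC_KEY_BYTES = 32; // key size for the aes-256-cbc used by encryptSymmetrical` at module level and `return crypto.randomBytes(SYMMETRIC_KEY_BYTES);`, plus a TSDoc line on the export stating that it returns a fresh random key intended for encryptSymmetrical. Since this function is now the only key source, it is also the natural place to document that the surrounding CBC construction carries no integrity check, so ciphertexts produced under these keys are not tamper-evident.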
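Review bot: `Buffer.from(requireEnv(name), 'base64')` does not validate its input: Node's base64 decoder skips characters it does not understand, so a mistyped or truncated environment value decodes to a shorter Buffer instead of failing (the 'hex' version being replaced had the same weakness). Consider checking the decoded length against what the caller needs, or at least `const decoded = Buffer.from(requireEnv(name), 'base64');` followed by `if (decoded.length === 0) throw new Error(`Environment variable ${name} is not valid base64`);` before `return decoded;`. Nothing in this patch calls `requireEnvBase64` once the only visible `requireEnvHex` import is removed; if it is now unused it could be dropped rather than renamed.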