UNPKG

@autotelic/envelope-encryptor

Version:

Envelope encryption with configurable KMS

github.com/autotelic/envelope-encryptor

autotelic/envelope-encryptor

154 lines (128 loc) 3.73 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
'use strict'; var crypto = require('crypto'); var AWS = require('@aws-sdk/client-kms'); function _interopNamespaceDefault(e) { var n = Object.create(null); if (e) { Object.keys(e).forEach(function (k) { if (k !== 'default') { var d = Object.getOwnPropertyDescriptor(e, k); Object.defineProperty(n, k, d.get ? d : { enumerable: true, get: function () { return e[k]; } }); } }); } n.default = e; return Object.freeze(n); } var AWS__namespace = /*#__PURE__*/_interopNamespaceDefault(AWS); const awsKms = (keyId, config = {}, Client = AWS__namespace.KMS) => { const kms = new Client(config); const getDataKey = async () => { const { CiphertextBlob, Plaintext } = await kms .generateDataKey({ KeyId: keyId, KeySpec: 'AES_256' }); return { encryptedKey: (Buffer.from(CiphertextBlob)).toString('base64'), plaintextKey: Plaintext } }; const decryptDataKey = async key => { const { Plaintext } = await kms .decrypt({ CiphertextBlob: Buffer.from(key, 'base64') }); return Plaintext }; return { getDataKey, decryptDataKey } }; const dummyKms = () => { const getDataKey = async () => { const plaintextKey = crypto.randomBytes(32); return Promise.resolve({ encryptedKey: plaintextKey.toString('base64'), plaintextKey }) }; const decryptDataKey = async key => Promise.resolve(Buffer.from(key, 'base64')); return { getDataKey, decryptDataKey } }; const kekService = (base64Kek) => { const algorithm = 'aes256'; const encoding = 'hex'; const kek = Buffer.from(base64Kek, 'base64'); const getDataKey = async () => { const plaintextKey = Buffer.from(crypto.randomBytes(32)); const salt = Buffer.from(crypto.randomBytes(8)).toString('hex'); const cipher = crypto.createCipheriv(algorithm, kek, salt); const ciphertext = [ cipher.update(plaintextKey.toString('base64'), 'utf8', encoding), cipher.final(encoding) ].join(''); return Promise.resolve({ encryptedKey: `${ciphertext}:${salt}`, plaintextKey }) }; const decryptDataKey = async key => { const [ciphertext, salt] = key.split(':'); const decipher = crypto.createDecipheriv(algorithm, kek, salt); const decipheredtext = [ decipher.update(ciphertext, encoding, 'utf8'), decipher.final('utf8') ].join(''); return Buffer.from(decipheredtext, 'base64') }; return { getDataKey, decryptDataKey } }; const defaults = { encoding: 'hex' }; const createEnvelopeEncryptor = (keyService, options = defaults) => { const { encoding } = options; const algorithm = 'aes256'; const { getDataKey, decryptDataKey } = keyService; const encrypt = async (plaintext) => { const { encryptedKey, plaintextKey } = await getDataKey(); const salt = Buffer.from(crypto.randomBytes(8)).toString('hex'); const cipher = crypto.createCipheriv(algorithm, plaintextKey, salt); const ciphertext = [ cipher.update(plaintext, 'utf8', encoding), cipher.final(encoding) ].join(''); return { ciphertext, key: encryptedKey, salt } }; const decrypt = async ({ ciphertext, key, salt }) => { const dataKey = await decryptDataKey(key); const decipher = crypto.createDecipheriv(algorithm, dataKey, salt); return [ decipher.update(ciphertext, encoding, 'utf8'), decipher.final('utf8') ].join('') }; return { decrypt, encrypt } }; exports.awsKms = awsKms; exports.createEnvelopeEncryptor = createEnvelopeEncryptor; exports.dummyKms = dummyKms; exports.kekService = kekService;