UNPKG

@linkedmink/passport-mutual-key-challenge

Version:

Implements a Passport strategy to authenticate the public key of a user by issuing a dynamic generated challenge

LinkedMink/passport-mutual-key-challenge

95 lines (79 loc) 2.9 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
import crypto, { BinaryLike, KeyLike, KeyObject } from "crypto"; import { CryptographyOptions } from "./MutualKeyChallengeOptions"; import { isFunction, isKeyObject, isPromise } from "./Helpers/TypeCheck"; import { SignedMessage } from "./Types/Messages"; import { GetServerKeyFunc } from "./Types/Functions"; export class MessageVerifier { private readonly key: KeyObject | GetServerKeyFunc; constructor(key: GetServerKeyFunc | KeyLike, private readonly options: CryptographyOptions) { if (isFunction(key)) { this.key = key; } else { this.key = isKeyObject(key) ? key : crypto.createPrivateKey(key); } } async decryptAndVerify(pubKey: KeyLike, data: SignedMessage): Promise<Buffer | null> { const key = await this.serverKey(); const decrypted = crypto.privateDecrypt(this.encryptOptions(key), data.message); const isVerified = crypto.verify( this.options.hashAlgorithm, decrypted, this.verifyOptions(pubKey), data.signature ); return isVerified ? decrypted : null; } async encryptAndSign(pubKey: KeyLike, data: Buffer): Promise<SignedMessage> { const key = await this.serverKey(); const message = crypto.publicEncrypt(this.encryptOptions(pubKey), data); const signature = crypto.sign(this.options.hashAlgorithm, data, this.signOptions(key)); return { message, signature }; } async verify(pubKey: KeyLike, data: SignedMessage): Promise<boolean> { const key = await this.serverKey(); return crypto.verify( this.options.hashAlgorithm, data.message, this.verifyOptions(pubKey), data.signature ); } async sign(data: Buffer): Promise<SignedMessage> { const key = await this.serverKey(); const signature = crypto.sign(this.options.hashAlgorithm, data, this.signOptions(key)); return { message: data, signature }; } hash(data: BinaryLike): string { return crypto.createHash(this.options.hashAlgorithm).update(data).digest("base64"); } getNonce(): Buffer { return crypto.randomBytes(this.options.nonceSize); } private signOptions(key: KeyLike) { return { key: isKeyObject(key) ? key : crypto.createPrivateKey(key), padding: this.options.signaturePadding, }; } private verifyOptions(key: KeyLike) { return { key: isKeyObject(key) ? key : crypto.createPublicKey(key), padding: this.options.signaturePadding, }; } private encryptOptions(key: KeyLike) { return { key, oaepHash: this.options.hashAlgorithm, padding: this.options.messagePadding, }; } private async serverKey(): Promise<KeyObject> { if (isKeyObject(this.key)) { return this.key; } const keyResult = this.key(); const keyLike = isPromise(keyResult) ? await keyResult : keyResult; return isKeyObject(keyLike) ? keyLike : crypto.createPrivateKey(keyLike); } }