UNPKG

crypto-shelf

Version:

Library collection for password hashing, HMAC-based signature generation, and symmetric encryption. Build on top of Node's crypto module

github.com/richterdennis/crypto-shelf

richterdennis/crypto-shelf

113 lines (87 loc) 2.99 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
import { randomBytes, getCipherInfo, scrypt, createCipheriv, createDecipheriv, } from 'node:crypto'; import { promisify } from 'node:util'; import { merge } from './util.js'; const scryptAsync = promisify(scrypt); const DEFAULT_SALT = Buffer.from('Eu372mYdUcdOzo2KrCdav2twN5CbTcmzGnvRKxxv5Rc', 'base64'); const AUTHENTICATED_ENCRYPTION_MODES = new Set(['gcm', 'ccm', 'ocb']); const AUTHENTICATED_ENCRYPTION_CIPHERS = new Set(['chacha20-poly1305']); export const defaults = { algorithm: 'aes-256-gcm', // Use aes-*-gcm, chacha20-poly1305 or aes-*-ocb for strong encryption encoding: 'base64url', aad: null, // additional authentication data }; export function generateSalt(options = {}) { const { encoding, saltLength = 32 } = merge(defaults, options); const salt = randomBytes(saltLength); return encoding ? salt.toString(encoding) : salt; } export async function generateKey(passphrase, salt = null, options = {}) { const { algorithm, encoding } = merge(defaults, options); if (salt && !Buffer.isBuffer(salt)) salt = Buffer.from(salt, encoding); if (!salt) salt = DEFAULT_SALT; const { keyLength } = getCipherInfo(algorithm); return await scryptAsync( passphrase, salt, keyLength, ); } export function encrypt(key, str, options = {}) { const { algorithm, encoding, aad } = merge(defaults, options); const { ivLength, authTagLength, mode } = getInfo(algorithm); const iv = randomBytes(ivLength); const cipher = createCipheriv(algorithm, key, iv, { authTagLength }); if (mode === 'ccm') { cipher.setAutoPadding(false); } if (authTagLength && aad) { cipher.setAAD(Buffer.from(aad, 'utf8'), { plaintextLength: Buffer.byteLength(str), }); } const encrypted = Buffer.concat([ iv, cipher.update(str, 'utf8'), cipher.final(), authTagLength ? cipher.getAuthTag() : Buffer.alloc(0), ]); return encoding ? encrypted.toString(encoding) : encrypted; } export function decrypt(key, str, options = {}) { const { algorithm, encoding, aad } = merge(defaults, options); const { ivLength, authTagLength, mode } = getInfo(algorithm); const encrypted = Buffer.from(str, encoding); const iv = encrypted.subarray(0, ivLength); const decipher = createDecipheriv(algorithm, key, iv, { authTagLength }); if (mode === 'ccm') { decipher.setAutoPadding(false); } if (authTagLength && aad) { decipher.setAAD(Buffer.from(aad, 'utf8'), { plaintextLength: encrypted.length - ivLength - authTagLength, }); } if (authTagLength) decipher.setAuthTag(encrypted.subarray(encrypted.length - authTagLength)); return decipher.update( encrypted.subarray(ivLength, encrypted.length - authTagLength), 'utf8', ) + decipher.final('utf8'); } function getInfo(algorithm) { const { ivLength, mode } = getCipherInfo(algorithm); const usingAuth = ( AUTHENTICATED_ENCRYPTION_MODES.has(mode) || AUTHENTICATED_ENCRYPTION_CIPHERS.has(algorithm) ); return { ivLength: ivLength || 0, authTagLength: usingAuth ? 16 : 0, mode, }; }