UNPKG

knxultimate

Version:

KNX IP protocol implementation for Node. This is the ENGINE of Node-Red KNX-Ultimate node.

github.com/Supergiovane/KNXUltimate

Supergiovane/KNXUltimate

169 lines (147 loc) 4.65 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
/** * Implements KNX Secure cryptographic primitives. * * Written in Italy with love, sun and passion, by Massimo Saccani. * * Released under the MIT License. * Use at your own risk; the author assumes no liability for damages. */ /** * Encryption and Decryption functions for KNX Secure */ import * as crypto from 'crypto' import { bytePad } from './util' /** * Calculate the message authentication code (MAC) for a message with AES-CBC * @param key - 16-byte AES key * @param additionalData - Additional data to be included in the MAC calculation * @param payload - Optional payload data * @param block0 - Optional block 0 (defaults to 16 zero bytes) * @returns MAC (16 bytes) */ export function calculateMessageAuthenticationCodeCBC( key: Buffer, additionalData: Buffer, payload: Buffer = Buffer.alloc(0), block0: Buffer = Buffer.alloc(16), ): Buffer { // Concatenate block0 + additional data length (2 bytes) + additional data + payload const additionalDataLength = Buffer.alloc(2) additionalDataLength.writeUInt16BE(additionalData.length, 0) // Use Buffer.from for better type compatibility const blocks = Buffer.from( Buffer.concat([block0, additionalDataLength, additionalData, payload]), ) // Apply padding to ensure blocks are multiple of 16 bytes const paddedBlocks = bytePad(blocks, 16) // Use AES-CBC with zero IV const iv = Buffer.alloc(16) // Use key.slice(0, 16) to ensure key is exactly 16 bytes const cipher = crypto.createCipheriv('aes-128-cbc', key.slice(0, 16), iv) cipher.setAutoPadding(false) // We've already padded manually const encrypted = Buffer.from( Buffer.concat([cipher.update(paddedBlocks), cipher.final()]), ) // Return last 16 bytes (MAC) return Buffer.from(encrypted.slice(encrypted.length - 16)) } /** * Decrypt data from SecureWrapper * @param key - 16-byte AES key * @param counter0 - Initial counter value (16 bytes) * @param mac - MAC value (16 bytes) * @param payload - Encrypted payload * @returns Tuple of [decrypted data, MAC-TR for verification] */ export function decryptCtr( key: Buffer, counter0: Buffer, mac: Buffer, payload: Buffer = Buffer.alloc(0), ): [Buffer, Buffer] { // For AES-CTR in Node.js, we need to ensure the counter is properly formatted const cipher = crypto.createDecipheriv( 'aes-128-ctr', key.slice(0, 16), counter0.slice(0, 16), ) // MAC is encrypted with counter 0 const macTr = Buffer.from(cipher.update(mac)) // Decrypt the payload const decryptedData = Buffer.from( Buffer.concat([cipher.update(payload), cipher.final()]), ) return [decryptedData, macTr] } /** * Encrypt data with AES-CTR * @param key - 16-byte AES key * @param counter0 - Initial counter value (16 bytes) * @param macCbc - CBC-MAC value (16 bytes) * @param payload - Data to encrypt * @returns Tuple of [encrypted payload, encrypted MAC] */ export function encryptDataCtr( key: Buffer, counter0: Buffer, macCbc: Buffer, payload: Buffer = Buffer.alloc(0), ): [Buffer, Buffer] { // Use AES-CTR for encryption const cipher = crypto.createCipheriv( 'aes-128-ctr', key.slice(0, 16), counter0.slice(0, 16), ) // Encrypt MAC with counter 0 const encryptedMac = Buffer.from(cipher.update(macCbc)) // Encrypt the payload const encryptedData = Buffer.from( Buffer.concat([cipher.update(payload), cipher.final()]), ) return [encryptedData, encryptedMac] } /** * Derive device authentication password using PBKDF2 * @param deviceAuthenticationPassword - Password string * @returns 16-byte derived key */ export function deriveDeviceAuthenticationPassword( deviceAuthenticationPassword: string, ): Buffer { return crypto.pbkdf2Sync( Buffer.from(deviceAuthenticationPassword, 'latin1'), 'device-authentication-code.1.secure.ip.knx.org', 65536, 16, 'sha256', ) } /** * Derive user password using PBKDF2 * @param passwordString - Password string * @returns 16-byte derived key */ export function deriveUserPassword(passwordString: string): Buffer { return crypto.pbkdf2Sync( Buffer.from(passwordString, 'latin1'), 'user-password.1.secure.ip.knx.org', 65536, 16, 'sha256', ) } /** * Generate an ECDH key pair using X25519 * @returns Tuple of [privateKey, publicKey] */ export function generateEcdhKeyPair(): [crypto.KeyObject, Buffer] { // Generate private key const privateKey = crypto.generateKeyPairSync('x25519').privateKey // Export public key - Note: raw format is not directly supported in types, using 'as any' const publicKey = crypto.createPublicKey(privateKey).export({ format: 'der', type: 'spki', }) return [privateKey, Buffer.from(publicKey)] }