mirror
/
libresilient
kopia lustrzana https://gitlab.com/rysiekpl/libresilient
1
0
Forkuj 0
Kod Zgłoszenia Projekty Wydania Wiki Aktywność
libresilient/plugins/signed-integrity/cli.js

244 wiersze
7.6 KiB
JavaScript
Czysty Wina Historia

/* ========================================================================= *\
|* === Signed Integrity: content integrity using signed integrity data === *|
\* ========================================================================= */
/**
* signed-integrity plugin's deploy/utility functions
*
* this code expects a Deno runtime:
* https://deno.land/
*/
/**
* helper function, converting binary to base64
* this need not be extremely fast, since it will only be used on digests
*
* binary_data - data to convert to base64
*/
let binToBase64 = (binary_data) => {
return btoa(
(new Uint8Array(binary_data))
.reduce((bin, byte)=>{
return bin += String.fromCharCode(byte)
}, '')
)
}
/**
* generate an ECDSA P-384 keypair and export it as a JWK
* https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/importKey#json_web_key
*/
let genKeypair = async () => {
let keypair = await crypto.subtle.generateKey({
name: "ECDSA",
namedCurve: "P-384"
},
true,
["sign", "verify"]
);
let exported_keypair = {
publicKey: await crypto.subtle.exportKey("jwk", keypair.publicKey),
privateKey: await crypto.subtle.exportKey("jwk", keypair.privateKey)
}
return JSON.stringify(exported_keypair)
}
/**
* get a public key from a provided private key file
*
* keyfile - a path to a file containing the private key
*/
let getPubkey = async (keyfile) => {
// we only want to process one file
if (Array.isArray(keyfile)) {
keyfile = keyfile[0]
}
//
var keydata = JSON.parse(await Deno.readTextFile(keyfile));
// the key can be either in a CryptoKeyPair structure, or directly in CryptoKey structure
// standardize!
if ("privateKey" in keydata) {
keydata = keydata.privateKey
}
// make the key public by deleting private parts and modifying key_ops
// ref. https://stackoverflow.com/a/57571350
delete keydata.d;
keydata.key_ops = ['verify']
// import the key, thus making sure data is valid and makes sense
let key = await crypto.subtle.importKey(
"jwk",
keydata,
{
name: 'ECDSA',
namedCurve: 'P-384'
},
true,
['verify']
)
// export it again
return JSON.stringify(await crypto.subtle.exportKey("jwk", key))
}
/**
* get integrity digests for a given path
*
* path - path to a file whose digest is to be generated
* algos - array of SubtleCrypto.digest-compatible algorithm names
*/
let getFileIntegrity = async (path, algos) => {
var result = []
// open the file and get some info on it
const file = await Deno.open(
path,
{ read: true }
);
const fileInfo = await file.stat();
// are we working with a file?
if (fileInfo.isFile) {
//console.log(`+-- reading: ${path}`)
// initialize
var content = new Uint8Array()
var buf = new Uint8Array(1000);
// read the first batch
var numread = file.readSync(buf);
// read the rest, if there is anything to read
while (numread !== null) {
//console.log(` +-- read: ${numread}`)
//console.log(` +-- length: ${content.length}`)
// there has to be a better way...
var new_content = new Uint8Array(content.length + numread);
//console.log(` +-- new length: ${new_content.length}`)
new_content.set(content)
if (buf.length === numread) {
new_content.set(buf, content.length)
} else {
new_content.set(buf.slice(0, numread), content.length)
}
content = new_content
// read some more
numread = file.readSync(buf);
}
//console.log(' +-- done.')
//console.log('+-- calculating digests')
for (const algo of algos) {
//console.log(` +-- ${algo}`)
var digest = algo.toLowerCase().replace('-', '') + '-' + binToBase64(await crypto.subtle.digest(algo, content))
//console.log(digest)
result.push(digest)
}
//console.log(`+-- file done: ${path}`)
// we are not working with a file
} else {
result = false;
}
// putting this in a try-catch block as the file
// is apparently being auto-closed?
// https://issueantenna.com/repo/denoland/deno/issues/15442
try {
await file.close();
} catch (BadResource) {}
// return the result
return result
}
/**
* generate integrity files for provided paths
*
* paths - paths to files for which integrity files are to be generated
* keyfile - path of the file containing the private key to use
* extension - file extension to use when saving integrity files (default: ".integrity")
*/
let genSignedIntegrity = async (paths, keyfile, extension='.integrity') => {
// load the key
var keydata = JSON.parse(await Deno.readTextFile(keyfile));
// the key can be either in a CryptoKeyPair structure, or directly in CryptoKey structure
// standardize!
if ("privateKey" in keydata) {
keydata = keydata.privateKey
}
// import the key, thus making sure data is valid and makes sense
let privkey = await crypto.subtle.importKey(
"jwk",
keydata,
{
name: 'ECDSA',
namedCurve: 'P-384'
},
true,
['sign']
)
// TODO: implement shit
}
// this never changes
const pluginName = "signed-integrity"
const pluginDescription = "Fetching signed integrity data and using it to verify content.\nCLI used to generate subresource integrity tokens and save them in integrity files."
const pluginVersion = 'COMMIT_UNKNOWN'
const pluginActions = {
"gen-keypair": {
run: genKeypair,
description: "generate a keypair and export it as a JSON Web Key"
},
"get-pubkey": {
run: getPubkey,
description: "print out a public key derived from the provided private key",
arguments: {
'_': {
name: "keyfile",
description: "file containing the private key in JSON Web Key format"
}
}
},
"gen-integrity": {
run: genSignedIntegrity,
description: "generate integrity files for given paths",
arguments: {
'_': {
name: "file",
description: "paths to generate signed integrity files for"
},
keyfile: {
description: "path to the file containing a private key in JSON Web Key format",
string: true
},
extension: {
description: "file extension to use when saving integrity files",
default: '.integrity',
string: true
}
}
}
}
export {
pluginName as name,
pluginDescription as description,
pluginVersion as version,
pluginActions as actions
}
Reference in New Issue View Git Blame Kopiuj bezpośredni odnośnik