kopia lustrzana https://github.com/robinmoisson/staticrypt
refactor common crypto function (#141)
* dedupe common crypto functions * split build step, factor all uses of codec/cryptoEngine, rename * fix embed cryptojs path in cli Co-authored-by: Adam Hull <adam@hmlad.com>pull/147/head
rodzic
1ae32c3864
commit
4ca89dab35
@ -0,0 +1,38 @@
function exitEarly(message) {
|
||||
console.log(message);
|
||||
process.exit(1);
|
||||
}
|
||||
exports.exitEarly = exitEarly;
|
||||
|
||||
/**
|
||||
* Check if a particular option has been set by the user. Useful for distinguishing default value with flag without
|
||||
* parameter.
|
||||
*
|
||||
* Ex use case: '-s' means "give me a salt", '-s 1234' means "use 1234 as salt"
|
||||
*
|
||||
* From https://github.com/yargs/yargs/issues/513#issuecomment-221412008
|
||||
*
|
||||
* @param option
|
||||
* @param yargs
|
||||
* @returns {boolean}
|
||||
*/
|
||||
function isOptionSetByUser(option, yargs) {
|
||||
function searchForOption(option) {
|
||||
return process.argv.indexOf(option) > -1;
|
||||
}
|
||||
|
||||
if (searchForOption(`-${option}`) || searchForOption(`--${option}`)) {
|
||||
return true;
|
||||
}
|
||||
|
||||
// Handle aliases for same option
|
||||
for (let aliasIndex in yargs.parsed.aliases[option]) {
|
||||
const alias = yargs.parsed.aliases[option][aliasIndex];
|
||||
|
||||
if (searchForOption(`-${alias}`) || searchForOption(`--${alias}`))
|
||||
return true;
|
||||
}
|
||||
|
||||
return false;
|
||||
}
|
||||
exports.isOptionSetByUser = isOptionSetByUser;
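Review bot: `exitEarly` reports a fatal CLI failure with `console.log`, so the message lands on stdout and is mixed into whatever a caller pipes from this tool; `console.error(message);` keeps failure output on stderr where shells and scripts expect it. In `isOptionSetByUser`, `for (let aliasIndex in yargs.parsed.aliases[option])` walks an array with `for...in`, which also enumerates any enumerable additions to the prototype; `for (const alias of yargs.parsed.aliases[option] || [])` reads the aliases directly and still tolerates a missing entry. Both functions were moved here from cli/index.js rather than written fresh, so the points are pre-existing, but this new module is the place to settle them.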
152
cli/index.js
152
cli/index.js
@ -2,10 +2,15 @@
|
||||
"use strict";
|
||||
|
||||
const CryptoJS = require("crypto-js");
|
||||
const fs = require("fs");
|
||||
const path = require("path");
|
||||
const Yargs = require("yargs");
|
||||
const cryptoEngine = require("../lib/cryptoEngine/cryptojsEngine");
|
||||
const codec = require("../lib/codec");
|
||||
const { convertCommonJSToBrowserJS, genFile} = require("../lib/formater");
|
||||
const { exitEarly, isOptionSetByUser } = require("./helpers");
|
||||
const { generateRandomSalt } = cryptoEngine;
|
||||
const { encode } = codec.init(cryptoEngine);
|
||||
|
||||
const SCRIPT_URL =
|
||||
"https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.9-1/crypto-js.min.js";
|
||||
|
@ -14,76 +19,6 @@ const SCRIPT_TAG =
|
|||
SCRIPT_URL +
|
||||
'" integrity="sha384-lp4k1VRKPU9eBnPePjnJ9M2RF3i7PC30gXs70+elCVfgwLwx1tv5+ctxdtwxqZa7" crossorigin="anonymous"></script>';
|
||||
|
||||
/**
|
||||
* Salt and encrypt a msg with a password.
|
||||
* Inspired by https://github.com/adonespitogo
|
||||
*/
|
||||
function encrypt(msg, hashedPassphrase) {
|
||||
var iv = CryptoJS.lib.WordArray.random(128 / 8);
|
||||
|
||||
var encrypted = CryptoJS.AES.encrypt(msg, hashedPassphrase, {
|
||||
iv: iv,
|
||||
padding: CryptoJS.pad.Pkcs7,
|
||||
mode: CryptoJS.mode.CBC,
|
||||
});
|
||||
|
||||
// iv will be hex 16 in length (32 characters)
|
||||
// we prepend it to the ciphertext for use in decryption
|
||||
return iv.toString() + encrypted.toString();
|
||||
}
|
||||
|
||||
/**
|
||||
* Salt and hash the passphrase so it can be stored in localStorage without opening a password reuse vulnerability.
|
||||
*
|
||||
* @param {string} passphrase
|
||||
* @param {string} salt
|
||||
* @returns string
|
||||
*/
|
||||
function hashPassphrase(passphrase, salt) {
|
||||
var hashedPassphrase = CryptoJS.PBKDF2(passphrase, salt, {
|
||||
keySize: 256 / 32,
|
||||
iterations: 1000,
|
||||
});
|
||||
|
||||
return hashedPassphrase.toString();
|
||||
}
|
||||
|
||||
function generateRandomSalt() {
|
||||
return CryptoJS.lib.WordArray.random(128 / 8).toString();
|
||||
}
|
||||
|
||||
/**
|
||||
* Check if a particular option has been set by the user. Useful for distinguishing default value with flag without
|
||||
* parameter.
|
||||
*
|
||||
* Ex use case: '-s' means "give me a salt", '-s 1234' means "use 1234 as salt"
|
||||
*
|
||||
* From https://github.com/yargs/yargs/issues/513#issuecomment-221412008
|
||||
*
|
||||
* @param option
|
||||
* @param yargs
|
||||
* @returns {boolean}
|
||||
*/
|
||||
function isOptionSetByUser(option, yargs) {
|
||||
function searchForOption(option) {
|
||||
return process.argv.indexOf(option) > -1;
|
||||
}
|
||||
|
||||
if (searchForOption(`-${option}`) || searchForOption(`--${option}`)) {
|
||||
return true;
|
||||
}
|
||||
|
||||
// Handle aliases for same option
|
||||
for (let aliasIndex in yargs.parsed.aliases[option]) {
|
||||
const alias = yargs.parsed.aliases[option][aliasIndex];
|
||||
|
||||
if (searchForOption(`-${alias}`) || searchForOption(`--${alias}`))
|
||||
return true;
|
||||
}
|
||||
|
||||
return false;
|
||||
}
|
||||
|
||||
const yargs = Yargs.usage("Usage: staticrypt <filename> <passphrase> [options]")
|
||||
.option("c", {
|
||||
alias: "config",
|
||||
|
@ -201,11 +136,10 @@ else {
|
|||
|
||||
// validate the salt
|
||||
if (salt.length !== 32 || /[^a-f0-9]/.test(salt)) {
|
||||
console.log(
|
||||
exitEarly(
|
||||
"The salt should be a 32 character long hexadecimal string (only [0-9a-f] characters allowed)"
|
||||
+ "\nDetected salt: " + salt
|
||||
);
|
||||
console.log("Detected salt: " + salt);
|
||||
process.exit(1);
|
||||
}
|
||||
|
||||
// write salt to config file
|
||||
|
@ -223,34 +157,24 @@ let contents;
|
|||
try {
|
||||
contents = fs.readFileSync(input, "utf8");
|
||||
} catch (e) {
|
||||
console.log("Failure: input file does not exist!");
|
||||
process.exit(1);
|
||||
exitEarly("Failure: input file does not exist!");
|
||||
}
|
||||
|
||||
// encrypt input
|
||||
const hashedPassphrase = hashPassphrase(passphrase, salt);
|
||||
const encrypted = encrypt(contents, hashedPassphrase);
|
||||
// we use the hashed passphrase in the HMAC because this is effectively what will be used a passphrase (so we can store
|
||||
// it in localStorage safely, we don't use the clear text passphrase)
|
||||
const hmac = CryptoJS.HmacSHA256(
|
||||
encrypted,
|
||||
CryptoJS.SHA256(hashedPassphrase).toString()
|
||||
).toString();
|
||||
const encryptedMessage = hmac + encrypted;
|
||||
const encryptedMessage = encode(contents, passphrase, salt);
|
||||
|
||||
// create crypto-js tag (embedded or not)
|
||||
let cryptoTag = SCRIPT_TAG;
|
||||
if (namedArgs.embed) {
|
||||
try {
|
||||
const embedContents = fs.readFileSync(
|
||||
path.join(__dirname, "..", "kryptojs-3.1.9-1.min"),
|
||||
path.join(__dirname, "..", "lib", "kryptojs-3.1.9-1.min.js"),
|
||||
"utf8"
|
||||
);
|
||||
|
||||
cryptoTag = "<script>" + embedContents + "</script>";
|
||||
} catch (e) {
|
||||
console.log("Failure: embed file does not exist!");
|
||||
process.exit(1);
|
||||
exitEarly("Failure: embed file does not exist!");
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -261,10 +185,8 @@ const data = {
|
|||
encrypted: encryptedMessage,
|
||||
instructions: namedArgs.instructions,
|
||||
is_remember_enabled: namedArgs.noremember ? "false" : "true",
|
||||
output_file_path:
|
||||
namedArgs.output !== null
|
||||
? namedArgs.output
|
||||
: input.replace(/\.html$/, "") + "_encrypted.html",
|
||||
js_codec: convertCommonJSToBrowserJS("../lib/codec"),
|
||||
js_crypto_engine: convertCommonJSToBrowserJS("../lib/cryptoEngine/cryptojsEngine"),
|
||||
passphrase_placeholder: namedArgs.passphrasePlaceholder,
|
||||
remember_duration_in_days: namedArgs.remember,
|
||||
remember_me: namedArgs.rememberLabel,
|
||||
|
@ -272,46 +194,8 @@ const data = {
|
|||
title: namedArgs.title,
|
||||
};
|
||||
|
||||
genFile(data);
|
||||
const outputFilePath = namedArgs.output !== null
|
||||
? namedArgs.output
|
||||
: input.replace(/\.html$/, "") + "_encrypted.html";
|
||||
|
||||
/**
|
||||
* Fill the template with provided data and writes it to output file.
|
||||
*
|
||||
* @param data
|
||||
*/
|
||||
function genFile(data) {
|
||||
let templateContents;
|
||||
|
||||
try {
|
||||
templateContents = fs.readFileSync(namedArgs.f, "utf8");
|
||||
} catch (e) {
|
||||
console.log("Failure: could not read template!");
|
||||
process.exit(1);
|
||||
}
|
||||
|
||||
const renderedTemplate = render(templateContents, data);
|
||||
|
||||
try {
|
||||
fs.writeFileSync(data.output_file_path, renderedTemplate);
|
||||
} catch (e) {
|
||||
console.log("Failure: could not generate output file!");
|
||||
process.exit(1);
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Replace the placeholder tags (between '{tag}') in 'tpl' string with provided data.
|
||||
*
|
||||
* @param tpl
|
||||
* @param data
|
||||
* @returns string
|
||||
*/
|
||||
function render(tpl, data) {
|
||||
return tpl.replace(/{(.*?)}/g, function (_, key) {
|
||||
if (data && data[key] !== undefined) {
|
||||
return data[key];
|
||||
}
|
||||
|
||||
return "";
|
||||
});
|
||||
}
|
||||
genFile(data, outputFilePath, namedArgs.f);
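Review bot: The new `exitEarly("Failure: input file does not exist!")` in the catch around `fs.readFileSync(input, "utf8")` reports every read failure as a missing file — a permissions error, a directory passed as input, or an unreadable path all print the same misleading message and the real cause is discarded. Include the error in the text, e.g. `exitEarly(\`Failure: could not read input file ${input}: ${e.message}\`);`. The same pattern is used for the embedded crypto-js read a few lines further down (`exitEarly("Failure: embed file does not exist!")`), where the actual path being read is now `lib/kryptojs-3.1.9-1.min.js` and would be worth printing too. The enclosing top-level script starts before and continues between these hunks.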
@ -165,8 +165,144 @@
|
|||
<script src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.9-1/crypto-js.min.js" integrity="sha384-lp4k1VRKPU9eBnPePjnJ9M2RF3i7PC30gXs70+elCVfgwLwx1tv5+ctxdtwxqZa7" crossorigin="anonymous"></script>
|
||||
|
||||
<script>
|
||||
var cryptoEngine = ((function(){
|
||||
const exports = {};
|
||||
|
||||
/**
|
||||
* Salt and encrypt a msg with a password.
|
||||
* Inspired by https://github.com/adonespitogo
|
||||
*/
|
||||
function encrypt(msg, hashedPassphrase) {
|
||||
var iv = CryptoJS.lib.WordArray.random(128 / 8);
|
||||
|
||||
var encrypted = CryptoJS.AES.encrypt(msg, hashedPassphrase, {
|
||||
iv: iv,
|
||||
padding: CryptoJS.pad.Pkcs7,
|
||||
mode: CryptoJS.mode.CBC,
|
||||
});
|
||||
|
||||
// iv will be hex 16 in length (32 characters)
|
||||
// we prepend it to the ciphertext for use in decryption
|
||||
return iv.toString() + encrypted.toString();
|
||||
}
|
||||
exports.encrypt = encrypt;
|
||||
|
||||
/**
|
||||
* Decrypt a salted msg using a password.
|
||||
* Inspired by https://github.com/adonespitogo
|
||||
*
|
||||
* @param {string} encryptedMsg
|
||||
* @param {string} hashedPassphrase
|
||||
* @returns {string}
|
||||
*/
|
||||
function decrypt(encryptedMsg, hashedPassphrase) {
|
||||
var iv = CryptoJS.enc.Hex.parse(encryptedMsg.substr(0, 32));
|
||||
var encrypted = encryptedMsg.substring(32);
|
||||
|
||||
return CryptoJS.AES.decrypt(encrypted, hashedPassphrase, {
|
||||
iv: iv,
|
||||
padding: CryptoJS.pad.Pkcs7,
|
||||
mode: CryptoJS.mode.CBC,
|
||||
}).toString(CryptoJS.enc.Utf8);
|
||||
}
|
||||
exports.decrypt = decrypt;
|
||||
|
||||
/**
|
||||
* Salt and hash the passphrase so it can be stored in localStorage without opening a password reuse vulnerability.
|
||||
*
|
||||
* @param {string} passphrase
|
||||
* @param {string} salt
|
||||
* @returns string
|
||||
*/
|
||||
function hashPassphrase(passphrase, salt) {
|
||||
var hashedPassphrase = CryptoJS.PBKDF2(passphrase, salt, {
|
||||
keySize: 256 / 32,
|
||||
iterations: 1000,
|
||||
});
|
||||
|
||||
return hashedPassphrase.toString();
|
||||
}
|
||||
exports.hashPassphrase = hashPassphrase;
|
||||
|
||||
function generateRandomSalt() {
|
||||
return CryptoJS.lib.WordArray.random(128 / 8).toString();
|
||||
}
|
||||
exports.generateRandomSalt = generateRandomSalt;
|
||||
|
||||
function signMessage(hashedPassphrase, message) {
|
||||
return CryptoJS.HmacSHA256(
|
||||
message,
|
||||
CryptoJS.SHA256(hashedPassphrase).toString()
|
||||
).toString();
|
||||
}
|
||||
exports.signMessage = signMessage;
|
||||
|
||||
return exports;
|
||||
})())
|
||||
var codec = ((function(){
|
||||
const exports = {};
|
||||
/**
|
||||
* Initialize the codec with the provided cryptoEngine - this return functions to encode and decode messages.
|
||||
*
|
||||
* @param cryptoEngine - the engine to use for encryption / decryption
|
||||
*/
|
||||
function init(cryptoEngine) {
|
||||
const exports = {};
|
||||
/**
|
||||
* Top-level function for encoding a message.
|
||||
* Includes passphrase hashing, encryption, and signing.
|
||||
*
|
||||
* @param {string} msg
|
||||
* @param {string} passphrase
|
||||
* @param {string} salt
|
||||
*
|
||||
* @returns {string} The encoded text
|
||||
*/
|
||||
function encode(msg, passphrase, salt) {
|
||||
const hashedPassphrase = cryptoEngine.hashPassphrase(passphrase, salt);
|
||||
const encrypted = cryptoEngine.encrypt(msg, hashedPassphrase);
|
||||
// we use the hashed passphrase in the HMAC because this is effectively what will be used a passphrase (so we can store
|
||||
// it in localStorage safely, we don't use the clear text passphrase)
|
||||
const hmac = cryptoEngine.signMessage(hashedPassphrase, encrypted);
|
||||
|
||||
return hmac + encrypted;
|
||||
}
|
||||
exports.encode = encode;
|
||||
|
||||
/**
|
||||
* Top-level function for decoding a message.
|
||||
* Includes signature check, an decryption.
|
||||
*
|
||||
* @param {string} signedMsg
|
||||
* @param {string} hashedPassphrase
|
||||
*
|
||||
* @returns {Object} {success: true, decoded: string} | {success: false, message: string}
|
||||
*/
|
||||
function decode(signedMsg, hashedPassphrase) {
|
||||
const encryptedHMAC = signedMsg.substring(0, 64);
|
||||
const encryptedMsg = signedMsg.substring(64);
|
||||
const decryptedHMAC = cryptoEngine.signMessage(hashedPassphrase, encryptedMsg);
|
||||
|
||||
if (decryptedHMAC !== encryptedHMAC) {
|
||||
return { success: false, message: "Signature mismatch" };
|
||||
}
|
||||
return {
|
||||
success: true,
|
||||
decoded: cryptoEngine.decrypt(encryptedMsg, hashedPassphrase),
|
||||
};
|
||||
}
|
||||
exports.decode = decode;
|
||||
|
||||
return exports;
|
||||
}
|
||||
exports.init = init;
|
||||
|
||||
return exports;
|
||||
})())
|
||||
var decode = codec.init(cryptoEngine).decode;
|
||||
|
||||
// variables to be filled when generating the file
|
||||
var encryptedMsg = '65a0577162396cc1bddae60b8f435291ff7a69644825b98bfc636a29089a28efbc9417689b983f2048bb776ca66eb25fU2FsdGVkX19n36H4ocM7GbaeFVganWX86ZTHEZk2w12z3z7rqWDW8OESK8MmGtbnPJetgyWi3jpz3iI+rE/gSilJkhQ2YR/4yCBintGLeh1hCgX+XPBEDT0w+ri4uqUWCxDUIvzyUhbnf1ZD2WsK9wmDHwRwF9YcucHXuyS7/GlUcVsYERzxxDd9frN6DbubNNbdY/QtG+vtmLSwHGZtwQ==',
|
||||
var encryptedMsg = 'ff5ad376d50045dbd99489b68b5eaaca32904aa15ce3ec2a87e3e1ed4a4303b25d9a27ba3fb37cf8cc7a7ebdd075c1ccU2FsdGVkX1+/KUkAwOJH8g3jpasSyXB9awiVeP9zgYmhVwAYRie7BiUsNogQndwHPSSKM4QSfNCPLxrpCyEaPWgPa0+QzYWcMdlgL8GLfrg1h5mvSyQdIpLHLlH55m3DbvcjlITPY4kYY6pXevzhnEDzoDxXhSgLSTKU3NROGOusjQ8S4B4dzExJIq6kifuLceP8eAdHea6M2cmd99/dLQ==',
|
||||
salt = 'b93bbaf35459951c47721d1f3eaeb5b9',
|
||||
isRememberEnabled = true,
|
||||
rememberDurationInDays = 0; // 0 means forever
|
||||
|
@ -175,25 +311,6 @@
|
|||
var rememberPassphraseKey = 'staticrypt_passphrase',
|
||||
rememberExpirationKey = 'staticrypt_expiration';
|
||||
|
||||
/**
|
||||
* Decrypt a salted msg using a password.
|
||||
* Inspired by https://github.com/adonespitogo
|
||||
*
|
||||
* @param encryptedMsg
|
||||
* @param hashedPassphrase
|
||||
* @returns
|
||||
*/
|
||||
function decryptMsg(encryptedMsg, hashedPassphrase) {
|
||||
var iv = CryptoJS.enc.Hex.parse(encryptedMsg.substr(0, 32))
|
||||
var encrypted = encryptedMsg.substring(32);
|
||||
|
||||
return CryptoJS.AES.decrypt(encrypted, hashedPassphrase, {
|
||||
iv: iv,
|
||||
padding: CryptoJS.pad.Pkcs7,
|
||||
mode: CryptoJS.mode.CBC
|
||||
}).toString(CryptoJS.enc.Utf8);
|
||||
}
|
||||
|
||||
/**
|
||||
* Decrypt our encrypted page, replace the whole HTML.
|
||||
*
|
||||
|
@ -201,35 +318,17 @@
|
|||
* @returns
|
||||
*/
|
||||
function decryptAndReplaceHtml(hashedPassphrase) {
|
||||
var encryptedHMAC = encryptedMsg.substring(0, 64),
|
||||
encryptedHTML = encryptedMsg.substring(64),
|
||||
decryptedHMAC = CryptoJS.HmacSHA256(encryptedHTML, CryptoJS.SHA256(hashedPassphrase).toString()).toString();
|
||||
|
||||
if (decryptedHMAC !== encryptedHMAC) {
|
||||
var result = decode(encryptedMsg, hashedPassphrase);
|
||||
if (!result.success) {
|
||||
return false;
|
||||
}
|
||||
|
||||
var plainHTML = decryptMsg(encryptedHTML, hashedPassphrase);
|
||||
var plainHTML = result.decoded;
|
||||
|
||||
document.write(plainHTML);
|
||||
document.close();
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
/**
|
||||
* Salt and hash the passphrase so it can be stored in localStorage without opening a password reuse vulnerability.
|
||||
*
|
||||
* @param passphrase
|
||||
* @returns
|
||||
*/
|
||||
function hashPassphrase(passphrase) {
|
||||
return CryptoJS.PBKDF2(passphrase, salt, {
|
||||
keySize: 256 / 32,
|
||||
iterations: 1000
|
||||
}).toString();
|
||||
}
|
||||
|
||||
/**
|
||||
* Clear localstorage from staticrypt related values
|
||||
*/
|
||||
|
@ -284,7 +383,7 @@
|
|||
shouldRememberPassphrase = document.getElementById('staticrypt-remember').checked;
|
||||
|
||||
// decrypt and replace the whole page
|
||||
var hashedPassphrase = hashPassphrase(passphrase);
|
||||
var hashedPassphrase = cryptoEngine.hashPassphrase(passphrase, salt);
|
||||
var isDecryptionSuccessful = decryptAndReplaceHtml(hashedPassphrase);
|
||||
|
||||
if (isDecryptionSuccessful) {
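Review bot: In the inlined `cryptoEngine.encrypt`, `CryptoJS.AES.encrypt(msg, hashedPassphrase, { iv, … })` receives `hashedPassphrase` as a string, and CryptoJS treats a string key as a passphrase — it derives its own key and IV from that string plus a random salt and, as far as I recall its PasswordBasedCipher path, replaces the `iv` option with the derived one. The sample `encryptedMsg` in this hunk is consistent with that: after the 64-char HMAC and the 32-char hex IV the ciphertext starts with `U2FsdGVkX1`, base64 for `Salted__`, the OpenSSL-style header of that mode, so the comment `// we prepend it to the ciphertext for use in decryption` is misleading because the prepended IV is carried but is not the IV that encrypted the data. Using the derived bytes directly would honour the generated IV but change the wire format and break pages already generated, so the immediate fix is an honest comment, e.g. `// NOTE: the key is a string, so CryptoJS derives key+IV itself ("Salted__" format); this iv is stored but not used by AES`, and treating the PBKDF2 parameters (`keySize: 256 / 32, iterations: 1000`, no explicit hasher) as a versioned format in the same place. The identical engine text is duplicated into index.html and lib/cryptoEngine/cryptojsEngine.js in this commit, and `decryptAndReplaceHtml` drops `result.message` on failure, which may be intended but is worth a one-line comment.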
300
index.html
300
index.html
@ -65,7 +65,7 @@
|
|||
</p>
|
||||
<p>
|
||||
Download your encrypted string in a HTML page with a password prompt you can upload anywhere (see <a
|
||||
target="_blank" href="example/example_encrypted.html">example</a>).
|
||||
target="_blank" href="../example/example_encrypted.html">example</a>).
|
||||
</p>
|
||||
<p>
|
||||
The tool is also available as <a href="https://npmjs.com/package/staticrypt">a CLI on NPM</a> and is <a
|
||||
|
@ -210,25 +210,245 @@ Your encrypted string</pre>
|
|||
<!--
|
||||
Filename changed to circumvent adblockers that mistake it for a crypto miner (see https://github.com/robinmoisson/staticrypt/issues/107)
|
||||
-->
|
||||
<script src="lib/kryptojs-3.1.9-1.min.js"></script>
|
||||
<script src="../lib/kryptojs-3.1.9-1.min.js"></script>
|
||||
|
||||
<script src="https://cdn.ckeditor.com/4.7.0/standard/ckeditor.js"></script>
|
||||
|
||||
<script id="cryptoEngine">
|
||||
window.cryptoEngine = ((function(){
|
||||
const exports = {};
|
||||
|
||||
/**
|
||||
* Salt and encrypt a msg with a password.
|
||||
* Inspired by https://github.com/adonespitogo
|
||||
*/
|
||||
function encrypt(msg, hashedPassphrase) {
|
||||
var iv = CryptoJS.lib.WordArray.random(128 / 8);
|
||||
|
||||
var encrypted = CryptoJS.AES.encrypt(msg, hashedPassphrase, {
|
||||
iv: iv,
|
||||
padding: CryptoJS.pad.Pkcs7,
|
||||
mode: CryptoJS.mode.CBC,
|
||||
});
|
||||
|
||||
// iv will be hex 16 in length (32 characters)
|
||||
// we prepend it to the ciphertext for use in decryption
|
||||
return iv.toString() + encrypted.toString();
|
||||
}
|
||||
exports.encrypt = encrypt;
|
||||
|
||||
/**
|
||||
* Decrypt a salted msg using a password.
|
||||
* Inspired by https://github.com/adonespitogo
|
||||
*
|
||||
* @param {string} encryptedMsg
|
||||
* @param {string} hashedPassphrase
|
||||
* @returns {string}
|
||||
*/
|
||||
function decrypt(encryptedMsg, hashedPassphrase) {
|
||||
var iv = CryptoJS.enc.Hex.parse(encryptedMsg.substr(0, 32));
|
||||
var encrypted = encryptedMsg.substring(32);
|
||||
|
||||
return CryptoJS.AES.decrypt(encrypted, hashedPassphrase, {
|
||||
iv: iv,
|
||||
padding: CryptoJS.pad.Pkcs7,
|
||||
mode: CryptoJS.mode.CBC,
|
||||
}).toString(CryptoJS.enc.Utf8);
|
||||
}
|
||||
exports.decrypt = decrypt;
|
||||
|
||||
/**
|
||||
* Salt and hash the passphrase so it can be stored in localStorage without opening a password reuse vulnerability.
|
||||
*
|
||||
* @param {string} passphrase
|
||||
* @param {string} salt
|
||||
* @returns string
|
||||
*/
|
||||
function hashPassphrase(passphrase, salt) {
|
||||
var hashedPassphrase = CryptoJS.PBKDF2(passphrase, salt, {
|
||||
keySize: 256 / 32,
|
||||
iterations: 1000,
|
||||
});
|
||||
|
||||
return hashedPassphrase.toString();
|
||||
}
|
||||
exports.hashPassphrase = hashPassphrase;
|
||||
|
||||
function generateRandomSalt() {
|
||||
return CryptoJS.lib.WordArray.random(128 / 8).toString();
|
||||
}
|
||||
exports.generateRandomSalt = generateRandomSalt;
|
||||
|
||||
function signMessage(hashedPassphrase, message) {
|
||||
return CryptoJS.HmacSHA256(
|
||||
message,
|
||||
CryptoJS.SHA256(hashedPassphrase).toString()
|
||||
).toString();
|
||||
}
|
||||
exports.signMessage = signMessage;
|
||||
|
||||
return exports;
|
||||
})())
|
||||
</script>
|
||||
|
||||
<script id="codec">
|
||||
window.codec = ((function(){
|
||||
const exports = {};
|
||||
/**
|
||||
* Initialize the codec with the provided cryptoEngine - this return functions to encode and decode messages.
|
||||
*
|
||||
* @param cryptoEngine - the engine to use for encryption / decryption
|
||||
*/
|
||||
function init(cryptoEngine) {
|
||||
const exports = {};
|
||||
/**
|
||||
* Top-level function for encoding a message.
|
||||
* Includes passphrase hashing, encryption, and signing.
|
||||
*
|
||||
* @param {string} msg
|
||||
* @param {string} passphrase
|
||||
* @param {string} salt
|
||||
*
|
||||
* @returns {string} The encoded text
|
||||
*/
|
||||
function encode(msg, passphrase, salt) {
|
||||
const hashedPassphrase = cryptoEngine.hashPassphrase(passphrase, salt);
|
||||
const encrypted = cryptoEngine.encrypt(msg, hashedPassphrase);
|
||||
// we use the hashed passphrase in the HMAC because this is effectively what will be used a passphrase (so we can store
|
||||
// it in localStorage safely, we don't use the clear text passphrase)
|
||||
const hmac = cryptoEngine.signMessage(hashedPassphrase, encrypted);
|
||||
|
||||
return hmac + encrypted;
|
||||
}
|
||||
exports.encode = encode;
|
||||
|
||||
/**
|
||||
* Top-level function for decoding a message.
|
||||
* Includes signature check, an decryption.
|
||||
*
|
||||
* @param {string} signedMsg
|
||||
* @param {string} hashedPassphrase
|
||||
*
|
||||
* @returns {Object} {success: true, decoded: string} | {success: false, message: string}
|
||||
*/
|
||||
function decode(signedMsg, hashedPassphrase) {
|
||||
const encryptedHMAC = signedMsg.substring(0, 64);
|
||||
const encryptedMsg = signedMsg.substring(64);
|
||||
const decryptedHMAC = cryptoEngine.signMessage(hashedPassphrase, encryptedMsg);
|
||||
|
||||
if (decryptedHMAC !== encryptedHMAC) {
|
||||
return { success: false, message: "Signature mismatch" };
|
||||
}
|
||||
return {
|
||||
success: true,
|
||||
decoded: cryptoEngine.decrypt(encryptedMsg, hashedPassphrase),
|
||||
};
|
||||
}
|
||||
exports.decode = decode;
|
||||
|
||||
return exports;
|
||||
}
|
||||
exports.init = init;
|
||||
|
||||
return exports;
|
||||
})())
|
||||
</script>
|
||||
|
||||
<script id="formater">
|
||||
window.formater = ((function(){
|
||||
const exports = {};
|
||||
|
||||
/**
|
||||
* A dead-simple alternative to webpack or rollup for inlining simple
|
||||
* CommonJS modules in a browser <script>.
|
||||
* - Wraps the module in an immediately invoked function that returns `exports`.
|
||||
*
|
||||
* @param {string} modulePath
|
||||
*/
|
||||
function convertCommonJSToBrowserJS(modulePath) {
|
||||
const resolvedPath = path.join(__dirname, ...modulePath.split("/")) + ".js";
|
||||
const moduleText = fs
|
||||
.readFileSync(resolvedPath, "utf8")
|
||||
.replaceAll(/^.*\brequire\(.*$\n/gm, "");
|
||||
|
||||
return `
|
||||
((function(){
|
||||
const exports = {};
|
||||
${moduleText}
|
||||
return exports;
|
||||
})())
|
||||
`.trim();
|
||||
}
|
||||
exports.convertCommonJSToBrowserJS = convertCommonJSToBrowserJS;
|
||||
|
||||
|
||||
/**
|
||||
* Replace the placeholder tags (between '{tag}') in the template string with provided data.
|
||||
*
|
||||
* @param {string} templateString
|
||||
* @param {Object} data
|
||||
*
|
||||
* @returns string
|
||||
*/
|
||||
function renderTemplate(templateString, data) {
|
||||
return templateString.replace(/{(.*?)}/g, function (_, key) {
|
||||
if (data && data[key] !== undefined) {
|
||||
return data[key];
|
||||
}
|
||||
|
||||
return "";
|
||||
});
|
||||
}
|
||||
exports.renderTemplate = renderTemplate;
|
||||
|
||||
/**
|
||||
* Fill the template with provided data and writes it to output file.
|
||||
*
|
||||
* @param {Object} data
|
||||
* @param {string} outputFilePath
|
||||
* @param {string} inputFilePath
|
||||
*/
|
||||
function genFile(data, outputFilePath, inputFilePath) {
|
||||
let templateContents;
|
||||
|
||||
try {
|
||||
templateContents = fs.readFileSync(inputFilePath, "utf8");
|
||||
} catch (e) {
|
||||
exitEarly("Failure: could not read template!");
|
||||
}
|
||||
|
||||
const renderedTemplate = renderTemplate(templateContents, data);
|
||||
|
||||
try {
|
||||
fs.writeFileSync(outputFilePath, renderedTemplate);
|
||||
} catch (e) {
|
||||
exitEarly("Failure: could not generate output file!");
|
||||
}
|
||||
}
|
||||
exports.genFile = genFile;
|
||||
|
||||
return exports;
|
||||
})())
|
||||
</script>
|
||||
|
||||
<script>
|
||||
var encode = codec.init(cryptoEngine).encode;
|
||||
|
||||
// enable CKEDIRTOR
|
||||
CKEDITOR.replace('instructions');
|
||||
|
||||
var htmlToDownload;
|
||||
|
||||
var renderTemplate = function (tpl, data) {
|
||||
return tpl.replace(/{(.*?)}/g, function (_, key) {
|
||||
if (data && data[key] !== undefined) {
|
||||
return data[key];
|
||||
}
|
||||
|
||||
return '';
|
||||
});
|
||||
};
|
||||
/**
|
||||
* Extract js code from <script> tag and return it as a string
|
||||
*
|
||||
* @param id
|
||||
* @returns
|
||||
*/
|
||||
var getScriptAsString = function (id) {
|
||||
return document.getElementById(id)
|
||||
.innerText.replace(/window\.\w+ = /, '');
|
||||
}
|
||||
|
||||
/**
|
||||
* Fill the password prompt template with data provided.
|
||||
|
@ -238,7 +458,7 @@ Filename changed to circumvent adblockers that mistake it for a crypto miner (se
|
|||
var request = new XMLHttpRequest();
|
||||
request.open('GET', 'lib/password_template.html', true);
|
||||
request.onload = function () {
|
||||
var renderedTmpl = renderTemplate(request.responseText, data);
|
||||
var renderedTmpl = formater.renderTemplate(request.responseText, data);
|
||||
|
||||
var downloadLink = document.querySelector('a.download');
|
||||
downloadLink.href = 'data:text/html,' + encodeURIComponent(renderedTmpl);
|
||||
|
@ -263,44 +483,6 @@ Filename changed to circumvent adblockers that mistake it for a crypto miner (se
|
|||
request.send();
|
||||
};
|
||||
|
||||
/**
|
||||
* Salt and encrypt a msg with a password.
|
||||
* Inspired by https://github.com/adonespitogo
|
||||
*/
|
||||
function encrypt(msg, hashedPassphrase) {
|
||||
var iv = CryptoJS.lib.WordArray.random(128 / 8);
|
||||
|
||||
var encrypted = CryptoJS.AES.encrypt(msg, hashedPassphrase, {
|
||||
iv: iv,
|
||||
padding: CryptoJS.pad.Pkcs7,
|
||||
mode: CryptoJS.mode.CBC
|
||||
});
|
||||
|
||||
// iv will be hex 16 in length (32 characters)
|
||||
// we prepend it to the ciphertext for use in decryption
|
||||
return iv.toString() + encrypted.toString();
|
||||
}
|
||||
|
||||
/**
|
||||
* Salt and hash the passphrase so it can be stored in localStorage without opening a password reuse vulnerability.
|
||||
*
|
||||
* @param {string} passphrase
|
||||
* @returns {{salt: string, hashedPassphrase: string}}
|
||||
*/
|
||||
function hashPassphrase(passphrase) {
|
||||
var salt = CryptoJS.lib.WordArray.random(128 / 8).toString();
|
||||
|
||||
var hashedPassphrase = CryptoJS.PBKDF2(passphrase, salt, {
|
||||
keySize: 256 / 32,
|
||||
iterations: 1000
|
||||
});
|
||||
|
||||
return {
|
||||
salt: salt,
|
||||
hashedPassphrase: hashedPassphrase.toString(),
|
||||
};
|
||||
}
|
||||
|
||||
/**
|
||||
* Handle form submission.
|
||||
*/
|
||||
|
@ -314,15 +496,8 @@ Filename changed to circumvent adblockers that mistake it for a crypto miner (se
|
|||
var unencrypted = document.getElementById('unencrypted_html').value,
|
||||
passphrase = document.getElementById('passphrase').value;
|
||||
|
||||
var hashed = hashPassphrase(passphrase);
|
||||
var hashedPassphrase = hashed.hashedPassphrase,
|
||||
salt = hashed.salt;
|
||||
|
||||
var encrypted = encrypt(unencrypted, hashedPassphrase),
|
||||
// we use the hashed passphrase in the HMAC because this is effectively what will be used a passphrase (so
|
||||
// we can store it localStorage safely, we don't use the clear text passphrase)
|
||||
hmac = CryptoJS.HmacSHA256(encrypted, CryptoJS.SHA256(hashedPassphrase).toString()).toString(),
|
||||
encryptedMsg = hmac + encrypted;
|
||||
var salt = cryptoEngine.generateRandomSalt();
|
||||
var encryptedMsg = encode(unencrypted, passphrase, salt);
|
||||
|
||||
var decryptButton = document.getElementById('decrypt_button').value,
|
||||
instructions = document.getElementById('instructions').value,
|
||||
|
@ -336,16 +511,18 @@ Filename changed to circumvent adblockers that mistake it for a crypto miner (se
|
|||
crypto_tag: '<script src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.9-1/crypto-js.min.js" integrity="sha384-lp4k1VRKPU9eBnPePjnJ9M2RF3i7PC30gXs70+elCVfgwLwx1tv5+ctxdtwxqZa7" crossorigin="anonymous"></scr' + 'ipt>',
|
||||
decrypt_button: decryptButton ? decryptButton : 'DECRYPT',
|
||||
encrypted: encryptedMsg,
|
||||
salt: salt,
|
||||
instructions: instructions ? instructions : '',
|
||||
is_remember_enabled: isRememberEnabled ? 'true' : 'false',
|
||||
js_codec: getScriptAsString('codec'),
|
||||
js_crypto_engine: getScriptAsString('cryptoEngine'),
|
||||
passphrase_placeholder: passphrasePlaceholder ? passphrasePlaceholder : 'Passphrase',
|
||||
remember_duration_in_days: rememberDurationInDays.toString(),
|
||||
remember_me: rememberMe ? rememberMe : 'Remember me',
|
||||
salt: salt,
|
||||
title: pageTitle ? pageTitle : 'Protected Page',
|
||||
};
|
||||
|
||||
document.getElementById('encrypted_html_display').textContent = encrypted;
|
||||
document.getElementById('encrypted_html_display').textContent = encryptedMsg;
|
||||
|
||||
if (document.getElementById("embed-crypto").checked) {
|
||||
setFileToDownloadWithEmbeddedCrypto(data);
|
||||
|
@ -394,6 +571,5 @@ Filename changed to circumvent adblockers that mistake it for a crypto miner (se
|
|||
})
|
||||
</script>
|
||||
|
||||
|
||||
</body>
|
||||
</html>
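Review bot: The page-local `var renderTemplate = function (tpl, data) {…}` in the `<script>` after the formater block is now dead code: its only caller, `request.onload`, was switched to `formater.renderTemplate(request.responseText, data)` in this commit, so the copy should be removed before the two drift apart. The inlined `window.formater` module also carries `convertCommonJSToBrowserJS` and `genFile`, which reference `fs`, `path`, `__dirname` and `exitEarly` that do not exist in the browser; they are harmless while nothing calls them, but a comment such as `// only renderTemplate is usable in the browser; the other exports need Node` next to the `<script id="formater">` tag would save the next reader the check. `getScriptAsString` reads `.innerText` of a `<script>` element to build `js_codec`/`js_crypto_engine`; `.textContent` is the property that returns the raw script source independent of rendering, so I would use it there.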
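--- /dev/null
+++ b/lib/codec.js
@@ -0,0 +1,55 @@
+/**
+* Initialize the codec with the provided cryptoEngine - this return functions to encode and decode messages.
+*
+* @param cryptoEngine - the engine to use for encryption / decryption
+*/
+function init(cryptoEngine) {
+const exports = {};
+/**
+* Top-level function for encoding a message.
+* Includes passphrase hashing, encryption, and signing.
+*
+* @param {string} msg
+* @param {string} passphrase
+* @param {string} salt
+*
+* @returns {string} The encoded text
+*/
+function encode(msg, passphrase, salt) {
+const hashedPassphrase = cryptoEngine.hashPassphrase(passphrase, salt);
+const encrypted = cryptoEngine.encrypt(msg, hashedPassphrase);
+// we use the hashed passphrase in the HMAC because this is effectively what will be used a passphrase (so we can store
+// it in localStorage safely, we don't use the clear text passphrase)
+const hmac = cryptoEngine.signMessage(hashedPassphrase, encrypted);
+
+return hmac + encrypted;
+}
+exports.encode = encode;
+
+/**
+* Top-level function for decoding a message.
+* Includes signature check, an decryption.
+*
+* @param {string} signedMsg
+* @param {string} hashedPassphrase
+*
+* @returns {Object} {success: true, decoded: string} | {success: false, message: string}
+*/
+function decode(signedMsg, hashedPassphrase) {
+const encryptedHMAC = signedMsg.substring(0, 64);
+const encryptedMsg = signedMsg.substring(64);
+const decryptedHMAC = cryptoEngine.signMessage(hashedPassphrase, encryptedMsg);
+
+if (decryptedHMAC !== encryptedHMAC) {
+return { success: false, message: "Signature mismatch" };
+}
+return {
+success: true,
+decoded: cryptoEngine.decrypt(encryptedMsg, hashedPassphrase),
+};
+}
+exports.decode = decode;
+
+return exports;
+}
+exports.init = init;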
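Review bot: `decode` splits the signature off at a hard-coded `64`, which silently assumes the engine's `signMessage` returns a 64-character hex SHA-256; any other engine plugged into `init` with a different digest width would make every message fail with "Signature mismatch". Name the assumption, `const HMAC_HEX_LENGTH = 64; // hex SHA-256 from cryptoEngine.signMessage`, and state the engine contract on `init`'s JSDoc: `@param cryptoEngine - must expose hashPassphrase, encrypt, decrypt and signMessage; signMessage must return a fixed-width 64-char hex digest`. The signature check runs before `cryptoEngine.decrypt` is ever called, so a wrong passphrase or a modified payload fails closed; that is the only integrity check a generated page has and deserves a sentence in `decode`'s doc, whose "Includes signature check, an decryption." should also read "and decryption".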
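--- /dev/null
+++ b/lib/cryptoEngine/cryptojsEngine.js
@@ -0,0 +1,70 @@
+const CryptoJS = require("crypto-js");
+
+/**
+* Salt and encrypt a msg with a password.
+* Inspired by https://github.com/adonespitogo
+*/
+function encrypt(msg, hashedPassphrase) {
+var iv = CryptoJS.lib.WordArray.random(128 / 8);
+
+var encrypted = CryptoJS.AES.encrypt(msg, hashedPassphrase, {
+iv: iv,
+padding: CryptoJS.pad.Pkcs7,
+mode: CryptoJS.mode.CBC,
+});
+
+// iv will be hex 16 in length (32 characters)
+// we prepend it to the ciphertext for use in decryption
+return iv.toString() + encrypted.toString();
+}
+exports.encrypt = encrypt;
+
+/**
+* Decrypt a salted msg using a password.
+* Inspired by https://github.com/adonespitogo
+*
+* @param {string} encryptedMsg
+* @param {string} hashedPassphrase
+* @returns {string}
+*/
+function decrypt(encryptedMsg, hashedPassphrase) {
+var iv = CryptoJS.enc.Hex.parse(encryptedMsg.substr(0, 32));
+var encrypted = encryptedMsg.substring(32);
+
+return CryptoJS.AES.decrypt(encrypted, hashedPassphrase, {
+iv: iv,
+padding: CryptoJS.pad.Pkcs7,
+mode: CryptoJS.mode.CBC,
+}).toString(CryptoJS.enc.Utf8);
+}
+exports.decrypt = decrypt;
+
+/**
+* Salt and hash the passphrase so it can be stored in localStorage without opening a password reuse vulnerability.
+*
+* @param {string} passphrase
+* @param {string} salt
+* @returns string
+*/
+function hashPassphrase(passphrase, salt) {
+var hashedPassphrase = CryptoJS.PBKDF2(passphrase, salt, {
+keySize: 256 / 32,
+iterations: 1000,
+});
+
+return hashedPassphrase.toString();
+}
+exports.hashPassphrase = hashPassphrase;
+
+function generateRandomSalt() {
+return CryptoJS.lib.WordArray.random(128 / 8).toString();
+}
+exports.generateRandomSalt = generateRandomSalt;
+
+function signMessage(hashedPassphrase, message) {
+return CryptoJS.HmacSHA256(
+message,
+CryptoJS.SHA256(hashedPassphrase).toString()
+).toString();
+}
+exports.signMessage = signMessage;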
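Review bot: The `iv` generated at the top of `encrypt` is not the IV AES actually uses here: `hashedPassphrase` is a hex string, and when CryptoJS receives a string key it (if I read its password-based cipher path right) derives key and IV itself from that string plus its own random salt and overrides the `iv` option, and `decrypt` discards the parsed `iv` the same way, which is why the round trip still works. This commit is a dedupe and changing that would break every page already generated, so keep the wire format but replace the comment above the return line with `// NOTE: hashedPassphrase is a string, so CryptoJS derives key+IV itself (OpenSSL-style KDF); the prepended iv is only a format prefix and is not used by AES`. `hashPassphrase` hard-codes `iterations: 1000` with CryptoJS's default hasher, which offers little against offline guessing of a weak passphrase (the project's own page warns about dictionary attacks); a comment that the count is part of the on-disk format and can only be raised with a migration would stop someone "fixing" it in place. `generateRandomSalt` and `signMessage` have no JSDoc; `signMessage` at least needs `@returns {string} 64-char hex HMAC-SHA256 keyed by SHA256(hashedPassphrase)` since codec.decode relies on that width.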
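--- /dev/null
+++ b/lib/formater.js
@@ -0,0 +1,73 @@
+const path = require("path");
+const fs = require("fs");
+const { exitEarly } = require("../cli/helpers");
+
+/**
+* A dead-simple alternative to webpack or rollup for inlining simple
+* CommonJS modules in a browser <script>.
+* - Removes all lines containing require().
+* - Wraps the module in an immediately invoked function that returns `exports`.
+*
+* @param {string} modulePath
+*/
+function convertCommonJSToBrowserJS(modulePath) {
+const resolvedPath = path.join(__dirname, ...modulePath.split("/")) + ".js";
+const moduleText = fs
+.readFileSync(resolvedPath, "utf8")
+.replaceAll(/^.*\brequire\(.*$\n/gm, "");
+
+return `
+((function(){
+const exports = {};
+${moduleText}
+return exports;
+})())
+`.trim();
+}
+exports.convertCommonJSToBrowserJS = convertCommonJSToBrowserJS;
+
+
+/**
+* Replace the placeholder tags (between '{tag}') in the template string with provided data.
+*
+* @param {string} templateString
+* @param {Object} data
+*
+* @returns string
+*/
+function renderTemplate(templateString, data) {
+return templateString.replace(/{(.*?)}/g, function (_, key) {
+if (data && data[key] !== undefined) {
+return data[key];
+}
+
+return "";
+});
+}
+exports.renderTemplate = renderTemplate;
+
+/**
+* Fill the template with provided data and writes it to output file.
+*
+* @param {Object} data
+* @param {string} outputFilePath
+* @param {string} inputFilePath
+*/
+function genFile(data, outputFilePath, inputFilePath) {
+let templateContents;
+
+try {
+templateContents = fs.readFileSync(inputFilePath, "utf8");
+} catch (e) {
+exitEarly("Failure: could not read template!");
+}
+
+const renderedTemplate = renderTemplate(templateContents, data);
+
+try {
+fs.writeFileSync(outputFilePath, renderedTemplate);
+} catch (e) {
+exitEarly("Failure: could not generate output file!");
+}
+}
+exports.genFile = genFile;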
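Review bot: `renderTemplate`'s `/{(.*?)}/g` treats every single-line `{…}` in a template as a placeholder, and unknown keys are replaced with `""` rather than reported, so a one-line CSS rule or an empty object literal added to a template later is silently blanked. A comment above the regex, `// any single-line {…} is a placeholder: keep literal braces on separate lines or they will be blanked`, or a narrower key pattern such as `/{([a-z_]+)}/g` if the keys stay lowercase/underscore as the ones on this page are, would make that visible. `convertCommonJSToBrowserJS` resolves `modulePath` against `__dirname` (the lib directory), not the caller's location, and drops any line containing `require(`, comments included; both facts belong in its JSDoc since the callers pass `../lib/...` paths that only work because of the former. `.replaceAll(/…/gm, "")` with a global regex is equivalent to `.replace(/…/gm, "")`, and the latter also runs on Node versions that predate `String.prototype.replaceAll`.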
@ -165,6 +165,10 @@
|
|||
{crypto_tag}
|
||||
|
||||
<script>
|
||||
var cryptoEngine = {js_crypto_engine}
|
||||
var codec = {js_codec}
|
||||
var decode = codec.init(cryptoEngine).decode;
|
||||
|
||||
// variables to be filled when generating the file
|
||||
var encryptedMsg = '{encrypted}',
|
||||
salt = '{salt}',
|
||||
|
@ -175,25 +179,6 @@
|
|||
var rememberPassphraseKey = 'staticrypt_passphrase',
|
||||
rememberExpirationKey = 'staticrypt_expiration';
|
||||
|
||||
/**
|
||||
* Decrypt a salted msg using a password.
|
||||
* Inspired by https://github.com/adonespitogo
|
||||
*
|
||||
* @param {string} encryptedMsg
|
||||
* @param {string} hashedPassphrase
|
||||
* @returns {string}
|
||||
*/
|
||||
function decryptMsg(encryptedMsg, hashedPassphrase) {
|
||||
var iv = CryptoJS.enc.Hex.parse(encryptedMsg.substr(0, 32))
|
||||
var encrypted = encryptedMsg.substring(32);
|
||||
|
||||
return CryptoJS.AES.decrypt(encrypted, hashedPassphrase, {
|
||||
iv: iv,
|
||||
padding: CryptoJS.pad.Pkcs7,
|
||||
mode: CryptoJS.mode.CBC
|
||||
}).toString(CryptoJS.enc.Utf8);
|
||||
}
|
||||
|
||||
/**
|
||||
* Decrypt our encrypted page, replace the whole HTML.
|
||||
*
|
||||
|
@ -201,35 +186,17 @@
|
|||
* @returns {boolean}
|
||||
*/
|
||||
function decryptAndReplaceHtml(hashedPassphrase) {
|
||||
var encryptedHMAC = encryptedMsg.substring(0, 64),
|
||||
encryptedHTML = encryptedMsg.substring(64),
|
||||
decryptedHMAC = CryptoJS.HmacSHA256(encryptedHTML, CryptoJS.SHA256(hashedPassphrase).toString()).toString();
|
||||
|
||||
if (decryptedHMAC !== encryptedHMAC) {
|
||||
var result = decode(encryptedMsg, hashedPassphrase);
|
||||
if (!result.success) {
|
||||
return false;
|
||||
}
|
||||
|
||||
var plainHTML = decryptMsg(encryptedHTML, hashedPassphrase);
|
||||
var plainHTML = result.decoded;
|
||||
|
||||
document.write(plainHTML);
|
||||
document.close();
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
/**
|
||||
* Salt and hash the passphrase so it can be stored in localStorage without opening a password reuse vulnerability.
|
||||
*
|
||||
* @param {string} passphrase
|
||||
* @returns {string}
|
||||
*/
|
||||
function hashPassphrase(passphrase) {
|
||||
return CryptoJS.PBKDF2(passphrase, salt, {
|
||||
keySize: 256 / 32,
|
||||
iterations: 1000
|
||||
}).toString();
|
||||
}
|
||||
|
||||
/**
|
||||
* Clear localstorage from staticrypt related values
|
||||
*/
|
||||
|
@ -284,7 +251,7 @@
|
|||
shouldRememberPassphrase = document.getElementById('staticrypt-remember').checked;
|
||||
|
||||
// decrypt and replace the whole page
|
||||
var hashedPassphrase = hashPassphrase(passphrase);
|
||||
var hashedPassphrase = cryptoEngine.hashPassphrase(passphrase, salt);
|
||||
var isDecryptionSuccessful = decryptAndReplaceHtml(hashedPassphrase);
|
||||
|
||||
if (isDecryptionSuccessful) {
|
||||
|
|
|
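Review bot: In the `@ -201,35 +186,17 @@` hunk `decryptAndReplaceHtml` discards `result.message` and returns `false` for every failed decode, so a wrong passphrase and a modified payload are indistinguishable to the caller; that is the right default for a page that must not act as an oracle, but the JSDoc above the function, which starts outside the hunk, should say so, e.g. `@returns {boolean} false when the HMAC check in codec.decode fails (wrong passphrase or modified payload); nothing is written to the document in that case`. In the `@ -165,6 +165,10 @@` hunk the inlined `{js_crypto_engine}` relies on the global `CryptoJS` that `{crypto_tag}` loads just above it, because the build strips the module's `require` line; an HTML comment before `{crypto_tag}` such as `<!-- must stay above the script below: the inlined engine expects a global CryptoJS -->` would keep a future reorder from breaking every generated page.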
@ -1,8 +1,11 @@
|
|||
# Usage: `npm run build`
|
||||
# NPM establishes a reliable working directory
|
||||
# Build the website files
|
||||
# Should be run with "npm run build" - npm handles the pathing better (so no "#!/usr/bin/env" bash on top)
|
||||
|
||||
# Encrypt the example file
|
||||
# encrypt the example file
|
||||
npx . example/example.html test \
|
||||
--no-embed \
|
||||
--salt b93bbaf35459951c47721d1f3eaeb5b9 \
|
||||
--instructions "Enter \"test\" to unlock the page"
|
||||
|
||||
# build the index.html file
|
||||
node ./scripts/buildIndex.js
|
||||
|
|
|
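Review bot: The script now runs two steps in sequence but sets no `set -e`, so if `npx . example/example.html test …` fails the build still proceeds to `node ./scripts/buildIndex.js` and exits 0; add `set -eu` as the first non-comment line (the hunk covers the top of the file, so nothing above it sets shell options). The header comment explains that `npm run build` is required for the working directory, and `buildIndex.js` depends on that same cwd for its `./index.html` and `./scripts/index_template.html` paths; stating that next to the `node ./scripts/buildIndex.js` line makes the coupling visible.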
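--- /dev/null
+++ b/scripts/buildIndex.js
@@ -0,0 +1,9 @@
+const { convertCommonJSToBrowserJS, genFile} = require("../lib/formater");
+
+const data = {
+js_codec: convertCommonJSToBrowserJS("../lib/codec"),
+js_crypto_engine: convertCommonJSToBrowserJS("../lib/cryptoEngine/cryptojsEngine"),
+js_formater: convertCommonJSToBrowserJS("../lib/formater"),
+};
+
+genFile(data, "./index.html", "./scripts/index_template.html");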
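Review bot: The output and template paths `"./index.html"` and `"./scripts/index_template.html"` are resolved against the process working directory, so the script only works when launched from the repository root (as `npm run build` does) and otherwise writes `index.html` wherever it happens to be run from, while the `convertCommonJSToBrowserJS` calls on the lines above resolve against `lib/` instead. Anchoring both on the script's own location, `path.join(__dirname, "..", "index.html")` and `path.join(__dirname, "index_template.html")` with `const path = require("path");`, removes that dependency. `js_formater` inlines all of `lib/formater.js` into the page, including `genFile`, whose `fs` and `exitEarly` references are stripped by the build; a one-line comment that only `renderTemplate` is meant to run in the browser would save the next reader that check.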
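--- /dev/null
+++ b/scripts/index_template.html
@@ -0,0 +1,370 @@
+<!doctype html>
+<html>
+<head>
+<meta charset="utf-8">
+<title>StatiCrypt: Password protect static HTML</title>
+<meta name="description" content="">
+<meta name="viewport" content="width=device-width, initial-scale=1">
+<link rel="stylesheet"
+type="text/css"
+href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css"
+integrity="sha384-BVYiiSIFeK1dGmJRAkycuHAHRg32OmUcww7on3RYdg4Va+PmSTsz/K68vbdEjh4u"
+crossorigin="anonymous">
+<style>
+a.no-style {
+color: inherit;
+text-decoration: inherit;
+}
+
+body {
+font-size: 16px;
+}
+
+label.no-style {
+font-weight: normal;
+}
+</style>
+
+<script>
+(function (i, s, o, g, r, a, m) {
+i['GoogleAnalyticsObject'] = r;
+i[r] = i[r] || function () {
+(i[r].q = i[r].q || []).push(arguments)
+}, i[r].l = 1 * new Date();
+a = s.createElement(o),
+m = s.getElementsByTagName(o)[0];
+a.async = 1;
+a.src = g;
+m.parentNode.insertBefore(a, m)
+})(window, document, 'script', 'https://www.google-analytics.com/analytics.js', 'ga');
+
+ga('create', 'UA-73629908-2', 'auto');
+ga('send', 'pageview');
+
+</script>
+</head>
+
+<body>
+<div class="container">
+<div class="row">
+<div class="col-xs-12">
+<h1>
+StatiCrypt
+<div class="pull-right">
+<iframe src="https://ghbtns.com/github-btn.html?user=robinmoisson&repo=staticrypt&type=star&size=large"
+frameborder="0" scrolling="0" width="80px" height="30px"></iframe>
+<iframe src="https://ghbtns.com/github-btn.html?user=robinmoisson&repo=staticrypt&type=fork&size=large"
+frameborder="0" scrolling="0" width="80px" height="30px"></iframe>
+</div>
+<br>
+<small>Password protect a static HTML page</small>
+</h1>
+<p>
+Based on the <a href="https://github.com/brix/crypto-js">crypto-js library</a>, StatiCrypt uses AES-256
+to encrypt your string with your passphrase in your browser (client side).
+</p>
+<p>
+Download your encrypted string in a HTML page with a password prompt you can upload anywhere (see <a
+target="_blank" href="../example/example_encrypted.html">example</a>).
+</p>
+<p>
+The tool is also available as <a href="https://npmjs.com/package/staticrypt">a CLI on NPM</a> and is <a
+href="https://github.com/robinmoisson/staticrypt">open source on GitHub</a>.
+</p>
+<br>
+
+<h4>
+<a class="no-style" id="toggle-concept" href="#">
+<span id="toggle-concept-sign">►</span> HOW IT WORKS
+</a>
+</h4>
+<div id="concept" class="hidden">
+<p>
+<b class="text-danger">Disclaimer</b> if you have extra sensitive banking data, you should probably
+use something else!
+</p>
+<p>
+StatiCrypt generates a static, password protected page that can be decrypted in-browser:
+just send or upload the generated page to a place serving static content (github pages, for example)
+and you're done: the javascript will prompt users for password, decrypt the page and load your HTML.
+</p>
+<p>
+It basically encrypts your page and puts everything with a user-friendly way to use a password
+in the new file.
+<br>AES-256 is state of the art but <b>brute-force/dictionary attacks would be trivial to
+do at a really fast pace: use a long, unusual passphrase!</b>
+</p>
+<p>
+Feel free to contribute or report any thought to the
+<a href="https://github.com/robinmoisson/staticrypt">GitHub project</a>!
+</p>
+</div>
+<br>
+</div>
+</div>
+<div class="row">
+<div class="col-xs-12">
+<form id="encrypt_form">
+<div class="form-group">
+<label for="passphrase">Passphrase</label>
+<input type="password" class="form-control" id="passphrase"
+placeholder="Passphrase (choose a long one!)">
+</div>
+
+<div class="form-group">
+<label for="unencrypted_html">HTML/string to encrypt</label>
+<textarea class="form-control"
+id="unencrypted_html"
+placeholder="<html><head>..."
+rows="5"></textarea>
+</div>
+
+<div class="form-group">
+<label class="no-style">
+<input type="checkbox" id="remember" checked>
+Add "Remember me" checkbox (append <code>?staticrypt_logout</code> to your URL to logout)
+<small>
+<abbr class="text-muted"
+title="The password will be stored in clear text in the browser's localStorage upon entry by the user. See "More options" to set the expiration (default: none)">
+(?)
+</abbr>
+</small>
+</label>
+</div>
+
+<p>
+<a href="#" id="toggle-extra-option">+ More options</a>
+</p>
+<div id="extra-options" class="hidden">
+<div class="form-group">
+<label for="title">Page title</label>
+<input type="text" class="form-control" id="title" placeholder="Default: 'Protected Page'">
+</div>
+
+<div class="form-group">
+<label for="instructions">Instructions to display the user</label>
+<textarea class="form-control" id="instructions" placeholder="Default: nothing."></textarea>
+</div>
+
+<div class="form-group">
+<label for="title">Passphrase input placeholder</label>
+<input type="text" class="form-control" id="passphrase_placeholder"
+placeholder="Default: 'Passphrase'">
+</div>
+
+<div class="form-group">
+<label for="title">"Remember me" checkbox label</label>
+<input type="text" class="form-control" id="remember_me" placeholder="Default: 'Remember me'">
+</div>
+
+<div class="form-group">
+<label for="title">"Remember me" expiration in days</label>
+<input type="number"
+class="form-control"
+id="remember_in_days"
+step="any"
+placeholder="Default: 0 (no expiration)">
+<small class="form-text text-muted">
+After this many days, the user will have to enter the passphrase again. Leave empty or set
+to 0 for no expiration.
+</small>
+</div>
+
+<div class="form-group">
+<label for="title">Decrypt button label</label>
+<input type="text" class="form-control" id="decrypt_button" placeholder="Default: 'DECRYPT'">
+</div>
+
+<div class="form-group">
+<label class="no-style">
+<input type="checkbox" id="embed-crypto" checked>
+Embed crypto-js into your file
+<small>
+<abbr class="text-muted"
+title="Leave checked to include crypto-js into your file so you can decrypt it offline. Uncheck to load crypto-js from a CDN (some adblockers might think it's a crypto miner).">
+(?)
+</abbr>
+</small>
+</label>
+</div>
+</div>
+
+<button class="btn btn-primary pull-right" type="submit">Generate passphrase protected HTML</button>
+</form>
+</div>
+</div>
+
+<div class="row mb-5">
+<div class="col-xs-12">
+<h2>Encrypted HTML</h2>
+<p><a class="btn btn-success download"
+download="encrypted.html"
+id="download-link"
+disabled="disabled">Download html file with password prompt</a></p>
+<pre id="encrypted_html_display">
+Your encrypted string</pre>
+</div>
+</div>
+</div>
+
+<!--
+Filename changed to circumvent adblockers that mistake it for a crypto miner (see https://github.com/robinmoisson/staticrypt/issues/107)
+-->
+<script src="../lib/kryptojs-3.1.9-1.min.js"></script>
+
+<script src="https://cdn.ckeditor.com/4.7.0/standard/ckeditor.js"></script>
+
+<script id="cryptoEngine">
+window.cryptoEngine = {js_crypto_engine}
+</script>
+
+<script id="codec">
+window.codec = {js_codec}
+</script>
+
+<script id="formater">
+window.formater = {js_formater}
+</script>
+
+<script>
+var encode = codec.init(cryptoEngine).encode;
+
+// enable CKEDIRTOR
+CKEDITOR.replace('instructions');
+
+var htmlToDownload;
+
+/**
+* Extract js code from <script> tag and return it as a string
+*
+* @param {string} id
+* @returns {string}
+*/
+var getScriptAsString = function (id) {
+return document.getElementById(id)
+.innerText.replace(/window\.\w+ = /, '');
+}
+
+/**
+* Fill the password prompt template with data provided.
+* @param data
+*/
+var setFileToDownload = function (data) {
+var request = new XMLHttpRequest();
+request.open('GET', 'lib/password_template.html', true);
+request.onload = function () {
+var renderedTmpl = formater.renderTemplate(request.responseText, data);
+
+var downloadLink = document.querySelector('a.download');
+downloadLink.href = 'data:text/html,' + encodeURIComponent(renderedTmpl);
+downloadLink.removeAttribute('disabled');
+
+htmlToDownload = renderedTmpl;
+};
+request.send();
+};
+
+/**
+* Download crypto-js lib to embed it in the generated file, update the file when done.
+* @param data
+*/
+var setFileToDownloadWithEmbeddedCrypto = function (data) {
+var request = new XMLHttpRequest();
+request.open('GET', 'lib/kryptojs-3.1.9-1.min.js', true);
+request.onload = function () {
+data['crypto_tag'] = '<script>' + request.responseText + '</scr' + 'ipt>';
+setFileToDownload(data);
+};
+request.send();
+};
+
+/**
+* Handle form submission.
+*/
+document.getElementById('encrypt_form').addEventListener('submit', function (e) {
+e.preventDefault();
+
+// update instruction textarea value with CKEDITOR content
+// (see https://stackoverflow.com/questions/3147670/ckeditor-update-textarea)
+CKEDITOR.instances['instructions'].updateElement();
+
+var unencrypted = document.getElementById('unencrypted_html').value,
+passphrase = document.getElementById('passphrase').value;
+
+var salt = cryptoEngine.generateRandomSalt();
+var encryptedMsg = encode(unencrypted, passphrase, salt);
+
+var decryptButton = document.getElementById('decrypt_button').value,
+instructions = document.getElementById('instructions').value,
+isRememberEnabled = document.getElementById('remember').checked,
+pageTitle = document.getElementById('title').value.trim(),
+passphrasePlaceholder = document.getElementById('passphrase_placeholder').value.trim(),
+rememberDurationInDays = document.getElementById('remember_in_days').value || 0,
+rememberMe = document.getElementById('remember_me').value;
+
+var data = {
+crypto_tag: '<script src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.9-1/crypto-js.min.js" integrity="sha384-lp4k1VRKPU9eBnPePjnJ9M2RF3i7PC30gXs70+elCVfgwLwx1tv5+ctxdtwxqZa7" crossorigin="anonymous"></scr' + 'ipt>',
+decrypt_button: decryptButton ? decryptButton : 'DECRYPT',
+encrypted: encryptedMsg,
+instructions: instructions ? instructions : '',
+is_remember_enabled: isRememberEnabled ? 'true' : 'false',
+js_codec: getScriptAsString('codec'),
+js_crypto_engine: getScriptAsString('cryptoEngine'),
+passphrase_placeholder: passphrasePlaceholder ? passphrasePlaceholder : 'Passphrase',
+remember_duration_in_days: rememberDurationInDays.toString(),
+remember_me: rememberMe ? rememberMe : 'Remember me',
+salt: salt,
+title: pageTitle ? pageTitle : 'Protected Page',
+};
+
+document.getElementById('encrypted_html_display').textContent = encryptedMsg;
+
+if (document.getElementById("embed-crypto").checked) {
+setFileToDownloadWithEmbeddedCrypto(data);
+} else {
+setFileToDownload(data);
+}
+
+});
+
+document.getElementById('toggle-extra-option')
+.addEventListener('click', function (e) {
+e.preventDefault();
+document.getElementById('extra-options').classList.toggle('hidden');
+});
+
+var isConceptShown = false;
+document.getElementById('toggle-concept')
+.addEventListener('click', function (e) {
+e.preventDefault();
+
+isConceptShown = !isConceptShown;
+
+document.getElementById('toggle-concept-sign').innerText = isConceptShown ? '▼' : '►';
+
+document.getElementById('concept').classList.toggle('hidden');
+});
+
+
+/**
+* Browser specific download code.
+*/
+document.getElementById('download-link')
+.addEventListener('click', function (e) {
+
+var isIE = (navigator.userAgent.indexOf("MSIE") !== -1) || (!!document.documentMode === true); // >= 10
+var isEdge = navigator.userAgent.indexOf("Edge") !== -1;
+
+// download with MS specific feature
+if (htmlToDownload && (isIE || isEdge)) {
+e.preventDefault();
+var blobObject = new Blob([htmlToDownload]);
+window.navigator.msSaveOrOpenBlob(blobObject, 'encrypted.html');
+}
+
+return true;
+})
+</script>
+
+</body>
+</html>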
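Review bot: Both XMLHttpRequest helpers, `setFileToDownload` and `setFileToDownloadWithEmbeddedCrypto`, register only `onload`, so when `lib/password_template.html` or `lib/kryptojs-3.1.9-1.min.js` fails to load (the page itself notes adblockers blocking the crypto-js file) the download link simply stays disabled with no message, and a non-200 response body would be inlined as the template or as the embedded script; each needs a `request.onerror` that reports the failure next to `encrypted_html_display` and an `if (request.status !== 200) return;` guard at the top of `onload`. `getScriptAsString` is coupled to the exact `window.<name> = ` prefix written in the `<script id="cryptoEngine">`, `codec` and `formater` tags; a comment at both sites, `// keep in sync with getScriptAsString(), which strips this prefix`, protects the pairing. The salt and IV in the generated page come from `CryptoJS.lib.WordArray.random` in the pinned 3.1.9-1 build loaded by the `<script src="../lib/kryptojs-3.1.9-1.min.js">` line; as far as I recall that release seeds from `Math.random` rather than a CSPRNG, which is worth a note next to the pin so it is revisited rather than copied forward.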