kopia lustrzana https://github.com/robinmoisson/staticrypt
402 wiersze
16 KiB
HTML
402 wiersze
16 KiB
HTML
<!doctype html>
|
|
<html>
|
|
<head>
|
|
<meta charset="utf-8">
|
|
<title>StatiCrypt: Password protect static HTML</title>
|
|
<meta name="description" content="">
|
|
<meta name="viewport" content="width=device-width, initial-scale=1">
|
|
<link rel="stylesheet"
|
|
type="text/css"
|
|
href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css"
|
|
integrity="sha384-BVYiiSIFeK1dGmJRAkycuHAHRg32OmUcww7on3RYdg4Va+PmSTsz/K68vbdEjh4u"
|
|
crossorigin="anonymous">
|
|
<style>
|
|
a.no-style {
|
|
color: inherit;
|
|
text-decoration: inherit;
|
|
}
|
|
|
|
body {
|
|
font-size: 16px;
|
|
}
|
|
|
|
label.no-style {
|
|
font-weight: normal;
|
|
}
|
|
</style>
|
|
|
|
<script>
|
|
(function (i, s, o, g, r, a, m) {
|
|
i['GoogleAnalyticsObject'] = r;
|
|
i[r] = i[r] || function () {
|
|
(i[r].q = i[r].q || []).push(arguments)
|
|
}, i[r].l = 1 * new Date();
|
|
a = s.createElement(o),
|
|
m = s.getElementsByTagName(o)[0];
|
|
a.async = 1;
|
|
a.src = g;
|
|
m.parentNode.insertBefore(a, m)
|
|
})(window, document, 'script', 'https://www.google-analytics.com/analytics.js', 'ga');
|
|
|
|
ga('create', 'UA-73629908-2', 'auto');
|
|
ga('send', 'pageview');
|
|
|
|
</script>
|
|
</head>
|
|
|
|
<body>
|
|
<div class="container">
|
|
<div class="row">
|
|
<div class="col-xs-12">
|
|
<h1>
|
|
StatiCrypt
|
|
<div class="pull-right">
|
|
<iframe src="https://ghbtns.com/github-btn.html?user=robinmoisson&repo=staticrypt&type=star&size=large"
|
|
frameborder="0" scrolling="0" width="80px" height="30px"></iframe>
|
|
<iframe src="https://ghbtns.com/github-btn.html?user=robinmoisson&repo=staticrypt&type=fork&size=large"
|
|
frameborder="0" scrolling="0" width="80px" height="30px"></iframe>
|
|
</div>
|
|
<br>
|
|
<small>Password protect a static HTML page</small>
|
|
</h1>
|
|
<p>
|
|
Based on the <a href="https://github.com/brix/crypto-js">crypto-js library</a>, StatiCrypt uses AES-256
|
|
to encrypt your string with your passphrase in your browser (client side).
|
|
</p>
|
|
<p>
|
|
Download your encrypted string in a HTML page with a password prompt you can upload anywhere (see <a
|
|
target="_blank" href="example_encrypted.html">example</a>).
|
|
</p>
|
|
<p>
|
|
The tool is also available as <a href="https://npmjs.com/package/staticrypt">a CLI on NPM</a> and is <a
|
|
href="https://github.com/robinmoisson/staticrypt">open source on GitHub</a>.
|
|
</p>
|
|
<br>
|
|
|
|
<h4>
|
|
<a class="no-style" id="toggle-concept" href="#">
|
|
<span id="toggle-concept-sign">►</span> HOW IT WORKS
|
|
</a>
|
|
</h4>
|
|
<div id="concept" class="hidden">
|
|
<p>
|
|
<b class="text-danger">Disclaimer</b> if you have extra sensitive banking data, you should probably
|
|
use something else!
|
|
</p>
|
|
<p>
|
|
StatiCrypt generates a static, password protected page that can be decrypted in-browser:
|
|
just send or upload the generated page to a place serving static content (github pages, for example)
|
|
and you're done: the javascript will prompt users for password, decrypt the page and load your HTML.
|
|
</p>
|
|
<p>
|
|
It basically encrypts your page and puts everything with a user-friendly way to use a password
|
|
in the new file.
|
|
<br>AES-256 is state of the art but <b>brute-force/dictionary attacks would be trivial to
|
|
do at a really fast pace: use a long, unusual passphrase!</b>
|
|
</p>
|
|
<p>
|
|
Feel free to contribute or report any thought to the
|
|
<a href="https://github.com/robinmoisson/staticrypt">GitHub project</a>!
|
|
</p>
|
|
</div>
|
|
<br>
|
|
</div>
|
|
</div>
|
|
<div class="row">
|
|
<div class="col-xs-12">
|
|
<form id="encrypt_form">
|
|
<div class="form-group">
|
|
<label for="passphrase">Passphrase</label>
|
|
<input type="password" class="form-control" id="passphrase"
|
|
placeholder="Passphrase (choose a long one!)">
|
|
</div>
|
|
|
|
<div class="form-group">
|
|
<label for="unencrypted_html">HTML/string to encrypt</label>
|
|
<textarea class="form-control"
|
|
id="unencrypted_html"
|
|
placeholder="<html><head>..."
|
|
rows="5"></textarea>
|
|
</div>
|
|
|
|
<div class="form-group">
|
|
<label class="no-style">
|
|
<input type="checkbox" id="remember" checked>
|
|
Add "Remember me" checkbox (append <code>?staticrypt_logout</code> to your URL to logout)
|
|
<small>
|
|
<abbr class="text-muted"
|
|
title="The password will be stored in clear text in the browser's localStorage upon entry by the user. See "More options" to set the expiration (default: none)">
|
|
(?)
|
|
</abbr>
|
|
</small>
|
|
</label>
|
|
</div>
|
|
|
|
<p>
|
|
<a href="#" id="toggle-extra-option">+ More options</a>
|
|
</p>
|
|
<div id="extra-options" class="hidden">
|
|
<div class="form-group">
|
|
<label for="title">Page title</label>
|
|
<input type="text" class="form-control" id="title" placeholder="Default: 'Protected Page'">
|
|
</div>
|
|
|
|
<div class="form-group">
|
|
<label for="instructions">Instructions to display the user</label>
|
|
<textarea class="form-control" id="instructions" placeholder="Default: nothing."></textarea>
|
|
</div>
|
|
|
|
<div class="form-group">
|
|
<label for="title">Passphrase input placeholder</label>
|
|
<input type="text" class="form-control" id="passphrase_placeholder"
|
|
placeholder="Default: 'Passphrase'">
|
|
</div>
|
|
|
|
<div class="form-group">
|
|
<label for="title">"Remember me" checkbox label</label>
|
|
<input type="text" class="form-control" id="remember_me" placeholder="Default: 'Remember me'">
|
|
</div>
|
|
|
|
<div class="form-group">
|
|
<label for="title">"Remember me" expiration in days</label>
|
|
<input type="number"
|
|
class="form-control"
|
|
id="remember_in_days"
|
|
step="any"
|
|
placeholder="Default: 0 (no expiration)">
|
|
<small class="form-text text-muted">
|
|
After this many days, the user will have to enter the passphrase again. Leave empty or set
|
|
to 0 for no expiration.
|
|
</small>
|
|
</div>
|
|
|
|
<div class="form-group">
|
|
<label for="title">Decrypt button label</label>
|
|
<input type="text" class="form-control" id="decrypt_button" placeholder="Default: 'DECRYPT'">
|
|
</div>
|
|
|
|
<div class="form-group">
|
|
<label class="no-style">
|
|
<input type="checkbox" id="embed-crypto" checked>
|
|
Embed crypto-js into your file
|
|
<small>
|
|
<abbr class="text-muted"
|
|
title="Leave checked to include crypto-js into your file so you can decrypt it offline. Uncheck to load crypto-js from a CDN (some adblockers might think it's a crypto miner).">
|
|
(?)
|
|
</abbr>
|
|
</small>
|
|
</label>
|
|
</div>
|
|
</div>
|
|
|
|
<button class="btn btn-primary pull-right" type="submit">Generate passphrase protected HTML</button>
|
|
</form>
|
|
</div>
|
|
</div>
|
|
|
|
<div class="row mb-5">
|
|
<div class="col-xs-12">
|
|
<h2>Encrypted HTML</h2>
|
|
<p><a class="btn btn-success download"
|
|
download="encrypted.html"
|
|
id="download-link"
|
|
disabled="disabled">Download html file with password prompt</a></p>
|
|
<pre id="encrypted_html_display">
|
|
Your encrypted string</pre>
|
|
</div>
|
|
</div>
|
|
</div>
|
|
|
|
<!--
|
|
Crypto JS 3.1.9-1
|
|
Copied as is from https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.9-1/crypto-js.js
|
|
Filename changed to circumvent adblockers that mistake it for a crypto miner (see https://github.com/robinmoisson/staticrypt/issues/107)
|
|
-->
|
|
<script src="kryptojs-3.1.9-1-lib.js"></script>
|
|
|
|
<script src="https://cdn.ckeditor.com/4.7.0/standard/ckeditor.js"></script>
|
|
|
|
<script>
|
|
// enable CKEDIRTOR
|
|
CKEDITOR.replace('instructions');
|
|
|
|
var htmlToDownload;
|
|
|
|
var renderTemplate = function (tpl, data) {
|
|
return tpl.replace(/{(.*?)}/g, function (_, key) {
|
|
if (data && data[key] !== undefined) {
|
|
return data[key];
|
|
}
|
|
|
|
return '';
|
|
});
|
|
};
|
|
|
|
/**
|
|
* Fill the password prompt template with data provided.
|
|
* @param data
|
|
*/
|
|
var setFileToDownload = function (data) {
|
|
var request = new XMLHttpRequest();
|
|
request.open('GET', 'password_template.html', true);
|
|
request.onload = function () {
|
|
var renderedTmpl = renderTemplate(request.responseText, data);
|
|
|
|
var downloadLink = document.querySelector('a.download');
|
|
downloadLink.href = 'data:text/html,' + encodeURIComponent(renderedTmpl);
|
|
downloadLink.removeAttribute('disabled');
|
|
|
|
htmlToDownload = renderedTmpl;
|
|
};
|
|
request.send();
|
|
};
|
|
|
|
/**
|
|
* Download crypto-js lib to embed it in the generated file, update the file when done.
|
|
* @param data
|
|
*/
|
|
var setFileToDownloadWithEmbeddedCrypto = function (data) {
|
|
var request = new XMLHttpRequest();
|
|
request.open('GET', 'kryptojs-3.1.9-1-lib.js', true);
|
|
request.onload = function () {
|
|
data['crypto_tag'] = '<script>' + request.responseText + '</scr' + 'ipt>';
|
|
setFileToDownload(data);
|
|
};
|
|
request.send();
|
|
};
|
|
|
|
/**
|
|
* Salt and encrypt a msg with a password.
|
|
* Inspired by https://github.com/adonespitogo
|
|
*/
|
|
function encrypt(msg, hashedPassphrase) {
|
|
var iv = CryptoJS.lib.WordArray.random(128 / 8);
|
|
|
|
var encrypted = CryptoJS.AES.encrypt(msg, hashedPassphrase, {
|
|
iv: iv,
|
|
padding: CryptoJS.pad.Pkcs7,
|
|
mode: CryptoJS.mode.CBC
|
|
});
|
|
|
|
// iv will be hex 16 in length (32 characters)
|
|
// we prepend it to the ciphertext for use in decryption
|
|
return iv.toString() + encrypted.toString();
|
|
}
|
|
|
|
/**
|
|
* Salt and hash the passphrase so it can be stored in localStorage without opening a password reuse vulnerability.
|
|
*
|
|
* @param {string} passphrase
|
|
* @returns {{salt: string, hashedPassphrase: string}}
|
|
*/
|
|
function hashPassphrase(passphrase) {
|
|
var salt = CryptoJS.lib.WordArray.random(128 / 8).toString();
|
|
|
|
var hashedPassphrase = CryptoJS.PBKDF2(passphrase, salt, {
|
|
keySize: 256 / 32,
|
|
iterations: 1000
|
|
});
|
|
|
|
return {
|
|
salt: salt,
|
|
hashedPassphrase: hashedPassphrase.toString(),
|
|
};
|
|
}
|
|
|
|
/**
|
|
* Handle form submission.
|
|
*/
|
|
document.getElementById('encrypt_form').addEventListener('submit', function (e) {
|
|
e.preventDefault();
|
|
|
|
// update instruction textarea value with CKEDITOR content
|
|
// (see https://stackoverflow.com/questions/3147670/ckeditor-update-textarea)
|
|
CKEDITOR.instances['instructions'].updateElement();
|
|
|
|
var unencrypted = document.getElementById('unencrypted_html').value,
|
|
passphrase = document.getElementById('passphrase').value;
|
|
|
|
var hashed = hashPassphrase(passphrase);
|
|
var hashedPassphrase = hashed.hashedPassphrase,
|
|
salt = hashed.salt;
|
|
|
|
var encrypted = encrypt(unencrypted, hashedPassphrase),
|
|
// we use the hashed passphrase in the HMAC because this is effectively what will be used a passphrase (so
|
|
// we can store it localStorage safely, we don't use the clear text passphrase)
|
|
hmac = CryptoJS.HmacSHA256(encrypted, CryptoJS.SHA256(hashedPassphrase).toString()).toString(),
|
|
encryptedMsg = hmac + encrypted;
|
|
|
|
var decryptButton = document.getElementById('decrypt_button').value,
|
|
instructions = document.getElementById('instructions').value,
|
|
isRememberEnabled = document.getElementById('remember').checked,
|
|
pageTitle = document.getElementById('title').value.trim(),
|
|
passphrasePlaceholder = document.getElementById('passphrase_placeholder').value.trim(),
|
|
rememberDurationInDays = document.getElementById('remember_in_days').value || 0,
|
|
rememberMe = document.getElementById('remember_me').value;
|
|
|
|
var data = {
|
|
crypto_tag: '<script src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.9-1/crypto-js.min.js" integrity="sha384-lp4k1VRKPU9eBnPePjnJ9M2RF3i7PC30gXs70+elCVfgwLwx1tv5+ctxdtwxqZa7" crossorigin="anonymous"></scr' + 'ipt>',
|
|
decrypt_button: decryptButton ? decryptButton : 'DECRYPT',
|
|
encrypted: encryptedMsg,
|
|
salt: salt,
|
|
instructions: instructions ? instructions : '',
|
|
is_remember_enabled: isRememberEnabled ? 'true' : 'false',
|
|
passphrase_placeholder: passphrasePlaceholder ? passphrasePlaceholder : 'Passphrase',
|
|
remember_duration_in_days: rememberDurationInDays.toString(),
|
|
remember_me: rememberMe ? rememberMe : 'Remember me',
|
|
title: pageTitle ? pageTitle : 'Protected Page',
|
|
};
|
|
|
|
document.getElementById('encrypted_html_display').textContent = encrypted;
|
|
|
|
if (document.getElementById("embed-crypto").checked) {
|
|
setFileToDownloadWithEmbeddedCrypto(data);
|
|
} else {
|
|
setFileToDownload(data);
|
|
}
|
|
|
|
});
|
|
|
|
document.getElementById('toggle-extra-option')
|
|
.addEventListener('click', function (e) {
|
|
e.preventDefault();
|
|
document.getElementById('extra-options').classList.toggle('hidden');
|
|
});
|
|
|
|
var isConceptShown = false;
|
|
document.getElementById('toggle-concept')
|
|
.addEventListener('click', function (e) {
|
|
e.preventDefault();
|
|
|
|
isConceptShown = !isConceptShown;
|
|
|
|
document.getElementById('toggle-concept-sign').innerText = isConceptShown ? '▼' : '►';
|
|
|
|
document.getElementById('concept').classList.toggle('hidden');
|
|
});
|
|
|
|
|
|
/**
|
|
* Browser specific download code.
|
|
*/
|
|
document.getElementById('download-link')
|
|
.addEventListener('click', function (e) {
|
|
|
|
var isIE = (navigator.userAgent.indexOf("MSIE") !== -1) || (!!document.documentMode === true); // >= 10
|
|
var isEdge = navigator.userAgent.indexOf("Edge") !== -1;
|
|
|
|
// download with MS specific feature
|
|
if (htmlToDownload && (isIE || isEdge)) {
|
|
e.preventDefault();
|
|
var blobObject = new Blob([htmlToDownload]);
|
|
window.navigator.msSaveOrOpenBlob(blobObject, 'encrypted.html');
|
|
}
|
|
|
|
return true;
|
|
})
|
|
</script>
|
|
|
|
|
|
</body>
|
|
</html>
|