-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathcrypto.ts
66 lines (59 loc) · 1.74 KB
/
crypto.ts
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
import { encodeBase64 } from "@sigma/rust-base64";
import { decodeBase64 } from "@std/encoding/base64";
import { z } from "zod";
const key = await crypto.subtle.importKey(
"jwk",
JSON.parse(Deno.readTextFileSync("./secret/key.json")),
{ name: "AES-GCM", length: 256 },
true,
["encrypt", "decrypt"],
);
const prefix = "THINGS-AES-GCM-1984";
if (prefix.includes(":")) {
console.error("Prefix shouldn't contain the separating character (:)");
Deno.exit(1);
}
export async function thingsEncryptText(text: string): Promise<string> {
if (text.startsWith(`${prefix}:`)) {
// already encrypted
return text;
}
const iv = crypto.getRandomValues(new Uint8Array(12)); // 12-byte IV for AES-GCM
const encryptedData = await crypto.subtle.encrypt(
{
name: "AES-GCM",
iv: iv, // Initialization vector must be unique for each encryption
},
key,
new TextEncoder().encode(text),
);
return `${prefix}:${encodeBase64(iv)}:${encodeBase64(
new Uint8Array(encryptedData),
)}`;
}
export async function thingsDecryptText(text: string): Promise<string> {
if (!text.startsWith(`${prefix}:`)) {
// nothing to decrypt
return text;
}
// perf: we could remove the Zod check
const [textPrefix, ivString, dataEncryptedBase64] = z
.array(z.string())
.min(3)
.max(3)
.parse(text.split(":"));
if (prefix !== textPrefix) {
// perf: we could remove this check
throw new Error(`Invalid prefix found: ${textPrefix}`);
}
const decryptedData = await crypto.subtle.decrypt(
{
name: "AES-GCM",
// Must be the same IV as the one used for encryption
iv: decodeBase64(ivString),
},
key, // The same key used for encryption
decodeBase64(dataEncryptedBase64), // The encrypted data to decrypt
);
return new TextDecoder().decode(decryptedData);
}