;(function(){ /* Security, Encryption, and Authorization: SEA.js */ // NECESSARY PRE-REQUISITE: http://gun.js.org/explainers/data/security.html /* THIS IS AN EARLY ALPHA!!! */ var nodeCrypto = require('crypto'); var ecCrypto = require('eccrypto'); var Gun = (typeof window !== 'undefined' ? window : global).Gun || require('./gun'); // Following enable Web Cryptography API use in NodeJS var crypto = (typeof window !== 'undefined' && window.crypto) || { subtle: require('subtle') }; var TextEncoder = (typeof window !== 'undefined' && window.TextEncoder) || require('text-encoding').TextEncoder; var TextDecoder = (typeof window !== 'undefined' && window.TextDecoder) || require('text-encoding').TextDecoder; if(typeof Buffer === 'undefined'){ var Buffer = require('buffer').Buffer; } var pbkdf2 = { hash: 'SHA-256', // Was 'SHA-1' iter: 50000, ks: 64 }; var ecdh = { enc: (typeof window !== 'undefined' && 'secp256r1') || 'prime256v1' }; var aes = { enc: 'aes-256-cbc' }; // let's extend the gun chain with a `user` function. // only one user can be logged in at a time, per gun instance. Gun.chain.user = function(){ var root = this.back(-1); // always reference the root gun instance. var user = root._.user || (root._.user = root.chain()); // create a user context. user.create = User.create; // attach a factory method to it. user.auth = User.auth; // and a login method. user.remember = User.remember; // and a credentials persisting method. return user; // return the user! } // EXAMPLE! Use it this way: ;(function(){return; localStorage.clear(); var gun = Gun(); var user = gun.user(); Gun.on('auth', function(at){ // do something once logged in. }); Gun.on('secure', function(at){ // enforce some rules about shared app level data var no; if(no){ return } this.to.next(at); }); user.create("test", "password"); // create a user from a username alias and a password phrase. user.auth("test", "password"); // authenticate and log in the user! }()); // How does it work? function User(){}; // Well first we have to actually create a user. That is what this function does. User.create = function(alias, pass, cb){ var root = this.back(-1); var doCreate = function(resolve, reject){ // Because more than 1 user might have the same username, we treat the alias as a list of those users. root.get('alias/'+alias).get(function(at, ev){ ev.off(); if(at.put){ // If we can enforce that a user name is already taken, it might be nice to try, but this is not guaranteed. var err = 'User already created!'; Gun.log(err); return reject({err: err}); } var user = {alias: alias, salt: Gun.text.random(64)}; // pseudo-randomly create a salt, then use CryptoJS's PBKDF2 function to extend the password with it. SEA.proof(pass, user.salt).then(function(proof){ // this will take some short amount of time to produce a proof, which slows brute force attacks. SEA.pair().then(function(pair){ // now we have generated a brand new ECDSA key pair for the user account. user.pub = pair.pub; // the user's public key doesn't need to be signed. But everything else needs to be signed with it! SEA.write(alias, pair.priv).then(function(sAlias){ user.alias = sAlias; return SEA.write(user.salt, pair.priv); }).then(function(sSalt){ user.salt = sSalt; // to keep the private key safe, we AES encrypt it with the proof of work! return SEA.en(pair.priv, proof); }).then(function(encVal){ return SEA.write(encVal, pair.priv); }).then(function(sAuth){ user.auth = sAuth; var tmp = 'pub/'+pair.pub; //console.log("create", user, pair.pub); // awesome, now we can actually save the user with their public key as their ID. root.get(tmp).put(user); // next up, we want to associate the alias with the public key. So we add it to the alias list. var ref = root.get('alias/'+alias).put(Gun.obj.put({}, tmp, Gun.val.rel.ify(tmp))); // callback that the user has been created. (Note: ok = 0 because we didn't wait for disk to ack) resolve({ok: 0, pub: pair.pub}); }); }); }); }); }; if (cb){doCreate(cb, cb)} else {return new Promise(doCreate)} }; // now that we have created a user, we want to authenticate them! User.auth = function(props, cb){ var alias = props.alias, pass = props.pass, newpass = props.newpass; var root = this.back(-1); var doAuth = function(resolve, reject){ // load all public keys associated with the username alias we want to log in with. root.get('alias/'+alias).get(function(at, ev){ ev.off(); if(!at.put){ // if no user, don't do anything. var err = 'No user!'; Gun.log(err); return reject({err: err}); } // then attempt to log into each one until we find ours! // (if two users have the same username AND the same password... that would be bad) Gun.obj.map(at.put, function(val, key){ // grab the account associated with this public key. root.get(key).get(function(at, ev){ key = key.slice(4); ev.off(); if(!at.put){return} // attempt to PBKDF2 extend the password with the salt. (Verifying the signature gives us the plain text salt.) SEA.read(at.put.salt, key).then(function(salt){ return SEA.proof(pass, salt); }).then(function(proof){ // the proof of work is evidence that we've spent some time/effort trying to log in, this slows brute force. return SEA.read(at.put.auth, key).then(function(auth){ return SEA.de(auth, proof); }); }).then(function(priv){ // now we have AES decrypted the private key, from when we encrypted it with the proof at registration. if(priv){ // if we were successful, then that means... // we're logged in! function doLogin(){ var user = root._.user; // add our credentials in-memory only to our root gun instance user._ = at.gun._; // so that way we can use the credentials to encrypt/decrypt data user._.is = user.is = {}; // that is input/output through gun (see below) user._.sea = priv; user._.pub = key; //console.log("authorized", user._); // callbacks success with the user data credentials. resolve(user._); // emit an auth event, useful for page redirects and stuff. Gun.on('auth', user._); } if(newpass) { // password update so encrypt private key using new pwd + salt var newsalt = Gun.text.random(64); SEA.proof(newpass, newsalt).then(function(proof){ SEA.en(priv, proof).then(function(encVal){ return SEA.write(encVal, priv).then(function(sAuth){ return { pub: key, auth: sAuth }; }); }).then(function(user){ return SEA.write(alias, priv).then(function(sAlias){ user.alias = sAlias; return user; }); }).then(function(user){ return SEA.write(newsalt, priv).then(function(sSalt){ user.salt = sSalt; return user; }); }).then(function(user){ var tmp = 'pub/'+key; // awesome, now we can update the user using public key ID. root.get(tmp).put(user); // then we're done doLogin(); }); }); } else { doLogin(); } return; } // Or else we failed to log in... }).catch(function(e){ Gun.log('Failed to sign in!'); reject({err: 'Attempt failed'}); }); }); // if (!found) { // reject({err: 'Public key does not exist!'}) // } }); }); }; if (cb){doAuth(cb, cb)} else {return new Promise(doAuth)} }; // now that we have created a user, we want to authenticate them! User.remember = function(props, cb){ var doRemember = function(resolve, reject){ Gun.log('User.remember is TODO: still'); reject({ err: 'Not implemented.' }); } if (cb){doRemember(cb, cb)} else {return new Promise(doRemember)} }; // After we have a GUN extension to make user registration/login easy, we then need to handle everything else. // We do this with a GUN adapter, we first listen to when a gun instance is created (and when its options change) Gun.on('opt', function(at){ if(!at.sea){ // only add SEA once per instance, on the "at" context. at.sea = {own: {}}; at.gun.on('in', security, at); // now listen to all input data, acting as a firewall. at.gun.on('out', signature, at); // and output listeners, to encrypt outgoing data. } this.to.next(at); // make sure to call the "next" middleware adapter. }); // Alright, this next adapter gets run at the per node level in the graph database. // This will let us verify that every property on a node has a value signed by a public key we trust. // If the signature does not match, the data is just `undefined` so it doesn't get passed on. // If it does match, then we transform the in-memory "view" of the data into its plain value (without the signature). // Now NOTE! Some data is "system" data, not user data. Example: List of public keys, aliases, etc. // This data is self-enforced (the value can only match its ID), but that is handled in the `security` function. // From the self-enforced data, we can see all the edges in the graph that belong to a public key. // Example: pub/ASDF is the ID of a node with ASDF as its public key, signed alias and salt, and // its encrypted private key, but it might also have other signed values on it like `profile = ` edge. // Using that directed edge's ID, we can then track (in memory) which IDs belong to which keys. // Here is a problem: Multiple public keys can "claim" any node's ID, so this is dangerous! // This means we should ONLY trust our "friends" (our key ring) public keys, not any ones. // I have not yet added that to SEA yet in this alpha release. That is coming soon, but beware in the meanwhile! Gun.on('node', function(at){ // TODO: Warning: Need to switch to `gun.on('node')`! Do not use `Gun.on('node'` in your apps! var own = (at.gun.back(-1)._).sea.own, soul = at.get, pub = own[soul] || soul.slice(4), vertex = (at.gun._).put; Gun.node.is(at.put, function(val, key, node){ // for each property on the node. SEA.read(val, pub).then(function(data){ vertex[key] = node[key] = val = data; // verify signature and get plain value. if(val && val['#'] && (key = Gun.val.rel.is(val))){ // if it is a relation / edge if('alias/' === soul.slice(0,6)){ return } // if it is itself own[key] = pub; // associate the public key with a node } }); }); }) // signature handles data output, it is a proxy to the security function. function signature(at){ at.user = at.gun.back(-1)._.user; security.call(this, at); } // okay! The security function handles all the heavy lifting. // It needs to deal read and write of input and output of system data, account/public key data, and regular data. // This is broken down into some pretty clear edge cases, let's go over them: function security(at){ var cat = this.as, sea = cat.sea, to = this.to; if(at.get){ // if there is a request to read data from us, then... var soul = at.get['#']; if(soul){ // for now, only allow direct IDs to be read. if('alias' === soul){ // Allow reading the list of usernames/aliases in the system? return to.next(at); // yes. } else if('alias/' === soul.slice(0,6)){ // Allow reading the list of public keys associated with an alias? return to.next(at); // yes. } else { // Allow reading everything? return to.next(at); // yes // TODO: No! Make this a callback/event that people can filter on. } } } if(at.put){ // if there is a request to write data to us, then... var no, tmp, u; Gun.obj.map(at.put, function(node, soul){ // for each over every node in the graph if(no){ return no = true } if(Gun.obj.empty(node, '_')){ return } // ignore empty updates, don't reject them. if('alias' === soul){ // special case for shared system data, the list of aliases. Gun.obj.map(node, function(val, key){ // for each over the node to look at each property/value. if('_' === key){ return } // ignore meta data if(!val){ return no = true } // data MUST exist if('alias/'+key !== Gun.val.rel.is(val)){ // in fact, it must be EXACTLY equal to itself return no = true; // if it isn't, reject. } }); } else if('alias/' === soul.slice(0,6)){ // special case for shared system data, the list of public keys for an alias. Gun.obj.map(node, function(val, key){ // for each over the node to look at each property/value. if('_' === key){ return } // ignore meta data if(!val){ return no = true } // data MUST exist if(key === Gun.val.rel.is(val)){ return } // and the ID must be EXACTLY equal to its property return no = true; // that way nobody can tamper with the list of public keys. }); } else if('pub/' === soul.slice(0,4)){ // special case, account data for a public key. tmp = soul.slice(4); // ignore the 'pub/' prefix on the public key. Gun.obj.map(node, function(val, key){ // for each over the account data, looking at each property/value. if('_' === key){ return } // ignore meta data. if('pub' === key){ if(val === tmp){ return } // the account MUST have a `pub` property that equals the ID of the public key. return no = true; // if not, reject the update. } if(at.user){ // if we are logged in if(tmp === at.user._.pub){ // as this user SEA.write(val, at.user._.sea).then(function(data){ val = node[key] = data; // then sign our updates as we output them. }); } // (if we are lying about our signature, other peer's will reject our update) } // TODO: this likely isn't working as expected SEA.read(val, tmp).then(function(data){ if(u === (val = data)){ // make sure the signature matches the account it claims to be on. return no = true; // reject any updates that are signed with a mismatched account. } }); }); } else if(at.user && (tmp = at.user._.sea)){ // not special case, if we are logged in, then Gun.obj.map(node, function(val, key){ // any data we output needs to if('_' === key){ return } SEA.write(val, tmp).then(function(data){ node[key] = data; // be signed by our logged in account. }); }); } else // TODO: BUG! These two if-statements are not exclusive to each other!!! if(tmp = sea.own[soul]){ // not special case, if we receive an update on an ID associated with a public key, then Gun.obj.map(node, function(val, key){ // for each over the property/values if('_' === key){ return } // TODO: this likely isn't working as expected SEA.read(val, tmp).then(function(data){ if(u === (val = data)){ // and verify they were signed by the associated public key! return no = true; // reject the update if it fails to match. } }); }); } else { // reject any/all other updates by default. return no = true; } }); if(no){ // if we got a rejection then... if(!at || !Gun.tag.secure){ return } Gun.on('secure', function(at){ // (below) emit a special event for the developer to handle security. this.off(); if(!at){ return } to.next(at); // and if they went ahead and explicitly called "next" (to us) with data, then approve. }); Gun.on('secure', at); return; // else wise, reject. } //console.log("SEA put", at.put); // if we did not get a rejection, then pass forward to the "next" adapter middleware. return to.next(at); } to.next(at); // pass forward any data we do not know how to handle or process (this allows custom security protocols). }; // Does enc/dec key like OpenSSL - works with CryptoJS encryption/decryption function makeKey(p, s) { var ps = Buffer.concat([ new Buffer(p, 'utf8'), s ]); var h128 = new Buffer(nodeCrypto.createHash('md5').update(ps).digest('hex'), 'hex'); // TODO: 'md5' is insecure, do we need OpenSSL compatibility anymore ? return Buffer.concat([ h128, new Buffer(nodeCrypto.createHash('md5').update( Buffer.concat([ h128, ps ]).toString('base64'), 'base64' ).digest('hex'), 'hex') ]); } var nHash = pbkdf2.hash.replace('-', '').toLowerCase(); // These SEA functions support both callback AND Promises var SEA = {}; // create a wrapper library around NodeJS crypto & ecCrypto and Web Crypto API. // now wrap the various AES, ECDSA, PBKDF2 functions we called above. SEA.proof = function(pass,salt,cb){ var doProof = (typeof window !== 'undefined' && function(resolve, reject){ crypto.subtle.importKey( // For browser crypto.subtle works fine 'raw', new TextEncoder().encode(pass), {name: 'PBKDF2'}, false, ['deriveBits'] ).then(function(key){ return crypto.subtle.deriveBits({ name: 'PBKDF2', iterations: pbkdf2.iter, salt: new TextEncoder().encode(salt), hash: pbkdf2.hash, }, key, pbkdf2.ks*8); }).then(function(result){ return new Buffer(result, 'binary').toString('base64'); }).then(resolve).catch(function(e){Gun.log(e); reject(e)}); }) || function(resolve, reject){ // For NodeJS crypto.pkdf2 rocks nodeCrypto.pbkdf2(pass,new Buffer(salt, 'utf8'),pbkdf2.iter,pbkdf2.ks,nHash,function(err,hash){ resolve(!err && hash && hash.toString('base64')); }); }; if(cb){doProof(cb, function(){cb()})} else {return new Promise(doProof)} }; SEA.pair = function(cb){ var doPair = function(resolve, reject){ var priv = nodeCrypto.randomBytes(32); resolve({ pub: new Buffer(ecCrypto.getPublic(priv), 'binary').toString('hex'), priv: new Buffer(priv, 'binary').toString('hex') }); }; if(cb){doPair(cb, function(){cb()})} else {return new Promise(doPair)} }; SEA.derive = function(m,p,cb){ var doDerive = function(resolve, reject){ ecCrypto.derive(new Buffer(p, 'hex'), new Buffer(m, 'hex')) .then(function(secret){ resolve(new Buffer(secret, 'binary').toString('hex')); }).catch(function(e){Gun.log(e); reject(e)}); }; if(cb){doDerive(cb, function(){cb()})} else {return new Promise(doDerive)} }; SEA.sign = function(m, p, cb){ var doSign = function(resolve, reject){ ecCrypto.sign( new Buffer(p, 'hex'), nodeCrypto.createHash(nHash).update(JSON.stringify(m), 'utf8').digest() ).then(function(sig){ resolve(new Buffer(sig, 'binary').toString('hex')); }).catch(function(e){Gun.log(e); reject(e)}); }; if(cb){doSign(cb, function(){cb()})} else {return new Promise(doSign)} }; SEA.verify = function(m, p, s, cb){ var doVerify = function(resolve, reject){ ecCrypto.verify( new Buffer(p, 'hex'), nodeCrypto.createHash(nHash).update(JSON.stringify(m), 'utf8').digest(), new Buffer(s, 'hex') ).then(function(){resolve(true)}).catch(function(e){Gun.log(e);reject(e)}) }; if(cb){doVerify(cb, function(){cb()})} else {return new Promise(doVerify)} }; SEA.en = function(m,p,cb){ var doEncrypt = function(resolve, reject){ var s = nodeCrypto.randomBytes(8); var iv = nodeCrypto.randomBytes(16); var r = {iv: iv.toString('hex'), s: s.toString('hex')}; var key = makeKey(p, s); if (typeof window !== 'undefined'){ // Browser doesn't run createCipheriv crypto.subtle.importKey('raw', key, 'AES-CBC', false, ['encrypt']) .then(function(aesKey){ crypto.subtle.encrypt({ name: 'AES-CBC', iv: iv }, aesKey, new TextEncoder().encode(JSON.stringify(m))).then(function(ct){ r.ct = new Buffer(ct, 'binary').toString('base64'); return JSON.stringify(r); }).then(resolve).catch(function(e){Gun.log(e); reject(e)}); }).catch(function(e){Gun.log(e); reject(e)}); } else { // NodeJS doesn't support crypto.subtle.importKey properly try{ var cipher = nodeCrypto.createCipheriv(aes.enc, key, iv); r.ct = cipher.update(m, 'utf8', 'base64'); r.ct += cipher.final('base64'); }catch(e){Gun.log(e); return reject(e)} resolve(JSON.stringify(r)); } }; if(cb){doEncrypt(cb, function(){cb()})} else {return new Promise(doEncrypt)} }; SEA.de = function(m,p,cb){ var doDecrypt = function(resolve, reject){ var d = JSON.parse(m); var key = makeKey(p, new Buffer(d.s, 'hex')); var iv = new Buffer(d.iv, 'hex'); if (typeof window !== 'undefined'){ // Browser doesn't run createDecipheriv crypto.subtle.importKey('raw', key, 'AES-CBC', false, ['decrypt']) .then(function(aesKey){ crypto.subtle.decrypt({ name: 'AES-CBC', iv: iv }, aesKey, new Buffer(d.ct, 'base64')).then(function(ct){ var ctUtf8 = new TextDecoder('utf8').decode(ct); var ret = JSON.parse(ctUtf8); return ret; }).then(resolve).catch(function(e){Gun.log(e); reject(e)}); }).catch(function(e){Gun.log(e); reject(e)}); } else { // NodeJS doesn't support crypto.subtle.importKey properly try{ var decipher = nodeCrypto.createDecipheriv(aes.enc, key, iv); r = decipher.update(d.ct, 'base64', 'utf8') + decipher.final('utf8'); }catch(e){Gun.log(e); return reject(e)} resolve(r); } }; if(cb){doDecrypt(cb, function(){cb()})} else {return new Promise(doDecrypt)} }; SEA.write = function(m,p,cb){ var doSign = function(resolve, reject) { SEA.sign(m, p).then(function(signature){ resolve('SEA'+JSON.stringify([m,signature])); }).catch(function(e){Gun.log(e); reject(e)}); }; if(cb){doSign(cb, function(){cb()})} else {return new Promise(doSign)} // TODO: what's this ? // return JSON.stringify([m,SEA.sign(m,p)]); }; SEA.read = function(m,p,cb){ var doRead = function(resolve, reject) { if(!m){ return resolve(); } if(!m.slice || 'SEA[' !== m.slice(0,4)){ return resolve(m); } m = m.slice(3); try{m = JSON.parse(m); }catch(e){ return reject(e); } m = m || ''; SEA.verify(m[0], p, m[1]).then(function(ok){ resolve(ok && m[0]); }); }; if(cb){doRead(cb, function(){cb()})} else {return new Promise(doRead)} }; Gun.SEA = SEA; // all done! // Obviously it is missing MANY necessary features. This is only an alpha release. // Please experiment with it, audit what I've done so far, and complain about what needs to be added. // SEA should be a full suite that is easy and seamless to use. // Again, scroll naer the top, where I provide an EXAMPLE of how to create a user and sign in. // Once logged in, the rest of the code you just read handled automatically signing/validating data. // But all other behavior needs to be equally easy, like opinionated ways of // Adding friends (trusted public keys), sending private messages, etc. // Cheers! Tell me what you think. module.exports = SEA; }());