Improved DB records encryption support.

2025-03-09 15:40:18 +00:00 · 2019-10-03 13:32:54 -07:00 · 2019-10-03 13:32:54 -07:00 · 5af831a0aa
commit 5af831a0aa
parent a34d4385a3
5 changed files with 33 additions and 11 deletions
--- a/db.js
+++ b/db.js
@ -195,6 +195,18 @@ module.exports.CreateDB = function (parent, func) {
    obj.getValueOfTheDay = function (id, startValue, func) { obj.Get(id, function (err, docs) { var date = new Date(), t = date.toLocaleDateString(); if (docs.length == 1) { var r = docs[0]; if (r.day == t) { func({ _id: id, value: r.value, day: t }); return; } } func({ _id: id, value: startValue, day: t }); }); };
    obj.escapeBase64 = function escapeBase64(val) { return (val.replace(/\+/g, '@').replace(/\//g, '$')); }

+    // Encrypt an database object
+    obj.performRecordEncryptionRecode = function (func) {
+        var count = 0;
+        obj.GetAllType('user', function (err, docs) {
+            if (err == null) { for (var i in docs) { count++; obj.Set(docs[i]); } }
+            obj.GetAllType('node', function (err, docs) {
+                if (err == null) { for (var i in docs) { count++; obj.Set(docs[i]); } }
+                func(count);
+            });
+        });
+    }
+
    // Encrypt an database object
    function performTypedRecordDecrypt(data) {
        if ((obj.dbRecordsDecryptKey == null) || (typeof data != 'object')) return data;
@ -237,10 +249,11 @@ module.exports.CreateDB = function (parent, func) {
    // Encrypt an object and return a base64.
    function performRecordEncrypt(plainobj) {
        if (obj.dbRecordsEncryptKey == null) return null;
-        const iv = parent.crypto.randomBytes(16);
-        const aes = parent.crypto.createCipheriv('aes-256-cbc', obj.dbRecordsEncryptKey, iv);
+        const iv = parent.crypto.randomBytes(12);
+        const aes = parent.crypto.createCipheriv('aes-256-gcm', obj.dbRecordsEncryptKey, iv);
        var ciphertext = aes.update(JSON.stringify(plainobj));
-        ciphertext = Buffer.concat([iv, ciphertext, aes.final()]);
+        var cipherfinal = aes.final();
+        ciphertext = Buffer.concat([iv, aes.getAuthTag(), ciphertext, cipherfinal]);
        return ciphertext.toString('base64');
    }

@ -248,12 +261,17 @@ module.exports.CreateDB = function (parent, func) {
    function performRecordDecrypt(ciphertext) {
        if (obj.dbRecordsDecryptKey == null) return null;
        const ciphertextBytes = Buffer.from(ciphertext, 'base64');
-        const iv = ciphertextBytes.slice(0, 16);
-        const data = ciphertextBytes.slice(16);
-        const aes = parent.crypto.createDecipheriv('aes-256-cbc', obj.dbRecordsDecryptKey, iv);
-        var plaintextBytes = Buffer.from(aes.update(data));
-        plaintextBytes = Buffer.concat([plaintextBytes, aes.final()]);
-        return JSON.parse(plaintextBytes.toString());
+        const iv = ciphertextBytes.slice(0, 12);
+        const data = ciphertextBytes.slice(28);
+        const aes = parent.crypto.createDecipheriv('aes-256-gcm', obj.dbRecordsDecryptKey, iv);
+        aes.setAuthTag(ciphertextBytes.slice(12, 16));
+        var plaintextBytes, r;
+        try {
+            plaintextBytes = Buffer.from(aes.update(data));
+            plaintextBytes = Buffer.concat([plaintextBytes, aes.final()]);
+            r = JSON.parse(plaintextBytes.toString());
+        } catch (e) { throw "Incorrect DbRecordsDecryptKey/DbRecordsEncryptKey or invalid database _CRYPT data: " + e; }
+        return r;
    }

    // Clone an object (TODO: Make this more efficient)