Created
June 11, 2014 10:50
-
-
Save OlavHN/6fcb071ddabd399fe001 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| var crypto = require('crypto'); | |
| var express = require('express'); | |
| var app = express(); | |
| // TODO: derive keys using pbkdf2 and some time step in the salt to get TTLs. | |
| var db = {}; | |
| var sever_secret = '123456'; | |
| var key_salt = '123456' | |
| app.get('/:id', extractHeader, deriveKeys, function(req, res, next) { | |
| if (!db[req.params.id]) return next('no key generated'); | |
| var pair = db[req.params.id]; | |
| var token = JSON.stringify({ | |
| msisdn: req.msisdn, | |
| time: Date.now() | |
| }); | |
| var encryptedToken = encrypt(pair, token); | |
| res.send(200, { | |
| status: 'ok', | |
| token: encryptedToken | |
| }); | |
| }); | |
| app.post('/:id', ensureTLS, function(req, res, next) { | |
| crypto.randomBytes(32, function(err, bytes) { | |
| if (err) return next(err); | |
| var pair = { | |
| key: bytes.slice(0, 16).toString('hex'), | |
| iv: bytes.slice(16).toString('hex') | |
| }; | |
| db[req.params.id] = pair; | |
| res.send(200, { | |
| status: 'ok', | |
| pair: pair, | |
| algorithm: 'aes-128-cbc', | |
| }); | |
| }); | |
| }); | |
| function encrypt(pair, token) { | |
| // Encrypt token with a server side secret | |
| var cipher1 = crypto.createCipher('aes-128-cbc', server_secret); | |
| var serverEncryptedToken = cipher1.update(token, 'utf8', 'base64') + cipher1.final('base64'); | |
| // Encrypt again with a key distributed to the client over TLS | |
| var cipher2 = crypto.createCipheriv('aes-128-cbc', pair.key, pair.iv); | |
| var doubleEncryptedToken = cipher2.update(serverEncryptedToken, 'utf8', 'base64') + cipher2.final('base64'); | |
| return doubleEncryptedToken; | |
| } | |
| function ensureTLS(req, res, next) { | |
| // TODO: function for verifying this request happened over a secure connection. | |
| next(); | |
| } | |
| function extractHeader(req, res, next) { | |
| var header = req.headers['x-nokia-msisdn']; | |
| if (!header) | |
| return res.send(403); | |
| req.msisdn = header; | |
| next(); | |
| } | |
| // Not done! | |
| function deriveKeys(req, res, next) { | |
| // TODO: Put restrictions on id or generate server side | |
| var id = req.params.id; | |
| crypto.pbkdf2(id, key_salt, 1000, 32, function(err, key) { | |
| if (err) return next(err); | |
| req.derivedKey = key; | |
| next(); | |
| }); | |
| } | |
| function error(err, req, res, next) { | |
| if (!err) return next(); | |
| console.error(err); | |
| res.end(500); | |
| } | |
| app.listen(process.env.PORT || 8080); |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment