Node.js Builtin Crypto: RSA Decryption - node.js

I'm using node.js 0.10.12. I have generated 2048-bit RSA keypairs that I store as .pem files locally.
Using the built-in 'crypto' library that comes with node, I am trying to decrypt a block of data encrypted with the public RSA key mentioned above.
I've gotten this far:
var fs = require('fs');
var crypto = require('crypto');
var privateKey = fs.readFileSync('private.pem', { encoding: 'utf8' });
var cryptOpt = { key: /* PEM encoded private key */ privateKey };
var cred = crypto.createCredentials( cryptOpt );
var rsa = crypto.createDecipheriv( 'rsa', cred.?key-in-binary-format?, cred.?initialization vector? );
I'm not sure I'm on the right path here.
• I don't know where the key is stored in binary form inside 'cred'.
• I don't know what to put in initialization-vector parameter.
The data will be encrypted using standard libraries on iOS, which, to my knowledge, does not allow the user to specify an initialization vector when encrypting with RSA.
I haven't been able to extract much knowledge or understanding from the node.js crypto docs:
http://nodejs.org/api/crypto.html

As there isn't any asymmetric encryption happening in Node.js, I think you are more or less lost in the woods. You will require another library if you want to encrypt anything with RSA. The output of openssl list-cipher-algorithms, which the documentation for crypto.createCipher(algorithm, password) and crypto.createCipheriv(algorithm, key, iv) refers to, only lists symmetric algorithms such as AES and DES (etc.). An IV is in general only used for symmetric algorithms anyway. Node.js only seems to support RSA signing and verification.
I would really suggest getting deeper into the subject matter before continuing on your development path.
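Added example, not part of the question or answer above: Node.js releases newer than the 0.10 line discussed here include crypto.publicEncrypt and crypto.privateDecrypt, so RSA decryption no longer needs a separate library. It assumes RSA-OAEP with SHA-256 and a freshly generated key pair in place of the .pem files; the sender's padding must match, and RSA takes no IV.

```javascript
// Added example: RSA-OAEP with Node's built-in crypto (current releases).
const crypto = require('crypto');

// Constructed 2048-bit key pair standing in for the question's .pem files.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', {
  modulusLength: 2048,
  publicKeyEncoding: { type: 'spki', format: 'pem' },
  privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
});

// OAEP parameters must match on both sides; SHA-256 is an assumption here.
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Largest plaintext one RSA-OAEP operation accepts: k - 2*hLen - 2 bytes.
function maxOaepPlaintext(modulusBits, hashBytes) {
  return modulusBits / 8 - 2 * hashBytes - 2;
}

function encrypt(pubPem, plaintext) {
  return crypto.publicEncrypt({ key: pubPem, ...OAEP }, plaintext);
}

// No IV parameter exists: the padding's randomness lives inside the ciphertext.
function decrypt(privPem, ciphertext) {
  return crypto.privateDecrypt({ key: privPem, ...OAEP }, ciphertext);
}

// Returns true when decryption is rejected (tampered data or wrong padding).
function rejects(privPem, ciphertext) {
  try { decrypt(privPem, ciphertext); return false; } catch (e) { return true; }
}

const msg = Buffer.from('session key material (constructed sample)');
const ct = encrypt(publicKey, msg);
console.log(ct.length, decrypt(privateKey, ct).toString());
```

Because one operation is capped at a few hundred bytes, RSA is normally used to wrap a symmetric key, and the bulk data is encrypted with that key.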

Related

Is it possible to ECDSA verify hash of the message instead of plain message with nodejs crypto module?

I know I can verify a plain message with the following code:
const verify = crypto.createVerify('sha256')
verify.write(Buffer.from(message, 'base64'))
verify.end()
const verified = verify.verify(publicKey, signatureToVerify, 'base64')
But I need to verify against the already hashed message, instead of node hashing it for me. Is it possible to do it with node's crypto module?

If https already encrypted GET request, is sha encryption important?

I'm looking at Weixin's document, I found that they are using SHA-1. I feel like it's not secure, but then my friend said 'never mind, we use https', so I am wondering, is it important to use SHA-1 or others? When will https encrypt our request?
Thanks!
This is Weixin's document:
https://developers.weixin.qq.com/doc/offiaccount/en/Basic_Information/Access_Overview.html
private function checkSignature()
{
    $signature = $_GET["signature"];
    $timestamp = $_GET["timestamp"];
    $nonce = $_GET["nonce"];
    $token = TOKEN;
    $tmpArr = array($token, $timestamp, $nonce);
    sort($tmpArr, SORT_STRING);
    $tmpStr = implode( $tmpArr );
    $tmpStr = sha1( $tmpStr );
    if( $tmpStr == $signature ){
        return true;
    }else{
        return false;
    }
}
SHA-1 is a one way hash function. It should be avoided in most cases, but in your case WeChat doesn't offer you any alternative (though WeChat could of course modify their implementation in the future).
Also to answer your other question, which is when HTTPS encrypts your request; HTTPS is a protocol which ensures that the data in motion is secured and encrypted.
The moment a browser attempts to access a website that is secured by SSL, the browser and the web server get into a sequence of message exchanges which is also known as the "SSL Handshake". The SSL Handshake happens behind the scenes and is transparent to the user.
The handshake process leads to the establishment of a session key using the public and private key pair. The session key is then used to set up the SSL Connection.
Since symmetric cryptography is more efficient in terms of power, the PKI part is used only during the SSL Handshake to establish the symmetric session key. The data in motion is encrypted using the shared symmetric key.
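The same check written for Node.js, as an added example (not from Weixin's documentation or the answer above); the token value and the function names are assumptions. It compares the digests in constant time instead of with loose equality, and it makes the division of labour visible: HTTPS protects the request in transit, while the SHA-1 over the shared token tells the receiver that the sender knows the token.

```javascript
const crypto = require('crypto');

// Hypothetical shared token; the PHP code above reads it from the TOKEN constant.
const TOKEN = 'constructed-example-token';

// Sort token, timestamp and nonce as strings, concatenate, SHA-1, hex-encode.
// For ASCII input, JavaScript's default sort orders like PHP's SORT_STRING.
function expectedSignature(token, timestamp, nonce) {
  const joined = [token, timestamp, nonce].sort().join('');
  return crypto.createHash('sha1').update(joined, 'utf8').digest('hex');
}

// query: parsed query-string values from the incoming GET request.
function checkSignature(query, token = TOKEN) {
  const { signature, timestamp, nonce } = query;
  // A repeated parameter may arrive as an array; accept plain strings only.
  if (![signature, timestamp, nonce].every((v) => typeof v === 'string')) {
    return false;
  }
  const expected = Buffer.from(expectedSignature(token, timestamp, nonce), 'utf8');
  const supplied = Buffer.from(signature, 'utf8');
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  return supplied.length === expected.length &&
    crypto.timingSafeEqual(supplied, expected);
}

// Constructed sample request values.
const sample = { timestamp: '1700000000', nonce: '123456' };
sample.signature = expectedSignature(TOKEN, sample.timestamp, sample.nonce);
console.log(checkSignature(sample));
```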

node.js : Error: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch

I had my PayPal IPN my-prvkey.pem and my-pubcert.pem set up like this, and there were no problems:
var httpsOptions = {
    key: fs.readFileSync('./app/certsandkeys/my-prvkey.pem'),
    cert: fs.readFileSync('./app/certsandkeys/my-pubcert.pem'),
    requestCert: true
}
But after I added my site's cert and key, created with openssl, to my code like this:
var httpsOptions = {
    key: [fs.readFileSync('./app/certsandkeys/my-prvkey.pem'),fs.readFileSync('./app/certsandkeys/ssl/server.key')],
    cert: [fs.readFileSync('./app/certsandkeys/my-pubcert.pem'),fs.readFileSync('./app/certsandkeys/ssl/server.crt')],
    requestCert: true
}
Now I get this error and I don't know why:
Error: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
From the docs for options.key:
Multiple keys using different algorithms can be provided either as an
array of unencrypted key strings or ...
The tests use RSA and Elliptic Curve. You almost certainly have and want two keys of the same algorithm, and it won't help you to use different algorithms, since you have no way of knowing what a client will end up negotiating.
As in my answer for your other question, if you want different clients to get different key/chains then you may do so on the domain name using SNI and give the clients their respective hosts in URLs. There's no way to get a client to examine two chains and then tell your server which key to use.

Generate same password using bcrypt package nodejs

I am using the bcrypt package to generate encrypted passwords. I am using the code below to encrypt the password:
let bcrypt = require('bcrypt');
var hash = bcrypt.hashSync(password, 10);
It returns a different hash for the same password. But my requirement is that I need the same hash for the same password. Please let me know if it is possible using the bcrypt package. If not, please suggest a different package that I can use.
EDIT:
I am using the oauth2-server package, and with this package I am generating the token. In this package there is no way to compare the hash, as that work is handled internally by the package. So I am looking for a package that can give me the same hash.

How to create your own SecureContext for TLS 1.2?

I am using nodejs for TLS 1.2 requests to a server which requires client authentication. This means that during the initial handshake the client has to sign a hash value over random values negotiated between client and server.
In nodejs you have to supply the (e.g. RSA) key or the .pfx/.p12 file along with the corresponding passphrase with the request:
var https = require('https'), fs = require('fs')
var options = {
    host: url, path: func, method: 'POST',
    pfx: fs.readFileSync('mycert.pfx'),
    passphrase: 'mysecret',
    secureProtocol: 'TLSv1_2_method'
}
var req = https.request(options, function (res) {
...
In fact you are handing out your signature infrastructure instead of just signing a single item.
Customers don't want that; they insist on using the Windows Certificate Store for signing or, even better, a hardware token (smartcard, HSM) or a remote Key Vault that administers and logs signature creation.
For this I would need a "sign" callback when the basic TLS handshake is done.
I've seen that nodejs uses a SecureContext object, which is created by TLS.createSecureContext(). Is it possible to replace this object with your own implementation? What is its functional interface? Has anybody already done that?
Any other ideas?
