
Added additional passphrase security using vaults

tags/v0.6
Kim Grytøyr 2 years ago
parent
commit
9ca64e30df
8 changed files with 49 additions and 8 deletions
  1. +21
    -2
      cli-script/npaste
  2. +2
    -0
      cli-script/v.sh
  3. +1
    -0
      cli-script/vaults
  4. +4
    -0
      src/lib/paste.js
  5. +8
    -2
      src/public/javascripts/decrypt.js
  6. +7
    -2
      src/public/javascripts/syntax.js
  7. +3
    -1
      src/views/image.jade
  8. +3
    -1
      src/views/text.jade

+ 21
- 2
cli-script/npaste View File

@@ -9,6 +9,8 @@ usage() {
printf "\t-h --help\n"
printf "\t-p --plaintext No syntax highlighting.\n"
printf "\t--age When to delete this item. Syntax: n[m|h|d|y], where n is an integer. minutes, hours, days, years. Example: 1h. Default: 0, ie. never deleted.\n"
printf "\t--encrypt The paste will be encrypted using a secret key not known to the server.\n"
printf "\t--vault If using --encrypt, this will also encrypt it with a password that is not in the URL.\n"
printf "\t--archive The paste will be restorable for the submitter with the archive flag.\n"
printf "\t--no-archive The paste will NOT be archived, regardless of default defined in config file.\n"
printf "\t--no-auto-pipe Don't use auto pipe command as defined in config file\n"
@@ -46,6 +48,7 @@ api_request() {
NPASTE_IS_PLAINTEXT=0
NPASTE_AGE=0
NPASTE_CONFIG="$HOME/.config/npaste/cli.conf"
NPASTE_VAULTS="$HOME/.config/npaste/vaults"
NPASTE_FILE="-" # default stdin
NPASTE_USE_AUTO_PIPE_COMMAND=1
NPASTE_ARCHIVE=0
@@ -73,6 +76,9 @@ while [ "$1" != "" ]; do
--encrypt)
NPASTE_ENCRYPT=1
;;
--vault)
NPASTE_VAULT=$VALUE
;;
--archive)
NPASTE_ARCHIVE=1
;;
@@ -185,11 +191,24 @@ else
fi

if [ "$NPASTE_DO_ENCRYPT" = "1" ]; then
# encrypt file
NPASTE_VAULT_KEY=""
if [ "$NPASTE_VAULT" ]; then
while IFS=':' read -ra VAULTS; do
if [ "${VAULTS[0]}" = "$NPASTE_VAULT" ]; then
NPASTE_VAULT_KEY="${VAULTS[1]}"
fi
done <<< $(cat $NPASTE_VAULTS)
if [ -z "$NPASTE_VAULT_KEY" ]; then
echo "Unable to find vault key for $NPASTE_VAULT"
exit
fi
fi

# create random encryption key
KEY=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w $NPASTE_ENCRYPTION_KEY_LENGTH | head -n 1)

# upload file to npaste
NPASTE_PASTE_URL=$(cat $NPASTE_FILE | base64 | gpg --armor --batch --passphrase "$KEY" --symmetric | api_request $NPASTE_USERNAME $NPASTE_APIKEY $NPASTE_URL "-F paste=@-" "-F plain=$NPASTE_IS_PLAINTEXT" "-F age=$NPASTE_AGE" "-F archive=$NPASTE_DO_ARCHIVE" "-F mimetype=$MIME_TYPE" "-F encrypted=1")
NPASTE_PASTE_URL=$(cat $NPASTE_FILE | base64 | gpg --armor --batch --passphrase "$KEY$NPASTE_VAULT_KEY" --symmetric | api_request $NPASTE_USERNAME $NPASTE_APIKEY $NPASTE_URL "-F paste=@-" "-F plain=$NPASTE_IS_PLAINTEXT" "-F age=$NPASTE_AGE" "-F archive=$NPASTE_DO_ARCHIVE" "-F mimetype=$MIME_TYPE" "-F encrypted=1" "-F vault=$NPASTE_VAULT")
else
NPASTE_PASTE_URL=$(cat $NPASTE_FILE | api_request $NPASTE_USERNAME $NPASTE_APIKEY $NPASTE_URL "-F paste=@-" "-F plain=$NPASTE_IS_PLAINTEXT" "-F age=$NPASTE_AGE" "-F archive=$NPASTE_DO_ARCHIVE" "-F encrypted=0")
fi
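Review bot: The vault passphrase is handed to gpg on the command line at L90 (`--passphrase "$KEY$NPASTE_VAULT_KEY"`), where the full argument list is readable by every other local user through the process table; the per-paste `$KEY` was already exposed this way, but `$NPASTE_VAULT_KEY` is a long-lived secret reused across every paste in that vault, so the exposure now carries real weight. Passing it over a descriptor avoids argv, e.g. `gpg --armor --batch --passphrase-fd 3 --symmetric 3<<<"$KEY$NPASTE_VAULT_KEY"` (on gpg 2.1+ this needs `--pinentry-mode loopback`, as `--passphrase` itself does). Two smaller points in the same hunk: the lookup at L74-L78 splits on every `:`, so a passphrase containing a colon is silently truncated to its first field, which `while IFS=':' read -r name key; do … done < "$NPASTE_VAULTS"` would avoid since the last variable keeps the remainder; and the not-found branch at L80-L81 prints to stdout and exits with status 0, so a scripted caller cannot distinguish it from success — use `echo "Unable to find vault key for $NPASTE_VAULT" >&2; exit 1`.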


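--- /dev/null
+++ b/cli-script/v.sh
@@ -0,0 +1,2 @@
+#/bin/sh
+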
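Review bot: The first line of the new file is `#/bin/sh`, which is a plain comment rather than a shebang, so the kernel will not run it with `/bin/sh` and whatever shell invokes it directly falls back to interpreting it itself; it should read `#!/bin/sh`. Beyond that line the file is empty, so it is unclear what it is for — either add its body and a one-line comment stating its purpose, or drop it from the commit.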


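--- /dev/null
+++ b/cli-script/vaults
@@ -0,0 +1 @@
+ibooking:12345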
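Review bot: `cli-script/vaults` commits a vault name and its passphrase (`ibooking:12345`) to the repository, while the CLI reads vaults from `$HOME/.config/npaste/vaults` (see `NPASTE_VAULTS` in the npaste hunk), so this copy can only serve as an example — yet nothing marks it as one, and any real entry that lands here would be published with the source. Rename it to something like `vaults.example`, keep the value an obvious placeholder, and add a leading comment line describing the `name:passphrase` format; a comment line should be harmless to the CLI's parser, since its first field will never match a vault name, but that is worth confirming.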

+ 4
- 0
src/lib/paste.js View File

@@ -186,6 +186,10 @@ const add = (req, res, next) => {
// deleting the file
metadata.archive = req.body.archive == 1 ? true : false;

if (req.body.vault) {
metadata.vault = req.body.vault;
}

// Create .meta file
// TODO: Move this to function or module
fs.writeFileSync(config.path + filename + '.meta', JSON.stringify(metadata));
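Review bot: `req.body.vault` is copied into the metadata unvalidated at L119-L120, and that value is later echoed into every viewer's page (the `window.vault` script in the jade views) and used by the CLI as a lookup key, so the server is persisting an arbitrary client-supplied string where the rest of the code treats it as a short identifier. Restrict it before storing, e.g. `const vault = String(req.body.vault); if (/^[\w.-]{1,64}$/.test(vault)) { metadata.vault = vault; }` — the exact character set is a constructed suggestion, but `:` at least should be excluded because the CLI's vaults file splits on it; rejecting the upload with a 400 would be clearer than silently dropping the field. The `add` handler starts before this hunk.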


+ 8
- 2
src/public/javascripts/decrypt.js View File

@@ -14,12 +14,18 @@ ready(() => {
// Encryption stuff
if (window.location.hash) {
console.log("Decrypting image..");

let passphrase = '';
if (window.vault) {
passphrase = prompt("Enter passphrase for vault '" + window.vault + "':");
}

const data = document.getElementById('data').innerHTML;

try {
options = {
message: openpgp.message.readArmored(data),
password: window.location.hash.substr(1),
password: window.location.hash.substr(1) + passphrase,
};
}
catch (e) {
@@ -36,7 +42,7 @@ ready(() => {
document.getElementById('decrypting').style.display = 'none';
}).catch(function(error) {
const errorDiv = document.getElementById('error');
errorDiv.innerHTML = 'Unable to decrypt message. You probably have the wrong decryption key.';
errorDiv.innerHTML = 'Unable to decrypt message. You probably have the wrong decryption key or passphrase.';
errorDiv.style.display = 'block';
document.getElementById('decrypting').style.display = 'none';
});
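Review bot: When the viewer cancels the vault prompt, `prompt()` returns `null` at L139, and the concatenation at L148 turns the key into `<hash>null`, so decryption fails with the generic "wrong decryption key or passphrase" message instead of telling the user the paste requires a passphrase; an empty submission likewise proceeds with the key alone. Normalise the result, e.g. `passphrase = prompt("Enter passphrase for vault '" + window.vault + "':") || '';`, and consider treating cancel as an abort that hides the `decrypting` indicator rather than attempting decryption. The same pattern is in syntax.js at L173/L181. The `ready` callback starts before this hunk and continues past it.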


+ 7
- 2
src/public/javascripts/syntax.js View File

@@ -57,11 +57,16 @@ ready(() => {
openpgp.initWorker({ path:'/javascripts/openpgp.worker.min.js' });

console.log("Decrypting text..");
let passphrase = '';
if (window.vault) {
passphrase = prompt("Enter passphrase for vault '" + window.vault + "':");
}

const data = document.getElementById('paste').innerHTML;
try {
options = {
message: openpgp.message.readArmored(data),
password: window.location.hash.substr(1),
password: window.location.hash.substr(1) + passphrase,
};
}
catch (e) {
@@ -81,7 +86,7 @@ ready(() => {
document.getElementById('decrypting').style.display = 'none';
}).catch(function(error) {
const errorDiv = document.getElementById('error');
errorDiv.innerHTML = 'Unable to decrypt message. You probably have the wrong decryption key.';
errorDiv.innerHTML = 'Unable to decrypt message. You probably have the wrong decryption key or passphrase.';
errorDiv.style.display = 'block';
document.getElementById('decrypting').style.display = 'none';
});


+ 3
- 1
src/views/image.jade View File

@@ -4,7 +4,9 @@ block head
if paste.encrypted === true
script(src='/javascripts/openpgp.min.js')
script(src='/javascripts/decrypt.js')

if paste.vault
script.
window.vault = '#{paste.vault}';
block content
#content
include header.jade
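Review bot: `window.vault = '#{paste.vault}';` at L207 places a server-stored, client-supplied value inside a JavaScript string literal using Jade's HTML escaping, which is the wrong escaping for that context: entities are not decoded inside `<script>`, so a vault name containing `'`, `&` or `<` reaches `prompt()` as `&#39;`-style text, and a name with a backslash or a line break leaves the script with a syntax error and no decryption at all. I do not see a way to break out of the literal, since `'` and `<` are escaped, but the property is fragile and depends on Jade's escape set. Carrying the value in an attribute keeps the escaping in the context Jade handles correctly, e.g. `#content(data-vault=paste.vault)` at L209 with decrypt.js reading `document.getElementById('content').dataset.vault` instead of `window.vault`; text.jade at L224/L226 needs the same change.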


+ 3
- 1
src/views/text.jade View File

@@ -8,7 +8,9 @@ block head
script(src='/javascripts/syntax.js')
link(rel='stylesheet', href='/stylesheets/gruvbox-dark.css')
link(rel='stylesheet', href='/stylesheets/line-numbers.css')

if paste.vault
script.
window.vault = '#{paste.vault}';
block content
#content
include header.jade

