
Added additional passphrase security using vaults

pull/4/head
Kim Grytøyr 4 years ago
parent
commit
9ca64e30df
  1. 23
      cli-script/npaste
  2. 2
      cli-script/v.sh
  3. 1
      cli-script/vaults
  4. 4
      src/lib/paste.js
  5. 10
      src/public/javascripts/decrypt.js
  6. 9
      src/public/javascripts/syntax.js
  7. 4
      src/views/image.jade
  8. 4
      src/views/text.jade

23
cli-script/npaste

@ -9,6 +9,8 @@ usage() {
printf "\t-h --help\n"
printf "\t-p --plaintext No syntax highlighting.\n"
printf "\t--age When to delete this item. Syntax: n[m|h|d|y], where n is an integer. minutes, hours, days, years. Example: 1h. Default: 0, ie. never deleted.\n"
printf "\t--encrypt The paste will be encrypted using a secret key not known to the server.\n"
printf "\t--vault If using --encrypt, this will also encrypt it with a password that is not in the URL.\n"
printf "\t--archive The paste will be restorable for the submitter with the archive flag.\n"
printf "\t--no-archive The paste will NOT be archived, regardless of default defined in config file.\n"
printf "\t--no-auto-pipe Don't use auto pipe command as defined in config file\n"
@ -46,6 +48,7 @@ api_request() {
NPASTE_IS_PLAINTEXT=0
NPASTE_AGE=0
NPASTE_CONFIG="$HOME/.config/npaste/cli.conf"
NPASTE_VAULTS="$HOME/.config/npaste/vaults"
NPASTE_FILE="-" # default stdin
NPASTE_USE_AUTO_PIPE_COMMAND=1
NPASTE_ARCHIVE=0
@ -73,6 +76,9 @@ while [ "$1" != "" ]; do
--encrypt)
NPASTE_ENCRYPT=1
;;
--vault)
NPASTE_VAULT=$VALUE
;;
--archive)
NPASTE_ARCHIVE=1
;;
@ -185,11 +191,24 @@ else
fi
if [ "$NPASTE_DO_ENCRYPT" = "1" ]; then
# encrypt file
NPASTE_VAULT_KEY=""
if [ "$NPASTE_VAULT" ]; then
while IFS=':' read -ra VAULTS; do
if [ "${VAULTS[0]}" = "$NPASTE_VAULT" ]; then
NPASTE_VAULT_KEY="${VAULTS[1]}"
fi
done <<< $(cat $NPASTE_VAULTS)
if [ -z "$NPASTE_VAULT_KEY" ]; then
echo "Unable to find vault key for $NPASTE_VAULT"
exit
fi
fi
# create random encryption key
KEY=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w $NPASTE_ENCRYPTION_KEY_LENGTH | head -n 1)
# upload file to npaste
NPASTE_PASTE_URL=$(cat $NPASTE_FILE | base64 | gpg --armor --batch --passphrase "$KEY" --symmetric | api_request $NPASTE_USERNAME $NPASTE_APIKEY $NPASTE_URL "-F paste=@-" "-F plain=$NPASTE_IS_PLAINTEXT" "-F age=$NPASTE_AGE" "-F archive=$NPASTE_DO_ARCHIVE" "-F mimetype=$MIME_TYPE" "-F encrypted=1")
NPASTE_PASTE_URL=$(cat $NPASTE_FILE | base64 | gpg --armor --batch --passphrase "$KEY$NPASTE_VAULT_KEY" --symmetric | api_request $NPASTE_USERNAME $NPASTE_APIKEY $NPASTE_URL "-F paste=@-" "-F plain=$NPASTE_IS_PLAINTEXT" "-F age=$NPASTE_AGE" "-F archive=$NPASTE_DO_ARCHIVE" "-F mimetype=$MIME_TYPE" "-F encrypted=1" "-F vault=$NPASTE_VAULT")
else
NPASTE_PASTE_URL=$(cat $NPASTE_FILE | api_request $NPASTE_USERNAME $NPASTE_APIKEY $NPASTE_URL "-F paste=@-" "-F plain=$NPASTE_IS_PLAINTEXT" "-F age=$NPASTE_AGE" "-F archive=$NPASTE_DO_ARCHIVE" "-F encrypted=0")
fi
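Review bot: The failure path after `echo "Unable to find vault key for $NPASTE_VAULT"` ends in a bare `exit`, which leaves the status at 0 and prints the error on stdout, so a caller or pipeline cannot tell that nothing was uploaded; change it to `echo "Unable to find vault key for $NPASTE_VAULT" >&2` followed by `exit 1`. The lookup loop also splits on every `:` via `read -ra VAULTS`, so a vault key that itself contains a colon is silently truncated to its first segment, and `<<< $(cat $NPASTE_VAULTS)` is unquoted twice; reading with `while IFS=':' read -r name key; do … done < "$NPASTE_VAULTS"` (guarded by `[ -r "$NPASTE_VAULTS" ]`) keeps the remainder of the line in `key` and avoids the word splitting. Separately, `--passphrase "$KEY$NPASTE_VAULT_KEY"` now places the long-lived vault secret on gpg's command line, where it is visible in the process list to other local users for the duration of the call (the per-paste random key had the same exposure before this change); gpg's `--passphrase-fd` reads the passphrase from a file descriptor instead. The `$VALUE` assigned in the `--vault)` branch comes from option parsing outside the hunk, so I cannot confirm here that a bare `--vault` with no value is rejected rather than setting an empty vault name.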

2
cli-script/v.sh

@ -0,0 +1,2 @@
#/bin/sh
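Review bot: The first line `#/bin/sh` is missing the `!`, so it is an ordinary comment rather than a shebang and the interpreter is left to whatever invokes the file; it should read `#!/bin/sh`. The diffstat lists two added lines but only this one is shown on the page, so I cannot see what the script does or how it relates to `cli-script/vaults`; a one-line comment stating its purpose would help the next reader.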

1
cli-script/vaults

@ -0,0 +1 @@
ibooking:12345
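Review bot: This file checks a `name:key` vault entry into the repository, while the CLI reads vault keys from `$HOME/.config/npaste/vaults`, so the committed copy can only be an example — but nothing marks it as one, and `12345` beside a real-looking vault name reads as a credential to anyone scanning the repo. Renaming it to `vaults.example` with a leading line such as `# format: <vault-name>:<vault-key>, one per line; keep the real file mode 0600` makes the intent explicit and documents the format the parser in `cli-script/npaste` expects. If the value is a real key rather than a placeholder, it should be rotated and purged from history rather than merely deleted in a follow-up commit.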

4
src/lib/paste.js

@ -186,6 +186,10 @@ const add = (req, res, next) => {
// deleting the file
metadata.archive = req.body.archive == 1 ? true : false;
if (req.body.vault) {
metadata.vault = req.body.vault;
}
// Create .meta file
// TODO: Move this to function or module
fs.writeFileSync(config.path + filename + '.meta', JSON.stringify(metadata));
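Review bot: The new `if (req.body.vault)` block stores the submitter-supplied vault name without any validation, and the two view changes in this commit (`src/views/image.jade` and `src/views/text.jade`) then interpolate it into a JavaScript string literal, `window.vault = '#{paste.vault}';`, inside a `script.` block. Jade's `#{}` escaping covers `<`, `>`, `&` and `"` but, as far as I recall, not the single quote, so a vault name containing `'` can close that literal and run script in every viewer's browser; please verify this against the template engine version actually installed. The cheapest fix is on this side: `if (typeof req.body.vault === 'string' && /^[A-Za-z0-9_.-]{1,64}$/.test(req.body.vault)) {` in place of the bare truthiness check, which also rejects the arrays and objects a body parser can produce for that field; the templates would additionally be safer emitting a JSON-encoded value than a hand-quoted literal. The enclosing `add` handler starts and ends outside the hunk.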

10
src/public/javascripts/decrypt.js

@ -14,12 +14,18 @@ ready(() => {
// Encryption stuff
if (window.location.hash) {
console.log("Decrypting image..");
let passphrase = '';
if (window.vault) {
passphrase = prompt("Enter passphrase for vault '" + window.vault + "':");
}
const data = document.getElementById('data').innerHTML;
try {
options = {
message: openpgp.message.readArmored(data),
password: window.location.hash.substr(1),
password: window.location.hash.substr(1) + passphrase,
};
}
catch (e) {
@ -36,7 +42,7 @@ ready(() => {
document.getElementById('decrypting').style.display = 'none';
}).catch(function(error) {
const errorDiv = document.getElementById('error');
errorDiv.innerHTML = 'Unable to decrypt message. You probably have the wrong decryption key.';
errorDiv.innerHTML = 'Unable to decrypt message. You probably have the wrong decryption key or passphrase.';
errorDiv.style.display = 'block';
document.getElementById('decrypting').style.display = 'none';
});
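Review bot: `prompt(...)` returns `null` when the user cancels the dialog, and the new `password: window.location.hash.substr(1) + passphrase` then appends the literal string "null" to the key, so a cancelled prompt yields a misleading "wrong decryption key or passphrase" failure instead of a clean abort; `passphrase = prompt("Enter passphrase for vault '" + window.vault + "':") || '';` (or returning early when it is `null`) fixes this, and the identical lines added to `src/public/javascripts/syntax.js` need the same change. A `window.prompt` dialog also echoes the passphrase in clear text on screen, so an `<input type="password">` field would be the better long-term shape, though that is a larger change than this commit. The `ready(() => {` callback containing these lines starts and ends outside the hunk.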

9
src/public/javascripts/syntax.js

@ -57,11 +57,16 @@ ready(() => {
openpgp.initWorker({ path:'/javascripts/openpgp.worker.min.js' });
console.log("Decrypting text..");
let passphrase = '';
if (window.vault) {
passphrase = prompt("Enter passphrase for vault '" + window.vault + "':");
}
const data = document.getElementById('paste').innerHTML;
try {
options = {
message: openpgp.message.readArmored(data),
password: window.location.hash.substr(1),
password: window.location.hash.substr(1) + passphrase,
};
}
catch (e) {
@ -81,7 +86,7 @@ ready(() => {
document.getElementById('decrypting').style.display = 'none';
}).catch(function(error) {
const errorDiv = document.getElementById('error');
errorDiv.innerHTML = 'Unable to decrypt message. You probably have the wrong decryption key.';
errorDiv.innerHTML = 'Unable to decrypt message. You probably have the wrong decryption key or passphrase.';
errorDiv.style.display = 'block';
document.getElementById('decrypting').style.display = 'none';
});

4
src/views/image.jade

@ -4,7 +4,9 @@ block head
if paste.encrypted === true
script(src='/javascripts/openpgp.min.js')
script(src='/javascripts/decrypt.js')
if paste.vault
script.
window.vault = '#{paste.vault}';
block content
#content
include header.jade

4
src/views/text.jade

@ -8,7 +8,9 @@ block head
script(src='/javascripts/syntax.js')
link(rel='stylesheet', href='/stylesheets/gruvbox-dark.css')
link(rel='stylesheet', href='/stylesheets/line-numbers.css')
if paste.vault
script.
window.vault = '#{paste.vault}';
block content
#content
include header.jade
