Merge pull request #10 from fryl0ch/master

fixes for #3 and #4
kunalpanchal · Oct 11, 2019 · ec1df6c · ec1df6c
2 parents b5f3b3c + bd31f9d
commit ec1df6c
Show file tree

Hide file tree

Showing 4 changed files with 34 additions and 10 deletions.
diff --git a/README.md b/README.md
@@ -79,7 +79,8 @@ $ secure-env --option <VALUE> <file-path-which-is-to-be-encrypted>
 | ------ | ------ | ------ |
 | --secret <secretKey> | Specify the secret Key which would be later used to decrypt the file. | `mySecret` |
 | --out <file-path> | The encrypted file path that would be created. | `env.enc` |
-| --algo <algoName> | The encryption algorithm that is to be used to encrypt the env file. | `aes192` |
+| --algo <algoName> | The encryption algorithm that is to be used to encrypt the env file. | `aes256` |
+| --decrypt | prints the decrypted text to stdout
 
 
 ### Decryption
@@ -97,7 +98,7 @@ require('secure-env')({path:'/custom/path/to/your/env/vars'});
 
 #### Decryption Algorithm
 
-Default: `aes192`
+Default: `aes256`
 
 You may specify the encryption algorithm for your file containing environment variables
 using this option.
@@ -147,6 +148,13 @@ Source-env uses these open source projects to work properly:
 
 * [Minimist][minimist] - Argument parser without all the fanciful decoration.
 
+## Contributors
+
+<a href="https://github.com/kunalpanchal/secure-env/graphs/contributors">
+  <img src="https://contributors-img.firebaseapp.com/image?repo=kunalpanchal/secure-env" />
+</a>
+
+
 ## Acknowledgements
 
 Source-env is inspired from and also uses code references from these open source projects:

diff --git a/lib/cli.js b/lib/cli.js
@@ -4,14 +4,19 @@
  * --secret <secretKey>  | -s <secretKey>
  * --out <file-path> | -o <file-path>
  * --algo <algoName> |  -a <algoName>
+ * --algo <algoName> |  -a <algoName>
+ * --decrypt | -d
  */
 
 const argv = require('minimist')(process.argv.slice(2))
+const log = require('./utils/log')
 const outputFile = argv.outputFile || argv.o
 const inputFile = argv._[0]
 const secret = argv.secret || argv.s
 const encryptionAlgo = argv.algo || argv.a
 
 const cryptography = require('./cryptography')
 
-cryptography.encrypt({ secret, inputFile, outputFile, encryptionAlgo })
+
+if (argv.decrypt || argv.d) log(cryptography.decrypt({secret, outputFile, encryptionAlgo}),'info')
+	else cryptography.encrypt({ secret, inputFile, outputFile, encryptionAlgo });
diff --git a/lib/cryptography.js b/lib/cryptography.js
@@ -8,19 +8,25 @@ const log = require('./utils/log')
  * --secret <secretKey>  | -s <secretKey>
  * --out <file-path> | -o <file-path>
  * --algo <algoName> |  -a <algoName>
+ * --decrypt | -d 
  */
 
 module.exports.decrypt = (options) => {
   try {
     const secret = options.secret || 'mySecret'
     const inputFile = options.file || '.env.enc'
-    const decryptionAlgo = options.decryptionAlgo || 'aes192'
+    const decryptionAlgo = options.decryptionAlgo || 'aes256'
+    const ivLength = options.ivLength || 16
 
     if (!fs.existsSync(inputFile)) throw `${inputFile} does not exist.`
     if (!secret || typeof (secret) !== 'string') throw 'No SecretKey provided.'
 
-    const decipher = crypto.createDecipher(decryptionAlgo, secret)
-    let decrypted = decipher.update(fs.readFileSync(inputFile), 'hex', 'utf8')
+    const fileBuffer = fs.readFileSync(inputFile)
+    const iv = fileBuffer.slice(0, ivLength)
+    const ciphertext = fileBuffer.slice(ivLength, fileBuffer.length)
+    const key = crypto.createHash('sha256').update(String(secret)).digest()
+    const decipher = crypto.createDecipheriv(decryptionAlgo, key, iv)
+    let decrypted = decipher.update(ciphertext, 'hex', 'utf8')
     decrypted += decipher.final('utf8')
     return decrypted
   } catch (e) {
@@ -33,13 +39,18 @@ module.exports.encrypt = (options) => {
     const secret = options.secret || 'mySecret'
     const inputFile = options.inputFile || '.env'
     const outputFilePath = options.outputFile || `${inputFile}.enc`
-    const encryptionAlgo = options.encryptionAlgo || 'aes192'
+    const encryptionAlgo = options.encryptionAlgo || 'aes256'
+    const ivLength = options.ivLength || 16
+    // presumably createCipheriv() should work for all the algo in ./openssl_list-cipher-algorithms.csv with the right key/iv length
 
     if (!fs.existsSync(inputFile)) throw `Error: ${inputFile} does not exist.`
     if (!secret || typeof (secret) !== 'string') throw 'No SecretKey provided.Use -s option to specify secret'
 
-    const cipher = crypto.createCipher(encryptionAlgo, secret)
+    const key = crypto.createHash('sha256').update(String(secret)).digest() // node v10.5.0+ should use crypto.scrypt(secret, salt, keylen[, options], callback)
+    const iv = crypto.randomBytes(ivLength)
+    const cipher = crypto.createCipheriv(encryptionAlgo, key, iv)
     const output = fs.createWriteStream(outputFilePath)
+    output.write(iv)
     fs.createReadStream(inputFile).pipe(cipher).pipe(output)
 
     output.on('finish', () => {

diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "secure-env",
-  "version": "1.1.0",
+  "version": "1.2.0",
   "description": "Use ENVs securely with encryption",
   "main": "dist/es5/lib/index.js",
   "preferGlobal": true,
@@ -37,4 +37,4 @@
   "dependencies": {
     "minimist": "^1.2.0"
   }
-}
+}