From d6138347d7676a11070ca1206c3ce926b282f3d6 Mon Sep 17 00:00:00 2001
From: Pepijn Verlaan
Date: Thu, 7 Sep 2017 15:38:13 +0200
Subject: [PATCH 1/2] Remove bias when generating secrets
---
 index.js | 16 ++++++++++------
 test/generate.js | 3 +--
 2 files changed, 11 insertions(+), 8 deletions(-)
diff --git a/index.js b/index.js
index 59eb6ad..a9ae067 100644
--- a/index.js
+++ b/index.js
@@ -511,13 +511,13 @@ exports.generateSecret = function generateSecret (options) {
 }
 // generate an ascii key
- var key = this.generateSecretASCII(length, symbols);
+ var keyBytes = crypto.randomBytes(length || 32);
 // return a SecretKey with ascii, hex, and base32
 var SecretKey = {};
- SecretKey.ascii = key;
- SecretKey.hex = Buffer(key, 'ascii').toString('hex');
- SecretKey.base32 = base32.encode(Buffer(key)).toString().replace(/=/g, '');
+ SecretKey.ascii = encodeASCII(keyBytes, symbols);
+ SecretKey.hex = keyBytes.toString('hex');
+ SecretKey.base32 = base32.encode(keyBytes).toString().replace(/=/g, '');
 // generate some qr codes if requested
 if (qr_codes) {
@@ -560,14 +560,18 @@ exports.generate_key = util.deprecate(function (options) {
 */
 exports.generateSecretASCII = function generateSecretASCII (length, symbols) {
 var bytes = crypto.randomBytes(length || 32);
- var set = '0123456789ABCDEFGHIJKLMNOPQRSTUVWXTZabcdefghiklmnopqrstuvwxyz';
+ return encodeASCII(bytes, symbols);
+};
+
+function encodeASCII (bytes, symbols) {
+ var set = '0123456789ABCDEFGHIJKLMNOPQRSTUVWXTZabcdefghijklmnopqrstuvwxyz';
 if (symbols) {
 set += '!@#$%^&*()<>?/[]{},.:;';
 }
 var output = '';
 for (var i = 0, l = bytes.length; i < l; i++) {
- output += set[Math.floor(bytes[i] / 255.0 * (set.length - 1))];
+ output += set[Math.floor(bytes[i] / 256.0 * set.length)];
 }
 return output;
 };
diff --git a/test/generate.js b/test/generate.js
index e0e7f25..257608a 100644
--- a/test/generate.js
+++ b/test/generate.js
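Review bot: In `generateSecret` (index.js, first hunk), `SecretKey.ascii` no longer represents the same key as `SecretKey.hex` and `SecretKey.base32`: those two now encode the raw `keyBytes`, while `ascii` is a lossy mapping of each byte onto the character set, and the test assertions that tied the three together are dropped later in this patch. A caller that enrols an authenticator from `base32` but verifies with `ascii` would derive a different HMAC key, and code below the hunk that uses `SecretKey.ascii` (the hunk ends at the QR-code block) may be affected too. If the fields are meant to stay interchangeable, derive the byte encodings from the string, e.g. `SecretKey.hex = Buffer.from(SecretKey.ascii, 'ascii').toString('hex');`; otherwise document on the return value that `ascii` is not an encoding of the key. The `// generate an ascii key` comment should also become `// generate random key bytes`. The function starts and ends outside the hunk.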
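Review bot: `Math.floor(bytes[i] / 256.0 * set.length)` in the new `encodeASCII` (index.js, second hunk) still picks characters non-uniformly, because 256 is not a multiple of the alphabet length (62 without symbols, 84 with), so some characters are reached by one more byte value than others. The change does remove the much larger skew of the old formula, where the last character was selected only for byte 255. Rejection sampling removes the remainder: redraw any byte at or above the largest multiple of `set.length` that fits in 256, then index with `%`. The output then depends on fresh random bytes as well as on `bytes`, which looks acceptable given that the string cannot be decoded back to the bytes anyway.

```javascript
function encodeASCII (bytes, symbols) {
  // … unchanged: building `set` …
  // Bytes at or above `limit` are redrawn so every character is equally likely.
  var limit = 256 - (256 % set.length);
  // … unchanged: var output = ''; …
  for (var i = 0, l = bytes.length; i < l; i++) {
    var b = bytes[i];
    while (b >= limit) {
      b = crypto.randomBytes(1)[0];
    }
    output += set[b % set.length];
  }
  // … unchanged: return output; …
```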
@@ -23,8 +23,7 @@ describe('Generator tests', function () {
 assert.isUndefined(secret.google_auth_qr, 'Google Auth QR should not be returned');
 // check encodings
- assert.equal(Buffer(secret.hex, 'hex').toString('ascii'), secret.ascii, 'Should have encoded correct hex string');
- assert.equal(base32.decode(secret.base32).toString('ascii'), secret.ascii, 'Should have encoded correct base32 string');
+ assert.equal(base32.decode(secret.base32).toString('hex'), secret.hex, 'Should have encoded correct base32 string');
 });
 it('Generation with custom key length', function () {
From 9aee69d865eae942edcc4c39d4b42e7271809c6d Mon Sep 17 00:00:00 2001
From: Pepijn Verlaan
Date: Sat, 14 Jul 2018 02:44:20 +0200
Subject: [PATCH 2/2] Replace misplaced T with Y in set of characters
---
 index.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/index.js b/index.js
index a9ae067..60123de 100644
--- a/index.js
+++ b/index.js
@@ -564,7 +564,7 @@ exports.generateSecretASCII = function generateSecretASCII (length, symbols) {
 };
 function encodeASCII (bytes, symbols) {
- var set = '0123456789ABCDEFGHIJKLMNOPQRSTUVWXTZabcdefghijklmnopqrstuvwxyz';
+ var set = '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
 if (symbols) {
 set += '!@#$%^&*()<>?/[]{},.:;';
 }
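Review bot: In the test/generate.js hunk of patch 1/2, the two replaced assertions were the only checks in the hunk that involved `secret.ascii`, so nothing visible here verifies that field any more. Because `ascii` is now produced by a separate mapping rather than being the key itself, an assertion that pins its format would keep it covered, for example `assert.match(secret.ascii, /^[0-9A-Za-z!@#$%^&*()<>?\/\[\]{},.:;]+$/, 'Should only contain characters from the set');`. The test body starts above the hunk, so a length check on `secret.ascii` may already exist there.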