"use strict";
// Compiled CommonJS module (the shape below matches a TypeScript emit); the
// `__esModule` marker lets ESM-aware loaders import `Crypto` as a named export.
Object.defineProperty(exports, "__esModule", { value: true });
exports.Crypto = void 0;
const crypto = require("crypto");
const os = require("os");
const path_1 = require("path");
const ts_types_1 = require("@salesforce/ts-types");
const kit_1 = require("@salesforce/kit");
const logger_1 = require("../logger");
const messages_1 = require("../messages");
const cache_1 = require("../util/cache");
const global_1 = require("../global");
const keyChain_1 = require("./keyChain");
const secureBuffer_1 = require("./secureBuffer");
|
// Separates `<iv hex><ciphertext hex>` from the hex-encoded GCM auth tag.
const TAG_DELIMITER = ':';
// Random bytes drawn per encrypt(). They are hex-encoded before being handed to
// the cipher, so the IV *string* is 12 chars (the usual 96-bit GCM nonce width)
// but carries only 48 bits of randomness. decrypt() slices the IV by this width,
// so changing it changes the stored format.
const BYTE_COUNT_FOR_IV = 6;
const ALGO = 'aes-256-gcm';
// Hex length of the 16-byte GCM auth tag (Node's default tag size).
const AUTH_TAG_LENGTH = 32;
// Unanchored: matches any string that contains at least one lowercase hex digit,
// not a string made only of hex digits.
const ENCRYPTED_CHARS = /[a-f0-9]/;
// Keychain service/account under which the symmetric key material is stored.
const KEY_NAME = 'sfdx';
const ACCOUNT = 'local';
// Message bundle for the errors raised in this module.
messages_1.Messages.importMessagesDirectory((0, path_1.join)(__dirname));
const messages = messages_1.Messages.load('@salesforce/core', 'encryption', [
    'keychainPasswordCreationError',
    'invalidEncryptedFormatError',
    'authDecryptError',
    'macKeychainOutOfSync',
]);
|
/**
 * Wraps a password string in a SecureBuffer holding its utf8 bytes.
 *
 * @param {string} password - must be non-nullish; `ensure` throws otherwise.
 * @returns {SecureBuffer} buffer that has consumed the password bytes.
 */
const makeSecureBuffer = (password) => {
    const secure = new secureBuffer_1.SecureBuffer();
    const passwordBytes = Buffer.from((0, ts_types_1.ensure)(password), 'utf8');
    secure.consume(passwordBytes);
    return secure;
};
|
41 |
|
42 |
|
43 |
|
/**
 * Promise adapters over the callback-style keychain `getPassword`/`setPassword`.
 * Passwords read from the keychain are memoised in `Cache` as a `SecureBuffer`,
 * keyed by the global directory, service and account.
 */
const keychainPromises = {
    /**
     * Reads the password for `service`/`account`, serving from the cache when present.
     *
     * @param {object} _keychain - keychain implementation with a callback `getPassword`.
     * @param {string} service
     * @param {string} account
     * @returns {Promise<{username: string, password: string}>}
     */
    getPassword(_keychain, service, account) {
        const cacheKey = `${global_1.Global.DIR}:${service}:${account}`;
        const cached = cache_1.Cache.get(cacheKey);
        if (cached) {
            // The cache entry is rebuilt after reading it back — presumably
            // SecureBuffer.value() consumes the buffer; confirm in secureBuffer.
            const pw = cached.value((buffer) => buffer.toString('utf8'));
            cache_1.Cache.set(cacheKey, makeSecureBuffer(pw));
            return Promise.resolve({ username: account, password: (0, ts_types_1.ensure)(pw) });
        }
        return new Promise((resolve, reject) => {
            _keychain.getPassword({ service, account }, (err, password) => {
                if (err) {
                    reject(err);
                    return;
                }
                cache_1.Cache.set(cacheKey, makeSecureBuffer(password));
                resolve({ username: account, password: (0, ts_types_1.ensure)(password) });
            });
        });
    },
    /**
     * Stores `password` for `service`/`account`. Does not touch the cache.
     *
     * @param {object} _keychain - keychain implementation with a callback `setPassword`.
     * @param {string} service
     * @param {string} account
     * @param {string} password
     * @returns {Promise<{username: string, password: string}>}
     */
    setPassword(_keychain, service, account, password) {
        return new Promise((resolve, reject) => {
            _keychain.setPassword({ service, account, password }, (err) => {
                if (err) {
                    reject(err);
                    return;
                }
                resolve({ username: account, password });
            });
        });
    },
};
|
85 |
|
86 |
|
87 |
|
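/**
 * Symmetric encryption of stored secrets with AES-256-GCM, keyed by a password
 * kept in the OS keychain under service `sfdx` / account `local`.
 *
 * Lifecycle: construct, `await init()` to load the key from the keychain, use
 * `encrypt()`/`decrypt()`, then `close()` to wipe the key from memory (skipped when
 * `options.noResetOnClose` is set).
 *
 * Wire format produced by `encrypt()` and expected by `decrypt()`/`isEncrypted()`:
 *   `<iv hex, 12 chars><ciphertext hex>:<auth tag hex, 32 chars>`
 *
 * NOTE(review): the IV string is hex of 6 random bytes (48 bits of randomness)
 * and the key string is hex of 16 random bytes (128 bits of randomness in a
 * 32-byte key). Both are retained as-is because stored ciphertext depends on
 * them; GCM nonce reuse under one key would compromise both confidentiality and
 * integrity, so the risk grows with the number of values encrypted per key.
 */
class Crypto extends kit_1.AsyncOptionalCreatable {
    /**
     * @param {object} [options] - optional `keychain`, `platform`, `retryStatus`
     *   and `noResetOnClose`; see `init()`.
     */
    constructor(options) {
        super(options);
        this.key = new secureBuffer_1.SecureBuffer();
        this.options = options ?? {};
    }
    /**
     * Encrypts `text` with a fresh random IV.
     *
     * @param {string} [text] - plaintext; nullish input yields `undefined`.
     * @returns {string|undefined} `<iv><ciphertext>:<tag>`, all hex.
     * @throws keychainPasswordCreationError when no key buffer is present.
     */
    encrypt(text) {
        if (text == null) {
            return;
        }
        if (this.key == null) {
            throw messages.createError('keychainPasswordCreationError');
        }
        // Hex-encoded so the IV can be stored as a prefix of the output string.
        const iv = crypto.randomBytes(BYTE_COUNT_FOR_IV).toString('hex');
        return this.key.value((buffer) => {
            // The key buffer holds the hex *string* from init(); its utf8 bytes are the key.
            const cipher = crypto.createCipheriv(ALGO, buffer.toString('utf8'), iv);
            const encrypted = cipher.update(text, 'utf8', 'hex') + cipher.final('hex');
            const tag = cipher.getAuthTag().toString('hex');
            return `${iv}${encrypted}${TAG_DELIMITER}${tag}`;
        });
    }
    /**
     * Decrypts a value produced by `encrypt()`.
     *
     * @param {string} [text] - `<iv><ciphertext>:<tag>`; nullish input yields `undefined`.
     * @returns {string|undefined} the plaintext.
     * @throws invalidEncryptedFormatError when the delimiter count is wrong;
     *   authDecryptError (cause attached) when the tag does not verify.
     */
    decrypt(text) {
        if (text == null) {
            return;
        }
        // Same guard as encrypt(); without it a missing key surfaces as a TypeError.
        if (this.key == null) {
            throw messages.createError('keychainPasswordCreationError');
        }
        const tokens = text.split(TAG_DELIMITER);
        if (tokens.length !== 2) {
            throw messages.createError('invalidEncryptedFormatError');
        }
        const [payload, tag] = tokens;
        const iv = payload.substring(0, BYTE_COUNT_FOR_IV * 2);
        const secret = payload.substring(BYTE_COUNT_FOR_IV * 2);
        return this.key.value((buffer) => {
            const decipher = crypto.createDecipheriv(ALGO, buffer.toString('utf8'), iv);
            try {
                decipher.setAuthTag(Buffer.from(tag, 'hex'));
                return decipher.update(secret, 'hex', 'utf8') + decipher.final('utf8');
            }
            catch (err) {
                // Wrong key, altered ciphertext and bad tag all land here as one
                // authentication failure; the original error is kept as the cause.
                const error = messages.createError('authDecryptError', [err.message], [], err);
                const useGenericUnixKeychain = kit_1.env.getBoolean('SFDX_USE_GENERIC_UNIX_KEYCHAIN') ||
                    kit_1.env.getBoolean('USE_GENERIC_UNIX_KEYCHAIN');
                // On macOS with the native keychain, attach the remediation hint for a
                // keychain entry that no longer matches the key the secret was written with.
                if (os.platform() === 'darwin' && !useGenericUnixKeychain) {
                    error.actions = [messages.getMessage('macKeychainOutOfSync')];
                }
                throw error;
            }
        });
    }
    /**
     * Heuristic check that `text` has the shape `encrypt()` produces.
     *
     * @param {string} [text]
     * @returns {boolean} true when there are exactly two `:`-separated parts, the
     *   tag is 32 hex chars and the payload is at least an IV's worth of hex.
     */
    isEncrypted(text) {
        if (text == null) {
            return false;
        }
        const tokens = text.split(TAG_DELIMITER);
        if (tokens.length !== 2) {
            return false;
        }
        const [value, tag] = tokens;
        // Anchored on purpose: the module-level ENCRYPTED_CHARS only proves that one
        // hex digit is present, which lets strings decrypt() cannot parse through.
        const hexOnly = /^[a-f0-9]+$/;
        // The IV occupies BYTE_COUNT_FOR_IV * 2 hex chars of the payload.
        return (tag.length === AUTH_TAG_LENGTH &&
            value.length >= BYTE_COUNT_FOR_IV * 2 &&
            hexOnly.test(tag) &&
            hexOnly.test(value));
    }
    /**
     * Wipes the key buffer unless `noResetOnClose` was requested in `init()`.
     */
    close() {
        if (!this.noResetOnClose) {
            this.key.clear();
        }
    }
    /**
     * Loads the key from the keychain into `this.key`. When no password exists,
     * generates one (16 random bytes, hex-encoded), stores it and re-runs `init()`.
     *
     * @throws the keychain error when it is not a PasswordNotFoundError, or the
     *   PasswordNotFoundError itself when `options.retryStatus === 'KEY_SET'`.
     */
    async init() {
        const logger = await logger_1.Logger.child('crypto');
        if (!this.options.platform) {
            this.options.platform = os.platform();
        }
        logger.debug(`retryStatus: ${this.options.retryStatus}`);
        this.noResetOnClose = Boolean(this.options.noResetOnClose);
        try {
            const keychain = await this.getKeyChain(this.options.platform);
            const { password } = await keychainPromises.getPassword(keychain, KEY_NAME, ACCOUNT);
            this.key.consume(Buffer.from(password, 'utf8'));
        }
        catch (err) {
            if (err.name !== 'PasswordNotFoundError') {
                throw err;
            }
            if (this.options.retryStatus === 'KEY_SET') {
                logger.debug('a key was set but the retry to get the password failed.');
                throw err;
            }
            logger.debug('password not found in keychain attempting to created one and re-init.');
            const key = crypto.randomBytes(16).toString('hex');
            await keychainPromises.setPassword((0, ts_types_1.ensure)(this.options.keychain), KEY_NAME, ACCOUNT, key);
            // NOTE(review): nothing in this file assigns `retryStatus`; if the write
            // is accepted but the re-read keeps raising PasswordNotFoundError and the
            // caller has not set 'KEY_SET', this recursion does not terminate — confirm
            // against the keychain implementations.
            return this.init();
        }
    }
    /**
     * Returns the configured keychain, resolving one for `platform` on first use.
     *
     * @param {string} platform - value of `os.platform()` or a caller override.
     * @returns {Promise<object>} the keychain implementation.
     */
    async getKeyChain(platform) {
        if (!this.options.keychain) {
            this.options.keychain = await (0, keyChain_1.retrieveKeychain)(platform);
        }
        return this.options.keychain;
    }
}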
|
// Public export; `init()` must run before `encrypt()`/`decrypt()` are usable.
exports.Crypto = Crypto;
|
221 |
|