Support authenticating via certfp #1757
Conversation
Half-Shot
force-pushed
the
hs/cert-fp-initial
branch
from
20208b3
to
dd9e764
Compare
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
Half-Shot
force-pushed
the
hs/cert-fp-initial
branch
from
92c10fa
to
0d8ba80
Compare
| const password = randomBytes(32).toString(ENCRYPTED_ENCODING); | ||
| const key = await scrypt(password, 'salt', 32) as Buffer; |
There was a problem hiding this comment.
As long as you're generating a random password, there's probably not much of a point in passing to scrypt, as it can be used directly as an AES key.
| const streamPromise = new Promise<string>((resolve, reject) => { | ||
| cipher.on('error', (err) => reject(err)); | ||
| cipher.on('end', () => resolve( | ||
| `lg:${secret}:${encrypted}` | ||
| )); | ||
| }); | ||
|
|
||
| cipher.on('data', (chunk) => { encrypted += chunk }); | ||
| cipher.write(plaintext); | ||
| cipher.end(); | ||
| return streamPromise; |
There was a problem hiding this comment.
Since the data to be written into the cipher is known to be just the provided plaintext, it'd be more direct to use cipher.update and cipher.final instead of bothering with stream callbacks.
| const [, keyPlusIvEnc, data] = encryptedString.split(':', 3); | ||
| const [keyB64, ivB64] = this.decrypt(keyPlusIvEnc).split('_'); |
There was a problem hiding this comment.
Is it guaranteed that the ciphertexts of encrypt() or the AES cipher won't contain underscores or colons that would interfere with these splits?
|
are you still intending on working on this? having storepass work on oftc would be really nice! |
|
This is an alternative to |
Fixes #1483, #747
Requires matrix-org/node-irc#110
Most of the work was already done in node-irc, so this just needs the bridge to store and pass through the certificate. I haven't yet implemented a way for users to pass the cert to the bridge. I am wary of passing it through the admin room directly as it would leave the cert in Matrix.
Perhaps we may have a HTTP submission page of some kind.