Add CLI

Author: Ansimorph

.npmignore

@@ -0,0 +1,58 @@
+# Logs
+logs
+*.log
+npm-debug.log*
+yarn-debug.log*
+yarn-error.log*
+
+# Runtime data
+pids
+*.pid
+*.seed
+*.pid.lock
+
+# Directory for instrumented libs generated by jscoverage/JSCover
+lib-cov
+
+# Coverage directory used by tools like istanbul
+coverage
+
+# nyc test coverage
+.nyc_output
+
+# Grunt intermediate storage (http://gruntjs.com/creating-plugins#storing-task-files)
+.grunt
+
+# Bower dependency directory (https://bower.io/)
+bower_components
+
+# node-waf configuration
+.lock-wscript
+
+# Compiled binary addons (http://nodejs.org/api/addons.html)
+build/Release
+
+# Dependency directories
+node_modules/
+jspm_packages/
+
+# Typescript v1 declaration files
+typings/
+
+# Optional npm cache directory
+.npm
+
+# Optional eslint cache
+.eslintcache
+
+# Optional REPL history
+.node_repl_history
+
+# Output of 'npm pack'
+*.tgz
+
+# Yarn Integrity file
+.yarn-integrity
+
+# dotenv environment variables file
+.env

cli.js

@@ -0,0 +1,2 @@
+#!/usr/bin/env node
+require("./dist/cli");

package-lock.json

@@ -4,9 +4,10 @@
   "description": "Webpack loader that decrypts assets encrypted by node-cipher",
   "repository": "https://github.com/Ansimorph/decryption-loader/",
   "main": "index.js",
+  "bin": "./cli.js",
   "scripts": {
     "build": "tsc --version && tsc",
-    "test": "jest"
+    "test": "npm run build && jest --runInBand"
   },
   "author": "Björn Ganslandt",
   "license": "MIT",
@@ -22,12 +23,13 @@
     "schema-utils": "^2.0.1"
   },
   "devDependencies": {
+    "@types/inquirer": "^6.5.0",
     "@types/loader-utils": "^2.0.1",
     "@types/webpack": "^4.41.17",
     "del": "^5.0.0",
+    "inquirer": "^7.2.0",
     "jest": "^26.0.1",
     "memory-fs": "^0.5.0",
-    "node-cipher": "^6.3.3",
     "prettier": "^2.0.5",
     "raw-loader": "^4.0.0",
     "typescript": "^3.9.5",

package.json

@@ -3,25 +3,27 @@
 
 # Decryption Loader
 
-Decrypt assets that were encrypted with [node-cipher][node-cipher-url] in webpack
+Decrypt assets with webpack
 
 ## Why?
 
-If your public repository includes files you can't share with the world, one solution is to encrypt them. [node-cipher][node-cipher-url] is a node-based cli for this purpose. Decryption-loader allows you to decrypt encrypted assets at build-time right in webpack.
+If your public repository includes files you can't share with the world, one solution is to encrypt them. Decryption-loader allows you to encrypt assets via CLI and decrypt them at build-time right in webpack.
 
 ## Install
 
 ```bash
 npm install decryption-loader
 ```
 
-To encrypt files, install [node-cipher][node-cipher-url]:
+## Encryption
 
 ```bash
-npm install node-cipher -g
+npx decryption-loader example.txt
 ```
 
-## Usage
+You will be prompted for a password and an encrypted file `example.txt.enc` is created.
+
+## Decryption
 
 **webpack.config.js**
 
@@ -47,14 +49,8 @@ Be careful: Your webpack configuration file is probably not a safe place to keep
 
 ## Options
 
-Decryption loader mirrors the [options available in node-cipher](https://github.com/nathanbuchar/node-cipher/blob/master/docs/using-the-node-js-api.md#options):
-
 -   **`password`** (string) _required_: The password used to derive the encryption key
--   **`algorithm`** (string): The algorithm used to encrypt the data. Run `nodecipher -A` for a complete list of available algorithms. Default is _cast5_
--   **`salt`** (string): The salt used to derive the encryption key. Default is _nodecipher_
--   **`iterations`** (number): The number of iterations used to derive the key. Default is _1000_
--   **`keylen`** (number): The byte length of the derived key. Default is _512_
--   **`digest`** (string): The hash function used to derive the key. Run `nodecipher -H` for a complete list of available hash algorithms Default is _sha1_
+-   **`salt`** (string): The salt used to derive the encryption key. Default is _secure_
 
 ## An Example
 
@@ -63,7 +59,7 @@ Decryption loader mirrors the [options available in node-cipher](https://github.
 Say you have `font.woff`, a commercial font that you want to include in your public repository, but can't because of licensing issues. Let's encrypt it to solve this problem:
 
 ```bash
-nodecipher enc font.woff font.woff.cast5 -p password
+npx decryption-loader font.woff
 ```
 
 ### 2: Store password
@@ -106,7 +102,7 @@ module.exports = {
     module: {
         rules: [
             {
-                test: /\.(cast5)$/,
+                test: /\.(enc)$/,
                 use: [
                     {
                         loader: "file-loader",
@@ -125,8 +121,7 @@ module.exports = {
 };
 ```
 
-And we're done. The encrypted file is now decrypted and then processed by file-loader as `font.woff`. You can reference the encrypted file `font.woff.cast5` in your CSS like a normal font file.
+And we're done. The encrypted file is now decrypted and then processed by file-loader as `font.woff`. You can reference the encrypted file `font.woff.enc` in your CSS like a normal font file.
 
 [npm]: https://img.shields.io/npm/v/decryption-loader.svg
 [npm-url]: https://npmjs.com/package/decryption-loader
-[node-cipher-url]: https://www.npmjs.com/package/node-cipher

readme.md

@@ -0,0 +1,25 @@
+/* Taken from https://medium.com/@brandonstilson/lets-encrypt-files-with-node-85037bea8c0e */
+
+import { Transform, TransformOptions } from "stream";
+
+class AppendInitVect extends Transform {
+  private initVector: Buffer;
+  private appended: boolean;
+
+  constructor(initVector: Buffer, options?: TransformOptions) {
+    super(options);
+    this.initVector = initVector;
+    this.appended = false;
+  }
+
+  _transform(chunk: any, _encoding: string, callback: Function) {
+    if (!this.appended) {
+      this.push(this.initVector);
+      this.appended = true;
+    }
+    this.push(chunk);
+    callback();
+  }
+}
+
+export = AppendInitVect;

src/AppendInitVector.ts

@@ -0,0 +1,38 @@
+import inquirer from "inquirer";
+import { encryptFile } from "./cryptoUtils";
+
+const fileName = process.argv[2];
+
+function cannotBeEmpty(value: string) {
+  if (value && value !== "") {
+    return true;
+  }
+
+  return "Password cannot be empty";
+}
+
+function fail() {
+  console.log("Usage: node cli.ts FILENAME");
+  process.exit(1);
+}
+
+function main() {
+  if (!fileName) {
+    fail();
+  }
+
+  inquirer
+    .prompt([
+      {
+        type: "password",
+        message: "Enter a password",
+        name: "password",
+        validate: cannotBeEmpty,
+      },
+    ])
+    .then((answers) => {
+      encryptFile(fileName, answers.password);
+    });
+}
+
+main();

src/cli.ts

@@ -0,0 +1,60 @@
+import {
+  pbkdf2Sync,
+  BinaryLike,
+  createDecipheriv,
+  createCipheriv,
+  randomBytes,
+} from "crypto";
+import { createReadStream, createWriteStream } from "fs";
+import * as path from "path";
+import AppendInitVector from "./AppendInitVector";
+
+const ITERATIONS = 1000;
+const KEY_LENGTH = 32;
+const DIGEST = "sha1";
+const CIPHER = "aes-256-cbc";
+const DEFAULT_SALT = "secure";
+const IV_LENGTH = 16;
+
+export function getKey(
+  password: BinaryLike,
+  salt: BinaryLike = DEFAULT_SALT
+): Buffer {
+  return pbkdf2Sync(password, salt, ITERATIONS, KEY_LENGTH, DIGEST);
+}
+
+export function getDecipher(key: Buffer, iv: Buffer) {
+  return createDecipheriv(CIPHER, key, iv);
+}
+
+export function getCipher(key: Buffer, iv: Buffer) {
+  return createCipheriv(CIPHER, key, iv);
+}
+
+export function getIVFromBuffer(buffer: Buffer): Buffer {
+  const iv = Buffer.alloc(IV_LENGTH);
+  buffer.copy(iv, 0, 0, IV_LENGTH);
+
+  return iv;
+}
+
+export function getCipherTextFromBuffer(buffer: Buffer): Buffer {
+  const ciphertext = Buffer.alloc(IV_LENGTH);
+  buffer.copy(ciphertext, 0, IV_LENGTH, buffer.length);
+
+  return ciphertext;
+}
+
+export function encryptFile(file: string, key: string, salt?: string) {
+  // Generate a secure, pseudo random initialization vector.
+  const initVector = randomBytes(IV_LENGTH);
+
+  // Generate a cipher key from the password.
+  const readStream = createReadStream(file);
+  const cipher = getCipher(getKey(key, salt), initVector);
+  const appendInitVect = new AppendInitVector(initVector);
+  // Create a write stream with a different file extension.
+  const writeStream = createWriteStream(path.join(file + ".enc"));
+
+  readStream.pipe(cipher).pipe(appendInitVect).pipe(writeStream);
+}

src/cryptoUtils.ts

@@ -1,4 +1,3 @@
-import { createDecipher, pbkdf2Sync } from "crypto";
 import * as webpack from "webpack";
 import * as loaderUtils from "loader-utils";
 import validateOptions from "schema-utils";
@@ -7,48 +6,33 @@ import {
   Schema,
   ValidationErrorConfiguration,
 } from "schema-utils/declarations/validate";
-
-const defaultOptions = {
-  password: "",
-  algorithm: "cast5-cbc",
-  salt: "nodecipher",
-  digest: "sha1",
-  iterations: 1000,
-  keylen: 512,
-};
+import { getKey, getDecipher, getIVFromBuffer, getCipherTextFromBuffer } from "./cryptoUtils";
 
 const validationErrorOptions = {
   name: "Decryption Loader",
 } as ValidationErrorConfiguration;
 
-function loader(
-  this: webpack.loader.LoaderContext,
-  ciphertext: any
-): Buffer {
+interface Options {
+  salt?: string,
+  password: string
+}
+
+function loader(this: webpack.loader.LoaderContext, content: any): Buffer {
   // Result can be cached
   this.cacheable && this.cacheable();
 
   // Get and validate options
-  const options = {
-    ...defaultOptions,
-    ...loaderUtils.getOptions(this),
-  };
+  const options = loaderUtils.getOptions(this) as unknown as Options;
 
   validateOptions(validationSchema as Schema, options, validationErrorOptions);
 
   // Derive Key from password
-  const key = pbkdf2Sync(
-    options.password,
-    options.salt,
-    options.iterations,
-    options.keylen,
-    options.digest
-  );
+  const key = getKey(options.password, options.salt);
 
   // Run Decryption
-  const decipher = createDecipher(options.algorithm, key.toString("hex"));
+  const decipher = getDecipher(key, getIVFromBuffer(content));
 
-  return Buffer.concat([decipher.update(ciphertext), decipher.final()]);
-};
+  return Buffer.concat([decipher.update(getCipherTextFromBuffer(content)), decipher.final()]);
+}
 
 export = loader;

src/index.ts

@@ -4,20 +4,8 @@
         "password": {
             "type": "string"
         },
-        "algorithm": {
-            "type": "string"
-        },
         "salt": {
             "type": "string"
-        },
-        "digest": {
-            "type": "string"
-        },
-        "iterations": {
-            "type": "number"
-        },
-        "keylen": {
-            "type": "number"
         }
     },
     "additionalProperties": false

src/options-schema.json

@@ -1,50 +1,36 @@
 const compiler = require("./compiler.js");
-const nodecipher = require("node-cipher");
-const crypto = require("crypto");
+const cryptoUtils = require("../dist/cryptoUtils");
 const del = require("del");
 
-async function enAndDecrypt(options) {
-    // Generate unique filename for encrypted file
-    const hash = crypto
-        .createHash("md5")
-        .update(JSON.stringify(options))
-        .digest("hex");
-    const filename = `fixture.txt.${hash}.enc`;
-
-    // Encrypt
-    const nodecipherConfig = {
-        input: "test/fixture.txt",
-        output: `test/${filename}`,
-    };
-
-    nodecipher.encryptSync(Object.assign(nodecipherConfig, options));
+const FILENAME = "test/fixture.txt";
+const FILENAME_ENCRYPTED = "test/fixture.txt.enc";
 
-    // Decrypt
-    const webpackConfig = {
-        loader: {
-            options: options,
-        },
-    };
-
-    return compiler(`${filename}`, webpackConfig).then(stats => {
-        const { source } = stats.toJson().modules[0];
-        expect(source).toBe("export default \"The Truth\";");
-
-        del.sync(`test/${filename}`);
-    });
+async function enAndDecrypt(options) {
+  // Encrypt
+  cryptoUtils.encryptFile(FILENAME, options.password, options.salt);
+
+  // Decrypt
+  const webpackConfig = {
+    loader: {
+      options: options,
+    },
+  };
+
+  return compiler("../" + FILENAME_ENCRYPTED, webpackConfig).then((stats) => {
+    const { source } = stats.toJson().modules[0];
+    expect(source).toContain('The Truth');
+
+    del.sync(FILENAME_ENCRYPTED);
+  });
 }
 
 test("Decrypt with default settings", () => {
-    return enAndDecrypt({ password: "passwörd" });
+  return enAndDecrypt({ password: "passwörd" });
 });
 
-test("Decrypt with non-default settings", () => {
-    return enAndDecrypt({
-        password: "passlörd",
-        algorithm: "aes-128-cbc",
-        salt: "pepper",
-        iterations: 2,
-        keylen: 256,
-        digest: "md5",
-    });
+test("Decrypt with custom salt", () => {
+  return enAndDecrypt({
+    password: "passlörd",
+    salt: "pepper",
+  });
 });