1.1.12 • Published 1 year ago

futoin-secvault v1.1.12

Weekly downloads
4
License
Apache-2.0
Repository
github
Last release
1 year ago

About

FutoIn Secure Vault (SV) is a concept to minimize the exposure of sensitive cryptographic data in projects. It allows different types of key management, data encryption and signing.

This reference implementation is based on encrypted SQL storage. However, the same interface can be implemented in Host Secure Modules (HSM) on demand.

Features:

  • Key types:
    • AES
    • RSA
    • HMAC
    • Password (plain password)
  • Key derivation:
    • PBKDF2
    • HKDF
  • Key manipulations:
    • Generation
    • Injection
    • Encrypted injection
    • Plain exposure
    • Encrypted exposure
    • Wipe out
    • Derivation
    • Public key exposure
  • Data manipulations
    • Encryption & Decryption
    • Signing & Verification

Documentation --> FutoIn Guide

Reference implementation of:

Author: Andrey Galkin

Installation for Node.js

Command line:

$ npm install futoin-secvault --save

or:

$ yarn add futoin-secvault --save

Examples

API documentation

Classes

DataFace

Data Face

Kind: global class

DataService

Data Service

Kind: global class

KeyFace

Keys Face

Kind: global class

KeyService

Key Service

Kind: global class

BaseFace

Base Face with neutral common registration functionality

Kind: global class
Note: Not official API

BaseFace.LATEST_VERSION

Latest supported FTN13 version

Kind: static property of BaseFace

BaseFace.PING_VERSION

Latest supported FTN4 version

Kind: static property of BaseFace

BaseFace.register(as, ccm, name, endpoint, credentials, options)

CCM registration helper

Kind: static method of BaseFace

Param | Type | Default | Description
as | AsyncSteps | | steps interface
ccm | AdvancedCCM | | CCM instance
name | string | | CCM registration name
endpoint | * | | see AdvancedCCM#register
credentials | * | | see AdvancedCCM#register
options | object | {} | interface options
options.version | string | "1.0" | interface version to use

BaseService

Base Service with common registration logic

Kind: global class

new BaseService(storage, options)

C-tor

Param | Type | Default | Description
storage | Storage | | low-level storage instance
options | object | | passed to superclass c-tor
options.failure_limit | integer | 10000 | limit crypt key decrypt failures

BaseService.register(as, executor, storage, options) ⇒ LimitsService

Register futoin.xfers.limits interface with Executor

Kind: static method of BaseService
Returns: LimitsService - instance

Param | Type | Description
as | AsyncSteps | steps interface
executor | Executor | executor instance
storage | Storage | low-level storage instance
options | object | implementation defined options

AESPlugin

AES plugin

Kind: global class

AESPlugin.register()

Register this plugin

Kind: static method of AESPlugin

HKDFPlugin

HKDF plugin

Kind: global class

HKDFPlugin.register()

Register this plugin

Kind: static method of HKDFPlugin

HMACPlugin

HMAC plugin

Kind: global class

HMACPlugin.register()

Register this plugin

Kind: static method of HMACPlugin

PasswordPlugin

Password plugin

Allows passwords from 4 to 255 unicode characters in length. Supports a custom character set through options.chars.

Supports secure password verification.

Kind: global class

PasswordPlugin.register()

Register this plugin

Kind: static method of PasswordPlugin

PBKDF2Plugin

PBKDF2 plugin

Kind: global class

PBKDF2Plugin.register()

Register this plugin

Kind: static method of PBKDF2Plugin

RSAPlugin

RSA plugin

Kind: global class

RSAPlugin.register()

Register this plugin

Kind: static method of RSAPlugin

VaultPlugin

Base for SecVault plugins

Kind: global class

vaultPlugin.defaultBits()

Default bits to use, if applicable

Kind: instance method of VaultPlugin

vaultPlugin.isAsymetric() ⇒ boolean

Check if type conforms to asymmetric cryptography requirements

Kind: instance method of VaultPlugin
Returns: boolean - true, if asymmetric

vaultPlugin.generate(as, options)

Generate new key

Kind: instance method of VaultPlugin
Note: passes raw key buffer to the next step

Param | Type | Description
as | AsyncSteps | AsyncSteps interface
options | object | implementation-defined options
options.bits | integer | key length, if applicable

vaultPlugin.validateKey(as, key)

Validate key data

Kind: instance method of VaultPlugin

Param | Type | Description
as | AsyncSteps | AsyncSteps interface
key | Buffer | key data to validate

vaultPlugin.derive(as, base, bits, hash, options)

Derive new key

Kind: instance method of VaultPlugin
Note: passes raw key buffer to the next step

Param | Type | Default | Description
as | AsyncSteps | | AsyncSteps interface
base | Buffer | | base key as is
bits | integer | | key length
hash | string | | hash name to use
options | object | | implementation-defined options
options.salt | string | "''" | salt, if any
options.info | string | "''" | info, if any
options.rounds | integer | 1000 | rounds, if any

vaultPlugin.pubkey(as, key, options)

Get public key from private key

Kind: instance method of VaultPlugin
Note: passes raw key buffer to the next step

Param | Type | Description
as | AsyncSteps | AsyncSteps interface
key | Buffer | raw private key
options | object | implementation-defined options

vaultPlugin.encrypt(as, key, data, options)

Encrypt arbitrary data

Kind: instance method of VaultPlugin
Note: Passes Buffer { edata | iv | authtag } to the next step

Param | Type | Default | Description
as | AsyncSteps | | AsyncSteps interface
key | Buffer | | raw key
data | Buffer | | raw data
options | object | | implementation-defined options
options.iv | Buffer | | custom IV, if needed
options.aad | Buffer | | additional data, if supported

vaultPlugin.decrypt(as, key, edata, options)

Decrypt arbitrary data

Kind: instance method of VaultPlugin
Note: Passes Buffer of raw data to the next step

Param | Type | Description
as | AsyncSteps | AsyncSteps interface
key | Buffer | raw key
edata | object | encrypted data as generated by encrypt
options | object | implementation-defined options
options.aad | string | additional authentication data, if applicable

vaultPlugin.sign(as, key, data, options)

Sign arbitrary data

Kind: instance method of VaultPlugin
Note: Passes Buffer { sig } to the next step

Param | Type | Description
as | AsyncSteps | AsyncSteps interface
key | Buffer | raw key
data | Buffer | raw data
options | object | implementation-defined options
options.hash | string | hash name, if applicable

vaultPlugin.verify(as, key, edata, sig, options)

Verify the signature of arbitrary data

Kind: instance method of VaultPlugin
Note: Passes Buffer of raw data to the next step

Param | Type | Description
as | AsyncSteps | AsyncSteps interface
key | Buffer | raw key
edata | object | encrypted data as generated by encrypt
sig | Buffer | signature to verify
options | object | implementation-defined options
options.hash | string | hash name, if applicable

vaultPlugin.random(as, size)

Common API to generate random data

Kind: instance method of VaultPlugin
Note: Passes Buffer of random data to the next step

Param | Type | Description
as | AsyncSteps | AsyncSteps interface
size | integer | how many bytes to generate

VaultPlugin.registerPlugin(name, impl)

Register plugin

Kind: static method of VaultPlugin

Param | Type | Description
name | string | plugin identifier
impl | VaultPlugin | plugin implementation

VaultPlugin.getPlugin(name) ⇒ VaultPlugin

Get plugin by name

Kind: static method of VaultPlugin
Returns: VaultPlugin - plugin instance

Param | Type | Description
name | string | plugin identifier

CachedStorageWrapper

Storage wrapper with advanced caching & invalidation

Kind: global class

new CachedStorageWrapper(ccm, target, options)

C-tor

Param | Type | Description
ccm | AdvancedCCM | CCM instance
target | Storage | target slow storage
options | object | extra options for fine tuning
options.evtpushExecutor | object | executor instance with PushService
options.cacheSize | integer | max cache entries
options.ttlMs | integer | Cache Time-To-Live in ms
options.syncDelayMs | integer | Cache Sync delay in ms
options.syncThreads | integer | Cache Sync parallelism

DBStorage

Database Encrypted secret storage

Kind: global class

EncryptedStorage

Encrypted secret storage base

Assume there is

Kind: global class

encryptedStorage.setStorageSecret(as, secret, cipher_opts, kdf_opts)

Configure common storage secret which is used to encrypt keys

Kind: instance method of EncryptedStorage

Param | Type | Default | Description
as | AsyncSteps | | AsyncSteps interface
secret | Buffer | | some arbitrary secret
cipher_opts | object | {} | options for encryption/decryption
cipher_opts.type | string | "AES" | cipher type
cipher_opts.bits | integer | 256 | key length for KDF
cipher_opts.mode | string | "GCM" | cipher block mode
cipher_opts.aad | string | "SecVault" | additional auth data
kdf_opts | object | null | {} | KDF options, null to disable
kdf_opts.type | string | "HKDF" | KDF type
kdf_opts.salt | string | "SecVault" | KDF salt
kdf_opts.info | string | "KEK" | info parameter for HKDF
kdf_opts.rounds | string | 1000 | rounds for PBKDF2

encryptedStorage.isLocked() ⇒ boolean

Check if storage is locked

Kind: instance method of EncryptedStorage
Returns: boolean - true, if locked

KeyInfo

Sealed key info

Kind: global class

new KeyInfo(info)

C-tor

Param | Type | Default | Description
info | object | {} | optional default values

SQLStorage

SQL secret storage

Kind: global class

new SQLStorage(ccm, options)

C-tor

Param | Type | Default | Description
ccm | AdvancedCCM | | CCM instance with registered 'secvault' DB
options | object | | options
options.key_table | string | "enc_keys" | name of encrypted key table

Storage

Secret storage base

Kind: global class
