Spaces:

Rakshitjan
/

cps_b2c

Sleeping

App Files Files Community

Rakshitjan commited on Nov 26, 2025

Commit

3b5eda5

verified ·

1 Parent(s): ef4f573

Create crypto_utils_b2c.js

Browse files

Files changed (1) hide show

crypto_utils_b2c.js +204 -0

crypto_utils_b2c.js ADDED Viewed

	@@ -0,0 +1,204 @@

+const crypto = require("crypto");
+/**
+ * crypto_utils.js
+ * Hybrid Encryption: AES-256-GCM + RSA-OAEP + SHA256withRSA
+ *
+ * Functions Exposed:
+ *   encryptString(text)
+ *   decryptString(encryptedText)
+ *
+ * Required ENV variables:
+ *   PRIVATE_KEY   (PKCS8 private key)
+ *   PUBLIC_CERT   (X.509 certificate)
+ */
+/* -------------------------------------------------------
+   PEM NORMALIZATION HELPERS (for raw Base64 input)
+-------------------------------------------------------- */
+function wrapPrivateKey(key) {
+  if (!key) throw new Error("Missing PRIVATE_KEY");
+  if (key.includes("BEGIN")) return key; // Already PEM
+  const clean = key.replace(/\s+/g, "");
+  return `-----BEGIN PRIVATE KEY-----
+${clean.match(/.{1,64}/g).join("\n")}
+-----END PRIVATE KEY-----`;
+}
+function wrapCertificate(cert) {
+  if (!cert) throw new Error("Missing PUBLIC_CERT");
+  if (cert.includes("BEGIN")) return cert; // Already PEM
+  const clean = cert.replace(/\s+/g, "");
+  return `-----BEGIN CERTIFICATE-----
+${clean.match(/.{1,64}/g).join("\n")}
+-----END CERTIFICATE-----`;
+}
+/* -------------------------------------------------------
+   LOAD KEYS
+-------------------------------------------------------- */
+const PRIVATE_KEY = wrapPrivateKey(process.env.PRIVATE_KEY);
+const PUBLIC_CERT = wrapCertificate(process.env.PUBLIC_CERT);
+/* -------------------------------------------------------
+   AES-256-GCM IMPLEMENTATION
+-------------------------------------------------------- */
+function aesEncrypt(plainText, key, iv) {
+  const cipher = crypto.createCipheriv("aes-256-gcm", key, iv);
+  const encrypted = Buffer.concat([
+    cipher.update(plainText, "utf8"),
+    cipher.final()
+  ]);
+  const tag = cipher.getAuthTag();
+  return Buffer.concat([encrypted, tag]).toString("base64");
+}
+function aesDecrypt(cipherBase64, key, iv) {
+  const buffer = Buffer.from(cipherBase64, "base64");
+  const tag = buffer.slice(buffer.length - 16);
+  const ciphertext = buffer.slice(0, buffer.length - 16);
+  const decipher = crypto.createDecipheriv("aes-256-gcm", key, iv);
+  decipher.setAuthTag(tag);
+  const decrypted = Buffer.concat([
+    decipher.update(ciphertext),
+    decipher.final()
+  ]);
+  return decrypted.toString("utf8");
+}
+/* -------------------------------------------------------
+   RSA HELPERS
+-------------------------------------------------------- */
+function rsaEncryptBase64(str) {
+  return crypto
+    .publicEncrypt(
+      {
+        key: PUBLIC_CERT,
+        padding: crypto.constants.RSA_PKCS1_OAEP_PADDING
+      },
+      Buffer.from(str, "utf8")
+    )
+    .toString("base64");
+}
+function rsaDecryptToString(b64) {
+  return crypto
+    .privateDecrypt(
+      {
+        key: PRIVATE_KEY,
+        padding: crypto.constants.RSA_PKCS1_OAEP_PADDING
+      },
+      Buffer.from(b64, "base64")
+    )
+    .toString("utf8");
+}
+/* -------------------------------------------------------
+   SIGN / VERIFY HELPERS
+-------------------------------------------------------- */
+function signData(data) {
+  const sign = crypto.createSign("RSA-SHA256");
+  sign.update(data);
+  sign.end();
+  return sign.sign(PRIVATE_KEY).toString("base64");
+}
+function verifyData(data, signatureB64) {
+  const verify = crypto.createVerify("RSA-SHA256");
+  verify.update(data);
+  verify.end();
+  return verify.verify(PUBLIC_CERT, Buffer.from(signatureB64, "base64"));
+}
+/* -------------------------------------------------------
+   PUBLIC FUNCTIONS
+-------------------------------------------------------- */
+/**
+ * Encrypt a plain string using:
+ * AES-256-GCM + RSA-OAEP + SHA256withRSA
+ */
+function encryptStringB2C(text) {
+  try {
+    const aesKey = crypto.randomBytes(32); // 256-bit
+    const iv = crypto.randomBytes(16);     // 128-bit
+    // AES encrypt
+    const aesCipher = aesEncrypt(text, aesKey, iv);
+    // Signature over AES ciphertext (Base64)
+    const signature = signData(aesCipher);
+    // RSA encrypted AES key
+    const encryptedKey = rsaEncryptBase64(aesKey.toString("base64"));
+    // Assemble: header : iv : cipher : signature
+    const payload = [
+      encryptedKey,
+      iv.toString("base64"),
+      aesCipher,
+      signature
+    ].join(":");
+    // Final base64 wrapper
+    return Buffer.from(payload, "utf8").toString("base64");
+  } catch (err) {
+    console.error("Encryption error:", err.message);
+    throw new Error("Failed to encrypt data");
+  }
+}
+/**
+ * Decrypt the hybrid AES/RSA encrypted Base64 payload
+ */
+function decryptStringB2C(encryptedText) {
+  try {
+    const decoded = Buffer.from(encryptedText, "base64").toString("utf8");
+    const parts = decoded.split(":");
+    if (parts.length < 4) throw new Error("Invalid encrypted payload");
+    const [encryptedKey, iv64, cipher64, signature64] = parts;
+    // RSA decrypt AES key
+    const aesKeyBase64 = rsaDecryptToString(encryptedKey);
+    const aesKey = Buffer.from(aesKeyBase64, "base64");
+    // Verify signature
+    if (!verifyData(cipher64, signature64)) {
+      throw new Error("Signature verification failed");
+    }
+    const iv = Buffer.from(iv64, "base64");
+    // AES decrypt
+    return aesDecrypt(cipher64, aesKey, iv);
+  } catch (err) {
+    console.error("Decryption error:", err.message);
+    throw new Error("Failed to decrypt data");
+  }
+}
+/* -------------------------------------------------------
+   EXPORTS
+-------------------------------------------------------- */
+module.exports = {
+  encryptStringB2C,
+  decryptStringB2C
+};