KNET Payment Gateway Integration in Next.js - javascript

I need to integrate KNET payment gateway in a Next.js application. But I wasn't able to find any documentation or example for that.
Can anyone please help me and provide any idea how to integrate the KNET in Javascript.


After some more research, here is how I was able to integrate KNET in Next.js:
import * as crypto from 'crypto'
const pkcs5Pad = (text: string) => {
const blocksize = 16
const pad = blocksize - (text.length % blocksize)
return text + pad.toString().repeat(pad)
}
const aesEncrypt = (text: string, key: string) => {
const AES_METHOD = 'aes-128-cbc'
const content = pkcs5Pad(text)
try {
const cipher = crypto.createCipheriv(AES_METHOD, new Buffer(key), key)
let encrypted = cipher.update(content)
encrypted = Buffer.concat([encrypted, cipher.final()])
return `${encrypted.toString('hex')}`
} catch (err) {
/* empty */
}
}
const aesDecrypt = (text: string) => {
const AES_METHOD = 'aes-128-cbc'
const key = process.env.termResourceKey
const decipher = crypto.createDecipheriv(
AES_METHOD,
new Buffer(key as string),
key as string
)
const encryptedText = new Buffer(text, 'hex')
let decrypted = decipher.update(encryptedText)
decrypted = Buffer.concat([decrypted, decipher.final()])
return decrypted.toString()
}
const initiateKnetPayment = () => {
const kpayUrl = process.env.kpayUrl // https://www.kpay.com.kw/kpg/PaymentHTTP.htm for production or https://www.kpaytest.com.kw/kpg/PaymentHTTP.htm for test
const tranportalId = process.env.tranportalId
const tranportalPassword = process.env.tranportalPassword
const termResourceKey = process.env.termResourceKey
const responseUrl = process.env.kpayResponseUrl
const errorUrl = process.env.kpayErrorUrl
const paramData = {
currencycode: '414',
id: tranportalId,
password: tranportalPassword,
action: '1',
langid: 'AR',
amt: 20, // amount
responseURL: responseUrl,
errorURL: errorUrl,
trackid: Math.random(),
udf3: 12345678 // 8 digit numeric value as customer identifier
}
let params = ''
Object.keys(paramData).forEach((key) => {
params += `${key}=${paramData[key as keyof typeof paramData]}&`
})
const encryptedParams = aesEncrypt(params, termResourceKey)
params = `${encryptedParams}&tranportalId=${tranportalId}&responseURL=${responseUrl}&errorURL=${errorUrl}`
const url = `${kpayUrl}?param=paymentInit&trandata=${params}`
Router.push(url)
}

Related

crypto.subtle decrypting compact jwe with ECDH-ES+A128KW - The operation failed for an operation-specific reason

I am trying to decrypt a compact JWE formatted response message with the crypto.subtle libraries.
I am sending to the Server my public key in JWK format with curve algo ECDH-ES+A128KW, encryption A256GCM, curve name P-256.
The server sends me back a compact JWE response.
As I understand this flow, it should be something like:
Client sends the public key to the Server
Server responds to client back the compact JWE message
Client derives the shared AES 128 KW key based on servers public key and own private key
Client unwraps the AES 128 GCM key using the shared AES 128 KW key
Clients decrypts the ciphertext using the AES 128 GCM key.
When my code reaches the unwrapKey step, i am only getting the error The operation failed for an operation-specific reason. At the moment I fail to find the problem.
My code looks like this right now:
export const decryptCompactJWE = async (
compactJWE: string,
privateKey: CryptoKey
) => {
const [protectedHeader, encryptedKey, iv, ciphertext, tag] =
compactJWE.split(".");
const header = JSON.parse(Buffer.from(protectedHeader, "base64").toString());
console.log("header:", header);
const publicKey = await crypto.subtle.importKey(
"jwk",
header.epk,
{
name: "ECDH",
namedCurve: "P-256",
},
true,
["deriveKey", "deriveBits"]
);
const derivedKey = await crypto.subtle.deriveKey(
{ name: "ECDH", public: publicKey },
privateKey,
{ name: "AES-KW", length: 128 },
true,
["unwrapKey"]
);
const myJWK = await crypto.subtle.exportKey("jwk", derivedKey);
console.log("jwk", myJWK);
const myAESKey = await crypto.subtle.unwrapKey(
"raw",
Buffer.from(encryptedKey, "base64url"),
derivedKey,
"AES-KW",
{ name: "AES-GCM" },
false,
["decrypt"]
);
console.log(myAESKey);
return crypto.subtle.decrypt(
{ name: "AES-GCM", iv: Buffer.from(iv, "base64url") },
myAESKey,
Buffer.from(ciphertext, "base64url")
);
};
Here is my test data:
const privateKey = {
kty: "EC",
crv: "P-256",
ext: true,
key_ops: ["deriveKey", "deriveBits"],
d: "vPZxnkg-j1xZ_8BZfH6jIvV52NvG2pxsZhmYgI9BEec",
x: "CorZZG9qa5korQ6eVLenbFz2QyGKkpoEYlAJxF1JzGA",
y: "yIEnQSGlMNVp6JEzZO3QvjQ0UDAwepzUZqwgsv0OTQE",
};
const JWE_RESPONSE = "eyJhbGciOiJFQ0RILUVTK0ExMjhLVyIsImVuYyI6IkExMjhHQ00iLCJraWQiOiJhYmMxMjMiLCJlcGsiOnsia3R5IjoiRUMiLCJ4IjoiNmNReW1GUlJSTjVkVHdoOHA5dWx1NkgwS3paSkRGcm4xdjFKb2NzVURCUSIsInkiOiJTSGliQjFEMnBHMmVMbUxMV09HTTB4UUtCRDFpM3ZtZjJRNjZIM2RnbzJ3IiwiY3J2IjoiUC0yNTYifX0.OwriqBm-PXkIj_QwbqKZRVxql0sja2-p.UrZs5Ixu_rFCxpCw.z9Rfhw.m6AgqKsttsp9TV2dREgbWw";
So far I looked up a all examples I could find to implement this and based on those it kinda looks okay. The debugger is not stepping into the native crypto.subtle code and the error message is also not telling much about what is going wrong for me. The existing examples I found so far, are mostly less complex and skip the key derive part.

WebCrypto is a low level API that in particular does not support JWT/JWS/JWE, so decrypting the token with WebCrypto alone means a corresponding effort, since some functionalities have to be implemented by yourself.
According to the header, the token is encrypted with:
alg: "ECDH-ES+A128KW"
enc: "A128GCM"
Here ECDH-ES+A128KW means that a shared secret is derived with ECDH, from which a wrapping key is determined using Concat KDF. With this key the encrypted key is unwrapped using AES-KW. Finally, the unwrapped key is applied to decrypt the content using AES-128/GCM, see here.
In the posted code Concat KDF is not taken into account. This and some other issues are the reason why decryption fails. Since WebCrypto does not support Concat KDF, a custom implementation is needed (or an additional library), which affects the whole implementation.
The following changes and fixes are required in the individual processing steps:
Deriving the shared secret
One of the inputs to Concat KDF is the shared secret. First, the private and the public key involved are imported. Then the shared secret can be determined most efficiently with deriveBits().
The gives as shared secret (hex encoded):
832bb9a5ac5c1b7febc64ed9522aefedd9f5d62830972224b1226e5498a6d13a
Keep in mind here:
The shared secret for P-256 is 32 bytes in size.
When importing the public key, no key usages may be specified.
(async () => {
// input data: encrypted token and private JWK
const compactJWE = "eyJhbGciOiJFQ0RILUVTK0ExMjhLVyIsImVuYyI6IkExMjhHQ00iLCJraWQiOiJhYmMxMjMiLCJlcGsiOnsia3R5IjoiRUMiLCJ4IjoiNmNReW1GUlJSTjVkVHdoOHA5dWx1NkgwS3paSkRGcm4xdjFKb2NzVURCUSIsInkiOiJTSGliQjFEMnBHMmVMbUxMV09HTTB4UUtCRDFpM3ZtZjJRNjZIM2RnbzJ3IiwiY3J2IjoiUC0yNTYifX0.OwriqBm-PXkIj_QwbqKZRVxql0sja2-p.UrZs5Ixu_rFCxpCw.z9Rfhw.m6AgqKsttsp9TV2dREgbWw";
const privateKey = {
kty: "EC",
crv: "P-256",
ext: true,
key_ops: ["deriveKey", "deriveBits"],
d: "vPZxnkg-j1xZ_8BZfH6jIvV52NvG2pxsZhmYgI9BEec",
x: "CorZZG9qa5korQ6eVLenbFz2QyGKkpoEYlAJxF1JzGA",
y: "yIEnQSGlMNVp6JEzZO3QvjQ0UDAwepzUZqwgsv0OTQE",
};
const [protectedHeader, encryptedKey, iv, ciphertext, tag] = compactJWE.split(".");
// import private key and public key (header.epk)
const privateCryptoKey = await crypto.subtle.importKey(
"jwk",
privateKey,
{name: "ECDH", namedCurve: "P-256"},
false,
["deriveBits"]
);
const decoder = new TextDecoder();
const header = JSON.parse(decoder.decode(b64url2ab(protectedHeader)));
const publicCryptoKey = await crypto.subtle.importKey(
"jwk",
header.epk,
{name: "ECDH", namedCurve: "P-256"},
false,
[]
);
// ECDH: derive shared secret (size: 32 bytes for P-256)
const sharedSecret = await crypto.subtle.deriveBits(
{ name: "ECDH", public: publicCryptoKey },
privateCryptoKey,
256
);
console.log("ECDH - shared secret: " + ab2hex(sharedSecret)); // ECDH - shared secret: 832bb9a5ac5c1b7febc64ed9522aefedd9f5d62830972224b1226e5498a6d13a
})();
// Helper -------------------------------------------------------------------------------------------------------
function b64url2ab(base64_string){
base64_string = base64_string.replace(/-/g, '+').replace(/_/g, '/');
return Uint8Array.from(window.atob(base64_string), c => c.charCodeAt(0));
}
function ab2hex(ab) {
return Array.prototype.map.call(new Uint8Array(ab), x => ('00' + x.toString(16)).slice(-2)).join('');
}
Determining the wrapping key
From the shared secret the 16 bytes wrapping key can now be derived with Concat KDF. Concat KDF is described in Section 5.8.1 of NIST.800-56A. A JavaScript implementation can be found e.g. here.
Concat KDF has a number of other input data in addition to the shared secret, which are described here and illustrated here with an example. These are:
the algorithm, here: ECDH-ES+A128KW
the length of the output key (in bits), here: 128
the Base64url decoding of the "apu" (Agreement PartyUInfo) header parameter, if present, here: not present
the Base64url decoding of the "apv" (Agreement PartyVInfo) header parameter, if present, here: not present
This gives as wrapping key (hex encoded):
64c845c913d6a61208464a087ce72b81
(async () => {
const sharedSecret = hex2ab("832bb9a5ac5c1b7febc64ed9522aefedd9f5d62830972224b1226e5498a6d13a").buffer;
const encoder = new TextEncoder();
const algorithm = encoder.encode('ECDH-ES+A128KW'); // from header.alg
const keyLength = 128;
const apu = '';
const apv = '';
const otherInfo = concat(
lengthAndInput(algorithm),
lengthAndInput(apu),
lengthAndInput(apv),
uint32be(keyLength),
);
const wrappingKey = await concatKdf(new Uint8Array(sharedSecret), keyLength, otherInfo);
console.log("Concat KDF - wrapping key: " + ab2hex(wrappingKey)); // Concat KDF - wrapping key: 64c845c913d6a61208464a087ce72b81
})();
// Concat KDF implementation -------------------------------------------------------------------------------------------------------
function writeUInt32BE(buf, value, offset) {
buf.set([value >>> 24, value >>> 16, value >>> 8, value & 0xff], offset);
}
function uint32be(value) {
const buf = new Uint8Array(4);
writeUInt32BE(buf, value);
return buf;
}
async function concatKdf(secret, bits, value) {
const iterations = Math.ceil((bits >> 3) / 32);
const res = new Uint8Array(iterations * 32);
for (let iter = 0; iter < iterations; iter++) {
const buf = new Uint8Array(4 + secret.length + value.length);
buf.set(uint32be(iter + 1));
buf.set(secret, 4);
buf.set(value, 4 + secret.length);
res.set(Array.from(new Uint8Array(await crypto.subtle.digest('SHA-256', buf))), iter * 32);
}
return res.slice(0, bits >> 3);
}
function concat(...buffers) {
const size = buffers.reduce((acc, { length }) => acc + length, 0);
const buf = new Uint8Array(size);
let i = 0;
buffers.forEach((buffer) => {
buf.set(buffer, i);
i += buffer.length;
});
return buf;
}
function lengthAndInput(input) {
return concat(uint32be(input.length), input);
}
// Helper -------------------------------------------------------------------------------------------------------
function hex2ab(hex){
return new Uint8Array(hex.match(/[\da-f]{2}/gi).map(function (h) {return parseInt(h, 16)}));
}
function ab2hex(ab) {
return Array.prototype.map.call(new Uint8Array(ab), x => ('00' + x.toString(16)).slice(-2)).join('');
}
Note that aside from the sample data in this question, the Concat KDF implementation adapted for above code has not been tested further!
Unwrapping of the encrypted key and decryption of the ciphertext
After importing the wrapping key, the encrypted key can be unwrapped (AES-KW). With the unwrapped key the ciphertext can be decrypted (AES-128, GCM).
The gives as decrypted data (UTF-8 decoded):
8807
Note regarding AES/GCM that:
WebCrypto expects as ciphertext the concatenation of the actual ciphertext and the tag.
The token header has to be specified as additional authenticated data (AAD) (otherwise authentication fails).
(async () => {
const wrappingKey = hex2ab("64c845c913d6a61208464a087ce72b81").buffer;
// input data: encrypted token and private JWK
const compactJWE = "eyJhbGciOiJFQ0RILUVTK0ExMjhLVyIsImVuYyI6IkExMjhHQ00iLCJraWQiOiJhYmMxMjMiLCJlcGsiOnsia3R5IjoiRUMiLCJ4IjoiNmNReW1GUlJSTjVkVHdoOHA5dWx1NkgwS3paSkRGcm4xdjFKb2NzVURCUSIsInkiOiJTSGliQjFEMnBHMmVMbUxMV09HTTB4UUtCRDFpM3ZtZjJRNjZIM2RnbzJ3IiwiY3J2IjoiUC0yNTYifX0.OwriqBm-PXkIj_QwbqKZRVxql0sja2-p.UrZs5Ixu_rFCxpCw.z9Rfhw.m6AgqKsttsp9TV2dREgbWw";
const [protectedHeader, encryptedKey, iv, ciphertext, tag] = compactJWE.split(".");
// Import wrapping key, decrypt wrapped key:
const wrappingCryptoKey = await crypto.subtle.importKey(
"raw",
wrappingKey,
"AES-KW",
false,
["unwrapKey"]
);
const unwrappedCryptoKey = await crypto.subtle.unwrapKey(
"raw",
b64url2ab(encryptedKey),
wrappingCryptoKey,
"AES-KW",
{ name: "AES-GCM" },
false,
["decrypt"]
);
// Decrypt ciphertext
// - Concatenate ciphertext and tag: ciphertext|tag
// - Consider header as AAD
const encoder = new TextEncoder();
const ciphertextAB = new Uint8Array(b64url2ab(ciphertext));
const tagAB = new Uint8Array(b64url2ab(tag));
const ciphertextTag = new Uint8Array(ciphertextAB.length + tagAB.length);
ciphertextTag.set(ciphertextAB);
ciphertextTag.set(tagAB, ciphertextAB.length);
const additionalData = encoder.encode(protectedHeader);
const decryptedText = await crypto.subtle.decrypt(
{ name: "AES-GCM", iv: b64url2ab(iv), additionalData: additionalData },
unwrappedCryptoKey,
ciphertextTag
);
const decoder = new TextDecoder();
console.log("Decrypted text: " + decoder.decode(decryptedText)); // Decrypted text: 8807
})();
// Helper -------------------------------------------------------------------------------------------------------
function hex2ab(hex){
return new Uint8Array(hex.match(/[\da-f]{2}/gi).map(function (h) {return parseInt(h, 16)}));
}
function b64url2ab(base64_string){
base64_string = base64_string.replace(/-/g, '+').replace(/_/g, '/');
return Uint8Array.from(window.atob(base64_string), c => c.charCodeAt(0));
}
All together:
(async () => {
// input data: encrypted token and private JWK
const compactJWE = "eyJhbGciOiJFQ0RILUVTK0ExMjhLVyIsImVuYyI6IkExMjhHQ00iLCJraWQiOiJhYmMxMjMiLCJlcGsiOnsia3R5IjoiRUMiLCJ4IjoiNmNReW1GUlJSTjVkVHdoOHA5dWx1NkgwS3paSkRGcm4xdjFKb2NzVURCUSIsInkiOiJTSGliQjFEMnBHMmVMbUxMV09HTTB4UUtCRDFpM3ZtZjJRNjZIM2RnbzJ3IiwiY3J2IjoiUC0yNTYifX0.OwriqBm-PXkIj_QwbqKZRVxql0sja2-p.UrZs5Ixu_rFCxpCw.z9Rfhw.m6AgqKsttsp9TV2dREgbWw";
const privateKey = {
kty: "EC",
crv: "P-256",
ext: true,
key_ops: ["deriveKey", "deriveBits"],
d: "vPZxnkg-j1xZ_8BZfH6jIvV52NvG2pxsZhmYgI9BEec",
x: "CorZZG9qa5korQ6eVLenbFz2QyGKkpoEYlAJxF1JzGA",
y: "yIEnQSGlMNVp6JEzZO3QvjQ0UDAwepzUZqwgsv0OTQE",
};
const [protectedHeader, encryptedKey, iv, ciphertext, tag] = compactJWE.split(".");
// import private key and public key (header.epk)
const privateCryptoKey = await crypto.subtle.importKey(
"jwk",
privateKey,
{name: "ECDH", namedCurve: "P-256"},
false,
["deriveBits"]
);
const decoder = new TextDecoder();
const header = JSON.parse(decoder.decode(b64url2ab(protectedHeader)));
const publicCryptoKey = await crypto.subtle.importKey(
"jwk",
header.epk,
{name: "ECDH", namedCurve: "P-256"},
false,
[]
);
// ECDH: derive shared secret (size: 32 bytes for P-256)
const sharedSecret = await crypto.subtle.deriveBits(
{ name: "ECDH", public: publicCryptoKey },
privateCryptoKey,
256
);
// Concat KDF: determine wrapping key
const encoder = new TextEncoder();
const algorithm = encoder.encode('ECDH-ES+A128KW'); // from header.alg
const keyLength = 128;
const apu = '';
const apv = '';
const otherInfo = concat(
lengthAndInput(algorithm),
lengthAndInput(apu),
lengthAndInput(apv),
uint32be(keyLength),
);
const wrappingKey = await concatKdf(new Uint8Array(sharedSecret), keyLength, otherInfo);
// import wrapping key, decrypt wrapped key:
const wrappingCryptoKey = await crypto.subtle.importKey(
"raw",
wrappingKey,
"AES-KW",
false,
["unwrapKey"]
);
const unwrappedCryptoKey = await crypto.subtle.unwrapKey(
"raw",
b64url2ab(encryptedKey),
wrappingCryptoKey,
"AES-KW",
{ name: "AES-GCM" },
false,
["decrypt"]
);
// decrypt ciphertext
// - Concatenate ciphertext and tag: ciphertext|tag
// - Consider header as AAD
const ciphertextAB = new Uint8Array(b64url2ab(ciphertext));
const tagAB = new Uint8Array(b64url2ab(tag));
const ciphertextTag = new Uint8Array(ciphertextAB.length + tagAB.length);
ciphertextTag.set(ciphertextAB);
ciphertextTag.set(tagAB, ciphertextAB.length);
const additionalData = encoder.encode(protectedHeader);
const decryptedText = await crypto.subtle.decrypt(
{ name: "AES-GCM", iv: b64url2ab(iv), additionalData: additionalData },
unwrappedCryptoKey,
ciphertextTag
);
console.log("Decrypted text: " + decoder.decode(decryptedText)); // Decrypted text: 8807
})();
// Concat KDF implementation -------------------------------------------------------------------------------------------------------
function writeUInt32BE(buf, value, offset) {
buf.set([value >>> 24, value >>> 16, value >>> 8, value & 0xff], offset);
}
function uint32be(value) {
const buf = new Uint8Array(4);
writeUInt32BE(buf, value);
return buf;
}
async function concatKdf(secret, bits, value) {
const iterations = Math.ceil((bits >> 3) / 32);
const res = new Uint8Array(iterations * 32);
for (let iter = 0; iter < iterations; iter++) {
const buf = new Uint8Array(4 + secret.length + value.length);
buf.set(uint32be(iter + 1));
buf.set(secret, 4);
buf.set(value, 4 + secret.length);
res.set(Array.from(new Uint8Array(await crypto.subtle.digest('SHA-256', buf))), iter * 32);
}
return res.slice(0, bits >> 3);
}
function concat(...buffers) {
const size = buffers.reduce((acc, { length }) => acc + length, 0);
const buf = new Uint8Array(size);
let i = 0;
buffers.forEach((buffer) => {
buf.set(buffer, i);
i += buffer.length;
});
return buf;
}
function lengthAndInput(input) {
return concat(uint32be(input.length), input);
}
// Helper -------------------------------------------------------------------------------------------------------
function b64url2ab(base64_string){
base64_string = base64_string.replace(/-/g, '+').replace(/_/g, '/');
return Uint8Array.from(window.atob(base64_string), c => c.charCodeAt(0));
}

How to zlib deflate a string in browser

I have in my backend a simple system for encrypting and compressing data.
Backend NodeJS
export const aesEncrypt = (text: string, key: string = ENCRYPTION_KEY) => {
let iv = randomBytes(IV_LENGTH);
let cipher = createCipheriv('aes-256-cbc', Buffer.from(key), iv);
let encrypted = cipher.update(text);
encrypted = Buffer.concat([encrypted, cipher.final()]);
return iv.toString('hex') + ':' + encrypted.toString('hex');
}
export const textCompressToBase64Url = (text: string) => {
return deflateSync(text).toString('base64url')
}
export const packDataForUrl = (data: string, key: string = ENCRYPTION_KEY) => {
return textCompressToBase64Url(aesEncrypt(data, key))
}
Result string:
eJwVU8cRxDAIbIkowXUjUv8lHP55BoM2Bp_W59hmGWH0DrxKpMlumMlfgAKD2DBKEx0gJs9j2ll-D7Gfl2PAgn1dPN696eDor3dWdR4iHH3hGQRKqKVy790Dneo7VZMEelNVag-n4rKAjhn4NNCiMmqwQ7QHMjgfkk0Rd3GlyviJuxz2zJWh6-_oAd4z9WHQPMhXgQ7P3LkegZHMt9-8h_IA-qSfm5LVIxn3PMJ0DEZSefcNW4CVKMluHkfhqjdIyXSPPWdeJGeJUWjInVq4E3tCClEQq2NSDFfA1QjSi71twSRRoMMk7GtceDIzTCHm9iqjFcB3D0U-N6tTIdnnkpnf_VpHDBJ5VnVZas7DQMVUrUu5TWXZV81j378DjVsYsGhdI7j7my6mFT6HH5dxxusT6_CiKpISF-u3A8U4O-aguJbnMapTBa0R8qEf6iK_GsZoZ89ZuTkBNoCazYWwUR8nQ0jBq9xu6Vr70nMKwAHeXWSNhI4qOS6QjSvtDg_iLoQVRmfAy_RVv3yN7buUFS6MiKCf0yVsgqr8KqYYXf0zR56utsdzXLFGauMhJ7QggHSphe0bwH1DyuQJT-DGAyfgUltmP4JcPUJ0akPPB0NTW6bV-61OIGcSV7N1zcik1_67QIH1c6i3An5X41WgZZfugnkWRxYF-2LxMuskueL8dNV_z7Ub5StKPVmZ2e52Y5M3I905SlaVdG2rF9X5dFg307uxiak2vgYSruvggU07bhP5wV273c6-Z65Zd_mjb0HXXs7pe-mrA-lsHzQZNvp8z2jt4rrID89spGGlyLdsagOyWd-eX13TX1DmNhnRdkMzt0NRHivqORe3nH_9zDtg
I then try to use Pako (port of zlib for browser) in the frontend to deflate before doing a AES decrypt however i keep getting various errors:
export const textDecompressFromBase64Url = (text: string) => {
//#ts-ignore
const sanitizedbase64 = text.replace(/_/g, '/').replace(/-/g, '+')
const testData = convertDataURIToBinary(sanitizedbase64)
const inflated = inflate(testData).toLocaleString()
return inflated
}
const convertDataURIToBinary = (base64Data: string) => {
const raw = window.atob(base64Data);
const rawLength = raw.length;
let array = new Uint8Array(new ArrayBuffer(rawLength));
for (let i = 0; i < rawLength; i++) {
array[i] = raw.charCodeAt(i);
}
return array;
}
If I don't use { raw: true } I get the following which is not usable in my aes function in the inflate method:
98,51,54,101,53,97,57,49,101,56,56,99,98,98,56,50,97,54,48,97,100,99,49,50,102,99,101,101,48,102,102,99,58,98,48,53,48,51,48,52,56,102,51,49,52,101,50,50,54,48,50,51,50,57,99,54,56,53,101,99,100,57,55,54,50,51,57,54,97,99,102,56,48,51,52,49,101,55,57,52,57,98,97,55,55,99,57,48,57,49,57,97,101,51,57,54,100,100,54,97,49,49,48,54,53,97,98,57,99,98,50,48,53,50,49,53,100,53,52,55,55,55,53,101,99,101,99,53,57,97,49,49,53,56,52,99,48,50,97,102,100,100,100,53,56,97,49,102,100,98,55,51,52,48,53,102,56,56,48,57,102,101,48,50,56,50,97,56,50,101,48,56,54,50,50,50,48,53,99,98,51,99,97,49,50,56,102,100,50,51,101,100,51,100,99,53,52,102,57,54,98,55,57,49,101,52,99,48,55,52,102,50,55,57,97,54,53,54,48,51,98,55,51,100,101,51,57,54,53,99,54,49,51,55,53,48,50,54,51,102,102,55,102,55,57,98,98,49,98,99,51,51,55,101,97,102,97,97,49,52,97,48,48,101,54,99,57,54,55,99,52,99,100,101,102,52,99,98,55,54,97,50,49,99,57,49,98,51,49,50,53,52,97,55,97,102,51,56,98,48,56,100,52,53,50,52,98,99,51,54,57,49,52,51,100,100,97,102,49,50,99,51,50,55,54,56,97,57,51,51,51,100,99,54,53,52,55,50,98,53,98,52,55,102,100,48,56,54,102,98,99,57,49,52,100,49,49,52,49,49,100,101,98,102,99,52,56,49,50,54,48,52,57,98,48,99,57,100,51,57,101,56,55,102,55,99,50,50,98,49,57,48,102,99,48,49,98,51,51,100,49,54,99,99,99,98,56,53,48,98,102,55,101,49,53,56,53,100,98,48,51,55,98,99,57,98,99,97,57,56,56,100,54,100,98,52,99,101,54,55,50,56,56,57,55,52,99,101,50,50,54,56,48,99,49,51,102,55,55,99,52,102,55,57,57,51,102,51,48,50,100,51,50,100,101,53,55,53,48,101,56,53,52,99,54,49,100,100,102,97,51,57,99,101,50,98,49,56,51,101,52,51,48,49,100,50,97,99,102,50,48,55,100,101,53,53,50,54,48,100,53,56,99,102,51,97,51,100,56,51,99,98,97,101,54,98,99,54,56,49,57,48,100,50,52,100,52,57,52,56,101,97,100,56,51,53,49,98,54,56,51,99,51,98,50,98,55,56,99,54,97,51,49,53,57,50,100,98,50,102,100,50,52,99,48,49,98,102,50,101,100,50,57,55,53,98,56,51,49,56,54,99,102,51,56,100,57,56,57,50,48,49,101,48,48,53,56,56,102,55,48,98,56,102,53,57,102,57,50,56,49,48,99,52,49,55,53,51,101,57,56,99,57,53,100,49,57,48,97,57,50,98,48,49,102,48,51,51,49,56,49,51,53,98,99,48,101,98,100,100,52,54,57,52,48,99,101,49,100,99,54,48,49,102,54,49,49,101,57,56,98,56,100,49,98,101,99,98,48,97,99,99,57,51,50,55,100,57,48,50,54,101,55,100,51,50,53,48,55,48,102,52,52,52,49,57,54,54,101,100,52,51,56,52,49,53,53,51,97,100,98,102,100,51,49,57,53,57,52,55,50,98,52,97,53,53,48,98,54,57,99,102,57,53,49,100,102,52,100,57,54,53,52,54,98,53,100,48,98,48,50,53,98,50,98,98,56,101,57,56,48,51,101,55,98,52,100,56,52,97,52,51,102,98,49,48,101,54,49,102,98,48,55,50,101,56,99,99,101,97,50,48,99,97,100,56,98,52,53,102,100,52,49,101,51,54,49,98,53,99,53,101,52,102,101,53,57,101,97,56,51,53,48,52,54,102,99,49,101,97,100,99,57,98,56,50,56,52,101,49,49,100,55,50,55,100,48,51,53,102,55,57,57,101,50,49,53,57,55,101,54,98,49,55,53,101,52,101,53,57,55,99,102,57,97,56,98,54,52,53,100,48,51,57,98,53,100,57,100,56,56,101,99,50,52,55,52,57,51,97,53,56,101,97,97,97,57,53,101,101,49,52,56,52,99,48,100,97,52,100,50,57,51,56,55,57,102,101,54,56,97,102,102,52,101,101,99,102,53,50,56,100,100,99,50,55,56,57,48,57,98,100,101,99,97,53,102,51,53,99,57,54,56,52,99,100,98,52,100,101,56,51,55,56,48,52,98,57,53,56,51,99,54,48,54,99,57,49,53,50,49,51,97,48,55,99,98,97,57,56,54,56,56,101,56,57,53,99,100,55,98,98,56,49,57,100,53,52,54,97,51,51,99,102,101,55,55,50,52,99,98,55,50,53,102,50,49,99,53,99,51,48,54,57,49,51,55,54,102,53,100,55,99,98,49,48,99,51,97,49,54,102,54,48,52,48,102,100,52,99,97,101,52,101,100,51,99,51,100,101,98,48,53,50,55,53,53,56,56,97,98,50,99,99,53,102,56,49,49,56,100,55,99,53,99,99,56,100,52,98,100,57,98,102,98,49,54,54,55,49,51,57,54
I have try to convert this to hex as I do in the backend but it is not working
If I pass the {raw: true} I get the following:
invalid code lengths set
In the backend however i'm able to inflate and decrypt with zlib with no issue:
export const textDecompressFromBase64Url = (text: string) => {
return inflateSync(Buffer.from(text, 'base64')).toString()
}
export const aesDecrypt = (text: string, key: string = ENCRYPTION_KEY) => {
let textParts = text.split(':');
let iv = Buffer.from(textParts.shift(), 'hex');
let encryptedText = Buffer.from(textParts.join(':'), 'hex');
let decipher = createDecipheriv('aes-256-cbc', Buffer.from(key), iv);
let decrypted = decipher.update(encryptedText);
decrypted = Buffer.concat([decrypted, decipher.final()]);
return decrypted.toString();
}
From the comments it is said that this is impossible to make it work but here is a working example in nodejs of the full circle:
https://jdoodle.com/ia/s5Y
TIMELINE:
Stringify object
AES encrypt the string + add the IV in front in format of hex string
Deflate the string with zlib and output as base64url
Inflate the string with zlib
Decrypt the string with AES
The issue is using pako I'm not able to execute step 4

Trouble tracing error "Invalid Metadata Provided"

I followed this tutorial to learn how to use the tensorflow.js model mobilenet in node.js:link
Now I am trying to use my own tensorflow.js model trained in teachable machine using the #teachablemachine/image package: link
Here is my code:
const tf = require('#tensorflow/tfjs');
const tfnode = require('#tensorflow/tfjs-node');
const tmImage = require('#teachablemachine/image');
const fs = require('fs');
const path = require('path');
const FileAPI = require('file-api'),
File = FileAPI.File;
global.FileReader = FileAPI.FileReader;
global.Response = require('response');
const uploadModel = "model.json"
const uploadModelPath = path.join(process.cwd(), uploadModel);
const uploadModelFile = new File({
name: "model.json",
type: "application/json",
path: uploadModelPath
});
const uploadWeights = "weights.bin"
const uploadWeightsPath = path.join(process.cwd(), uploadWeights);
const uploadWeightsFile = new File({
name: "weights.bin",
path: uploadWeightsPath
});
const uploadMetadata = "metadata.json"
const uploadMetadataPath = path.join(process.cwd(), uploadMetadata);
const uploadMetadataFile = new File({
name: "metadata.json",
type: "application/json",
path: uploadMetadataPath
});
const readImage = path => {
const imageBuffer = fs.readFileSync(path);
const tfimage = tfnode.node.decodeImage(imageBuffer);
return tfimage;
}
const imageClassification = async path => {
const image = readImage(path);
const model = await tmImage.loadFromFiles(uploadModelFile,uploadWeightsFile,uploadMetadataFile);
//const model = await tmImage.load('https://teachablemachine.withgoogle.com/models/25uN0DSdd/model.json','https://teachablemachine.withgoogle.com/models/25uN0DSdd/metadata.json');
const predictions = await model.predict(image);
console.log('Classification Results:', predictions);
}
if (process.argv.length !== 3) throw new Error('Incorrect arguments: node classify.js <IMAGE_FILE>');
imageClassification(process.argv[2]);
When I run it I get error:
> (node:94924) UnhandledPromiseRejectionWarning: Error: Invalid Metadata provided
at C:\Users\Awesome\Google Drive\Source\Programming\JS\Testing\node_modules\#teachablemachine\image\dist\custom-mobilenet.js:163:27
Which leads me to:
var processMetadata = function (metadata) { return __awaiter(void 0, void 0, void 0, function () {
var metadataJSON, metadataResponse;
return __generator(this, function (_a) {
switch (_a.label) {
case 0:
if (!(typeof metadata === 'string')) return [3 /*break*/, 3];
return [4 /*yield*/, fetch(metadata)];
case 1:
metadataResponse = _a.sent();
return [4 /*yield*/, metadataResponse.json()];
case 2:
metadataJSON = _a.sent();
return [3 /*break*/, 4];
case 3:
if (isMetadata(metadata)) {
metadataJSON = metadata;
}
else {
throw new Error('Invalid Metadata provided');
}
_a.label = 4;
case 4: return [2 /*return*/, fillMetadata(metadataJSON)];
}
});
}); };
full file here: link
So I can see case 0-2 aren't being triggered and for case 3 the metadata file isn't passing the isMetadata function which is:
var isMetadata = function (c) {
return !!c && Array.isArray(c.labels);
};
Which I think tests that the file is not undefined and has an array of labels.
Where to go from there I am not sure because I don't understand the rest of the code in that file. I am going to try an alternative approach but I thought I might post this encase someone with more experience can see the problem clearly and wants to help teach me something or point me in the right direction or just simply tell me that at my experience level this isn't the right use of my time.
Thanks for reading.

php openssl_seal equivalent in Node.js

I have a code snippet in php which I would like to move into node.js but I cannot seem to find the right way to do it.
class EncryptService
{
const PUBLIC_CERT_PATH = 'cert/public.cer';
const PRIVATE_CERT_PATH = 'cert/private.key';
const ERROR_LOAD_X509_CERTIFICATE = 0x10000001;
const ERROR_ENCRYPT_DATA = 0x10000002;
public $outEncData = null;
public $outEnvKey = null;
public $srcData;
public function encrypt()
{
$publicKey = openssl_pkey_get_public(self::PUBLIC_CERT_PATH);
if ($publicKey === false) {
$publicKey = openssl_pkey_get_public("file://".self::PUBLIC_CERT_PATH);
}
if ($publicKey === false) {
$errorMessage = "Error while loading X509 public key certificate! Reason:";
while (($errorString = openssl_error_string())) {
$errorMessage .= $errorString . "\n";
}
throw new Exception($errorMessage, self::ERROR_LOAD_X509_CERTIFICATE);
}
$publicKeys = array($publicKey);
$encData = null;
$envKeys = null;
$result = openssl_seal($this->srcData, $encData, $envKeys, $publicKeys);
if ($result === false)
{
$this->outEncData = null;
$this->outEnvKey = null;
$errorMessage = "Error while encrypting data! Reason:";
while (($errorString = openssl_error_string()))
{
$errorMessage .= $errorString . "\n";
}
throw new Exception($errorMessage, self::ERROR_ENCRYPT_DATA);
}
$this->outEncData = base64_encode($encData);
$this->outEnvKey = base64_encode($envKeys[0]);
}
};
The problem is that I cannot find an implementation of the openssl_sign in Javascript anywhere. I do need to keep this structure because I use both outEncData and outEnvKey.
I managed to find the equivalent implementation of openssl_sign with the crypto package but nothing for openssl_seal.
LE added working solution as an answer

OK I've spent some time to figure this out, in short it is now in the repo: ivarprudnikov/node-crypto-rc4-encrypt-decrypt. But we want to follow SO rules here.
Below assumes that you have public key for signing the generated key and private key for testing if all is great.
Randomly generated secret key used for encryption:
const crypto = require('crypto');
const generateRandomKeyAsync = async () => {
return new Promise((resolve, reject) => {
crypto.scrypt("password", "salt", 24, (err, derivedKey) => {
if (err) reject(err);
resolve(derivedKey.toString('hex'));
});
});
}
Encrypt data with the generated key and then encrypt that key with a given public key. We want to send back both encrypted details and encrypted key as we expect the user on another side to have private key.
const crypto = require('crypto');
const path = require('path');
const fs = require('fs');
const encryptKeyWithPubAsync = async (text) => {
return new Promise((resolve) => {
fs.readFile(path.resolve('./public_key.pem'), 'utf8', (err, publicKey) => {
if (err) throw err;
const buffer = Buffer.from(text, 'utf8');
const encrypted = crypto.publicEncrypt(publicKey, buffer);
resolve(encrypted.toString('base64'));
});
});
}
const encryptStringAsync = async (clearText) => {
const encryptionKey = await generateRandomKeyAsync();
const cipher = await crypto.createCipheriv("RC4", encryptionKey, null);
const encryptedKey = await encryptKeyWithPubAsync(encryptionKey);
return new Promise((resolve, reject) => {
let encryptedData = '';
cipher.on('readable', () => {
let chunk;
while (null !== (chunk = cipher.read())) {
encryptedData += chunk.toString('hex');
}
});
cipher.on('end', () => {
resolve([encryptedKey, encryptedData]); // return value
});
cipher.write(clearText);
cipher.end();
});
}
So now we can encrypt the details:
encryptStringAsync("foo bar baz")
.then(details => {
console.log(`encrypted val ${details[1]}, encrypted key ${details[0]}`);
})
Will print something like:
encrypting foo bar baz
encrypted val b4c6c7a79712244fbe35d4, encrypted key bRnxH+/pMEKmYyvJuFeNWvK3u4g7X4cBaSMnhDgCI9iii186Eo9myfK4gOtHkjoDKbkhJ3YIErNBHpzBNc0rmZ9hy8Kur8uiHG6ai9K3ylr7sznDB/yvNLszKXsZxBYZL994wBo2fI7yfpi0B7y0QtHENiwE2t55MC71lCFmYtilth8oR4UjDNUOSrIu5QHJquYd7hF5TUtUnDtwpux6OnJ+go6sFQOTvX8YaezZ4Rmrjpj0Jzg+1xNGIIsWGnoZZhJPefc5uQU5tdtBtXEWdBa9LARpaXxlYGwutFk3KsBxM4Y5Rt2FkQ0Pca9ZZQPIVxLgwIy9EL9pDHtm5JtsVw==
To test above assumptions it is necessary first to decrypt the key with the private one:
const decryptKeyWithPrivateAsync = async (encryptedKey) => {
return new Promise((resolve) => {
fs.readFile(path.resolve('./private_key.pem'), 'utf8', (err, privateKey) => {
if (err) throw err;
const buffer = Buffer.from(encryptedKey, 'base64')
const decrypted = crypto.privateDecrypt({
key: privateKey.toString(),
passphrase: '',
}, buffer);
resolve(decrypted.toString('utf8'));
});
});
}
After key is decrypted it is possible to decrypt the message:
const decryptWithEncryptedKey = async (encKey, encVal) => {
const k = await decryptKeyWithPrivateAsync(encKey);
const decipher = await crypto.createDecipheriv("RC4", k, null);
return new Promise((resolve, reject) => {
let decrypted = '';
decipher.on('readable', () => {
while (null !== (chunk = decipher.read())) {
decrypted += chunk.toString('utf8');
}
});
decipher.on('end', () => {
resolve(decrypted); // return value
});
decipher.write(encVal, 'hex');
decipher.end();
});
}
Hope this answers the question.

The final and working version that worked for me. My problem was that I used an 128bit random key encrypt the data, instead 256bit worked in the end.
The encryption works in JS and it can be decrypted in php with the openssl_open using your private key, which was what I asked in the original question.
const crypto = require('crypto');
const path = require('path');
const fs = require('fs');
const encryptMessage = (message) => {
const public_key = fs.readFileSync(`${appDir}/certs/sandbox.public.cer`, 'utf8');
const rc4Key = Buffer.from(crypto.randomBytes(32), 'binary');
const cipher = crypto.createCipheriv('RC4', rc4Key, null);
let data = cipher.update(message, 'utf8', 'base64');
cipher.final();
const encryptedKey = crypto.publicEncrypt({
key: public_key,
padding: constants.RSA_PKCS1_PADDING
}, rc4Key);
return {
'data': data,
'env_key': encryptedKey.toString('base64'),
};
};

Hyperledger sawtooth JavaScript SDK:submitted batches are invalid

I am trying to implement hyperledger sawtooth transaction through javascript SDK following this https://sawtooth.hyperledger.org/docs/core/releases/1.0/_autogen/sdk_submit_tutorial_js.html#encoding-your-payload.
/*
*Create the transaction header
*/
const createTransactionHeader = function createTransactionHeader(payloadBytes) {
return protobuf.TransactionHeader.encode({
familyName: 'intkey',
familyVersion: '1.0',
inputs: [],
outputs: [],
signerPublicKey: '02cb65a26f7af4286d5f8118400262f7790e20018f2d01e1a9ffc25de1aafabdda',
batcherPublicKey: '02cb65a26f7af4286d5f8118400262f7790e20018f2d01e1a9ffc25de1aafabdda',
dependencies: [],
payloadSha512: createHash('sha512').update(payloadBytes).digest('hex')
}).finish();
}
/*
* Create the transactions
*/
const createTransaction = function createTransaction(transactionHeaderBytes, payloadBytes) {
const signature = signer.sign(transactionHeaderBytes)
return transaction = protobuf.Transaction.create({
header: transactionHeaderBytes,
headerSignature: Buffer.from(signature, 'utf8').toString('hex'),
payload: payloadBytes
});
}
While submitting the transaction I am getting the following error from REST API
{
"error": {
"code": 30,
"message": "The submitted BatchList was rejected by the validator. It was poorly formed, or has an invalid signature.",
"title": "Submitted Batches Invalid"
}
}
Found the following issue similar to my problem
Sawtooth Invalid Batch or Signature
But its implemented in java the solution not work for my case

This should work, try this:
const cbor = require('cbor');
const {createContext, CryptoFactory} = require('sawtooth-sdk/signing');
const {createHash} = require('crypto');
const {protobuf} = require('sawtooth-sdk');
const request = require('request');
const crypto = require('crypto');
const context = createContext('secp256k1');
const privateKey = context.newRandomPrivateKey();
const signer = CryptoFactory(context).newSigner(privateKey);
// Here's how you can generate the input output address
const FAMILY_NAMESPACE = crypto.createHash('sha512').update('intkey').digest('hex').toLowerCase().substr(0, 6);
const address = FAMILY_NAMESPACE + crypto.createHash('sha512').update('foo').digest('hex').toLowerCase().substr(0, 64);
const payload = {
Verb: 'set',
Name: 'foo',
Value: 42
};
const payloadBytes = cbor.encode(payload);
const transactionHeaderBytes = protobuf.TransactionHeader.encode({
familyName: 'intkey',
familyVersion: '1.0',
inputs: [address],
outputs: [address],
signerPublicKey: signer.getPublicKey().asHex(),
batcherPublicKey: signer.getPublicKey().asHex(),
dependencies: [],
payloadSha512: createHash('sha512').update(payloadBytes).digest('hex')
}).finish();
const transactionHeaderSignature = signer.sign(transactionHeaderBytes);
const transaction = protobuf.Transaction.create({
header: transactionHeaderBytes,
headerSignature: transactionHeaderSignature,
payload: payloadBytes
});
const transactions = [transaction]
const batchHeaderBytes = protobuf.BatchHeader.encode({
signerPublicKey: signer.getPublicKey().asHex(),
transactionIds: transactions.map((txn) => txn.headerSignature),
}).finish();
const batchHeaderSignature = signer.sign(batchHeaderBytes)
const batch = protobuf.Batch.create({
header: batchHeaderBytes,
headerSignature: batchHeaderSignature,
transactions: transactions
};
const batchListBytes = protobuf.BatchList.encode({
batches: [batch]
}).finish();
request.post({
url: 'http://rest.api.domain/batches',
body: batchListBytes,
headers: {'Content-Type': 'application/octet-stream'}
}, (err, response) => {
if(err) {
return console.log(err);
}
console.log(response.body);
});

Categories

Resources