diff options
author | Laurent Ghigonis <laurent@p1sec.com> | 2013-06-17 20:08:58 +0200 |
---|---|---|
committer | Laurent Ghigonis <laurent@p1sec.com> | 2013-06-17 20:08:58 +0200 |
commit | f7708feda1e91f5da6e8ca2797d7594ed2f3350f (patch) | |
tree | c2d5865b8dbc8d1e713386ea605094b6e68ddbb7 | |
parent | jsaccess: store check dependencies (diff) | |
download | laurent-tools-f7708feda1e91f5da6e8ca2797d7594ed2f3350f.tar.xz laurent-tools-f7708feda1e91f5da6e8ca2797d7594ed2f3350f.zip |
jsaccess: WIP on a real file store
Diffstat (limited to '')
-rw-r--r-- | jsaccess/README.txt | 33 | ||||
-rw-r--r-- | jsaccess/doc/put_your_encrypted_files_here.txt | 6 | ||||
-rw-r--r-- | jsaccess/jsa/jsa.js | 4 | ||||
-rw-r--r-- | jsaccess/jsa/store/af022cd820fdad6cbcac8e15ac565c639a47dab0/caf3eefc85fc7c4ee06d38ea679318114b21d88d (renamed from jsaccess/jsa/files/af022cd820fdad6cbcac8e15ac565c639a47dab0/caf3eefc85fc7c4ee06d38ea679318114b21d88d) | 0 | ||||
-rw-r--r-- | jsaccess/jsa/store/af022cd820fdad6cbcac8e15ac565c639a47dab0/index.html (renamed from jsaccess/jsa/files/af022cd820fdad6cbcac8e15ac565c639a47dab0/index.html) | 0 | ||||
-rw-r--r-- | jsaccess/jsa/store/af022cd820fdad6cbcac8e15ac565c639a47dab0/index.txt (renamed from jsaccess/jsa/files/af022cd820fdad6cbcac8e15ac565c639a47dab0/index.txt) | 0 | ||||
-rw-r--r-- | jsaccess/jsa/store/index.html (renamed from jsaccess/jsa/files/index.html) | 0 | ||||
-rwxr-xr-x | jsaccess/store.sh | 225 |
8 files changed, 214 insertions, 54 deletions
diff --git a/jsaccess/README.txt b/jsaccess/README.txt index 16f2c98..97813bd 100644 --- a/jsaccess/README.txt +++ b/jsaccess/README.txt @@ -31,10 +31,10 @@ Deployment There are 2 parts: * The jsa/ directory that contains html / javascript files, for the user to -access files list and download. jsa/files/ is the files store. +access files list and download. jsa/store/ is the files store. * The store.sh script for the web server owner to encrypt files It is recomanded to run store.sh on your laptop, and then syncronise the -jsa/files/ file store with your server. +jsa/store/ file store with your server. Put jsa/ directory on your web server, publicly available. @@ -48,9 +48,9 @@ On your laptop: $ ./store.sh myfile # Then enter the passphase you want to use for encryption. # It will tell you something like: -jsa/files/af022cd820fdad6cbcac8e15ac565c639a47dab0 -CREATED jsa/files/af022cd820fdad6cbcac8e15ac565c639a47dab0/065e18a7f246b800242a778a6e8dd07a3321dac6 -UPDATED jsa/files/af022cd820fdad6cbcac8e15ac565c639a47dab0/index.txt +jsa/store/af022cd820fdad6cbcac8e15ac565c639a47dab0 +CREATED jsa/store/af022cd820fdad6cbcac8e15ac565c639a47dab0/065e18a7f246b800242a778a6e8dd07a3321dac6 +UPDATED jsa/store/af022cd820fdad6cbcac8e15ac565c639a47dab0/index.txt 2. Syncronise the file store with you online server On your laptop: @@ -64,23 +64,23 @@ $ rsync jsa/ user@myserver:/var/www/htdocs/ How it works ============ -store.sh creates a directory jsa/files/<rmd160_hash_of_passphrase>/. +store.sh creates a directory jsa/store/<rmd160_hash_of_passphrase>/. It encrypts your file using AES256 with the passphrase and stores the result in -jsa/files/<rmd160_hash_of_passphrase>/<rmd160_hash_of_(passphrase+filename)>. +jsa/store/<rmd160_hash_of_passphrase>/<rmd160_hash_of_(passphrase+filename)>. It also updates the index of available files per directory called index.txt, that contains real file names. The index is also encrypted using AES256 with the passphrase. Web UI generates rmd160 hash from the passphrase and get the list of files -available for this passphrase (jsa/files/<rmd160_hash_of_passphrase>/index.txt), +available for this passphrase (jsa/store/<rmd160_hash_of_passphrase>/index.txt), decrypts it and shows the list of files. When the user clicks on Download, it fetches the file from the rmd160 name, decrypts it with the passphrase and stores it with the real name using the Filesaver JS API. -Dependencies -============ +Dependencies / Compatibility +============================ On the host that runs store.sh: * openssl @@ -90,22 +90,25 @@ On the web server: * Serving static files is enough * optional: https, to protect against clients targeted attacks +On the web user machine: +* Tested with Firefox 21 and Chrome 27 + Git content =========== jsa/ - should be on your webserver, can be renamed -jsa/files/<password_hash>/ - directory of files to download for a given password -jsa/files/<password_hash>/index.txt - list of file name available +jsa/store/<password_hash>/ - directory of files to download for a given password +jsa/store/<password_hash>/index.txt - list of file name available store.sh - to encrypt your files before uploading them to your web server TODO ==== -* Download progress +* web: download progress -* Decrypting progress +* web: decrypting progress Need to modify gibberish-aes -* Make password field appear as full of dots after validation +* web: make password field appear as full of dots after validation diff --git a/jsaccess/doc/put_your_encrypted_files_here.txt b/jsaccess/doc/put_your_encrypted_files_here.txt index 2cab735..162e0ba 100644 --- a/jsaccess/doc/put_your_encrypted_files_here.txt +++ b/jsaccess/doc/put_your_encrypted_files_here.txt @@ -6,9 +6,9 @@ To a new file to download: $ ./store.sh README.txt Enter passphrase used to encrypt: jsa -jsa/files/af022cd820fdad6cbcac8e15ac565c639a47dab0 -CREATED jsa/files/af022cd820fdad6cbcac8e15ac565c639a47dab0/065e18a7f246b800242a778a6e8dd07a3321dac6 -UPDATED jsa/files/af022cd820fdad6cbcac8e15ac565c639a47dab0/index.txt +jsa/store/af022cd820fdad6cbcac8e15ac565c639a47dab0 +CREATED jsa/store/af022cd820fdad6cbcac8e15ac565c639a47dab0/065e18a7f246b800242a778a6e8dd07a3321dac6 +UPDATED jsa/store/af022cd820fdad6cbcac8e15ac565c639a47dab0/index.txt $ rsync jsa/ user@_host:/var/www/htdocs/ diff --git a/jsaccess/jsa/jsa.js b/jsaccess/jsa/jsa.js index 138ed84..259899c 100644 --- a/jsaccess/jsa/jsa.js +++ b/jsaccess/jsa/jsa.js @@ -36,7 +36,7 @@ function jsagetlist() { _status("Getting file list ..."); listreq = $.ajax({ - url: 'files/' + hash + '/index.txt', + url: 'store/' + hash + '/index.txt', beforeSend: function ( xhr ) { xhr.overrideMimeType("application/base64"); }, @@ -88,7 +88,7 @@ function _dl(file, pass) { var RMD160 = new Hashes.RMD160; var dirhash = RMD160.hex(pass); - var path = 'files/' + dirhash + '/' + RMD160.hex(dirhash + file); + var path = 'store/' + dirhash + '/' + RMD160.hex(dirhash + file); _status("Downloading \""+file+"\" ..."); dlreq = $.ajax({ diff --git a/jsaccess/jsa/files/af022cd820fdad6cbcac8e15ac565c639a47dab0/caf3eefc85fc7c4ee06d38ea679318114b21d88d b/jsaccess/jsa/store/af022cd820fdad6cbcac8e15ac565c639a47dab0/caf3eefc85fc7c4ee06d38ea679318114b21d88d index c3346fd..c3346fd 100644 --- a/jsaccess/jsa/files/af022cd820fdad6cbcac8e15ac565c639a47dab0/caf3eefc85fc7c4ee06d38ea679318114b21d88d +++ b/jsaccess/jsa/store/af022cd820fdad6cbcac8e15ac565c639a47dab0/caf3eefc85fc7c4ee06d38ea679318114b21d88d diff --git a/jsaccess/jsa/files/af022cd820fdad6cbcac8e15ac565c639a47dab0/index.html b/jsaccess/jsa/store/af022cd820fdad6cbcac8e15ac565c639a47dab0/index.html index e69de29..e69de29 100644 --- a/jsaccess/jsa/files/af022cd820fdad6cbcac8e15ac565c639a47dab0/index.html +++ b/jsaccess/jsa/store/af022cd820fdad6cbcac8e15ac565c639a47dab0/index.html diff --git a/jsaccess/jsa/files/af022cd820fdad6cbcac8e15ac565c639a47dab0/index.txt b/jsaccess/jsa/store/af022cd820fdad6cbcac8e15ac565c639a47dab0/index.txt index e4debf3..e4debf3 100644 --- a/jsaccess/jsa/files/af022cd820fdad6cbcac8e15ac565c639a47dab0/index.txt +++ b/jsaccess/jsa/store/af022cd820fdad6cbcac8e15ac565c639a47dab0/index.txt diff --git a/jsaccess/jsa/files/index.html b/jsaccess/jsa/store/index.html index d47b0f4..d47b0f4 100644 --- a/jsaccess/jsa/files/index.html +++ b/jsaccess/jsa/store/index.html diff --git a/jsaccess/store.sh b/jsaccess/store.sh index d730160..d797245 100755 --- a/jsaccess/store.sh +++ b/jsaccess/store.sh @@ -1,7 +1,7 @@ #!/bin/sh # jsaccess - private web file sharing using client side crypto -# store.sh: file encrytion script +# store.sh: file store manager for encrypting new files and deploy to server # Copyright (c) 2013 Laurent Ghigonis <laurent@gouloum.fr> # @@ -17,18 +17,140 @@ # ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +VERSION=0.2 + +usage_exit() { + echo "usage: store.sh [-v] [action] [action arguments...] [store]" + echo + echo "actions:" + echo " ls [store] # default action if no arguments" + echo " init <store>" + echo " add <file_to_share> [store] # default action if one argument" + echo " rm <file_in_store> [store]" + echo " wipe <store>" + echo " pull [store]" + echo " push [store]" + echo " rset <rsync_URI> [store]" + echo " help|-h" + echo " version|-V" + echo + echo "By default store is ./store/ or ./jsa/store/" + echo "Use \"unset HISTFILE; export JSA_PASS=mypass\" to avoid typing the passphrase" + echo "Use \"unset JSA_PASS\" to forget the passphrase" + exit 1 +} + cleanup() { rm -f $tmp umask $sumask exit 0 } -if [ $# -ne 1 ]; then - echo "usage: store.sh <file_to_share>" - exit 1 -fi -clear_path=$1 -clear_name=`basename $clear_path` +_store_get() { + store="" + [[ -d ./jsa/store/ ]] && store="`readlink -f ./jsa/store/`" # priority 3 + [[ -d ./store/ ]] && store="`readlink -f ./store/`" # priority 2 + [[ X"$1" != X"" ]] && store=$1 # priority 1 + [[ -z $store ]] && echo "ERROR: store not found !" && \ + echo "Not specified as argument and local stores" \ + "./store/ or ./jsa/store/ not found" && exit 2 + echo "Using store $store" +} + +_pass_read() { + if [ X"$JSA_PASS" != X"" ]; then + pass=$JSA_PASS + else + echo "Enter encryption passphrase" + echo -n "> " + read pass + fi + enc_dir_hash=`echo -n $pass |openssl rmd160 |cut -d' ' -f2` + enc_path="$store/$enc_dir_hash" +} + +_index_decrypt() { + if [ -f $enc_path/index.txt ]; then + echo -n $pass |openssl enc -d -a -aes-256-cbc -in $enc_path/index.txt -out $tmp -pass stdin ||exit $? + else + echo > $tmp + fi +} + +_index_encrypt() { + rm -f $enc_path/index.txt + echo -n $pass |openssl enc -e -a -aes-256-cbc -in $tmp -out $enc_path/index.txt -pass stdin ||exit $? + echo "UPDATED $enc_path/index.txt" +} + +_file_add() { + # Path / name generation + clear_path=$1 + clear_name=`basename $clear_path` + enc_name=`echo -n ${enc_dir_hash}${clear_name} |openssl rmd160 |cut -d' ' -f2` + mkdir -p $enc_path + touch $enc_path/index.html + + # Encrypt + base64 -w0 $clear_path > $tmp + echo -n $pass |openssl enc -e -a -aes-256-cbc -in $tmp -out $enc_path/$enc_name -pass stdin ||exit $? + echo "CREATED $enc_path/$enc_name" +} + +_file_rm() { + pass # XXX +} + +_rset() { + pass # XXX +} + +_rget() { + pass # XXX +} + +action_ls() { + _pass_read + _index_decrypt + [ ! -f $enc_path/index.txt ] && \ + echo "Passphrase not used in store !" && exit 1 + echo "$enc_dir_hash/index.txt:" + cat $tmp +} + +action_add() { + _pass_read + _file_add $1 + _index_decrypt + echo $1 >> $tmp + _index_encrypt +} + +action_rm() { + _pass_read + _file_rm $1 + _index_decrypt + sed -i d/$1/ $tmp + _index_encrypt +} + +action_wipe() { + _rset $1 +} + +action_pull() { + _rget $1 + rsync $tmp . +} + +action_push() { + _rget $1 + rsync . $tmp +} + +action_rset() { + _rset $1 +} # Check for dependencies if [ X"`which base64`" == X"" \ @@ -43,30 +165,65 @@ umask 077 tmp=`mktemp ./jsaXXXXXXXX` trap cleanup INT TERM EXIT -# Read passphrase -echo -n "Enter encryption passphrase: " -read pass - -# Generate file/directory names -enc_dir_hash=`echo -n $pass |openssl rmd160 |cut -d' ' -f2` -enc_path="jsa/files/$enc_dir_hash" -enc_name=`echo -n ${enc_dir_hash}${clear_name} |openssl rmd160 |cut -d' ' -f2` -echo $enc_path -mkdir -p $enc_path -touch $enc_path/index.html - -# Encrypt file -base64 -w0 $clear_path > $tmp -echo -n $pass |openssl enc -e -a -aes-256-cbc -in $tmp -out $enc_path/$enc_name -pass stdin ||exit $? -echo "CREATED $enc_path/$enc_name" - -# Add to passphrase index -if [ -f $enc_path/index.txt ]; then - echo -n $pass |openssl enc -d -a -aes-256-cbc -in $enc_path/index.txt -out $tmp -pass stdin ||exit $? -else - echo > $tmp -fi -echo $clear_name >> $tmp -rm -f $enc_path/index.txt -echo -n $pass |openssl enc -e -a -aes-256-cbc -in $tmp -out $enc_path/index.txt -pass stdin ||exit $? -echo "UPDATED $enc_path/index.txt" +# Run action +case $1 in +ls) + [ $# -ne 1 -a $# -ne 2 ] && usage_exit + _store_get $2 + action_ls + ;; +init) + [ $# -ne 2 ] && usage_exit + _store_get $2 + action_init + ;; +add) + [ $# -ne 2 -a $# -ne 3 ] && usage_exit + _store_get $3 + action_add $2 + ;; +rm) + [ $# -ne 2 -a $# -ne 3 ] && usage_exit + _store_get $3 + action_rm $1 + ;; +wipe) + [ $# -ne 2 ] && usage_exit + _store_get $2 + action_wipe + ;; +pull) + [ $# -ne 1 -a $# -ne 2 ] && usage_exit + _store_get $2 + action_pull $1 + ;; +push) + [ $# -ne 1 -a $# -ne 2 ] && usage_exit + _store_get $2 + action_push $1 + ;; +rset) + [ $# -ne 2 -a $# -ne 3 ] && usage_exit + _store_get $3 + action_rset $1 + ;; +help|-h) + usage_exit + ;; +version|-V) + echo "v$VERSION" + usage_exit + ;; +"") + [ $# -ne 0 ] && usage_exit + _store_get + action_ls + ;; +*) + [ $# -ne 1 ] && usage_exit + _store_get $2 + action_add $1 +esac + +# cleanup() executed in trap + |