Name: bedrock-ssm
Owner: Digital Bazaar, Inc.
Description: A Bedrock library that provides Secure Security Module support.
Created: 2016-12-30 02:21:15.0
Updated: 2016-12-30 02:21:15.0
Pushed: 2016-12-30 02:22:32.0
Homepage: null
Size: 5
Language: null
A Bedrock library that provides Software Security Module functionality for the storage of secrets.
This functionality is useful in a variety of scenarios where a front-end application server needs to use secrets such as private key material, or Time-based One Time Passwords, without risking the exposure of that secret material in the event of a system compromise of the front-end application server.
npm install bedrock bedrock-server bedrock-ssm
Create a basic Bedrock application server:
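// NOTE(review): the first few characters of every line in this listing were
// clipped in the published copy ("ig.server.port", "ock.events.on", ...). The
// leading text below is reconstructed from the identifiers the listing itself
// still shows (bedrock, config, ssm); the API calls and literals are unchanged.
var bedrock = require('bedrock');
var config = require('bedrock').config;
// required for its side effect of registering the HTTP server with bedrock
var server = require('bedrock-server');
var ssm = require('bedrock-ssm');

// config
config.server.port = 19443;
config.server.httpPort = 19080;
config.server.bindAddr = ['localhost'];
config.server.domain = 'localhost';
config.server.host = 'localhost';
config.server.baseUri = 'https://' + config.server.host;
config.ssm.mode = 'staging';

// Sample inputs for the calls below. These are constructed placeholders; a
// real application obtains them from its own request handling.
var sampleSecret = 'example-secret-value';
var code = '000000'; // TOTP code as submitted by the user
var data = 'example data to sign'; // confirm the byte type ssm.sign expects

// setup landing page
bedrock.events.on('bedrock.ready', function(app) {
  // setup the symmetric key for the system
  // 'SECRET_KEY' is an illustrative literal only; a deployed system must
  // supply this key from outside the source tree rather than hard-coding it.
  ssm.setSymmetricKey('SECRET_KEY');

  // store and retrieve a symmetric secret
  ssm.storeSecret(sampleSecret, function(err, id) {
    if(err) {
      return console.error('storeSecret failed:', err);
    }
    console.log('Stored secret as:', id);
    ssm.getSecret(id, function(err, secret) {
      if(err) {
        return console.error('getSecret failed:', err);
      }
      // only the identifier is logged; the retrieved value stays out of logs
      console.log('Retrieved secret:', id);
    });
  });

  // generate and verify a TOTP secret
  ssm.generateTotpSecret(function(err, id, secret) {
    if(err) {
      return console.error('generateTotpSecret failed:', err);
    }
    console.log('TOTP id:', id);
    // shown here for the example only; the TOTP secret is enrollment data
    // and should not end up in persistent application logs
    console.log('TOTP secret:', secret);
    ssm.verifyTotpCode(id, code, function(err, result) {
      if(err) {
        return console.error('verifyTotpCode failed:', err);
      }
      console.log('TOTP verified:', result);
    });
  });

  // generate a private key and use it to digitally sign a bytestream
  ssm.generatePrivateKey(function(err, keyId, publicKey) {
    if(err) {
      return console.error('generatePrivateKey failed:', err);
    }
    ssm.sign(keyId, 'LinkedDataSignature2015', data, function(err, signature) {
      if(err) {
        return console.error('sign failed:', err);
      }
      console.log('generated signature', signature);
    });
  });
});

bedrock.start();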
For documentation on this module's configuration, see config.js.
This module encrypts secrets by using a symmetric key that is never written to permanent storage. This means that all data stored on the device is encrypted. Private keys that are generated on the system are also encrypted and never leave the system.