mdbook-pagecrypt 0.2.0

Encrypt your mdbook-built site with password protection.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168

#![doc = include_str!("../README.md")]
#![warn(missing_docs)]

use aes_gcm::aead::Aead;
use aes_gcm::{Aes256Gcm, Key, KeyInit, Nonce};
use base64::prelude::BASE64_STANDARD;
use base64::Engine;
use pbkdf2::pbkdf2_hmac;
use rand::Rng;
use sha2::Sha256;
use thiserror::Error;

/// Error type for [`PageCrypt`].
#[derive(Debug, Error)]
pub enum Error {
    /// Missing password
    #[error("Password is required")]
    MissingPassword,

    /// Fail to encrypt payload
    #[error("Fail to encrypt")]
    EncryptError(#[from] aes_gcm::Error),
}

/// Result type for [`PageCrypt`].
pub type Result<T> = std::result::Result<T, Error>;

const HTML_TEMPLATE: &str = include_str!(concat!(env!("OUT_DIR"), "/decrypt.minify.html"));
const JS_TEMPLATE: &str = include_str!(concat!(env!("OUT_DIR"), "/decrypt.minify.js"));

const SALT_LEN: usize = 32;
const NONCE_LEN: usize = 12;
const HMAC_LEN: usize = 32;

/// Builder for [`PageCrypt`].
pub struct PageCryptBuilder {
    /// Password
    pub password: String,
    /// Number of rounds
    pub rounds: u32,
}

impl PageCryptBuilder {
    /// Create a new [`PageCryptBuilder`].
    #[allow(clippy::new_without_default)]
    pub fn new() -> Self {
        Self {
            password: String::new(),
            rounds: 600_000,
        }
    }

    /// Set password.
    pub fn password(mut self, password: String) -> Self {
        self.password = password;
        self
    }

    /// Set number of rounds.
    pub fn rounds(mut self, rounds: u32) -> Self {
        self.rounds = rounds;
        self
    }

    /// Build [`PageCrypt`].
    pub fn build(self) -> Result<PageCrypt> {
        if self.password.is_empty() {
            return Err(Error::MissingPassword);
        }
        if self.rounds < 100_000 {
            log::warn!(
                "The specified number of password rounds ({}) is not secure. If possible, use at least 100_000 or more.",
                self.rounds
            );
        }

        let salt = getrandom::<SALT_LEN>();
        log::info!("Salt generated for password hashing.");

        let mut hmac = [0; HMAC_LEN];
        pbkdf2_hmac::<Sha256>(self.password.as_bytes(), &salt, self.rounds, &mut hmac);
        log::info!("Password hashed.");

        Ok(PageCrypt::from_hmac(self.rounds, salt, hmac))
    }
}

/// PageCrypt implementation.
pub struct PageCrypt {
    rounds: u32,
    salt: [u8; SALT_LEN],
    hmac: [u8; HMAC_LEN],
}

impl PageCrypt {
    /// Create a new [`PageCryptBuilder`].
    pub fn builder() -> PageCryptBuilder {
        PageCryptBuilder::new()
    }

    /// Create a new [`PageCrypt`] from hmac.
    pub fn from_hmac(rounds: u32, salt: [u8; SALT_LEN], hmac: [u8; HMAC_LEN]) -> Self {
        Self { rounds, salt, hmac }
    }

    /// Encrypt payload.
    pub fn encrypt_payload(&self, data: &[u8]) -> Result<Vec<u8>> {
        let nonce = getrandom::<NONCE_LEN>();
        let nonce = Nonce::from_slice(&nonce);
        log::info!("Nonce generated for encryption.");

        let key = Key::<Aes256Gcm>::from_slice(&self.hmac);
        let cipher = Aes256Gcm::new(key);
        let cipher_text = cipher.encrypt(nonce, data)?;
        log::info!("Payload encrypted.");

        // salt + iv + cipher_text
        let mut payload = Vec::with_capacity(SALT_LEN + NONCE_LEN + cipher_text.len());
        payload.extend_from_slice(&self.salt);
        payload.extend_from_slice(nonce);
        payload.extend_from_slice(&cipher_text);
        log::info!("Payload assembled.");

        Ok(payload)
    }

    /// Encrypt HTML.
    pub fn encrypt_html(&self, html: &[u8]) -> Result<String> {
        let encrypted = self.encrypt_payload(html)?;
        log::info!("HTML encrypted.");

        let encrypted = BASE64_STANDARD.encode(encrypted);
        let encrypted = urlencoding::encode(&encrypted);
        log::info!("HTML encoded.");

        let result = HTML_TEMPLATE
            .replacen("{{ rounds }}", &self.rounds.to_string(), 1)
            .replacen("{{ encrypted }}", &encrypted, 1);
        log::info!("HTML rendered.");

        Ok(result)
    }

    /// Encrypt JS.
    pub fn encrypt_js(&self, js: &[u8]) -> Result<String> {
        let encrypted = self.encrypt_payload(js)?;
        log::info!("JS encrypted.");

        let encrypted = BASE64_STANDARD.encode(encrypted);
        log::info!("JS encoded.");

        let result = JS_TEMPLATE.replacen("{{ encrypted }}", &encrypted, 1);
        log::info!("JS rendered.");

        Ok(result)
    }
}

fn getrandom<const N: usize>() -> [u8; N] {
    let mut buf = [0; N];
    if getrandom::fill(&mut buf).is_err() {
        log::warn!(
            "Fail to generate random from system entropy. Using pseudo-random generator instead."
        );
        rand::rng().fill_bytes(&mut buf);
    }
    buf
}