Huge News!Announcing our $40M Series B led by Abstract Ventures.Learn More →
@authenio/xml-encryption
Advanced tools
@authenio/xml-encryption - npm Package Compare versions
Comparing version 0.11.3 to 1.2.1
@@ -1,12 +0,11 @@ | ||
| var ejs = require('ejs'), | ||
| path = require('path'), | ||
| var path = require('path'), | ||
| fs = require('fs'); | ||
| var templates = { | ||
| 'encrypted-key': fs.readFileSync(path.join(__dirname, 'templates', 'encrypted-key.tpl.xml'), 'utf8'), | ||
| 'keyinfo': fs.readFileSync(path.join(__dirname, 'templates', 'keyinfo.tpl.xml'), 'utf8') | ||
| 'encrypted-key': require('./templates/encrypted-key.tpl.xml'), | ||
| 'keyinfo': require('./templates/keyinfo.tpl.xml'), | ||
| }; | ||
| function renderTemplate (file, data) { | ||
| return ejs.render(templates[file], data); | ||
| function renderTemplate(file, data) { | ||
| return templates[file](data); | ||
| } | ||
@@ -23,6 +22,12 @@ | ||
| function warnInsecureAlgorithm(algorithm, enabled = true) { | ||
| if (enabled) { | ||
| console.warn(algorithm + " is no longer recommended due to security reasons. Please deprecate its use as soon as possible.") | ||
| } | ||
| } | ||
| module.exports = { | ||
| renderTemplate: renderTemplate, | ||
| pemToCert: pemToCert | ||
| }; | ||
| pemToCert: pemToCert, | ||
| warnInsecureAlgorithm: warnInsecureAlgorithm | ||
| }; |
| var crypto = require('crypto'); | ||
| var async = require('async'); | ||
| var xmldom = require('xmldom'); | ||
@@ -8,2 +7,7 @@ var xpath = require('xpath'); | ||
| const insecureAlgorithms = [ | ||
| //https://www.w3.org/TR/xmlenc-core1/#rsav15note | ||
| 'http://www.w3.org/2001/04/xmlenc#rsa-1_5', | ||
| //https://csrc.nist.gov/News/2017/Update-to-Current-Use-and-Deprecation-of-TDEA | ||
| 'http://www.w3.org/2001/04/xmlenc#tripledes-cbc']; | ||
| function encryptKeyInfoWithScheme(symmetricKey, options, scheme, callback) { | ||
@@ -13,3 +17,3 @@ try { | ||
| var encrypted = rsa_pub.encrypt(symmetricKey.toString('binary'), scheme); | ||
| var base64EncodedEncryptedKey = new Buffer(encrypted, 'binary').toString('base64'); | ||
| var base64EncodedEncryptedKey = Buffer.from(encrypted, 'binary').toString('base64'); | ||
@@ -19,3 +23,3 @@ var params = { | ||
| encryptionPublicCert: '<X509Data><X509Certificate>' + utils.pemToCert(options.pem.toString()) + '</X509Certificate></X509Data>', | ||
| keyEncryptionMethod: options.keyEncryptionAlgorighm | ||
| keyEncryptionMethod: options.keyEncryptionAlgorithm | ||
| }; | ||
@@ -38,6 +42,9 @@ | ||
| if (!options.keyEncryptionAlgorighm) | ||
| if (!options.keyEncryptionAlgorithm) | ||
| return callback(new Error('encryption without encrypted key is not supported yet')); | ||
| switch (options.keyEncryptionAlgorighm) { | ||
| if (options.disallowEncryptionWithInsecureAlgorithm | ||
| && insecureAlgorithms.indexOf(options.keyEncryptionAlgorithm) >= 0) { | ||
| return callback(new Error('encryption algorithm ' + options.keyEncryptionAlgorithm + 'is not secure')); | ||
| } | ||
| switch (options.keyEncryptionAlgorithm) { | ||
| case 'http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p': | ||
@@ -47,2 +54,3 @@ return encryptKeyInfoWithScheme(symmetricKey, options, 'RSA-OAEP', callback); | ||
| case 'http://www.w3.org/2001/04/xmlenc#rsa-1_5': | ||
| utils.warnInsecureAlgorithm(options.keyEncryptionAlgorithm, options.warnInsecureAlgorithm); | ||
| return encryptKeyInfoWithScheme(symmetricKey, options, 'RSAES-PKCS1-V1_5', callback); | ||
@@ -64,59 +72,105 @@ | ||
| return callback(new Error('pem option is mandatory and you should provide a valid x509 certificate encoded as PEM')); | ||
| if (options.disallowEncryptionWithInsecureAlgorithm | ||
| && (insecureAlgorithms.indexOf(options.keyEncryptionAlgorithm) >= 0 | ||
| || insecureAlgorithms.indexOf(options.encryptionAlgorithm) >= 0)) { | ||
| return callback(new Error('encryption algorithm ' + options.keyEncryptionAlgorithm + ' is not secure')); | ||
| } | ||
| options.input_encoding = options.input_encoding || 'utf8'; | ||
| async.waterfall([ | ||
| function generate_symmetric_key(cb) { | ||
| switch (options.encryptionAlgorithm) { | ||
| case 'http://www.w3.org/2001/04/xmlenc#aes128-cbc': | ||
| crypto.randomBytes(16, cb); // generate a symmetric random key 16 bytes length | ||
| break; | ||
| case 'http://www.w3.org/2001/04/xmlenc#aes256-cbc': | ||
| crypto.randomBytes(32, cb); // generate a symmetric random key 32 bytes length | ||
| break; | ||
| case 'http://www.w3.org/2001/04/xmlenc#tripledes-cbc': | ||
| crypto.randomBytes(24, cb); // generate a symmetric random key 24 bytes (192 bits) length | ||
| break; | ||
| default: | ||
| crypto.randomBytes(32, cb); // generate a symmetric random key 32 bytes length | ||
| } | ||
| }, | ||
| function encrypt_content(symmetricKey, cb) { | ||
| switch (options.encryptionAlgorithm) { | ||
| case 'http://www.w3.org/2001/04/xmlenc#aes128-cbc': | ||
| encryptWithAlgorithm('aes-128-cbc', symmetricKey, 16, content, options.input_encoding, function (err, encryptedContent) { | ||
| if (err) return cb(err); | ||
| cb(null, symmetricKey, encryptedContent); | ||
| }); | ||
| break; | ||
| case 'http://www.w3.org/2001/04/xmlenc#aes256-cbc': | ||
| encryptWithAlgorithm('aes-256-cbc', symmetricKey, 16, content, options.input_encoding, function (err, encryptedContent) { | ||
| if (err) return cb(err); | ||
| cb(null, symmetricKey, encryptedContent); | ||
| }); | ||
| break; | ||
| case 'http://www.w3.org/2001/04/xmlenc#tripledes-cbc': | ||
| encryptWithAlgorithm('des-ede3-cbc', symmetricKey, 8, content, options.input_encoding, function (err, encryptedContent) { | ||
| if (err) return cb(err); | ||
| cb(null, symmetricKey, encryptedContent); | ||
| }); | ||
| break; | ||
| default: | ||
| cb(new Error('encryption algorithm not supported')); | ||
| } | ||
| }, | ||
| function encrypt_key(symmetricKey, encryptedContent, cb) { | ||
| encryptKeyInfo(symmetricKey, options, function(err, keyInfo) { | ||
| if (err) return cb(err); | ||
| function generate_symmetric_key(cb) { | ||
| switch (options.encryptionAlgorithm) { | ||
| case 'http://www.w3.org/2001/04/xmlenc#aes128-cbc': | ||
| crypto.randomBytes(16, cb); // generate a symmetric random key 16 bytes length | ||
| break; | ||
| case 'http://www.w3.org/2001/04/xmlenc#aes256-cbc': | ||
| crypto.randomBytes(32, cb); // generate a symmetric random key 32 bytes length | ||
| break; | ||
| case 'http://www.w3.org/2009/xmlenc11#aes128-gcm': | ||
| crypto.randomBytes(16, cb); // generate a symmetric random key 16 bytes length | ||
| break; | ||
| case 'http://www.w3.org/2009/xmlenc11#aes256-gcm': | ||
| crypto.randomBytes(32, cb); // generate a symmetric random key 32 bytes length | ||
| break; | ||
| case 'http://www.w3.org/2001/04/xmlenc#tripledes-cbc': | ||
| utils.warnInsecureAlgorithm(options.encryptionAlgorithm, options.warnInsecureAlgorithm); | ||
| crypto.randomBytes(24, cb); // generate a symmetric random key 24 bytes (192 bits) length | ||
| break; | ||
| default: | ||
| crypto.randomBytes(32, cb); // generate a symmetric random key 32 bytes length | ||
| } | ||
| } | ||
| var result = utils.renderTemplate('encrypted-key', { | ||
| encryptedContent: encryptedContent.toString('base64'), | ||
| keyInfo: keyInfo, | ||
| contentEncryptionMethod: options.encryptionAlgorithm | ||
| function encrypt_content(symmetricKey, cb) { | ||
| switch (options.encryptionAlgorithm) { | ||
| case 'http://www.w3.org/2001/04/xmlenc#aes128-cbc': | ||
| encryptWithAlgorithm('aes-128-cbc', symmetricKey, 16, content, options.input_encoding, function (err, encryptedContent) { | ||
| if (err) return cb(err); | ||
| cb(null, encryptedContent); | ||
| }); | ||
| break; | ||
| case 'http://www.w3.org/2001/04/xmlenc#aes256-cbc': | ||
| encryptWithAlgorithm('aes-256-cbc', symmetricKey, 16, content, options.input_encoding, function (err, encryptedContent) { | ||
| if (err) return cb(err); | ||
| cb(null, encryptedContent); | ||
| }); | ||
| break; | ||
| case 'http://www.w3.org/2009/xmlenc11#aes128-gcm': | ||
| encryptWithAlgorithm('aes-128-gcm', symmetricKey, 12, content, options.input_encoding, function (err, encryptedContent) { | ||
| if (err) return cb(err); | ||
| cb(null, encryptedContent); | ||
| }); | ||
| break; | ||
| case 'http://www.w3.org/2009/xmlenc11#aes256-gcm': | ||
| encryptWithAlgorithm('aes-256-gcm', symmetricKey, 12, content, options.input_encoding, function (err, encryptedContent) { | ||
| if (err) return cb(err); | ||
| cb(null, encryptedContent); | ||
| }); | ||
| break; | ||
| case 'http://www.w3.org/2001/04/xmlenc#tripledes-cbc': | ||
| utils.warnInsecureAlgorithm(options.encryptionAlgorithm, options.warnInsecureAlgorithm); | ||
| encryptWithAlgorithm('des-ede3-cbc', symmetricKey, 8, content, options.input_encoding, function (err, encryptedContent) { | ||
| if (err) return cb(err); | ||
| cb(null, encryptedContent); | ||
| }); | ||
| break; | ||
| default: | ||
| cb(new Error('encryption algorithm not supported')); | ||
| } | ||
| } | ||
| cb(null, result); | ||
| function encrypt_key(symmetricKey, encryptedContent, cb) { | ||
| encryptKeyInfo(symmetricKey, options, function(err, keyInfo) { | ||
| if (err) return cb(err); | ||
| var result = utils.renderTemplate('encrypted-key', { | ||
| encryptedContent: encryptedContent.toString('base64'), | ||
| keyInfo: keyInfo, | ||
| contentEncryptionMethod: options.encryptionAlgorithm | ||
| }); | ||
| cb(null, result); | ||
| }); | ||
| } | ||
| generate_symmetric_key(function (genKeyError, symmetricKey) { | ||
| if (genKeyError) { | ||
| return callback(genKeyError); | ||
| } | ||
| ], callback); | ||
| encrypt_content(symmetricKey, function(encryptContentError, encryptedContent) { | ||
| if (encryptContentError) { | ||
| return callback(encryptContentError); | ||
| } | ||
| encrypt_key(symmetricKey, encryptedContent, function (encryptKeyError, result) { | ||
| if (encryptKeyError) { | ||
| return callback(encryptKeyError); | ||
| } | ||
| callback(null, result); | ||
| }); | ||
| }); | ||
| }); | ||
| } | ||
@@ -131,3 +185,2 @@ | ||
| return callback(new Error('key option is mandatory and you should provide a valid RSA private key')); | ||
| try { | ||
@@ -140,6 +193,9 @@ var doc = typeof xml === 'string' ? new xmldom.DOMParser().parseFromString(xml) : xml; | ||
| if (options.disallowDecryptionWithInsecureAlgorithm | ||
| && insecureAlgorithms.indexOf(encryptionAlgorithm) >= 0) { | ||
| return callback(new Error('encryption algorithm ' + encryptionAlgorithm + ' is not secure, fail to decrypt')); | ||
| } | ||
| var encryptedContent = xpath.select("//*[local-name(.)='EncryptedData']/*[local-name(.)='CipherData']/*[local-name(.)='CipherValue']", doc)[0]; | ||
| var encrypted = new Buffer(encryptedContent.textContent, 'base64'); | ||
| var encrypted = Buffer.from(encryptedContent.textContent, 'base64'); | ||
| switch (encryptionAlgorithm) { | ||
@@ -151,3 +207,8 @@ case 'http://www.w3.org/2001/04/xmlenc#aes128-cbc': | ||
| case 'http://www.w3.org/2001/04/xmlenc#tripledes-cbc': | ||
| utils.warnInsecureAlgorithm(encryptionAlgorithm, options.warnInsecureAlgorithm); | ||
| return callback(null, decryptWithAlgorithm('des-ede3-cbc', symmetricKey, 8, encrypted)); | ||
| case 'http://www.w3.org/2009/xmlenc11#aes128-gcm': | ||
| return callback(null, decryptWithAlgorithm('aes-128-gcm', symmetricKey, 12, encrypted)); | ||
| case 'http://www.w3.org/2009/xmlenc11#aes256-gcm': | ||
| return callback(null, decryptWithAlgorithm('aes-256-gcm', symmetricKey, 12, encrypted)); | ||
| default: | ||
@@ -178,3 +239,7 @@ return callback(new Error('encryption algorithm ' + encryptionAlgorithm + ' not supported')); | ||
| var keyEncryptionAlgorighm = keyEncryptionMethod.getAttribute('Algorithm'); | ||
| var keyEncryptionAlgorithm = keyEncryptionMethod.getAttribute('Algorithm'); | ||
| if (options.disallowDecryptionWithInsecureAlgorithm | ||
| && insecureAlgorithms.indexOf(keyEncryptionAlgorithm) >= 0) { | ||
| throw new Error('encryption algorithm ' + keyEncryptionAlgorithm + ' is not secure, fail to decrypt'); | ||
| } | ||
| var encryptedKey = keyRetrievalMethodUri ? | ||
@@ -184,9 +249,10 @@ xpath.select("//*[local-name(.)='EncryptedKey' and @Id='" + keyRetrievalMethodUri.substring(1) + "']/*[local-name(.)='CipherData']/*[local-name(.)='CipherValue']", keyInfo)[0] : | ||
| switch (keyEncryptionAlgorighm) { | ||
| switch (keyEncryptionAlgorithm) { | ||
| case 'http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p': | ||
| return decryptKeyInfoWithScheme(encryptedKey, options, 'RSA-OAEP'); | ||
| case 'http://www.w3.org/2001/04/xmlenc#rsa-1_5': | ||
| utils.warnInsecureAlgorithm(keyEncryptionAlgorithm, options.warnInsecureAlgorithm); | ||
| return decryptKeyInfoWithScheme(encryptedKey, options, 'RSAES-PKCS1-V1_5'); | ||
| default: | ||
| throw new Error('key encryption algorithm ' + keyEncryptionAlgorighm + ' not supported'); | ||
| throw new Error('key encryption algorithm ' + keyEncryptionAlgorithm + ' not supported'); | ||
| } | ||
@@ -196,6 +262,6 @@ } | ||
| function decryptKeyInfoWithScheme(encryptedKey, options, scheme) { | ||
| var key = new Buffer(encryptedKey.textContent, 'base64').toString('binary'); | ||
| var key = Buffer.from(encryptedKey.textContent, 'base64').toString('binary'); | ||
| var private_key = pki.privateKeyFromPem(options.key); | ||
| var decrypted = private_key.decrypt(key, scheme); | ||
| return new Buffer(decrypted, 'binary'); | ||
| return Buffer.from(decrypted, 'binary'); | ||
| } | ||
@@ -211,3 +277,6 @@ | ||
| var encrypted = cipher.update(content, encoding, 'binary') + cipher.final('binary'); | ||
| return callback(null, Buffer.concat([iv, new Buffer(encrypted, 'binary')])); | ||
| var authTag = algorithm.slice(-3) === "gcm" ? cipher.getAuthTag() : Buffer.from(""); | ||
| //Format mentioned: https://www.w3.org/TR/xmlenc-core1/#sec-AES-GCM | ||
| var r = Buffer.concat([iv, Buffer.from(encrypted, 'binary'), authTag]); | ||
| return callback(null, r); | ||
| }); | ||
@@ -220,5 +289,11 @@ } | ||
| if (algorithm.slice(-3) === "gcm") { | ||
| decipher.setAuthTag(content.slice(-16)); | ||
| content = content.slice(0,-16); | ||
| } | ||
| var decrypted = decipher.update(content.slice(ivLength), null, 'binary') + decipher.final('binary'); | ||
| if (algorithm.slice(-3) !== "gcm") { | ||
| // Remove padding bytes equal to the value of the last byte of the returned data. | ||
| // Padding for GCM not required per: https://www.w3.org/TR/xmlenc-core1/#sec-AES-GCM | ||
| var padding = decrypted.charCodeAt(decrypted.length - 1); | ||
@@ -231,4 +306,5 @@ if (1 <= padding && padding <= ivLength) { | ||
| } | ||
| } | ||
| return new Buffer(decrypted, 'binary').toString('utf8'); | ||
| return Buffer.from(decrypted, 'binary').toString('utf8'); | ||
| } | ||
@@ -235,0 +311,0 @@ |
| { | ||
| "name": "@authenio/xml-encryption", | ||
| "version": "0.11.3", | ||
| "version": "1.2.1", | ||
| "devDependencies": { | ||
| "mocha": "3.3.0", | ||
| "should": "^11.2.1" | ||
| "mocha": "^7.1.2", | ||
| "should": "^11.2.1", | ||
| "sinon": "^9.0.2" | ||
| }, | ||
@@ -24,3 +25,3 @@ "main": "./lib", | ||
| "ejs": "^2.5.6", | ||
| "node-forge": "^0.7.4", | ||
| "node-forge": "^0.10.0", | ||
| "xmldom": "~0.1.15", | ||
@@ -33,4 +34,4 @@ "xpath": "0.0.27" | ||
| "engines": { | ||
| "node": ">=0.10" | ||
| "node": ">=8" | ||
| } | ||
| } |
@@ -5,2 +5,4 @@ [](https://travis-ci.org/auth0/node-xml-encryption) | ||
| Supports node >= 8 | ||
| ## Usage | ||
@@ -13,3 +15,3 @@ | ||
| ~~~js | ||
| var xmlenc = require('xmlenc'); | ||
| var xmlenc = require('xml-encryption'); | ||
@@ -20,3 +22,5 @@ var options = { | ||
| encryptionAlgorithm: 'http://www.w3.org/2001/04/xmlenc#aes256-cbc', | ||
| keyEncryptionAlgorighm: 'http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p' | ||
| keyEncryptionAlgorithm: 'http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p', | ||
| disallowEncryptionWithInsecureAlgorithm: true, | ||
| warnInsecureAlgorithm: true | ||
| }; | ||
@@ -57,2 +61,4 @@ | ||
| key: fs.readFileSync(__dirname + '/your_private_key.key'), | ||
| disallowDecryptionWithInsecureAlgorithm: true, | ||
| warnInsecureAlgorithm: true | ||
| }; | ||
@@ -73,13 +79,17 @@ | ||
| * EncryptedKey to transport symmetric key using: | ||
| * EncryptedKey to transport symmetric key using: | ||
| * http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p | ||
| * http://www.w3.org/2001/04/xmlenc#rsa-1_5 | ||
| * http://www.w3.org/2001/04/xmlenc#rsa-1_5 (Insecure Algorithm) | ||
| * EncryptedData using: | ||
| * EncryptedData using: | ||
| * http://www.w3.org/2001/04/xmlenc#aes128-cbc | ||
| * http://www.w3.org/2001/04/xmlenc#aes256-cbc | ||
| * http://www.w3.org/2001/04/xmlenc#tripledes-cbc | ||
| * http://www.w3.org/2009/xmlenc11#aes128-gcm | ||
| * http://www.w3.org/2009/xmlenc11#aes256-gcm | ||
| * http://www.w3.org/2001/04/xmlenc#tripledes-cbc (Insecure Algorithm) | ||
| However, you can fork and implement your own algorithm. The code supports adding more algorithms easily | ||
| Insecure Algorithms can be disabled via `disallowEncryptionWithInsecureAlgorithm`/`disallowDecryptionWithInsecureAlgorithm` flags when encrypting/decrypting. This flag is off by default in 0.x versions. | ||
| A warning will be piped to `stderr` using console.warn() by default when the aforementioned algorithms are used. This can be disabled via the `warnInsecureAlgorithm` flag. | ||
| ## Issue Reporting | ||
@@ -96,1 +106,4 @@ | ||
| This project is licensed under the MIT license. See the [LICENSE](LICENSE) file for more info. | ||
| ## Releases | ||
| Release notes may be found under github release page: https://github.com/auth0/node-xml-encryption/releases |
| var assert = require('assert'); | ||
| var fs = require('fs'); | ||
| var should = require('should'); | ||
| var sinon = require('sinon'); | ||
| var xmlenc = require('../lib'); | ||
@@ -7,3 +9,11 @@ var xpath = require('xpath'); | ||
| describe('encrypt', function() { | ||
| let consoleSpy = null; | ||
| beforeEach(function() { | ||
| consoleSpy = sinon.spy(console, 'warn'); | ||
| }); | ||
| afterEach(function() { | ||
| consoleSpy.restore(); | ||
| }); | ||
| var algorithms = [{ | ||
@@ -13,3 +23,3 @@ name: 'aes-256-cbc', | ||
| encryptionAlgorithm: 'http://www.w3.org/2001/04/xmlenc#aes256-cbc', | ||
| keyEncryptionAlgorighm: 'http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p' | ||
| keyEncryptionAlgorithm: 'http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p' | ||
| } | ||
@@ -20,9 +30,21 @@ }, { | ||
| encryptionAlgorithm: 'http://www.w3.org/2001/04/xmlenc#aes128-cbc', | ||
| keyEncryptionAlgorighm: 'http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p' | ||
| keyEncryptionAlgorithm: 'http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p' | ||
| } | ||
| }, { | ||
| name: 'aes-256-gcm', | ||
| encryptionOptions: { | ||
| encryptionAlgorithm: 'http://www.w3.org/2009/xmlenc11#aes256-gcm', | ||
| keyEncryptionAlgorithm: 'http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p' | ||
| } | ||
| }, { | ||
| name: 'aes-128-gcm', | ||
| encryptionOptions: { | ||
| encryptionAlgorithm: 'http://www.w3.org/2009/xmlenc11#aes128-gcm', | ||
| keyEncryptionAlgorithm: 'http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p' | ||
| } | ||
| }, { | ||
| name: 'des-ede3-cbc', | ||
| encryptionOptions: { | ||
| encryptionAlgorithm: 'http://www.w3.org/2001/04/xmlenc#tripledes-cbc', | ||
| keyEncryptionAlgorighm: 'http://www.w3.org/2001/04/xmlenc#rsa-1_5' | ||
| keyEncryptionAlgorithm: 'http://www.w3.org/2001/04/xmlenc#rsa-1_5' | ||
| } | ||
@@ -52,5 +74,6 @@ }]; | ||
| options.key = fs.readFileSync(__dirname + '/test-auth0.key'), | ||
| options.warnInsecureAlgorithm = false; | ||
| xmlenc.encrypt(content, options, function(err, result) { | ||
| xmlenc.decrypt(result, { key: fs.readFileSync(__dirname + '/test-auth0.key')}, function (err, decrypted) { | ||
| xmlenc.decrypt(result, { key: fs.readFileSync(__dirname + '/test-auth0.key'), warnInsecureAlgorithm: false}, function (err, decrypted) { | ||
| assert.equal(decrypted, content); | ||
@@ -62,2 +85,81 @@ done(); | ||
| describe('des-ede3-cbc fails', function() { | ||
| it('should fail encryption when disallowEncryptionWithInsecureAlgorithm is set', function(done) { | ||
| const options = { | ||
| rsa_pub: fs.readFileSync(__dirname + '/test-auth0_rsa.pub'), | ||
| pem: fs.readFileSync(__dirname + '/test-auth0.pem'), | ||
| key: fs.readFileSync(__dirname + '/test-auth0.key'), | ||
| disallowEncryptionWithInsecureAlgorithm: true, | ||
| encryptionAlgorithm: 'http://www.w3.org/2001/04/xmlenc#tripledes-cbc', | ||
| keyEncryptionAlgorithm: 'http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p' | ||
| } | ||
| xmlenc.encrypt('encrypt me', options, function(err, result) { | ||
| assert(err); | ||
| assert(!result); | ||
| //should not pop up warns due to options.warnInsecureAlgorithm = false; | ||
| consoleSpy.called.should.equal(false); | ||
| done(); | ||
| }); | ||
| }); | ||
| it('should fail decryption when disallowDecryptionWithInsecureAlgorithm is set', function(done) { | ||
| const options = { | ||
| rsa_pub: fs.readFileSync(__dirname + '/test-auth0_rsa.pub'), | ||
| pem: fs.readFileSync(__dirname + '/test-auth0.pem'), | ||
| key: fs.readFileSync(__dirname + '/test-auth0.key'), | ||
| encryptionAlgorithm: 'http://www.w3.org/2001/04/xmlenc#tripledes-cbc', | ||
| keyEncryptionAlgorithm: 'http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p' | ||
| } | ||
| xmlenc.encrypt('encrypt me', options, function(err, result) { | ||
| xmlenc.decrypt(result, | ||
| { key: fs.readFileSync(__dirname + '/test-auth0.key'), | ||
| disallowDecryptionWithInsecureAlgorithm: true}, | ||
| function (err, decrypted) { | ||
| assert(err); | ||
| assert(!decrypted); | ||
| done(); | ||
| }); | ||
| }); | ||
| }); | ||
| }); | ||
| describe('rsa-1.5 fails', function() { | ||
| it('should fail encryption when disallowEncryptionWithInsecureAlgorithm is set', function(done) { | ||
| const options = { | ||
| rsa_pub: fs.readFileSync(__dirname + '/test-auth0_rsa.pub'), | ||
| pem: fs.readFileSync(__dirname + '/test-auth0.pem'), | ||
| key: fs.readFileSync(__dirname + '/test-auth0.key'), | ||
| disallowEncryptionWithInsecureAlgorithm: true, | ||
| encryptionAlgorithm: 'http://www.w3.org/2001/04/xmlenc#aes256-cbc', | ||
| keyEncryptionAlgorithm: 'http://www.w3.org/2001/04/xmlenc#rsa-1_5' | ||
| } | ||
| xmlenc.encrypt('encrypt me', options, function(err, result) { | ||
| assert(err); | ||
| assert(!result); | ||
| done(); | ||
| }); | ||
| }); | ||
| it('should fail decryption when disallowDecryptionWithInsecureAlgorithm is set', function(done) { | ||
| const options = { | ||
| rsa_pub: fs.readFileSync(__dirname + '/test-auth0_rsa.pub'), | ||
| pem: fs.readFileSync(__dirname + '/test-auth0.pem'), | ||
| key: fs.readFileSync(__dirname + '/test-auth0.key'), | ||
| encryptionAlgorithm: 'http://www.w3.org/2001/04/xmlenc#aes256-cbc', | ||
| keyEncryptionAlgorithm: 'http://www.w3.org/2001/04/xmlenc#rsa-1_5' | ||
| } | ||
| xmlenc.encrypt('encrypt me', options, function(err, result) { | ||
| xmlenc.decrypt(result, | ||
| { key: fs.readFileSync(__dirname + '/test-auth0.key'), | ||
| disallowDecryptionWithInsecureAlgorithm: true}, | ||
| function (err, decrypted) { | ||
| assert(err); | ||
| assert(!decrypted); | ||
| done(); | ||
| }); | ||
| }); | ||
| }); | ||
| }); | ||
| it('should encrypt and decrypt keyinfo', function (done) { | ||
@@ -67,3 +169,3 @@ var options = { | ||
| pem: fs.readFileSync(__dirname + '/test-auth0.pem'), | ||
| keyEncryptionAlgorighm: 'http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p' | ||
| keyEncryptionAlgorithm: 'http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p' | ||
| }; | ||
@@ -103,2 +205,40 @@ | ||
| it('should fail encrypt when disallowEncryptionWithInsecureAlgorithm is set', function (done) { | ||
| var options = { | ||
| rsa_pub: fs.readFileSync(__dirname + '/test-auth0_rsa.pub'), | ||
| pem: fs.readFileSync(__dirname + '/test-auth0.pem'), | ||
| keyEncryptionAlgorithm: 'http://www.w3.org/2001/04/xmlenc#rsa-1_5', | ||
| disallowEncryptionWithInsecureAlgorithm: true | ||
| }; | ||
| var plaintext = 'The quick brown fox jumps over the lazy dog'; | ||
| xmlenc.encryptKeyInfo(plaintext, options, function(err, encryptedKeyInfo) { | ||
| assert(err); | ||
| done(); | ||
| }); | ||
| }); | ||
| it('should encrypt and fail decrypt due to insecure algorithms', function (done) { | ||
| var options = { | ||
| rsa_pub: fs.readFileSync(__dirname + '/test-auth0_rsa.pub'), | ||
| pem: fs.readFileSync(__dirname + '/test-auth0.pem'), | ||
| keyEncryptionAlgorithm: 'http://www.w3.org/2001/04/xmlenc#rsa-1_5' | ||
| }; | ||
| var plaintext = 'The quick brown fox jumps over the lazy dog'; | ||
| xmlenc.encryptKeyInfo(plaintext, options, function(err, encryptedKeyInfo) { | ||
| if (err) return done(err); | ||
| consoleSpy.called.should.equal(true); | ||
| assert.throws( | ||
| function(){xmlenc.decryptKeyInfo( | ||
| encryptedKeyInfo, | ||
| {key: fs.readFileSync(__dirname + '/test-auth0.key'), | ||
| disallowDecryptionWithInsecureAlgorithm: true})}, | ||
| Error, | ||
| "Error thrown due to disallowing insecure algorithms."); | ||
| done(); | ||
| }); | ||
| }); | ||
| }); |
Sorry, the diff of this file is not supported yet
New alerts
License Policy Violation
LicenseThis package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package
Fixed alerts
License Policy Violation
LicenseThis package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package
No v1
QualityPackage is not semver >=1. This means it is not stable and does not support ^ ranges.
Found 1 instance in 1 package
Improved metrics
- Total package byte prevSize
- increased by25.44%
62528
- Number of package files
- increased by13.64%
25
- Lines of code
- increased by74.92%
544
- Number of low quality alerts
- decreased by-50%
1
- Number of lines in readme file
- increased by14.29%
104
Worsened metrics
- Dev dependency count
- increased by50%
3
Dependency changes
+ Addednode-forge@0.10.0(transitive)
- Removednode-forge@0.7.6(transitive)
Updatednode-forge@^0.10.0