@socialgouv/aes-gcm-rsa-oaep

AES-GCM + RSA OAEP encryption

AES-GCM + RSA-OAEP encryption/decryption using WebCrypto API in NodeJS or in the browser

Tests uses @peculiar/webcrypto for polyfilling browser crypto api.

This can be used to replace kubeseal encryption in JavaScript environments.

See demo : http://socialgouv.github.io/webseal

Usage

High level

import { encryptValue, encryptValues, getSealedSecret } from "@socialgouv/aes-gcm-rsa-oaep"

// encrypt single value
const encryptedValue =  encryptValue({
  pemKey: "somekey",
  scope: "cluster",
  namespace: "dev",
  name: "my-secret",
  value: "plain-value";
});

// encrypt multiple values
const encryptedValue =  encryptValues({
  pemKey: "somekey",
  scope: "cluster",
  namespace: "dev",
  name: "my-secret",
  values: {
    value1: "plain1",
    value2: "plain2"
  }
});

// get sealed-secret
const sealedSecret =  getSealedSecret({
  pemKey: "somekey",
  scope: "cluster",
  namespace: "dev",
  name: "my-secret",
  values: {
    value1: "plain1",
    value2: "plain2"
  }
});

Low level

import { pki } from 'node-forge';
import { HybridEncrypt, pemPublicKeyToCryptoKey } from '@socialgouv/aes-gcm-rsa-oaep';

const publicKeyPem = pki.publicKeyToPem(cert.publicKey);
const publicKey = await pemPublicKeyToCryptoKey(publicKeyPem);

const plainText = 'Bonjour le monde';
const label = Buffer.from('');

const result = await HybridEncrypt(publicKey, plainText, label);

const sealedText = Buffer.from(result).toString('base64');

Encryption Algorithm

To encrypt content, we go through the following steps :

• Generate a 128 bits AES key

• Encrypt the payload using the AES-GCM algorithm (with the previously generated key). We use a 12 bits of 0 as IV, because the key is only used once.

• Encrypt the AES key using the RSA-OAEP algorithm (using the provided public key).

• Generate the output payload this way : (RSA payload length as 2 bytes integer) || (RSA encrypted aes key) || (AES encrypted payload)