
node-webtokens - npm Package Compare versions

Comparing version 1.0.0 to 1.0.1

22

lib/jwe.js

@@ -39,9 +39,9 @@ const crypto = require('crypto');

if (aMatch[2]) {
salt = crypto.randomBytes(8);
salt = Buffer.concat([Buffer.from(alg), Buffer.from([0]), salt]);
header.p2c = 1000;
header.p2s = buf2b64url(salt);
let p2s = crypto.randomBytes(16);
header.p2c = 1024;
header.p2s = buf2b64url(p2s);
salt = Buffer.concat([Buffer.from(alg), Buffer.from([0]), p2s]);
if (!cb) {
let bits = Number(aMatch[2]);
key = crypto.pbkdf2Sync(key, salt, 1000, bits >> 4, `sha${bits}`);
key = crypto.pbkdf2Sync(key, salt, header.p2c, bits >> 4, `sha${bits}`);
}

@@ -54,4 +54,4 @@ }

let bits = Number(aMatch[2]);
crypto.pbkdf2(key, salt, 1000, bits >> 4, `sha${bits}`, (error, key) => {
if (error) return cb(error);
crypto.pbkdf2(key, salt, header.p2c, bits >> 4, `sha${bits}`, (err, key) => {
if (err) return cb(err);
generateJwe(aMatch, eMatch, aad, payload, key, cb);

@@ -139,6 +139,6 @@ });

iter = parsed.header.p2c;
if (!Number.isInteger(iter) || iter < 1 || iter > 10000) {
if (!Number.isInteger(iter) || iter < 1 || iter > 16384) {
parsed.error = { message: 'Missing or invalid p2c claim in header' };
return responder(null, parsed, cb);
} else if (!cb && iter > 1000) {
} else if (!cb && iter > 1024) {
parsed.error = { message: 'p2c value too large for synchronous mode' };

@@ -151,3 +151,5 @@ return responder(null, parsed, cb);

}
salt = Buffer.from(parsed.header.p2s, 'base64');
let p2s = Buffer.from(parsed.header.p2s, 'base64');
let alg = parsed.header.alg;
salt = Buffer.concat([Buffer.from(alg), Buffer.from([0]), p2s]);
if (!cb) {

@@ -154,0 +156,0 @@ let bits = Number(aMatch[2]);
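Review bot: In the hunk at @@ -151, the decoded salt input `p2s` goes straight into the `Buffer.concat` with no check of its type or size, whereas the `p2c` claim in the @@ -139 hunk is validated before use; RFC 7518 §4.8.1.1 requires a Salt Input of at least 8 octets, and `Buffer.from(undefined, 'base64')` throws a TypeError instead of setting `parsed.error` when the claim is absent, unless that is handled earlier in the function, which the hunk does not show. Mirroring the p2c check, `let p2s = typeof parsed.header.p2s === 'string' ? Buffer.from(parsed.header.p2s, 'base64') : Buffer.alloc(0);` followed by `if (p2s.length < 8) { parsed.error = { message: 'Missing or invalid p2s claim in header' }; return responder(null, parsed, cb); }` would keep a malformed header on the library's normal error path. The literals 1024 and 16384 now appear in the @@ -39 and @@ -139 hunks as well as the README; naming them once as module-level constants would keep the generator's default and the verifier's synchronous cap from drifting apart. The 1024 default sits just above the 1000-iteration floor RFC 7518 §4.8.1.2 recommends, so a comment recording that choice, and that the verification caps bound attacker-controlled work rather than set the issuer's own strength, would help the next reader. The enclosing functions in both hunks start and end outside the hunk.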

{
"name": "node-webtokens",
"version": "1.0.0",
"version": "1.0.1",
"description": "Simple, opinionated implementation of JWS and JWE compact serialization",

@@ -5,0 +5,0 @@ "main": "index.js",

@@ -396,3 +396,3 @@ # node-webtokens

> With [PBES2](https://tools.ietf.org/html/rfc7518#section-4.8), key derivation at token generation time performs 1000 [PBKDF2](https://tools.ietf.org/html/rfc8018) iterations. Hence the recommendation to use the asynchronous mode.
> With [PBES2](https://tools.ietf.org/html/rfc7518#section-4.8), key derivation at token generation time performs 1024 [PBKDF2](https://tools.ietf.org/html/rfc8018) iterations. Hence the recommendation to use the asynchronous mode.

@@ -408,3 +408,3 @@ Token verification with asynchronous API:

enc: 'A256GCM',
p2c: 1000,
p2c: 1024,
p2s: 'UEJFUzItSFM1MTIrQTI1NktXADct7gg2MjXk' } */

@@ -421,3 +421,3 @@ console.log(parsed.payload);

> With [PBES2](https://tools.ietf.org/html/rfc7518#section-4.8), key derivation at token verification time performs the number of [PBKDF2](https://tools.ietf.org/html/rfc8018) iterations indicated by the `p2c` claim in the [JWE](https://tools.ietf.org/html/rfc7516) header. For protection against bogus tokens, the token verification API rejects `p2c` values larger than 1000 when used in synchronous mode or 10000 when used in asynchronous mode.
> With [PBES2](https://tools.ietf.org/html/rfc7518#section-4.8), key derivation at token verification time performs the number of [PBKDF2](https://tools.ietf.org/html/rfc8018) iterations indicated by the `p2c` claim in the [JWE](https://tools.ietf.org/html/rfc7516) header. For protection against bogus tokens, the token verification API rejects `p2c` values larger than 1024 when used in synchronous mode or 16384 when used in asynchronous mode.

@@ -424,0 +424,0 @@ ### Credits

