New Case Study:See how Anthropic automated 95% of dependency reviews with Socket.Learn More →
xml-encryption
Advanced tools
xml-encryption - npm Package Compare versions
Comparing version 0.11.2 to 0.13.0
| var crypto = require('crypto'); | ||
| var async = require('async'); | ||
| var xmldom = require('xmldom'); | ||
@@ -8,2 +7,7 @@ var xpath = require('xpath'); | ||
| const insecureAlgorithms = [ | ||
| //https://www.w3.org/TR/xmlenc-core1/#rsav15note | ||
| 'http://www.w3.org/2001/04/xmlenc#rsa-1_5', | ||
| //https://csrc.nist.gov/News/2017/Update-to-Current-Use-and-Deprecation-of-TDEA | ||
| 'http://www.w3.org/2001/04/xmlenc#tripledes-cbc']; | ||
| function encryptKeyInfoWithScheme(symmetricKey, options, scheme, callback) { | ||
@@ -13,3 +17,3 @@ try { | ||
| var encrypted = rsa_pub.encrypt(symmetricKey.toString('binary'), scheme); | ||
| var base64EncodedEncryptedKey = new Buffer(encrypted, 'binary').toString('base64'); | ||
| var base64EncodedEncryptedKey = Buffer.from(encrypted, 'binary').toString('base64'); | ||
@@ -39,3 +43,6 @@ var params = { | ||
| return callback(new Error('encryption without encrypted key is not supported yet')); | ||
| if (options.disallowEncryptionWithInsecureAlgorithm | ||
| && insecureAlgorithms.indexOf(options.keyEncryptionAlgorighm) >= 0) { | ||
| return callback(new Error('encryption algorithm ' + options.keyEncryptionAlgorighm + 'is not secure')); | ||
| } | ||
| switch (options.keyEncryptionAlgorighm) { | ||
@@ -62,59 +69,85 @@ case 'http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p': | ||
| return callback(new Error('pem option is mandatory and you should provide a valid x509 certificate encoded as PEM')); | ||
| if (options.disallowEncryptionWithInsecureAlgorithm | ||
| && insecureAlgorithms.indexOf(options.keyEncryptionAlgorighm) >= 0) { | ||
| return callback(new Error('encryption algorithm ' + options.keyEncryptionAlgorighm + 'is not secure')); | ||
| } | ||
| options.input_encoding = options.input_encoding || 'utf8'; | ||
| async.waterfall([ | ||
| function generate_symmetric_key(cb) { | ||
| switch (options.encryptionAlgorithm) { | ||
| case 'http://www.w3.org/2001/04/xmlenc#aes128-cbc': | ||
| crypto.randomBytes(16, cb); // generate a symmetric random key 16 bytes length | ||
| break; | ||
| case 'http://www.w3.org/2001/04/xmlenc#aes256-cbc': | ||
| crypto.randomBytes(32, cb); // generate a symmetric random key 32 bytes length | ||
| break; | ||
| case 'http://www.w3.org/2001/04/xmlenc#tripledes-cbc': | ||
| crypto.randomBytes(24, cb); // generate a symmetric random key 24 bytes (192 bits) length | ||
| break; | ||
| default: | ||
| crypto.randomBytes(32, cb); // generate a symmetric random key 32 bytes length | ||
| } | ||
| }, | ||
| function encrypt_content(symmetricKey, cb) { | ||
| switch (options.encryptionAlgorithm) { | ||
| case 'http://www.w3.org/2001/04/xmlenc#aes128-cbc': | ||
| encryptWithAlgorithm('aes-128-cbc', symmetricKey, 16, content, options.input_encoding, function (err, encryptedContent) { | ||
| if (err) return cb(err); | ||
| cb(null, symmetricKey, encryptedContent); | ||
| }); | ||
| break; | ||
| case 'http://www.w3.org/2001/04/xmlenc#aes256-cbc': | ||
| encryptWithAlgorithm('aes-256-cbc', symmetricKey, 16, content, options.input_encoding, function (err, encryptedContent) { | ||
| if (err) return cb(err); | ||
| cb(null, symmetricKey, encryptedContent); | ||
| }); | ||
| break; | ||
| case 'http://www.w3.org/2001/04/xmlenc#tripledes-cbc': | ||
| encryptWithAlgorithm('des-ede3-cbc', symmetricKey, 8, content, options.input_encoding, function (err, encryptedContent) { | ||
| if (err) return cb(err); | ||
| cb(null, symmetricKey, encryptedContent); | ||
| }); | ||
| break; | ||
| default: | ||
| cb(new Error('encryption algorithm not supported')); | ||
| } | ||
| }, | ||
| function encrypt_key(symmetricKey, encryptedContent, cb) { | ||
| encryptKeyInfo(symmetricKey, options, function(err, keyInfo) { | ||
| if (err) return cb(err); | ||
| function generate_symmetric_key(cb) { | ||
| switch (options.encryptionAlgorithm) { | ||
| case 'http://www.w3.org/2001/04/xmlenc#aes128-cbc': | ||
| crypto.randomBytes(16, cb); // generate a symmetric random key 16 bytes length | ||
| break; | ||
| case 'http://www.w3.org/2001/04/xmlenc#aes256-cbc': | ||
| crypto.randomBytes(32, cb); // generate a symmetric random key 32 bytes length | ||
| break; | ||
| case 'http://www.w3.org/2001/04/xmlenc#tripledes-cbc': | ||
| crypto.randomBytes(24, cb); // generate a symmetric random key 24 bytes (192 bits) length | ||
| break; | ||
| default: | ||
| crypto.randomBytes(32, cb); // generate a symmetric random key 32 bytes length | ||
| } | ||
| } | ||
| var result = utils.renderTemplate('encrypted-key', { | ||
| encryptedContent: encryptedContent.toString('base64'), | ||
| keyInfo: keyInfo, | ||
| contentEncryptionMethod: options.encryptionAlgorithm | ||
| function encrypt_content(symmetricKey, cb) { | ||
| switch (options.encryptionAlgorithm) { | ||
| case 'http://www.w3.org/2001/04/xmlenc#aes128-cbc': | ||
| encryptWithAlgorithm('aes-128-cbc', symmetricKey, 16, content, options.input_encoding, function (err, encryptedContent) { | ||
| if (err) return cb(err); | ||
| cb(null, encryptedContent); | ||
| }); | ||
| break; | ||
| case 'http://www.w3.org/2001/04/xmlenc#aes256-cbc': | ||
| encryptWithAlgorithm('aes-256-cbc', symmetricKey, 16, content, options.input_encoding, function (err, encryptedContent) { | ||
| if (err) return cb(err); | ||
| cb(null, encryptedContent); | ||
| }); | ||
| break; | ||
| case 'http://www.w3.org/2001/04/xmlenc#tripledes-cbc': | ||
| encryptWithAlgorithm('des-ede3-cbc', symmetricKey, 8, content, options.input_encoding, function (err, encryptedContent) { | ||
| if (err) return cb(err); | ||
| cb(null, encryptedContent); | ||
| }); | ||
| break; | ||
| default: | ||
| cb(new Error('encryption algorithm not supported')); | ||
| } | ||
| } | ||
| cb(null, result); | ||
| function encrypt_key(symmetricKey, encryptedContent, cb) { | ||
| encryptKeyInfo(symmetricKey, options, function(err, keyInfo) { | ||
| if (err) return cb(err); | ||
| var result = utils.renderTemplate('encrypted-key', { | ||
| encryptedContent: encryptedContent.toString('base64'), | ||
| keyInfo: keyInfo, | ||
| contentEncryptionMethod: options.encryptionAlgorithm | ||
| }); | ||
| cb(null, result); | ||
| }); | ||
| } | ||
| generate_symmetric_key(function (genKeyError, symmetricKey) { | ||
| if (genKeyError) { | ||
| return callback(genKeyError); | ||
| } | ||
| ], callback); | ||
| encrypt_content(symmetricKey, function(encryptContentError, encryptedContent) { | ||
| if (encryptContentError) { | ||
| return callback(encryptContentError); | ||
| } | ||
| encrypt_key(symmetricKey, encryptedContent, function (encryptKeyError, result) { | ||
| if (encryptKeyError) { | ||
| return callback(encryptKeyError); | ||
| } | ||
| callback(null, result); | ||
| }); | ||
| }); | ||
| }); | ||
| } | ||
@@ -129,3 +162,2 @@ | ||
| return callback(new Error('key option is mandatory and you should provide a valid RSA private key')); | ||
| try { | ||
@@ -138,5 +170,9 @@ var doc = typeof xml === 'string' ? new xmldom.DOMParser().parseFromString(xml) : xml; | ||
| if (options.disallowDecryptionWithInsecureAlgorithm | ||
| && insecureAlgorithms.indexOf(encryptionAlgorithm) >= 0) { | ||
| throw new Error('encryption algorithm ' + encryptionAlgorithm + ' is not secure, fail to decrypt'); | ||
| } | ||
| var encryptedContent = xpath.select("//*[local-name(.)='EncryptedData']/*[local-name(.)='CipherData']/*[local-name(.)='CipherValue']", doc)[0]; | ||
| var encrypted = new Buffer(encryptedContent.textContent, 'base64'); | ||
| var encrypted = Buffer.from(encryptedContent.textContent, 'base64'); | ||
@@ -175,3 +211,7 @@ switch (encryptionAlgorithm) { | ||
| var keyEncryptionAlgorighm = keyEncryptionMethod.getAttribute('Algorithm'); | ||
| var keyEncryptionAlgorithm = keyEncryptionMethod.getAttribute('Algorithm'); | ||
| if (options.disallowDecryptionWithInsecureAlgorithm | ||
| && insecureAlgorithms.indexOf(keyEncryptionAlgorithm) >= 0) { | ||
| throw new Error('encryption algorithm ' + keyEncryptionAlgorithm + ' is not secure, fail to decrypt'); | ||
| } | ||
| var encryptedKey = keyRetrievalMethodUri ? | ||
@@ -181,3 +221,3 @@ xpath.select("//*[local-name(.)='EncryptedKey' and @Id='" + keyRetrievalMethodUri.substring(1) + "']/*[local-name(.)='CipherData']/*[local-name(.)='CipherValue']", keyInfo)[0] : | ||
| switch (keyEncryptionAlgorighm) { | ||
| switch (keyEncryptionAlgorithm) { | ||
| case 'http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p': | ||
@@ -193,6 +233,6 @@ return decryptKeyInfoWithScheme(encryptedKey, options, 'RSA-OAEP'); | ||
| function decryptKeyInfoWithScheme(encryptedKey, options, scheme) { | ||
| var key = new Buffer(encryptedKey.textContent, 'base64').toString('binary'); | ||
| var key = Buffer.from(encryptedKey.textContent, 'base64').toString('binary'); | ||
| var private_key = pki.privateKeyFromPem(options.key); | ||
| var decrypted = private_key.decrypt(key, scheme); | ||
| return new Buffer(decrypted, 'binary'); | ||
| return Buffer.from(decrypted, 'binary'); | ||
| } | ||
@@ -208,3 +248,3 @@ | ||
| var encrypted = cipher.update(content, encoding, 'binary') + cipher.final('binary'); | ||
| return callback(null, Buffer.concat([iv, new Buffer(encrypted, 'binary')])); | ||
| return callback(null, Buffer.concat([iv, Buffer.from(encrypted, 'binary')])); | ||
| }); | ||
@@ -228,3 +268,3 @@ } | ||
| return new Buffer(decrypted, 'binary').toString('utf8'); | ||
| return Buffer.from(decrypted, 'binary').toString('utf8'); | ||
| } | ||
@@ -231,0 +271,0 @@ |
| { | ||
| "name": "xml-encryption", | ||
| "version": "0.11.2", | ||
| "version": "0.13.0", | ||
| "devDependencies": { | ||
@@ -22,3 +22,2 @@ "mocha": "3.3.0", | ||
| "dependencies": { | ||
| "async": "^2.1.5", | ||
| "ejs": "^2.5.6", | ||
@@ -33,4 +32,4 @@ "node-forge": "^0.7.0", | ||
| "engines": { | ||
| "node": ">=0.10" | ||
| "node": ">=4" | ||
| } | ||
| } |
@@ -12,3 +12,3 @@ [](https://travis-ci.org/auth0/node-xml-encryption) | ||
| ~~~js | ||
| var xmlenc = require('xmlenc'); | ||
| var xmlenc = require('xml-encryption'); | ||
@@ -19,3 +19,4 @@ var options = { | ||
| encryptionAlgorithm: 'http://www.w3.org/2001/04/xmlenc#aes256-cbc', | ||
| keyEncryptionAlgorighm: 'http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p' | ||
| keyEncryptionAlgorithm: 'http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p', | ||
| disallowInsecureEncryptionAlgorithm: true | ||
| }; | ||
@@ -56,2 +57,3 @@ | ||
| key: fs.readFileSync(__dirname + '/your_private_key.key'), | ||
| disallowInsecureDecryptionAlgorithm: true; | ||
| }; | ||
@@ -72,11 +74,13 @@ | ||
| * EncryptedKey to transport symmetric key using: | ||
| * EncryptedKey to transport symmetric key using: | ||
| * http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p | ||
| * http://www.w3.org/2001/04/xmlenc#rsa-1_5 | ||
| * http://www.w3.org/2001/04/xmlenc#rsa-1_5 (Insecure Algorithm) | ||
| * EncryptedData using: | ||
| * EncryptedData using: | ||
| * http://www.w3.org/2001/04/xmlenc#aes128-cbc | ||
| * http://www.w3.org/2001/04/xmlenc#aes256-cbc | ||
| * http://www.w3.org/2001/04/xmlenc#tripledes-cbc | ||
| * http://www.w3.org/2001/04/xmlenc#tripledes-cbc (Insecure Algorithm) | ||
| Insecure Algorithms can be disabled via disallowInsecureEncryptionAlgorithm/disallowInsecureDecryptionAlgorithm flags when encrypting/decrypting. This flag is off by default in 0.x versions. | ||
| However, you can fork and implement your own algorithm. The code supports adding more algorithms easily | ||
@@ -83,0 +87,0 @@ |
@@ -58,2 +58,41 @@ var assert = require('assert'); | ||
| describe('des-ede3-cbc fails', function() { | ||
| it('should fail encryption when disallowInsecureEncryptionAlgorithm is set', function(done) { | ||
| const options = { | ||
| rsa_pub: fs.readFileSync(__dirname + '/test-auth0_rsa.pub'), | ||
| pem: fs.readFileSync(__dirname + '/test-auth0.pem'), | ||
| key: fs.readFileSync(__dirname + '/test-auth0.key'), | ||
| disallowInsecureEncryptionAlgorithm: true, | ||
| encryptionAlgorithm: 'http://www.w3.org/2001/04/xmlenc#aes128-cbc', | ||
| keyEncryptionAlgorighm: 'http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p' | ||
| } | ||
| //options.encryptionAlgorithm = 'http://www.w3.org/2001/04/xmlenc#tripledes-cbc', | ||
| //options.keyEncryptionAlgorighm = 'http://www.w3.org/2001/04/xmlenc#rsa-1_5'; | ||
| xmlenc.encrypt('encrypt me', options, function(err, result) { | ||
| assert(err); | ||
| done(); | ||
| }); | ||
| }); | ||
| it('should fail decryption when disallowInsecureDecryptionAlgorithm is set', function(done) { | ||
| const options = { | ||
| rsa_pub: fs.readFileSync(__dirname + '/test-auth0_rsa.pub'), | ||
| pem: fs.readFileSync(__dirname + '/test-auth0.pem'), | ||
| key: fs.readFileSync(__dirname + '/test-auth0.key'), | ||
| encryptionAlgorithm: 'http://www.w3.org/2001/04/xmlenc#aes128-cbc', | ||
| keyEncryptionAlgorighm: 'http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p' | ||
| } | ||
| xmlenc.encrypt('encrypt me', options, function(err, result) { | ||
| xmlenc.decrypt(result, | ||
| { key: fs.readFileSync(__dirname + '/test-auth0.key'), | ||
| disallowInsecureDecryptionAlgorithm: true}, | ||
| function (err, decrypted) { | ||
| assert(err); | ||
| done(); | ||
| }); | ||
| }); | ||
| }); | ||
| }); | ||
| it('should encrypt and decrypt keyinfo', function (done) { | ||
@@ -98,2 +137,41 @@ var options = { | ||
| it('should fail encrypt when disallowInsecureDecryptionAlgorithm is set', function (done) { | ||
| var options = { | ||
| rsa_pub: fs.readFileSync(__dirname + '/test-auth0_rsa.pub'), | ||
| pem: fs.readFileSync(__dirname + '/test-auth0.pem'), | ||
| keyEncryptionAlgorighm: 'http://www.w3.org/2001/04/xmlenc#rsa-1_5', | ||
| disallowInsecureEncryptionAlgorithm: true | ||
| }; | ||
| var plaintext = 'The quick brown fox jumps over the lazy dog'; | ||
| xmlenc.encryptKeyInfo(plaintext, options, function(err, encryptedKeyInfo) { | ||
| assert(err); | ||
| done(); | ||
| }); | ||
| }); | ||
| it('should encrypt and fail decrypt due to insecure algorithms', function (done) { | ||
| var options = { | ||
| rsa_pub: fs.readFileSync(__dirname + '/test-auth0_rsa.pub'), | ||
| pem: fs.readFileSync(__dirname + '/test-auth0.pem'), | ||
| keyEncryptionAlgorighm: 'http://www.w3.org/2001/04/xmlenc#rsa-1_5' | ||
| }; | ||
| var plaintext = 'The quick brown fox jumps over the lazy dog'; | ||
| xmlenc.encryptKeyInfo(plaintext, options, function(err, encryptedKeyInfo) { | ||
| if (err) return done(err); | ||
| assert.throws( | ||
| function(){xmlenc.decryptKeyInfo( | ||
| encryptedKeyInfo, | ||
| {key: fs.readFileSync(__dirname + '/test-auth0.key'), | ||
| disallowDecryptionWithInsecureAlgorithm: true})}, | ||
| Error, | ||
| "Error thrown due to disallowing insecure algorithms."); | ||
| done(); | ||
| }); | ||
| }); | ||
| }); |
Sorry, the diff of this file is not supported yet
No alert changes
Improved metrics
- Dependency count
- decreased by-20%
4
- Lines of code
- increased by32.8%
413
- Number of lines in readme file
- increased by4.4%
95
Worsened metrics
- Total package byte prevSize
- decreased by-23.32%
54765
- Number of package files
- decreased by-17.86%
23
Dependency changes
- Removedasync@^2.1.5
- Removedasync@2.6.4(transitive)
- Removedlodash@4.17.21(transitive)