xml-encryption
Advanced tools
xml-encryption - npm Package Compare versions
Comparing version 1.0.0 to 1.1.0
@@ -9,3 +9,3 @@ var path = require('path'), | ||
| function renderTemplate (file, data) { | ||
| function renderTemplate(file, data) { | ||
| return templates[file](data); | ||
@@ -23,6 +23,12 @@ } | ||
| function warnInsecureAlgorithm(algorithm, enabled = true) { | ||
| if (enabled) { | ||
| console.warn(algorithm + " is no longer recommended due to security reasons. Please deprecate its use as soon as possible.") | ||
| } | ||
| } | ||
| module.exports = { | ||
| renderTemplate: renderTemplate, | ||
| pemToCert: pemToCert | ||
| pemToCert: pemToCert, | ||
| warnInsecureAlgorithm, warnInsecureAlgorithm | ||
| }; |
@@ -50,2 +50,3 @@ var crypto = require('crypto'); | ||
| case 'http://www.w3.org/2001/04/xmlenc#rsa-1_5': | ||
| utils.warnInsecureAlgorithm(options.keyEncryptionAlgorithm, options.warnInsecureAlgorithm); | ||
| return encryptKeyInfoWithScheme(symmetricKey, options, 'RSAES-PKCS1-V1_5', callback); | ||
@@ -82,3 +83,10 @@ | ||
| break; | ||
| case 'http://www.w3.org/2009/xmlenc11#aes128-gcm': | ||
| crypto.randomBytes(16, cb); // generate a symmetric random key 16 bytes length | ||
| break; | ||
| case 'http://www.w3.org/2009/xmlenc11#aes256-gcm': | ||
| crypto.randomBytes(32, cb); // generate a symmetric random key 32 bytes length | ||
| break; | ||
| case 'http://www.w3.org/2001/04/xmlenc#tripledes-cbc': | ||
| utils.warnInsecureAlgorithm(options.encryptionAlgorithm, options.warnInsecureAlgorithm); | ||
| crypto.randomBytes(24, cb); // generate a symmetric random key 24 bytes (192 bits) length | ||
@@ -105,3 +113,16 @@ break; | ||
| break; | ||
| case 'http://www.w3.org/2009/xmlenc11#aes128-gcm': | ||
| encryptWithAlgorithm('aes-128-gcm', symmetricKey, 12, content, options.input_encoding, function (err, encryptedContent) { | ||
| if (err) return cb(err); | ||
| cb(null, encryptedContent); | ||
| }); | ||
| break; | ||
| case 'http://www.w3.org/2009/xmlenc11#aes256-gcm': | ||
| encryptWithAlgorithm('aes-256-gcm', symmetricKey, 12, content, options.input_encoding, function (err, encryptedContent) { | ||
| if (err) return cb(err); | ||
| cb(null, encryptedContent); | ||
| }); | ||
| break; | ||
| case 'http://www.w3.org/2001/04/xmlenc#tripledes-cbc': | ||
| utils.warnInsecureAlgorithm(options.encryptionAlgorithm, options.warnInsecureAlgorithm); | ||
| encryptWithAlgorithm('des-ede3-cbc', symmetricKey, 8, content, options.input_encoding, function (err, encryptedContent) { | ||
@@ -120,3 +141,2 @@ if (err) return cb(err); | ||
| if (err) return cb(err); | ||
| var result = utils.renderTemplate('encrypted-key', { | ||
@@ -177,3 +197,2 @@ encryptedContent: encryptedContent.toString('base64'), | ||
| var encrypted = Buffer.from(encryptedContent.textContent, 'base64'); | ||
| switch (encryptionAlgorithm) { | ||
@@ -185,3 +204,8 @@ case 'http://www.w3.org/2001/04/xmlenc#aes128-cbc': | ||
| case 'http://www.w3.org/2001/04/xmlenc#tripledes-cbc': | ||
| utils.warnInsecureAlgorithm(encryptionAlgorithm, options.warnInsecureAlgorithm); | ||
| return callback(null, decryptWithAlgorithm('des-ede3-cbc', symmetricKey, 8, encrypted)); | ||
| case 'http://www.w3.org/2009/xmlenc11#aes128-gcm': | ||
| return callback(null, decryptWithAlgorithm('aes-128-gcm', symmetricKey, 12, encrypted)); | ||
| case 'http://www.w3.org/2009/xmlenc11#aes256-gcm': | ||
| return callback(null, decryptWithAlgorithm('aes-256-gcm', symmetricKey, 12, encrypted)); | ||
| default: | ||
@@ -225,2 +249,3 @@ return callback(new Error('encryption algorithm ' + encryptionAlgorithm + ' not supported')); | ||
| case 'http://www.w3.org/2001/04/xmlenc#rsa-1_5': | ||
| utils.warnInsecureAlgorithm(keyEncryptionAlgorithm, options.warnInsecureAlgorithm); | ||
| return decryptKeyInfoWithScheme(encryptedKey, options, 'RSAES-PKCS1-V1_5'); | ||
@@ -247,3 +272,6 @@ default: | ||
| var encrypted = cipher.update(content, encoding, 'binary') + cipher.final('binary'); | ||
| return callback(null, Buffer.concat([iv, Buffer.from(encrypted, 'binary')])); | ||
| var authTag = algorithm.slice(-3) === "gcm" ? cipher.getAuthTag() : Buffer.from(""); | ||
| //Format mentioned: https://www.w3.org/TR/xmlenc-core1/#sec-AES-GCM | ||
| var r = Buffer.concat([iv, Buffer.from(encrypted, 'binary'), authTag]); | ||
| return callback(null, r); | ||
| }); | ||
@@ -256,5 +284,11 @@ } | ||
| if (algorithm.slice(-3) === "gcm") { | ||
| decipher.setAuthTag(content.slice(-16)); | ||
| content = content.slice(0,-16); | ||
| } | ||
| var decrypted = decipher.update(content.slice(ivLength), null, 'binary') + decipher.final('binary'); | ||
| if (algorithm.slice(-3) !== "gcm") { | ||
| // Remove padding bytes equal to the value of the last byte of the returned data. | ||
| // Padding for GCM not required per: https://www.w3.org/TR/xmlenc-core1/#sec-AES-GCM | ||
| var padding = decrypted.charCodeAt(decrypted.length - 1); | ||
@@ -267,2 +301,3 @@ if (1 <= padding && padding <= ivLength) { | ||
| } | ||
| } | ||
@@ -269,0 +304,0 @@ return Buffer.from(decrypted, 'binary').toString('utf8'); |
| { | ||
| "name": "xml-encryption", | ||
| "version": "1.0.0", | ||
| "version": "1.1.0", | ||
| "devDependencies": { | ||
| "mocha": "^7.0.0", | ||
| "mocha": "^7.1.1", | ||
| "should": "^11.2.1" | ||
@@ -24,2 +24,3 @@ }, | ||
| "node-forge": "^0.7.0", | ||
| "sinon": "^9.0.1", | ||
| "xmldom": "~0.1.15", | ||
@@ -26,0 +27,0 @@ "xpath": "0.0.27" |
@@ -21,3 +21,4 @@ [](https://travis-ci.org/auth0/node-xml-encryption) | ||
| keyEncryptionAlgorithm: 'http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p', | ||
| disallowEncryptionWithInsecureAlgorithm: true | ||
| disallowEncryptionWithInsecureAlgorithm: true, | ||
| warnInsecureAlgorithm: true | ||
| }; | ||
@@ -58,3 +59,4 @@ | ||
| key: fs.readFileSync(__dirname + '/your_private_key.key'), | ||
| disallowDecryptionWithInsecureAlgorithm: true; | ||
| disallowDecryptionWithInsecureAlgorithm: true, | ||
| warnInsecureAlgorithm: true | ||
| }; | ||
@@ -82,7 +84,9 @@ | ||
| * http://www.w3.org/2001/04/xmlenc#aes256-cbc | ||
| * http://www.w3.org/2009/xmlenc11#aes128-gcm | ||
| * http://www.w3.org/2009/xmlenc11#aes256-gcm | ||
| * http://www.w3.org/2001/04/xmlenc#tripledes-cbc (Insecure Algorithm) | ||
| Insecure Algorithms can be disabled via disallowEncryptionWithInsecureAlgorithm/disallowDecryptionWithInsecureAlgorithm flags when encrypting/decrypting. This flag is off by default in 0.x versions. | ||
| Insecure Algorithms can be disabled via `disallowEncryptionWithInsecureAlgorithm`/`disallowDecryptionWithInsecureAlgorithm` flags when encrypting/decrypting. This flag is off by default in 0.x versions. | ||
| However, you can fork and implement your own algorithm. The code supports adding more algorithms easily | ||
| A warning will be piped to `stderr` using console.warn() by default when the aforementioned algorithms are used. This can be disabled via the `warnInsecureAlgorithm` flag. | ||
@@ -100,1 +104,4 @@ ## Issue Reporting | ||
| This project is licensed under the MIT license. See the [LICENSE](LICENSE) file for more info. | ||
| ## Releases | ||
| Release notes may be found under github release page: https://github.com/auth0/node-xml-encryption/releases |
| var assert = require('assert'); | ||
| var fs = require('fs'); | ||
| var should = require('should'); | ||
| var sinon = require('sinon'); | ||
| var xmlenc = require('../lib'); | ||
@@ -7,3 +9,11 @@ var xpath = require('xpath'); | ||
| describe('encrypt', function() { | ||
| let consoleSpy = null; | ||
| beforeEach(function() { | ||
| consoleSpy = sinon.spy(console, 'warn'); | ||
| }); | ||
| afterEach(function() { | ||
| consoleSpy.restore(); | ||
| }); | ||
| var algorithms = [{ | ||
@@ -22,2 +32,14 @@ name: 'aes-256-cbc', | ||
| }, { | ||
| name: 'aes-256-gcm', | ||
| encryptionOptions: { | ||
| encryptionAlgorithm: 'http://www.w3.org/2009/xmlenc11#aes256-gcm', | ||
| keyEncryptionAlgorithm: 'http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p' | ||
| } | ||
| }, { | ||
| name: 'aes-128-gcm', | ||
| encryptionOptions: { | ||
| encryptionAlgorithm: 'http://www.w3.org/2009/xmlenc11#aes128-gcm', | ||
| keyEncryptionAlgorithm: 'http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p' | ||
| } | ||
| }, { | ||
| name: 'des-ede3-cbc', | ||
@@ -51,5 +73,6 @@ encryptionOptions: { | ||
| options.key = fs.readFileSync(__dirname + '/test-auth0.key'), | ||
| options.warnInsecureAlgorithm = false; | ||
| xmlenc.encrypt(content, options, function(err, result) { | ||
| xmlenc.decrypt(result, { key: fs.readFileSync(__dirname + '/test-auth0.key')}, function (err, decrypted) { | ||
| xmlenc.decrypt(result, { key: fs.readFileSync(__dirname + '/test-auth0.key'), warnInsecureAlgorithm: false}, function (err, decrypted) { | ||
| assert.equal(decrypted, content); | ||
@@ -74,2 +97,4 @@ done(); | ||
| assert(!result); | ||
| //should not pop up warns due to options.warnInsecureAlgorithm = false; | ||
| consoleSpy.called.should.equal(false); | ||
| done(); | ||
@@ -187,3 +212,2 @@ }); | ||
| var plaintext = 'The quick brown fox jumps over the lazy dog'; | ||
| xmlenc.encryptKeyInfo(plaintext, options, function(err, encryptedKeyInfo) { | ||
@@ -206,3 +230,3 @@ assert(err); | ||
| if (err) return done(err); | ||
| consoleSpy.called.should.equal(true); | ||
| assert.throws( | ||
@@ -209,0 +233,0 @@ function(){xmlenc.decryptKeyInfo( |
Fixed alerts
New author
Supply chain riskA new npm collaborator published a version of the package for the first time. New collaborators are usually benign additions to a project, but do indicate a change to the security surface area of a package.
Found 1 instance in 1 package
Improved metrics
- Total package byte prevSize
- increased by6.35%
60800
- Lines of code
- increased by14.29%
544
- Number of lines in readme file
- increased by7.22%
104
- Number of medium supply chain risk alerts
- decreased by-100%
0
Worsened metrics
- Dependency count
- increased by25%
5
Dependency changes
+ Addedsinon@^9.0.1
+ Added@sinonjs/commons@1.8.6(transitive)
+ Added@sinonjs/fake-timers@6.0.1(transitive)
+ Added@sinonjs/samsam@5.3.1(transitive)
+ Added@sinonjs/text-encoding@0.7.3(transitive)
+ Addeddiff@4.0.2(transitive)
+ Addedhas-flag@4.0.0(transitive)
+ Addedisarray@0.0.1(transitive)
+ Addedjust-extend@4.2.1(transitive)
+ Addedlodash.get@4.4.2(transitive)
+ Addednise@4.1.0(transitive)
+ Addedpath-to-regexp@1.9.0(transitive)
+ Addedsinon@9.2.4(transitive)
+ Addedsupports-color@7.2.0(transitive)
+ Addedtype-detect@4.0.8(transitive)