Only allowing JWE encryption on Node 13+

Author: rossphelan

lib/mcapi/crypto/jwe-crypto.js

@@ -39,7 +39,7 @@ function JweCrypto(config) {
       "enc": "A256GCM"
     };
 
-    const encodedJweHeader = Buffer.from(utils.toEncodedString(JSON.stringify(jweHeader), 'binary', 'base64url'));
+    const encodedJweHeader = toEncodedString(JSON.stringify(jweHeader),'utf8', 'base64url');
 
     const secretKey = nodeCrypto.randomBytes(32);
     const secretKeyBuffer = Buffer.from(secretKey, 'binary');
@@ -61,10 +61,10 @@ function JweCrypto(config) {
     cipherText += cipher.final('base64');
     const authTag = cipher.getAuthTag().toString("base64");
 
-    const encodedEncryptedSecretKey = utils.toEncodedString(encryptedSecretKey, 'binary', 'base64url');
-    const encodedIv = utils.toEncodedString(iv, 'binary', 'base64url');
-    const encodedEncryptedText = utils.toEncodedString(cipherText, "base64", 'base64url');
-    const encodedAuthTag = utils.toEncodedString(authTag, "base64", 'base64url');
+    const encodedEncryptedSecretKey = toEncodedString(encryptedSecretKey, 'binary', 'base64url');
+    const encodedIv = toEncodedString(iv, 'binary', 'base64url');
+    const encodedEncryptedText = toEncodedString(cipherText, "base64", 'base64url');
+    const encodedAuthTag = toEncodedString(authTag, "base64", 'base64url');
 
     const encryptedData = serialize(encodedJweHeader, encodedEncryptedSecretKey, encodedIv, encodedEncryptedText, encodedAuthTag);
     return { [this.encryptedValueFieldName] : encryptedData};
@@ -91,7 +91,7 @@ function JweCrypto(config) {
     let secretKey = nodeCrypto.privateDecrypt(
       {
         key: this.privateKey,
-        padding: nodeCrypto.constants.RSA_NO_PADDING,
+        padding: nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING,
         oaepHash: "sha256"
       },
       Buffer.from(encryptedSecretKey, 'binary')
@@ -178,6 +178,9 @@ function computePublicFingerprint(config, encryptionCertificate) {
  * @private
  */
 function isValidConfig(config) {
+  if(!utils.nodeVersionSupportsJWE()){
+    throw Error("JWE Encryption is only supported on Node 13+");
+  }
   const propertiesBasic = ["encryptionCertificate", "encryptedValueFieldName"];
   const contains = (props) => {
     return props.every((elem) => {
@@ -230,4 +233,19 @@ function validateRootMapping(config) {
   });
 }
 
+/**
+ * @private
+ */
+function toEncodedString(value, fromFormat, toFormat) {
+  let result = Buffer.from(value, fromFormat);
+  if (toFormat === 'base64url') {
+    result = result.toString('base64');
+    result = result.replace((/\+/g), "-");
+    result = result.replace((/\\/g), "_");
+    return result.replace((/=/g), "");
+  } else {
+    return result.toString(toFormat);
+  }
+}
+
 module.exports = JweCrypto;

lib/mcapi/utils/utils.js

@@ -68,30 +68,9 @@ module.exports.stringToBytes = function (value, dataEncoding) {
   }
 };
 
-/**
- * Convert a string object from format to format.
- * Extends toString to support base64url like node 13+
- *
- * @param {Object|string} value string to be encoded
- * @param {Object|string} fromFormat values current format
- * @param {Object|string} toFormat values transformed format
- * @returns {string}
- */
-module.exports.toEncodedString = function(value, fromFormat, toFormat) {
-  let result = Buffer.from(value, fromFormat)
-  if (toFormat === 'base64url') {
-    result = result.toString('base64')
-    result = result.replace((/\+/g), "-")
-    result = result.replace((/\\/g), "_")
-    return result.replace((/=/g), "")
-  } else {
-    return result.toString(toFormat)
-  }
-}
-
 module.exports.toByteArray = function(value, fromFormat) {
-  return Buffer.from(value, fromFormat)
-}
+  return Buffer.from(value, fromFormat);
+};
 
 /**
  * Convert a json object or json string to string
@@ -311,3 +290,9 @@ function createMessageDigest(digest) {
       return forge.md.sha512.create();
   }
 }
+
+module.exports.nodeVersionSupportsJWE = function (){
+  const nodeMajorVersion = parseInt(process.version.substring(1,3));
+  return (nodeMajorVersion > 12);
+};
+