10 compatability

Author: rossphelan

lib/mcapi/crypto/jwe-crypto.js

@@ -1,5 +1,4 @@
 const forge = require('node-forge');
-const fs = require('fs');
 const utils = require('../utils/utils');
 const nodeCrypto = require('crypto');
 
@@ -19,7 +18,7 @@ function JweCrypto(config) {
 
   this.privateKey = getPrivateKey(config);
 
-  this.publicKeyFingerprint = config.publicKeyFingerprint || computePublicFingerprint.call(this, config);
+  this.publicKeyFingerprint = config.publicKeyFingerprint || computePublicFingerprint(config, this.encryptionCertificate);
 
   this.encryptedValueFieldName = config.encryptedValueFieldName;
 
@@ -40,7 +39,7 @@ function JweCrypto(config) {
       "enc": "A256GCM"
     };
 
-    const encodedJweHeader = Buffer.from(JSON.stringify(jweHeader)).toString('base64url');
+    const encodedJweHeader = Buffer.from(utils.toEncodedString(JSON.stringify(jweHeader), 'binary', 'base64url'));
 
     const secretKey = nodeCrypto.randomBytes(32);
     const secretKeyBuffer = Buffer.from(secretKey, 'binary');
@@ -62,10 +61,10 @@ function JweCrypto(config) {
     cipherText += cipher.final('base64');
     const authTag = cipher.getAuthTag().toString("base64");
 
-    const encodedEncryptedSecretKey = Buffer.from(encryptedSecretKey, 'binary').toString('base64url');
-    const encodedIv = Buffer.from(iv, 'binary').toString('base64url');
-    const encodedEncryptedText = Buffer.from(cipherText, "base64").toString('base64url');
-    const encodedAuthTag = Buffer.from(authTag, "base64").toString('base64url');
+    const encodedEncryptedSecretKey = utils.toEncodedString(encryptedSecretKey, 'binary', 'base64url');
+    const encodedIv = utils.toEncodedString(iv, 'binary', 'base64url');
+    const encodedEncryptedText = utils.toEncodedString(cipherText, "base64", 'base64url');
+    const encodedAuthTag = utils.toEncodedString(authTag, "base64", 'base64url');
 
     const encryptedData = serialize(encodedJweHeader, encodedEncryptedSecretKey, encodedIv, encodedEncryptedText, encodedAuthTag);
     return { [this.encryptedValueFieldName] : encryptedData};
@@ -83,18 +82,16 @@ function JweCrypto(config) {
     }
 
     const jweTokenParts = deSerialize(encryptedData);
-    const jweHeader = Buffer.from(jweTokenParts[0], 'base64url').toString('utf8');
-    const encryptedSecretKey = Buffer.from(jweTokenParts[1], 'base64url');
-    const iv = Buffer.from(jweTokenParts[2], 'base64url');
-    const encryptedText = Buffer.from(jweTokenParts[3], 'base64url');
-    const authTag = Buffer.from(jweTokenParts[4], 'base64url');
-
-    // const node10 = utils.isNode10()
+    const jweHeader = Buffer.from(jweTokenParts[0], 'base64').toString('utf8');
+    const encryptedSecretKey = Buffer.from(jweTokenParts[1], 'base64');
+    const iv = Buffer.from(jweTokenParts[2], 'base64');
+    const encryptedText = Buffer.from(jweTokenParts[3], 'base64');
+    const authTag = Buffer.from(jweTokenParts[4], 'base64');
 
     let secretKey = nodeCrypto.privateDecrypt(
       {
         key: this.privateKey,
-        padding: nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING,
+        padding: nodeCrypto.constants.RSA_NO_PADDING,
         oaepHash: "sha256"
       },
       Buffer.from(encryptedSecretKey, 'binary')
@@ -143,11 +140,12 @@ function deSerialize(jweToken) {
  * @private
  */
 function readPublicCertificate(publicCertificatePath) {
-  const certificateContent = fs.readFileSync(publicCertificatePath, 'binary');
-  if (!certificateContent || certificateContent.length <= 1) {
-    throw new Error('Public certificate content is not valid');
+  const publicCertificate = utils.readPublicCertificate(publicCertificatePath);
+  if(publicCertificate){
+    return forge.pki.certificateToPem(publicCertificate);
+  }else{
+    return null;
   }
-  return certificateContent;
 }
 
 /**
@@ -166,52 +164,14 @@ function getPrivateKey(config) {
  * @private
  * @param config Configuration object
  */
-function computePublicFingerprint(config) {
-  let fingerprint = null;
-  if (config && config.publicKeyFingerprintType) {
-    switch (config.publicKeyFingerprintType) {
-      case "certificate":
-        fingerprint = publicCertificateFingerprint.call(this, this.encryptionCertificate);
-        break;
-      case "publicKey":
-        fingerprint = publicKeyFingerprint.call(this, this.encryptionCertificate);
-        break;
-    }
-  }
-  return fingerprint;
-}
-
-/**
- * Get SHA-256 certificate fingerprint from a X509 certificate
- *
- * @private
- * @param {string} publicCertificate PEM
- */
-function publicCertificateFingerprint(publicCertificate) {
-  if (!publicCertificate || publicCertificate.length <= 1) {
-    throw new Error('Public certificate content is not valid');
-  }
-  let hexFingerprint = new nodeCrypto.X509Certificate(publicCertificate).fingerprint256;
-  hexFingerprint = hexFingerprint.replaceAll(":", "");
-  return Buffer.from(hexFingerprint, 'hex').toString('base64');
-}
-
-/**
- * Get SHA-256 public Key fingerprint from a X509 certificate
- *
- * @private
- * @param {string} publicCertificate PEM
- */
-function publicKeyFingerprint(publicKey) {
-  if (!publicKey || publicKey.length <= 1) {
-    throw new Error('Public certificate content is not valid');
+function computePublicFingerprint(config, encryptionCertificate) {
+  if(config && encryptionCertificate) {
+    return utils.computePublicFingerprint(config, forge.pki.certificateFromPem(encryptionCertificate), 'base64');
+  } else {
+    return null;
   }
-  let hexFingerprint = new nodeCrypto.X509Certificate(publicKey).fingerprint256;
-  hexFingerprint = hexFingerprint.replaceAll(":", "");
-  return Buffer.from(hexFingerprint, 'hex').toString('base64');
 }
 
-
 /**
  * Check if the passed configuration is valid
  * @throws {Error} if the config is not valid

lib/mcapi/crypto/legacy-crypto.js

@@ -1,5 +1,4 @@
 const forge = require('node-forge');
-const fs = require('fs');
 const utils = require('../utils/utils');
 
 /**
@@ -15,14 +14,14 @@ function LegacyCrypto(config) {
   isValidConfig.call(this, config);
 
   // Load public certificate (for encryption)
-  this.encryptionCertificate = readPublicCertificate(config.encryptionCertificate);
+  this.encryptionCertificate = utils.readPublicCertificate(config.encryptionCertificate);
 
   // Load private key (for decryption)
   this.privateKey = utils.getPrivateKey(config);
 
   this.encoding = config.dataEncoding;
 
-  this.publicKeyFingerprint = config.publicKeyFingerprint || computePublicFingerprint.call(this, config);
+  this.publicKeyFingerprint = config.publicKeyFingerprint || utils.computePublicFingerprint(config, this.encryptionCertificate, this.encoding);
 
   this.publicKeyFingerprintFieldName = config.publicKeyFingerprintFieldName;
 
@@ -152,76 +151,6 @@ function createOAEPOptions(asymmetricCipher, oaepHashingAlgorithm) {
   }
 }
 
-/**
- * @private
- */
-function generateSecretKey(algorithm, size, digest) {
-  if (algorithm === 'AES') {
-    const key = forge.random.getBytesSync(size / 8);
-    const md = createMessageDigest(digest);
-    md.update(key);
-    return md.digest().getBytes(16);
-  }
-  throw new Error('Unsupported symmetric algorithm');
-}
-
-/**
- * @private
- */
-function readPublicCertificate(publicCertificatePath) {
-  const certificateContent = fs.readFileSync(publicCertificatePath);
-  if (!certificateContent || certificateContent.length <= 1) {
-    throw new Error('Public certificate content is not valid');
-  }
-  return forge.pki.certificateFromPem(certificateContent);
-}
-
-/**
- * @private
- * @param config Configuration object
- */
-function computePublicFingerprint(config) {
-  let fingerprint = null;
-  if (config && config.publicKeyFingerprintType) {
-    switch (config.publicKeyFingerprintType) {
-      case "certificate":
-        fingerprint = publicCertificateFingerprint.call(this, this.encryptionCertificate);
-        break;
-      case "publicKey":
-        fingerprint = publicKeyFingerprint.call(this, this.encryptionCertificate);
-        break;
-    }
-  }
-  return fingerprint;
-}
-
-/**
- * Get SHA-256 certificate fingerprint from a X509 certificate
- *
- * @private
- * @param {string} publicCertificate PEM
- */
-function publicCertificateFingerprint(publicCertificate) {
-  const bytes = forge.asn1.toDer(forge.pki.certificateToAsn1(publicCertificate)).getBytes();
-  const md = createMessageDigest('SHA-256');
-  md.update(bytes);
-  return utils.bytesToString(md.digest().getBytes(), this.encoding);
-}
-
-/**
- * Get SHA-256 public Key fingerprint from a X509 certificate
- *
- * @private
- * @param {string} publicCertificate PEM
- */
-function publicKeyFingerprint(publicCertificate) {
-  return forge.pki.getPublicKeyFingerprint(publicCertificate.publicKey, {
-    type: 'SubjectPublicKeyInfo',
-    md: createMessageDigest('SHA-256'),
-    encoding: 'hex'
-  });
-}
-
 /**
  * @private
  */
@@ -236,6 +165,20 @@ function createMessageDigest(digest) {
   }
 }
 
+
+/**
+ * @private
+ */
+function generateSecretKey(algorithm, size, digest) {
+  if (algorithm === 'AES') {
+    const key = forge.random.getBytesSync(size / 8);
+    const md = createMessageDigest(digest);
+    md.update(key);
+    return md.digest().getBytes(16);
+  }
+  throw new Error('Unsupported symmetric algorithm');
+}
+
 /**
  * Check if the passed configuration is valid
  * @throws {Error} if the config is not valid

lib/mcapi/utils/utils.js

@@ -7,14 +7,10 @@ const fs = require('fs');
  * @version 1.0.0
  */
 
-/**
- * Check if a value is set
- * @param value value to check
- * @returns {boolean} True if set, false otherwise
- */
 module.exports.isSet = function (value) {
   return typeof value !== "undefined" && value !== null && value.length !== 0;
 };
+
 isSet = function (value) {
   return typeof value !== "undefined" && value !== null && value.length !== 0;
 };
@@ -39,6 +35,19 @@ module.exports.bytesToString = function (bytes, dataEncoding) {
   }
 };
 
+function bytesToString(bytes, dataEncoding) {
+  if (typeof bytes === "undefined" || bytes === null) {
+    throw new Error("Input not valid");
+  }
+  switch (dataEncoding.toLowerCase()) {
+    case 'hex':
+      return forge.util.bytesToHex(bytes);
+    case 'base64':
+    default:
+      return forge.util.encode64(bytes);
+  }
+};
+
 /**
  * Converts a (hex or base64) string into a 'binary' encoded string of bytes.
  *
@@ -59,6 +68,31 @@ module.exports.stringToBytes = function (value, dataEncoding) {
   }
 };
 
+/**
+ * Convert a string object from format to format.
+ * Extends toString to support base64url like node 13+
+ *
+ * @param {Object|string} value string to be encoded
+ * @param {Object|string} fromFormat values current format
+ * @param {Object|string} toFormat values transformed format
+ * @returns {string}
+ */
+module.exports.toEncodedString = function(value, fromFormat, toFormat) {
+  let result = Buffer.from(value, fromFormat)
+  if (toFormat === 'base64url') {
+    result = result.toString('base64')
+    result = result.replace((/\+/g), "-")
+    result = result.replace((/\\/g), "_")
+    return result.replace((/=/g), "")
+  } else {
+    return result.toString(toFormat)
+  }
+}
+
+module.exports.toByteArray = function(value, fromFormat) {
+  return Buffer.from(value, fromFormat)
+}
+
 /**
  * Convert a json object or json string to string
  *
@@ -144,17 +178,6 @@ function deleteRoot(obj, paths, properties){
   }
 }
 
-// module.exports.isNode10 = function(){
-//   const majorVersion = parseInt(parseInt(process.version.substring(1,3)));
-//   if(majorVersion < 10){
-//     throw new Error("Only node version 10+ supported");
-//   }
-//   if(majorVersion === 10){
-//     return true;
-//   }
-//   return false;
-// };
-
 module.exports.getPrivateKey = function(config){
   if (config.privateKey) {
     return loadPrivateKey(config.privateKey);
@@ -240,3 +263,51 @@ function loadPrivateKey(privateKeyPath) {
   return forge.pki.privateKeyFromAsn1(forge.asn1.fromDer(privateKeyContent));
 }
 
+module.exports.readPublicCertificate = function(publicCertificatePath){
+  const certificateContent = fs.readFileSync(publicCertificatePath);
+  if (!certificateContent || certificateContent.length <= 1) {
+    throw new Error('Public certificate content is not valid');
+  }
+  return forge.pki.certificateFromPem(certificateContent);
+};
+
+module.exports.computePublicFingerprint = function(config, encryptionCertificate, encoding) {
+  let fingerprint = null;
+  if (config && config.publicKeyFingerprintType) {
+    switch (config.publicKeyFingerprintType) {
+      case "certificate":
+        fingerprint = publicCertificateFingerprint(encryptionCertificate, encoding);
+        break;
+      case "publicKey":
+        fingerprint = publicKeyFingerprint(encryptionCertificate);
+        break;
+    }
+  }
+  return fingerprint;
+};
+
+function publicCertificateFingerprint(publicCertificate, encoding) {
+  const bytes = forge.asn1.toDer(forge.pki.certificateToAsn1(publicCertificate)).getBytes();
+  const md = createMessageDigest('SHA-256');
+  md.update(bytes);
+  return bytesToString(md.digest().getBytes(), encoding);
+}
+
+function publicKeyFingerprint(publicCertificate) {
+  return forge.pki.getPublicKeyFingerprint(publicCertificate.publicKey, {
+    type: 'SubjectPublicKeyInfo',
+    md: createMessageDigest('SHA-256'),
+    encoding: 'hex'
+  });
+}
+
+function createMessageDigest(digest) {
+  switch (digest.toUpperCase()) {
+    case 'SHA-256':
+    case 'SHA256':
+      return forge.md.sha256.create();
+    case 'SHA-512':
+    case 'SHA512':
+      return forge.md.sha512.create();
+  }
+}