
Conversation

@ido-seraphic

Summary

Replaces the node-forge dependency with Node.js native crypto module for validating PEM-formatted private keys in the ServiceAccount credential class.

Motivation

1. License Concerns

The node-forge package contains code sourced from StackOverflow which is licensed under CC-BY-SA 4.0, causing issues with automated license scanners.

2. Security

Native crypto is maintained by the Node.js core team and uses OpenSSL's battle-tested C++ implementation, reducing the attack surface compared to a third-party JavaScript implementation.

3. Performance

Native crypto is significantly faster than the pure JavaScript implementation in node-forge.

4. Bundle Size

Removes ~500KB dependency from the package.

Changes

| Before | After |
| --- | --- |
| `forge.pki.privateKeyFromPem(key)` | `crypto.createPrivateKey(key)` |

Both functions throw an error when given an invalid PEM-formatted key, maintaining equivalent behavior.

Testing

  • All 6182 unit tests pass
  • crypto.createPrivateKey() is available since Node.js 11.6.0 (package requires Node.js >=18)

Files Changed

  • src/app/credential-internal.ts: Replace forge import with crypto import
  • package.json: Remove node-forge dependency

…ey validation

Replaces node-forge dependency with Node.js native crypto module for
validating PEM-formatted private keys in ServiceAccount credential.

## Motivation

1. **License concerns**: node-forge contains code sourced from StackOverflow
   which is licensed under CC-BY-SA 4.0, causing issues with license scanners.
   See: digitalbazaar/forge#1001

2. **Security**: Native crypto is maintained by Node.js core team and uses
   OpenSSL's battle-tested C++ implementation.

3. **Performance**: Native crypto is significantly faster than the pure
   JavaScript implementation in node-forge.

4. **Bundle size**: Removes ~500KB dependency from the package.

## Changes

- Replace `forge.pki.privateKeyFromPem()` with `crypto.createPrivateKey()`
- Remove `node-forge` from dependencies
- Both functions throw on invalid PEM format, maintaining equivalent behavior
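A worked example of the swap described in the pull request, added here and not code from the pull request or the project: it wraps `crypto.createPrivateKey` in a small validator and shows the throw-on-invalid-PEM behaviour the description relies on. It also covers two points a reviewer of this change would want checked: `createPrivateKey` accepts EC, Ed25519 and other key types that `forge.pki.privateKeyFromPem` (an RSA-only parser) rejected, so an RSA type check restores the old acceptance boundary; and an encrypted PEM is rejected unless the passphrase is supplied. The function names (`validatePrivateKeyPem`, `validateRsaPrivateKeyPem`, `makeRsaPem` and the rest) are hypothetical, and every key is generated at run time, so nothing in it is a real credential.

```typescript
// Added example: validating a PEM private key with Node's built-in crypto module,
// as the PR does in place of forge.pki.privateKeyFromPem. Not the project's own code;
// all function names are hypothetical and the sample keys are generated on the fly.
import { createPrivateKey, generateKeyPairSync, KeyObject } from "node:crypto";

export interface PrivateKeyInfo {
  type: string;           // asymmetric key type reported by OpenSSL, e.g. "rsa" or "ec"
  modulusLength?: number; // RSA modulus size in bits (undefined for non-RSA keys)
  namedCurve?: string;    // curve name for EC keys (undefined for RSA keys)
}

// Equivalent of the PR's check: createPrivateKey throws on anything that is not a
// parseable private key, so a bad PEM surfaces as an exception. An encrypted PEM
// needs its passphrase; without it createPrivateKey throws as well.
export function validatePrivateKeyPem(pem: string, passphrase?: string): PrivateKeyInfo {
  let key: KeyObject;
  try {
    key = passphrase === undefined
      ? createPrivateKey(pem)
      : createPrivateKey({ key: pem, format: "pem", passphrase });
  } catch (err) {
    throw new Error(`Invalid PEM private key: ${(err as Error).message}`);
  }
  const details = key.asymmetricKeyDetails;
  return {
    type: key.asymmetricKeyType ?? "unknown",
    modulusLength: details?.modulusLength,
    namedCurve: details?.namedCurve,
  };
}

// Stricter check that narrows createPrivateKey back to what the forge-based code
// accepted: forge.pki.privateKeyFromPem parses RSA keys only, whereas createPrivateKey
// loads EC, Ed25519 and other key types too. A service account key is RSA, so
// rejecting other types (and undersized moduli) keeps the old acceptance boundary.
export function validateRsaPrivateKeyPem(pem: string, minBits = 2048): PrivateKeyInfo {
  const info = validatePrivateKeyPem(pem);
  if (info.type !== "rsa") {
    throw new Error(`Expected an RSA private key, got ${info.type}`);
  }
  if ((info.modulusLength ?? 0) < minBits) {
    throw new Error(`RSA modulus too small: ${info.modulusLength} < ${minBits} bits`);
  }
  return info;
}

// Non-throwing predicate for callers that only need a yes/no answer.
export function isValidPrivateKeyPem(pem: string, passphrase?: string): boolean {
  try {
    validatePrivateKeyPem(pem, passphrase);
    return true;
  } catch {
    return false;
  }
}

// Constructed sample inputs: throwaway keys generated at run time (nothing real).
export function makeRsaPem(bits = 2048): string {
  const { privateKey } = generateKeyPairSync("rsa", { modulusLength: bits });
  return privateKey.export({ type: "pkcs8", format: "pem" }) as string;
}

export function makeEcPem(): string {
  const { privateKey } = generateKeyPairSync("ec", { namedCurve: "P-256" });
  return privateKey.export({ type: "pkcs8", format: "pem" }) as string;
}

export function makeEncryptedRsaPem(passphrase: string): string {
  const { privateKey } = generateKeyPairSync("rsa", { modulusLength: 2048 });
  return privateKey.export({ type: "pkcs8", format: "pem", cipher: "aes-256-cbc", passphrase }) as string;
}

// Constructed malformed input: correct PEM armour around a body that is not DER.
export const BROKEN_PEM = "-----BEGIN PRIVATE KEY-----\nbm90IGEga2V5\n-----END PRIVATE KEY-----\n";

function demo(): void {
  console.log("rsa:", validateRsaPrivateKeyPem(makeRsaPem()));
  console.log("ec accepted by createPrivateKey:", isValidPrivateKeyPem(makeEcPem()));
  console.log("broken pem accepted:", isValidPrivateKeyPem(BROKEN_PEM));
}
demo();
```

The plain `validatePrivateKeyPem` is the one-to-one replacement for the forge call; `validateRsaPrivateKeyPem` is the variant to reach for if the caller depended on forge's narrower RSA-only acceptance.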
@google-cla

google-cla bot commented Jan 6, 2026

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

@gemini-code-assist

Summary of Changes

Hello @ido-seraphic, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request modernizes the private key validation mechanism within the ServiceAccount credential class by migrating from the node-forge library to Node.js's built-in crypto module. This strategic change not only resolves potential license compliance issues and bolsters security through the use of OpenSSL, but also delivers notable performance gains and a significant reduction in the overall package size.

Highlights

  • Dependency Replacement: Replaced the node-forge dependency with Node.js's native crypto module for validating PEM-formatted private keys in the ServiceAccount credential class.
  • License Compliance: Addressed license concerns by removing node-forge, which contained CC-BY-SA 4.0 licensed code from StackOverflow, resolving automated license scanner issues.
  • Security Enhancement: Improved security by leveraging Node.js's native crypto module, which is maintained by the Node.js core team and uses OpenSSL's battle-tested C++ implementation, reducing the attack surface.
  • Performance Improvement: Enhanced performance as the native crypto module is significantly faster than the pure JavaScript implementation of node-forge.
  • Bundle Size Reduction: Reduced the package bundle size by approximately 500KB by removing the node-forge dependency.


@gemini-code-assist bot left a comment

Code Review

This pull request successfully replaces the node-forge dependency with the native Node.js crypto module for private key validation. This is an excellent improvement, addressing license concerns, enhancing security by using a core module, improving performance, and reducing the package's bundle size. The implementation is straightforward and correct, replacing forge.pki.privateKeyFromPem(key) with crypto.createPrivateKey(key) and adjusting the imports accordingly. The removal of the dependency from package.json and package-lock.json is also correct. The changes are well-motivated and I have no further suggestions. Great work!

@ido-seraphic (Author)

I have signed the CLA. Please re-check.

@ido-seraphic ido-seraphic changed the title chore: replace node-forge with native crypto for private key validation Replace node-forge with native crypto for private key validation Jan 6, 2026
