Use built-in cipher instead of external package

simonratner · simonratner · commit 19c5c99b73b5 · 2017-10-02T14:57:47.000-07:00
diff --git a/lib/encrypted-attr.js b/lib/encrypted-attr.js
@@ -1,7 +1,6 @@
 'use strict'
 
 const crypto = require('crypto')
-const gcm = require('node-aes-gcm')
 const { get, set } = require('lodash')
 
 function EncryptedAttributes (attributes, options) {
@@ -24,11 +23,13 @@ function EncryptedAttributes (attributes, options) {
     let aad = Buffer.from(
       `aes-256-gcm$${options.verifyId ? obj.id.toString() : ''}$${options.keyId}`)
     let key = Buffer.from(options.keys[options.keyId], 'base64')
-    let result = gcm.encrypt(key, iv, Buffer.from(val), aad)
+    let gcm = crypto.createCipheriv('aes-256-gcm', key, iv).setAAD(aad)
+    let result = gcm.update(val, 'utf8', 'base64') + gcm.final('base64')
+
     return aad.toString('base64') + '$' +
            iv.toString('base64') + '$' +
-           result.ciphertext.toString('base64') + '$' +
-           result.auth_tag.toString('base64').slice(0, 22)
+           result + '$' +
+           gcm.getAuthTag().toString('base64').slice(0, 22)
   }
 
   function encryptAll (obj) {
@@ -59,11 +60,9 @@ function EncryptedAttributes (attributes, options) {
       throw new Error('Encrypted attribute has invalid key id')
     }
     let key = Buffer.from(options.keys[keyId], 'base64')
-    let result = gcm.decrypt(key, iv, payload, aad, tag)
-    if (!result.auth_ok) {
-      throw new Error('Encrypted attribute has invalid auth tag')
-    }
-    return result.plaintext.toString()
+    let gcm = crypto.createDecipheriv('aes-256-gcm', key, iv).setAAD(aad).setAuthTag(tag)
+
+    return gcm.update(payload, 'binary', 'utf8') + gcm.final('utf8')
   }
 
   function decryptAll (obj) {
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -15,8 +15,7 @@
     "orm"
   ],
   "dependencies": {
-    "lodash": "^4.17.4",
-    "node-aes-gcm": "^0.2.2"
+    "lodash": "^4.17.4"
   },
   "optionalDependencies": {},
   "devDependencies": {
diff --git a/test/encrypted-attr.spec.js b/test/encrypted-attr.spec.js
@@ -158,15 +158,15 @@ describe('encrypted attributes', function () {
     let obj = {id: 1}
     // aad: aes-256-gcm$01$k2
     let wrongKey = 'YWVzLTI1Ni1nY20kMSRrMg==$sK91YfUvv+O8Jx/m$OOQniq8=$WLbWYz7uCQBTNO3Fc+5UvA'
-    expect(() => enc.decryptAttribute(obj, wrongKey), 'to throw', /invalid auth tag/i)
+    expect(() => enc.decryptAttribute(obj, wrongKey), 'to throw', /unable to auth/i)
   })
 
   it('should throw when decrypting with wrong auth tag', function () {
     let enc = EncryptedAttributes(['secret'], this.options)
     let obj = {id: 1}
     // aad: aes-256-gcm$01$k1
     let wrongAuthTag = 'YWVzLTI1Ni1nY20kMSRrMQ==$sK91YfUvv+O8Jx/m$OOQniq8=$VLbWYz7uCQBTNO3Fc+5UvA'
-    expect(() => enc.decryptAttribute(obj, wrongAuthTag), 'to throw', /invalid auth tag/i)
+    expect(() => enc.decryptAttribute(obj, wrongAuthTag), 'to throw', /unable to auth/i)
   })
 
   it('should throw when decrypting without id', function () {
