Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Replace node-forge by native node crypto. #86

Merged
merged 1 commit into from
Jan 13, 2022

Conversation

forty
Copy link
Contributor

@forty forty commented Aug 5, 2021

This requires dropping support for node 8, which is probably fine since
node 8 is EoL since December 31, 2019.

By submitting a PR to this repository, you agree to the terms within the Auth0 Code of Conduct. Please see the contributing guidelines for how to create and submit a high-quality PR for this repo.

Description

Drop node-forge (which is a huge dep), use native nodejs crypto.

References

About node 8 support
https://blog.risingstack.com/update-nodejs-8-end-of-life-no-support/

Node Crypto
https://nodejs.org/api/crypto.html#crypto_crypto_publicencrypt_key_buffer
https://nodejs.org/api/crypto.html#crypto_crypto_privatedecrypt_privatekey_buffer

Testing

I updated first the encryption part, ran the tests (it was fine) then the decryption part (tests still fine).
This made sure the new encryption works well with the

Checklist

  • I have added documentation for new/changed functionality in this PR or in auth0.com/docs
  • All active GitHub checks for tests, formatting, and security are passing
  • The correct base branch is being used, if not master

@forty forty requested a review from a team as a code owner August 5, 2021 11:54
@forty
Copy link
Contributor Author

forty commented Aug 26, 2021

Hello maintainers! Any interest in having this merged?

@forty
Copy link
Contributor Author

forty commented Jan 10, 2022

This PR would also fix #93 :)

@gkwang @esarafianou are you still working on this project ?

@esarafianou
Copy link
Contributor

Hi @forty, seems like we missed your previous messages. I'll have the PR reviewed within the week.

Copy link

@panva panva left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Unless you're going to be re-using the KeyObject instance it's better to pass the key material down to the encrypt/decrypt to avoid C/JS context switching.

lib/xmlenc.js Outdated
Comment on lines 259 to 260
var private_key = crypto.createPrivateKey(options.key);
var decrypted = crypto.privateDecrypt({ key: private_key, padding: padding}, key);
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
var private_key = crypto.createPrivateKey(options.key);
var decrypted = crypto.privateDecrypt({ key: private_key, padding: padding}, key);
var decrypted = crypto.privateDecrypt({ key: options.key, padding: padding}, key);

lib/xmlenc.js Outdated
Comment on lines 17 to 20
var rsa_pub = crypto.createPublicKey(options.rsa_pub);
var encrypted = crypto.publicEncrypt({
key: rsa_pub,
padding: padding
}, symmetricKeyBuffer);
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
var rsa_pub = crypto.createPublicKey(options.rsa_pub);
var encrypted = crypto.publicEncrypt({
key: rsa_pub,
padding: padding
}, symmetricKeyBuffer);
var encrypted = crypto.publicEncrypt({
key: options.rsa_pub,
padding: padding
}, symmetricKeyBuffer);

@esarafianou
Copy link
Contributor

@forty could you address @panva's feedback? I'll then approve, merge and create a release PR.

This requires dropping support for node 8, which is probably fine since
node 8 is EoL since December 31, 2019.
@forty
Copy link
Contributor Author

forty commented Jan 13, 2022

Thanks for the comments @panva !

@esarafianou I've just updated the PR.

Thanks!

@esarafianou esarafianou merged commit 291f3f1 into auth0:master Jan 13, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

None yet

3 participants