Skip to content

Replace node-forge by native node crypto.#86

Merged
esarafianou merged 1 commit intoauth0:masterfrom
forty:forty/remove-node-forge
Jan 13, 2022
Merged

Replace node-forge by native node crypto.#86
esarafianou merged 1 commit intoauth0:masterfrom
forty:forty/remove-node-forge

Conversation

@forty
Copy link
Contributor

@forty forty commented Aug 5, 2021
edited
Loading

This requires dropping support for node 8, which is probably fine since
node 8 is EoL since December 31, 2019.

By submitting a PR to this repository, you agree to the terms within the Auth0 Code of Conduct. Please see the contributing guidelines for how to create and submit a high-quality PR for this repo.

Description

Drop node-forge (which is a huge dep), use native nodejs crypto.

References

About node 8 support
https://blog.risingstack.com/update-nodejs-8-end-of-life-no-support/

Node Crypto
https://nodejs.org/api/crypto.html#crypto_crypto_publicencrypt_key_buffer
https://nodejs.org/api/crypto.html#crypto_crypto_privatedecrypt_privatekey_buffer

Testing

I updated first the encryption part, ran the tests (it was fine) then the decryption part (tests still fine).
This made sure the new encryption works well with the

Checklist

  • I have added documentation for new/changed functionality in this PR or in auth0.com/docs
  • All active GitHub checks for tests, formatting, and security are passing
  • The correct base branch is being used, if not master

@forty forty requested a review from a team as a code owner August 5, 2021 11:54
@forty forty force-pushed the forty/remove-node-forge branch from f3daf8e to 7f53cac Compare August 26, 2021 09:14
@forty
Copy link
Contributor Author

forty commented Aug 26, 2021

Hello maintainers! Any interest in having this merged?

@forty
Copy link
Contributor Author

forty commented Jan 10, 2022

This PR would also fix #93 :)

@gkwang @esarafianou are you still working on this project ?

@forty forty mentioned this pull request Jan 10, 2022
Closed
@esarafianou
Copy link
Contributor

esarafianou commented Jan 10, 2022

Hi @forty, seems like we missed your previous messages. I'll have the PR reviewed within the week.

panva
panva reviewed Jan 13, 2022
View reviewed changes
Copy link
Member

@panva panva left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Unless you're going to be re-using the KeyObject instance it's better to pass the key material down to the encrypt/decrypt to avoid C/JS context switching.

lib/xmlenc.js Outdated
Comment on lines 259 to 260
var private_key = crypto.createPrivateKey(options.key);
var decrypted = crypto.privateDecrypt({ key: private_key, padding: padding}, key);
Copy link
Member

@panva panva Jan 13, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
var private_key = crypto.createPrivateKey(options.key);
var decrypted = crypto.privateDecrypt({ key: private_key, padding: padding}, key);
var decrypted = crypto.privateDecrypt({ key: options.key, padding: padding}, key);

lib/xmlenc.js Outdated
Comment on lines 17 to 20
var rsa_pub = crypto.createPublicKey(options.rsa_pub);
var encrypted = crypto.publicEncrypt({
key: rsa_pub,
padding: padding
}, symmetricKeyBuffer);
Copy link
Member

@panva panva Jan 13, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
var rsa_pub = crypto.createPublicKey(options.rsa_pub);
var encrypted = crypto.publicEncrypt({
key: rsa_pub,
padding: padding
}, symmetricKeyBuffer);
var encrypted = crypto.publicEncrypt({
key: options.rsa_pub,
padding: padding
}, symmetricKeyBuffer);

@esarafianou
Copy link
Contributor

esarafianou commented Jan 13, 2022

@forty could you address @panva's feedback? I'll then approve, merge and create a release PR.

@esarafianou esarafianou mentioned this pull request Jan 13, 2022
Closed
@qbarbe-dashlane
Replace node-forge by native node crypto.
7aaa734 
This requires dropping support for node 8, which is probably fine since
node 8 is EoL since December 31, 2019.
@forty forty force-pushed the forty/remove-node-forge branch from 7f53cac to 7aaa734 Compare January 13, 2022 12:39
@forty
Copy link
Contributor Author

forty commented Jan 13, 2022

Thanks for the comments @panva !

@esarafianou I've just updated the PR.

Thanks!

@esarafianou esarafianou merged commit 291f3f1 into auth0:master Jan 13, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

2 more reviewers

@panva panva panva left review comments

@esarafianou esarafianou esarafianou approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@forty @esarafianou @panva @qbarbe-dashlane