1 | const crypto = require('crypto')
|
2 | const CIPHER_ALGORITHM = 'aes-256-ctr'
|
3 |
|
4 | const {FBError} = require('@ministryofjustice/fb-utils-node')
|
5 | class FBJWTAES256Error extends FBError {}
|
6 |
|
7 |
|
8 |
|
9 |
|
10 |
|
11 |
|
12 |
|
13 |
|
14 |
|
15 |
|
16 |
|
17 |
|
18 |
|
19 |
|
20 |
|
21 |
|
22 |
|
23 |
|
24 |
|
25 | const encrypt = (key, plaintext, ivSeed) => {
|
26 | if (typeof key !== 'string' || !key) {
|
27 | throw new FBJWTAES256Error('Key must be a non-empty string', {
|
28 | error: {
|
29 | code: 'ENOENCRYPTKEY'
|
30 | }
|
31 | })
|
32 | }
|
33 | if (typeof plaintext !== 'string' || !plaintext) {
|
34 | throw new FBJWTAES256Error('Plaintext value must be a non-empty string', {
|
35 | error: {
|
36 | code: 'ENOENCRYPTVALUE'
|
37 | }
|
38 | })
|
39 | }
|
40 |
|
41 | let sha256 = crypto.createHash('sha256')
|
42 | sha256.update(key)
|
43 |
|
44 |
|
45 | const iv = ivSeed ? crypto.createHash('md5').update(ivSeed).digest() : crypto.randomBytes(16)
|
46 |
|
47 | const cipher = crypto.createCipheriv(CIPHER_ALGORITHM, sha256.digest(), iv)
|
48 | const ciphertext = cipher.update(Buffer.from(plaintext))
|
49 | const encrypted = Buffer.concat([iv, ciphertext, cipher.final()]).toString('base64')
|
50 |
|
51 | return encrypted
|
52 | }
|
53 |
|
54 |
|
55 |
|
56 |
|
57 |
|
58 |
|
59 |
|
60 |
|
61 |
|
62 |
|
63 |
|
64 |
|
65 |
|
66 |
|
67 |
|
68 |
|
69 | const decrypt = (key, encrypted) => {
|
70 | if (typeof key !== 'string' || !key) {
|
71 | throw new FBJWTAES256Error('Key must be a non-empty string', {
|
72 | error: {
|
73 | code: 'ENODECRYPTKEY'
|
74 | }
|
75 | })
|
76 | }
|
77 | if (typeof encrypted !== 'string' || !encrypted) {
|
78 | throw new FBJWTAES256Error('Encrypted value must be a non-empty string', {
|
79 | error: {
|
80 | code: 'ENODECRYPTVALUE'
|
81 | }
|
82 | })
|
83 | }
|
84 |
|
85 | const sha256 = crypto.createHash('sha256')
|
86 | sha256.update(key)
|
87 |
|
88 | const input = Buffer.from(encrypted, 'base64')
|
89 |
|
90 | if (input.length < 17) {
|
91 | throw new TypeError('Provided "encrypted" must decrypt to a non-empty string')
|
92 | }
|
93 |
|
94 |
|
95 | const iv = input.slice(0, 16)
|
96 | const decipher = crypto.createDecipheriv(CIPHER_ALGORITHM, sha256.digest(), iv)
|
97 |
|
98 | const ciphertext = input.slice(16)
|
99 | const plaintext = decipher.update(ciphertext) + decipher.final()
|
100 |
|
101 | return plaintext
|
102 | }
|
103 |
|
104 | module.exports = {
|
105 | encrypt,
|
106 | decrypt
|
107 | }
|