Merge pull request #4 from BlackPearSw/refactor/migrate-cipher

Migrate createCipher -> createCipheriv with old behaviour
BlackPearSw · Jul 3, 2020 · 72e3a4b · 72e3a4b
2 parents 37c7ced + 92d225e
commit 72e3a4b
Show file tree

Hide file tree

Showing 4 changed files with 50 additions and 9 deletions.
diff --git a/.gitignore b/.gitignore
@@ -113,4 +113,5 @@ dist
 .yarn/unplugged
 .yarn/build-state.yml
 .yarn/install-state.gz
-.pnp.*
+.pnp.*
+/.idea
diff --git a/create-cipher.js b/create-cipher.js
@@ -0,0 +1,32 @@
+const crypto = require('crypto');
+
+function sizes(cipher) {
+  for (let nkey = 1, niv = 0;;) {
+    try {
+      crypto.createCipheriv(cipher, '.'.repeat(nkey), '.'.repeat(niv));
+      return [nkey, niv];
+    } catch (e) {
+      if (/invalid iv length/i.test(e.message)) niv += 1;
+      else if (/invalid key length/i.test(e.message)) nkey += 1;
+      else throw e;
+    }
+  }
+}
+
+//Replicates the EVP_BytesToKey function used by deprecated crypto.createCipher
+//with the digest algorithm set to MD5, one iteration, and no salt
+module.exports = function compute(cipher, passphrase) {
+  let [nkey, niv] = sizes(cipher);
+  for (let key = '', iv = '', p = '';;) {
+    const h = crypto.createHash('md5');
+    h.update(p, 'hex');
+    h.update(passphrase);
+    p = h.digest('hex');
+    let n, i = 0;
+    n = Math.min(p.length-i, 2*nkey);
+    nkey -= n/2, key += p.slice(i, i+n), i += n;
+    n = Math.min(p.length-i, 2*niv);
+    niv -= n/2, iv += p.slice(i, i+n), i += n;
+    if (nkey+niv === 0) return [key, iv];
+  }
+}
diff --git a/lib.js b/lib.js
@@ -1,21 +1,29 @@
 const querystring = require('querystring');
 const crypto = require('crypto');
 const _ = require('lodash');
+const createCipher = require('./create-cipher');
 
 const ALGORITHM = 'aes256';
 const PLAINTEXTENCODING = 'utf8';
 const CIPHERTEXTENCODING = 'hex';
 const DELIMITER = '|';
 const ENCRYPTEDKEY = 'enc';
-const IV = Buffer.alloc(16);
 
 function encrypt(plaintext, encryptionKey){
-    const cipher = crypto.createCipheriv(ALGORITHM, crypto.createHash("sha256").update(encryptionKey).digest(), IV);
+    let [key, iv] = createCipher(ALGORITHM, encryptionKey);
+    key = Buffer.from(`${key}`, 'hex');
+    iv  = Buffer.from(`${iv}`, 'hex');
+
+    const cipher = crypto.createCipheriv(ALGORITHM, key, iv);
     return cipher.update(plaintext, PLAINTEXTENCODING, CIPHERTEXTENCODING) + cipher.final(CIPHERTEXTENCODING);
 }
 
 function decrypt(ciphertext, encryptionKey){
-    const decipher = crypto.createDecipheriv(ALGORITHM, crypto.createHash("sha256").update(encryptionKey).digest(), IV);
+    let [key, iv] = createCipher(ALGORITHM, encryptionKey);
+    key = Buffer.from(`${key}`, 'hex');
+    iv  = Buffer.from(`${iv}`, 'hex');
+
+    const decipher = crypto.createDecipheriv(ALGORITHM, key, iv);
     return decipher.update(ciphertext, CIPHERTEXTENCODING, PLAINTEXTENCODING) + decipher.final(PLAINTEXTENCODING);
 }
 
@@ -70,4 +78,4 @@ function clarify(s, options){
 }
 
 module.exports.obfuscate = obfuscate;
-module.exports.clarify = clarify;
+module.exports.clarify = clarify;
diff --git a/sample/cases.json b/sample/cases.json
@@ -13,20 +13,20 @@
   },
   {
     "plaintext": "foo=bar&secret=tell-no-one",
-    "ciphertext": "foo=bar&enc=k01|f01c14fc6a8f65ac5b661332cf0ad444cd9e4c9b8da0c054fcdfd76440130590",
+    "ciphertext": "foo=bar&enc=k01|c4d9734010d5ee825eeac2715c12a44b31270c625bb9b3f2d21a225a380fd332",
     "obfuscate": ["secret", "anotherSecret"],
     "key": "k01"
   },
   {
     "plaintext": "foo=bar&secret=tell-no-one&anotherSecret=shhhh",
-    "ciphertext": "foo=bar&enc=k01|f01c14fc6a8f65ac5b661332cf0ad444c6dee443282b8c254dcf8dee65a399a4efeb97051c5de7c0ca8367da5b48f8f5",
+    "ciphertext": "foo=bar&enc=k01|c4d9734010d5ee825eeac2715c12a44b601cbbd0dbafe7737867b51fe880a4ca1e12216b53db3bff0ad897381a84a8a9",
     "obfuscate": ["secret", "anotherSecret"],
     "key": "k01"
   },
   {
     "plaintext": "foo=bar&apikey=Basic 123456789==&user=https://sider.nhs.uk/id|[email protected]",
-    "ciphertext": "foo=bar&enc=k01|7efc2ea2d6c81755901ffcd7d8d7e2e3ce6c1641d458d8f94f902302179216f865e9f3b5f0799792fb8240b0b0d834d0798d9c9dc9a867d641c4bdbbc2f4b0d43af3d534bddf4fbb6aea2225709b9413b2eeca5576e7e84f321bac5526760e15",
+    "ciphertext": "foo=bar&enc=k01|eb9fd88c3e4c1c4a577ce6c25757040e2f4e7d951f75754ee5af5d756555b91861f05a8b1173447081efeb06b1bdb183d98710f334bdbcb88427bbc78460a5055760fd17007c8b88dfd6f15c6dd15422f1626ff889854d2dec89a580de16e791",
     "obfuscate": ["apikey", "user"],
     "key": "k01"
   }
-]
+]