feat: support for createCipher backward compatible (#4612)

.changeset/sharp-wolves-carry.md

@@ -0,0 +1,5 @@
+---
+'@verdaccio/signature': minor
+---
+
+support for createCipher backward compatible

packages/signature/package.json

@@ -26,7 +26,7 @@
     "verdaccio"
   ],
   "engines": {
-    "node": ">=12"
+    "node": ">=14"
   },
   "scripts": {
     "clean": "rimraf ./build",
@@ -39,6 +39,7 @@
   },
   "dependencies": {
     "jsonwebtoken": "9.0.2",
+    "evp_bytestokey": "1.0.3",
     "debug": "4.3.4"
   },
   "devDependencies": {

packages/signature/src/index.ts

@@ -2,7 +2,10 @@ export {
   aesDecryptDeprecated,
   aesEncryptDeprecated,
   generateRandomSecretKeyDeprecated,
+  aesDecryptDeprecatedBackwardCompatible,
+  aesEncryptDeprecatedBackwardCompatible,
 } from './legacy-signature';
+
 export { aesDecrypt, aesEncrypt } from './signature';
 export { signPayload, verifyPayload, SignOptionsSignature } from './jwt-token';
 export * as utils from './utils';

packages/signature/src/legacy-signature/index.ts

@@ -1,50 +1,13 @@
-import { createCipher, createDecipher } from 'crypto';
-
-import { generateRandomHexString } from '../utils';
-
-export const defaultAlgorithm = 'aes192';
-export const defaultTarballHashAlgorithm = 'sha1';
-
-/**
- *
- * @param buf
- * @param secret
- * @returns
- */
-export function aesEncryptDeprecated(buf: Buffer, secret: string): Buffer {
-  // deprecated (it will be removed in Verdaccio 6), it is a breaking change
-  // https://nodejs.org/api/crypto.html#crypto_crypto_createcipher_algorithm_password_options
-  // https://www.grainger.xyz/changing-from-cipher-to-cipheriv/
-  const c = createCipher(defaultAlgorithm, secret);
-  const b1 = c.update(buf);
-  const b2 = c.final();
-  return Buffer.concat([b1, b2]);
-}
-
-/**
- *
- * @param buf
- * @param secret
- * @returns
- */
-export function aesDecryptDeprecated(buf: Buffer, secret: string): Buffer {
-  try {
-    // https://nodejs.org/api/crypto.html#crypto_crypto_createdecipher_algorithm_password_options
-    // https://www.grainger.xyz/changing-from-cipher-to-cipheriv/
-    const c = createDecipher(defaultAlgorithm, secret);
-    const b1 = c.update(buf);
-    const b2 = c.final();
-    return Buffer.concat([b1, b2]);
-  } catch (_) {
-    return Buffer.alloc(0);
-  }
-}
-
-export const TOKEN_VALID_LENGTH_DEPRECATED = 64;
-
-/**
- * Generate a secret key of 64 characters.
- */
-export function generateRandomSecretKeyDeprecated(): string {
-  return generateRandomHexString(6);
-}
+export {
+  aesDecryptDeprecated,
+  aesEncryptDeprecated,
+  generateRandomSecretKeyDeprecated,
+  TOKEN_VALID_LENGTH_DEPRECATED,
+  defaultAlgorithm,
+  defaultTarballHashAlgorithm,
+} from './legacy-crypto';
+// Temporary export to keep backward compatibility with Node.js >= 22
+export {
+  aesDecryptDeprecatedBackwardCompatible,
+  aesEncryptDeprecatedBackwardCompatible,
+} from './legacy-backward-compatible';

packages/signature/src/legacy-signature/legacy-backward-compatible.ts

@@ -0,0 +1,32 @@
+/* eslint-disable new-cap */
+import { createCipheriv, createDecipheriv } from 'crypto';
+import EVP_BytesToKey from 'evp_bytestokey';
+
+export const defaultAlgorithm = 'aes192';
+const KEY_SIZE = 24;
+
+export function aesDecryptDeprecatedBackwardCompatible(text, secret: string) {
+  const result = EVP_BytesToKey(
+    secret,
+    null,
+    KEY_SIZE * 8, // byte to bit size
+    16
+  );
+
+  let decipher = createDecipheriv(defaultAlgorithm, result.key, result.iv);
+  let decrypted = decipher.update(text, 'hex', 'utf8') + decipher.final('utf8');
+  return decrypted.toString();
+}
+
+export function aesEncryptDeprecatedBackwardCompatible(text, secret: string) {
+  const result = EVP_BytesToKey(
+    secret,
+    null,
+    KEY_SIZE * 8, // byte to bit size
+    16
+  );
+
+  const cipher = createCipheriv(defaultAlgorithm, result.key, result.iv);
+  const encrypted = cipher.update(text, 'utf8', 'hex') + cipher.final('hex');
+  return encrypted.toString();
+}

packages/signature/src/legacy-signature/legacy-crypto.ts

@@ -0,0 +1,50 @@
+import { createCipher, createDecipher } from 'crypto';
+
+import { generateRandomHexString } from '../utils';
+
+export const defaultAlgorithm = 'aes192';
+export const defaultTarballHashAlgorithm = 'sha1';
+
+/**
+ * Deprecated version usage of crypto.createCipher, only useful for node.js versions < 22.
+ * @param buf
+ * @param secret
+ * @returns
+ */
+export function aesEncryptDeprecated(buf: Buffer, secret: string): Buffer {
+  // deprecated (it will be removed in Verdaccio 6), it is a breaking change
+  // https://nodejs.org/api/crypto.html#crypto_crypto_createcipher_algorithm_password_options
+  // https://www.grainger.xyz/changing-from-cipher-to-cipheriv/
+  const c = createCipher(defaultAlgorithm, secret);
+  const b1 = c.update(buf);
+  const b2 = c.final();
+  return Buffer.concat([b1, b2]);
+}
+
+/**
+ * Deprecated version usage of crypto.createCipher, only useful for node.js versions < 22.
+ * @param buf
+ * @param secret
+ * @returns
+ */
+export function aesDecryptDeprecated(buf: Buffer, secret: string): Buffer {
+  try {
+    // https://nodejs.org/api/crypto.html#crypto_crypto_createdecipher_algorithm_password_options
+    // https://www.grainger.xyz/changing-from-cipher-to-cipheriv/
+    const c = createDecipher(defaultAlgorithm, secret);
+    const b1 = c.update(buf);
+    const b2 = c.final();
+    return Buffer.concat([b1, b2]);
+  } catch (_) {
+    return Buffer.alloc(0);
+  }
+}
+
+export const TOKEN_VALID_LENGTH_DEPRECATED = 64;
+
+/**
+ * Generate a secret key of 64 characters.
+ */
+export function generateRandomSecretKeyDeprecated(): string {
+  return generateRandomHexString(6);
+}

packages/signature/src/signature.ts

@@ -26,7 +26,11 @@ export function aesEncrypt(value: string, key: string): string | void {
   // IV must be a buffer of length 16
   const iv = randomBytes(16);
   const secretKey = VERDACCIO_LEGACY_ENCRYPTION_KEY || key;
+
   const isKeyValid = secretKey?.length === TOKEN_VALID_LENGTH;
+  if (isKeyValid === false) {
+    throw new Error('Invalid secret key length');
+  }
   debug('length secret key %o', secretKey?.length);
   debug('is valid secret %o', isKeyValid);
   if (!value || !secretKey || !isKeyValid) {

packages/signature/test/legacy-token-deprecated-backward-compatible.spec.ts

@@ -0,0 +1,23 @@
+import {
+  aesDecryptDeprecatedBackwardCompatible,
+  aesEncryptDeprecatedBackwardCompatible,
+  generateRandomSecretKeyDeprecated,
+} from '../src';
+
+describe('test deprecated crypto utils', () => {
+  test('decrypt payload flow', () => {
+    const secret = generateRandomSecretKeyDeprecated();
+    const payload = 'juan:password';
+    const token = aesEncryptDeprecatedBackwardCompatible(Buffer.from(payload), secret);
+    const data = aesDecryptDeprecatedBackwardCompatible(token, secret);
+
+    expect(data.toString()).toEqual(payload.toString());
+  });
+
+  test('crypt fails if secret is incorrect', () => {
+    const payload = 'juan:password';
+    expect(
+      aesEncryptDeprecatedBackwardCompatible(Buffer.from(payload), 'fake_token').toString()
+    ).not.toEqual(Buffer.from(payload));
+  });
+});

packages/signature/test/legacy-token.spec.ts

@@ -13,7 +13,6 @@ describe('test crypto utils', () => {
   test('crypt fails if secret is incorrect', () => {
     const secret = 'f5bb945cc57fea2f25961e1bd6fb3c89_TO_LONG';
     const payload = 'juan';
-    const token = aesEncrypt(payload, secret) as string;
-    expect(token).toBeUndefined();
+    expect(() => aesEncrypt(payload, secret)).toThrow('Invalid secret key length');
   });
 });