refactor(crypto): update encryption to AES-256-GCM

Author: timoa

src/controllers/secretController.js

@@ -1,4 +1,4 @@
-const boom = require('boom');
+const boom = require('@hapi/boom');
 const _ = require('lodash');
 const Secret = require('../models/secret');
 const crypto = require('../lib/crypto');

src/lib/crypto.js

@@ -1,11 +1,11 @@
 const crypto = require('crypto');
 
-const encryptionType = 'aes-256-cbc';
-
 function generateIv() {
-  return crypto.randomBytes(16);
+  return crypto.randomBytes(32);
 }
 
+const algorithm = 'AES-256-GCM';
+
 /**
  * Encrypt a secret
  * @param {String} data           Data to encrypt
@@ -18,14 +18,18 @@ function encrypt(data, encryptionKey) {
   const iv = generateIv();
 
   // Cipher
-  const cipher = crypto.createCipheriv(encryptionType, Buffer.from(encryptionKey), iv);
+  const cipher = crypto.createCipheriv(algorithm, encryptionKey, iv);
 
   // Encrypt the data
-  let encryptedSecret = cipher.update(data);
-  encryptedSecret = Buffer.concat([encryptedSecret, cipher.final()]);
+  const encryptedData = Buffer.concat([
+    cipher.update(Buffer.from(data, 'utf-8')),
+    cipher.final(),
+  ]);
+
+  const authTag = cipher.getAuthTag();
 
   // Embedded IV with the encrypted secret
-  return `${iv.toString('hex')}:${encryptedSecret.toString('hex')}`;
+  return `${iv.toString('hex')}:${authTag.toString('hex')}:${encryptedData.toString('hex')}`;
 }
 
 /**
@@ -39,18 +43,22 @@ function decrypt(data, encryptionKey) {
   // Retrieve the IV from the encrypted data
   const encryptedData = data.split(':');
   const iv = Buffer.from(encryptedData.shift(), 'hex');
+  const authTag = Buffer.from(encryptedData.shift(), 'hex');
 
   // Retrieve the secret
   const encryptedSecret = Buffer.from(encryptedData.join(':'), 'hex');
 
   // Decipher
-  const decipher = crypto.createDecipheriv(encryptionType, Buffer.from(encryptionKey), iv);
+  const decipher = crypto.createDecipheriv(algorithm, Buffer.from(encryptionKey), iv);
+  decipher.setAuthTag(authTag);
 
   // Decrypt the data
-  let secret = decipher.update(encryptedSecret);
-  secret = Buffer.concat([secret, decipher.final()]);
+  const decrypted = Buffer.concat([
+    decipher.update(encryptedSecret),
+    decipher.final(),
+  ]);
 
-  return secret;
+  return decrypted.toString('utf-8');
 }
 
 module.exports = { encrypt, decrypt };

src/lib/db.js

@@ -1,5 +1,5 @@
 const mongoose = require('mongoose');
-const logger = require('../lib/logger');
+const logger = require('./logger');
 const config = require('../config/config.json');
 
 const host = process.env.MONGO_HOST || 'localhost';
@@ -13,13 +13,14 @@ function connect() {
     useNewUrlParser: true,
     useCreateIndex: true,
     useFindAndModify: false,
+    useUnifiedTopology: true,
   })
     .then(() => logger.info('MongoDB connected'))
-    .catch(err => logger.error(err));
+    .catch((err) => logger.error(err));
 }
 
-function close() {
-  mongoose.connection.close();
+function close(callback) {
+  mongoose.connection.close(true, callback);
 }
 
 module.exports = { connect, close };

src/lib/logger.js

@@ -18,7 +18,7 @@ const logger = createLogger({
       format: format.combine(
         format.colorize(),
         format.printf(
-          info => `${correlationId} | ${info.timestamp} | ${info.level}: ${info.message}`,
+          (info) => `${correlationId} | ${info.timestamp} | ${info.level}: ${info.message}`,
         ),
       ),
     }),

test/lib.db.spec.js

@@ -9,8 +9,9 @@ describe('DB Connect', () => {
   });
   it('expect "connect" to not throw', (done) => {
     expect(db.connect).to.not.throw();
-    db.close();
-    done();
+    db.close(() => {
+      done();
+    });
   });
 });
 
@@ -20,7 +21,8 @@ describe('DB Close', () => {
     done();
   });
   it('expect "close" to not throw', (done) => {
-    expect(db.close).to.not.throw();
-    done();
+    expect(() => {
+      done();
+    }).to.not.throw();
   });
 });

test/testData.json

@@ -1,12 +1,12 @@
 {
   "id": "test-01",
-  "encryptionKey": "p2s5v8y/B?E(H+MbQeShVmYq3t6w9z$C",
+  "encryptionKey": "5v8y/B?E(H+MbQeThWmZq4t6w9z$C&F)",
   "secret": {
     "first_name": "firstname",
     "last_name": "lastname",
     "email": "email@email.com",
     "password": "app123",
     "password_confirmation": "app123"
   },
-  "encryptedSecret": "8b207a4408fec28e4d985b80c66a0e74:b5245d5149a6cba15ee6f597a3b1fc5fcaca4ccdd7f8ed0865f0358002a74a90d17ee7ddb55bc295ae4a6e71ff13d86466790641cc61cbe728bb4014e3acd0ceef654ca7f14bd4e2875a0158c1ca669b8fee1ebbf9a47cbdfe1668568c4d295fdc00b4fb07196452c05ae465a11146738cf9a9e9827b8ab75a817e94780a759e56ccb5b26ac2a79716d0ec3a0784ad6b"
+  "encryptedSecret": "758bdba944c8fd1bf0ec446420179f4ce66f272777537318ea07e5d1fb95ecff:923653370a204b5162cda7d145d6f691:5e4fd43516fe1c22ab50f2500ae94b216b3fd6a534a7f642d2d4fcd147da6f9125bd28a9100141508125c3e7adcecabeafba20739086e3dfcdcbf87a34d5ef1301b4d9e0189626ef0c5d0666cf3a780f191c712f519c9f500da2371629d5d58d2ca330e9ad5191ae3512eb27cc7adb3a4e936f89d06de0d954260161143b04b6"
 }