import { createCipheriv, createDecipheriv, HexBase64BinaryEncoding, randomBytes, Utf8AsciiBinaryEncoding, } from 'crypto'; import { TOKEN_VALID_LENGTH } from '@verdaccio/config'; import buildDebug from 'debug'; const debug = buildDebug('verdaccio:auth:token:legacy'); export const defaultAlgorithm = process.env.VERDACCIO_LEGACY_ALGORITHM || 'aes-256-ctr'; const inputEncoding: Utf8AsciiBinaryEncoding = 'utf8'; const outputEncoding: HexBase64BinaryEncoding = 'hex'; // For AES, this is always 16 const IV_LENGTH = 16; // Must be 256 bits (32 characters) // const VERDACCIO_LEGACY_ENCRYPTION_KEY = process.env.VERDACCIO_LEGACY_ENCRYPTION_KEY; export function aesEncrypt(value: string, key: string): string | void { // // debug('encrypt %o', value); debug('algorithm %o', defaultAlgorithm); const iv = Buffer.from(randomBytes(IV_LENGTH)); const secretKey = VERDACCIO_LEGACY_ENCRYPTION_KEY || key; const isKeyValid = secretKey?.length === TOKEN_VALID_LENGTH; debug('length secret key %o', secretKey?.length); debug('is valid secret %o', isKeyValid); if (!value || !secretKey || !isKeyValid) { return; } const cipher = createCipheriv(defaultAlgorithm, secretKey, iv); let encrypted = cipher.update(value, inputEncoding, outputEncoding); // @ts-ignore encrypted +=; const token = `${iv.toString('hex')}:${encrypted.toString()}`; debug('token generated successfully'); return Buffer.from(token).toString('base64'); } export function aesDecrypt(value: string, key: string): string | void { try { const buff = Buffer.from(value, 'base64'); const textParts = buff.toString().split(':'); // extract the IV from the first half of the value // @ts-ignore const IV = Buffer.from(textParts.shift(), outputEncoding); // extract the encrypted text without the IV const encryptedText = Buffer.from(textParts.join(':'), outputEncoding); const secretKey = VERDACCIO_LEGACY_ENCRYPTION_KEY || key; // decipher the string const decipher = createDecipheriv(defaultAlgorithm, secretKey, IV); let decrypted = decipher.update(encryptedText, outputEncoding, inputEncoding); decrypted +=; debug('token decrypted successfully'); return decrypted.toString(); } catch (_: any) { return; } }