keyshade-xyz · rajdip-b · Feb 11, 2024 · Feb 11, 2024 · Feb 11, 2024
@@ -1,18 +1,14 @@
-import { generateKeyPairSync } from 'crypto'
+import eccrypto from 'eccrypto'
 
 export const createKeyPair = (): {
   publicKey: string
   privateKey: string
 } => {
-  const { publicKey, privateKey } = generateKeyPairSync('rsa', {
-    modulusLength: 2048
-  })
-
-  const publicKeyPEM = publicKey.export({ type: 'pkcs1', format: 'pem' })
-  const privateKeyPEM = privateKey.export({ type: 'pkcs1', format: 'pem' })
+  const privateKey = eccrypto.generatePrivate()
+  const publicKey = eccrypto.getPublic(privateKey)
 
   return {
-    publicKey: publicKeyPEM.toString(),
-    privateKey: privateKeyPEM.toString()
+    publicKey: publicKey.toString('hex'),
+    privateKey: privateKey.toString('hex')
   }
 }
@@ -1,12 +1,22 @@
-import { createPrivateKey, privateDecrypt } from 'crypto'
+import eccrypto from 'eccrypto'
 
-export const decrypt = (privateKey: string, data: string): string => {
-  const privateKeyPEM = createPrivateKey({
-    key: privateKey,
-    format: 'pem'
-  })
+export const decrypt = async (
+  privateKey: string,
+  data: string
+): Promise<string> => {
+  const parsed = JSON.parse(data)
 
-  const buffer = Buffer.from(data, 'base64')
-  const decrypted = privateDecrypt(privateKeyPEM, buffer)
-  return decrypted.toString('utf8')
+  const eicesData = {
+    iv: Buffer.from(parsed.iv),
+    ephemPublicKey: Buffer.from(parsed.ephemPublicKey),
+    ciphertext: Buffer.from(parsed.ciphertext),
+    mac: Buffer.from(parsed.mac)
+  }
+
+  const decrypted = await eccrypto.decrypt(
+    Buffer.from(privateKey, 'hex'),
+    eicesData
+  )
+
+  return decrypted.toString()
 }
@@ -1,12 +1,13 @@
-import { createPublicKey, publicEncrypt } from 'crypto'
+import eccrypto from 'eccrypto'
 
-export const encrypt = (publicKey: string, data: string): string => {
-  const publicKeyPEM = createPublicKey({
-    key: publicKey,
-    format: 'pem'
-  })
+export const encrypt = async (
+  publicKey: string,
+  data: string
+): Promise<string> => {
+  const encrypted = await eccrypto.encrypt(
+    Buffer.from(publicKey, 'hex'),
+    Buffer.from(data)
+  )
 
-  const messageBuffer = Buffer.from(data)
-  const encrypted = publicEncrypt(publicKeyPEM, messageBuffer)
-  return encrypted.toString('base64')
+  return JSON.stringify(encrypted)
 }
@@ -18,23 +18,25 @@ describe('util', () => {
     expect(keyPair.privateKey).toBeDefined()
   })
 
-  it('should encrypt and decrypt a string', () => {
+  it('should encrypt and decrypt a string', async () => {
     const keyPair = createKeyPair()
     const plaintext = 'hello world'
-    const encrypted = encrypt(keyPair.publicKey, plaintext)
-    const decrypted = decrypt(keyPair.privateKey, encrypted)
+    const encrypted = await encrypt(keyPair.publicKey, plaintext)
+    const decrypted = await decrypt(keyPair.privateKey, encrypted)
     expect(decrypted).toEqual(plaintext)
   })
 
-  it('should fail to encrypt and decrypt a string', () => {
+  it('should fail to encrypt and decrypt a string', async () => {
     const keyPair = createKeyPair()
     const differenetKeyPair = createKeyPair()
     const plainText = 'hello world'
-    const encrypted = encrypt(keyPair.publicKey, plainText)
-    const decrypted = () => {
-      decrypt(differenetKeyPair.privateKey, encrypted);
-    };
-    expect(decrypted).toThrow()
+    const encrypted = await encrypt(keyPair.publicKey, plainText)
+    try {
+      await decrypt(differenetKeyPair.privateKey, encrypted)
+    } catch (e) {
+      expect(e).toBeDefined()
+      expect(e.message).toEqual('Bad MAC')
+    }
   })
 
   it('should exclude fields', () => {

@@ -32,7 +32,7 @@
    dto: CreateProject
  ): Promise<Project> {
    // Check if the workspace exists or not
    const workspace = await getWorkspaceWithAuthority(
      user.id,
      workspaceId,
      Authority.CREATE_SECRET,
@@ -158,7 +158,7 @@
      ...createEnvironmentOps
    ])

    createEvent(
      {
        triggeredBy: user,
        entity: newProject,
@@ -241,8 +241,8 @@
         for (const version of versions) {
           updatedVersions.push({
             id: version.id,
-            value: encrypt(
-              decrypt(project.privateKey, version.value),
+            value: await encrypt(
+              await decrypt(project.privateKey, version.value),
               privateKey
             )
           })
@@ -279,7 +279,7 @@
      ...versionUpdateOps
    ])

    createEvent(
      {
        triggeredBy: user,
        entity: updatedProject,
@@ -316,7 +316,7 @@
      }
    })

    createEvent(
      {
        triggeredBy: user,
        entity: project,

@@ -72,13 +72,13 @@
    }

    // Create the secret
    const secret = await this.prisma.secret.create({
      data: {
        name: dto.name,
         rotateAt: addHoursToDate(dto.rotateAfter),
         versions: {
           create: {
-            value: encrypt(project.publicKey, dto.value),
+            value: await encrypt(project.publicKey, dto.value),
             version: 1,
             createdById: user.id
           }
@@ -101,7 +101,7 @@
      }
    })

    createEvent(
      {
        triggeredBy: user,
        entity: secret,
@@ -120,13 +120,13 @@
      this.prisma
    )

    this.logger.log(`User ${user.id} created secret ${secret.id}`)

    return secret
  }

  async updateSecret(user: User, secretId: Secret['id'], dto: UpdateSecret) {
    const secret = await getSecretWithAuthority(
      user.id,
      secretId,
      Authority.UPDATE_SECRET,
@@ -160,7 +160,7 @@
        take: 1
      })

      result = await this.prisma.secret.update({
        where: {
          id: secretId
        },
@@ -170,7 +170,7 @@
           lastUpdatedById: user.id,
           versions: {
             create: {
-              value: encrypt(secret.project.publicKey, dto.value),
+              value: await encrypt(secret.project.publicKey, dto.value),
               version: previousVersion.version + 1,
               createdById: user.id
             }
@@ -179,7 +179,7 @@
      })
    }

    result = await this.prisma.secret.update({
      where: {
        id: secretId
      },
@@ -190,7 +190,7 @@
      }
    })

    createEvent(
      {
        triggeredBy: user,
        entity: secret,
@@ -207,9 +207,9 @@
      this.prisma
    )

    this.logger.log(`User ${user.id} updated secret ${secret.id}`)

    return result
  }

  async updateSecretEnvironment(
@@ -217,7 +217,7 @@
    secretId: Secret['id'],
    environmentId: Environment['id']
  ) {
    const secret = await getSecretWithAuthority(
      user.id,
      secretId,
      Authority.UPDATE_SECRET,
@@ -243,7 +243,7 @@
    }

    // Update the secret
    const result = await this.prisma.secret.update({
      where: {
        id: secretId
      },
@@ -252,7 +252,7 @@
      }
    })

    createEvent(
      {
        triggeredBy: user,
        entity: secret,
@@ -271,9 +271,9 @@
      this.prisma
    )

    this.logger.log(`User ${user.id} updated secret ${secret.id}`)

    return result
  }

  async rollbackSecret(
@@ -282,7 +282,7 @@
    rollbackVersion: SecretVersion['version']
  ) {
    // Fetch the secret
    const secret = await getSecretWithAuthority(
      user.id,
      secretId,
      Authority.UPDATE_SECRET,
@@ -309,7 +309,7 @@

  async deleteSecret(user: User, secretId: Secret['id']) {
    // Check if the user has the required role
    await getSecretWithAuthority(
      user.id,
      secretId,
      Authority.DELETE_SECRET,
@@ -330,7 +330,7 @@
    decryptValue: boolean
  ) {
    // Fetch the secret
    const secret = await getSecretWithAuthority(
      user.id,
      secretId,
      Authority.READ_SECRET,
@@ -356,7 +356,7 @@
 
     if (decryptValue) {
       // Decrypt the secret value
-      const decryptedValue = decrypt(
+      const decryptedValue = await decrypt(
         project.privateKey,
         secret.versions[0].value
       )
@@ -369,7 +369,7 @@

  async getAllVersionsOfSecret(user: User, secretId: Secret['id']) {
    // Fetch the secret
    const secret = await getSecretWithAuthority(
      user.id,
      secretId,
      Authority.READ_SECRET,
@@ -447,10 +447,10 @@
     })) as SecretWithVersion[]
 
     // Return the secrets
-    return secrets.map((secret) => {
+    return secrets.map(async (secret) => {
       if (decryptValue) {
         // Decrypt the secret value
-        const decryptedValue = decrypt(
+        const decryptedValue = await decrypt(
           project.privateKey,
           secret.versions[0].value
         )

diff --git a/package.json b/package.json
@@ -164,7 +164,13 @@
     "ts-jest": "^29.1.1",
     "ts-node": "10.9.1",
     "typescript": "~5.2.2",
-    "url-loader": "^4.1.1"
+    "url-loader": "^4.1.1",
+    "@semantic-release/changelog": "^6.0.3",
+    "@semantic-release/commit-analyzer": "^11.1.0",
+    "@semantic-release/git": "^10.0.1",
+    "@semantic-release/release-notes-generator": "^12.1.0",
+    "@types/jsonwebtoken": "^9.0.5",
+    "@types/eccrypto": "^1.1.6"
   },
   "dependencies": {
     "@nestjs/common": "^10.3.0",
@@ -177,18 +183,13 @@
     "@nestjs/schedule": "^4.0.0",
     "@nestjs/swagger": "^7.1.17",
     "@prisma/client": "^5.7.1",
-    "@semantic-release/changelog": "^6.0.3",
-    "@semantic-release/commit-analyzer": "^11.1.0",
-    "@semantic-release/git": "^10.0.1",
-    "@semantic-release/release-notes-generator": "^12.1.0",
-    "@supabase/supabase-js": "^2.39.2",
-    "@types/jsonwebtoken": "^9.0.5",
     "axios": "^1.6.5",
     "chalk": "4.1.2",
     "class-transformer": "^0.5.1",
     "class-validator": "^0.14.0",
     "conventional-changelog-conventionalcommits": "^7.0.2",
     "dotenv": "^16.3.1",
+    "eccrypto": "^1.1.6",
     "express": "^4.18.2",
     "husky": "^8.0.3",
     "jest-mock-extended": "^3.0.5",