Replace deprecated createCipher with createCipheriv for new tokens

Co-authored-by: Alasdair Smith <ali@alasdairsmith.co.uk>

libraries/access-token-encryptor/lib/coffee/AccessTokenEncryptor.coffee

@@ -1,17 +1,17 @@
 crypto = require('crypto')
+async = require('async')
 
 ALGORITHM = 'aes-256-ctr'
 
-keyFn = (password, salt, callback)->
+keyFn = (password, salt, keyLength, callback)->
-	return crypto.pbkdf2(password, salt, 10000, 64, 'sha1', callback)
+	return crypto.pbkdf2(password, salt, 10000, keyLength, 'sha1', callback)
 
 class AccessTokenEncryptor
 
 	constructor: (settings) ->
 
 		@settings = settings
-		@cipherLabel = @settings.cipherLabel
+		@cipherLabel = "2019.1"
-		throw Error("cipherLabel must not contain a colon (:)") if @cipherLabel?.match(/:/)
 
 		@cipherPassword = @settings.cipherPasswords[@cipherLabel]
 		throw Error("cipherPassword not set") if not @cipherPassword?
@@ -19,24 +19,43 @@ class AccessTokenEncryptor
 
 	encryptJson: (json, callback) ->
 		string = JSON.stringify(json)
-		salt = crypto.randomBytes(16)
+		async.parallel [
-		keyFn @cipherPassword, salt, (err, key) =>
+			(cb) -> crypto.randomBytes(16, cb)
+			(cb) -> crypto.randomBytes(16, cb)
+		], (err, results) =>
 			if err?
-				logger.err err:err, "error getting Fn key"
 				return callback(err)
-			cipher = crypto.createCipher(ALGORITHM,  key)
+
-			crypted  = cipher.update(string, 'utf8', 'base64') + cipher.final('base64')
+			salt = results[0]
-			callback(null, @cipherLabel + ":" + salt.toString('hex') + ":" + crypted)
+			iv = results[1]
+
+			keyFn cipherPassword, salt, 32, (err, key) =>
+				if err?
+					logger.err err:err, "error getting Fn key"
+					return callback(err)
+
+				cipher = crypto.createCipheriv(ALGORITHM, key, iv)
+				crypted = cipher.update(string, 'utf8', 'base64') + cipher.final('base64')
+
+				callback(null, "#{@cipherLabel}:#{salt.toString('hex')}:#{crypted}:#{iv.toString('hex')}")
 
 	decryptToJson: (encryptedJson, callback) ->
-		[label, salt, cipherText] = encryptedJson.split(':', 3)
+		[label, salt, cipherText, iv] = encryptedJson.split(':', 4)
+
 		password = @settings.cipherPasswords[label]
 		return callback(new Error("invalid password")) if not password? or password.length < 16
-		keyFn password, new Buffer(salt, 'hex'), (err, key) =>
+
+		keyLength = if label == "2019.1" then 32 else 64
+		keyFn password, Buffer.from(salt, 'hex'), keyLength, (err, key) =>
 			if err?
 				logger.err err:err, "error getting Fn key"
 				return callback(err)
-			decipher = crypto.createDecipher(ALGORITHM, key)
+
+			decipher = if label == "2019.1"
+				crypto.createDecipheriv(ALGORITHM, key, Buffer.from(iv, 'hex'))
+			else
+				crypto.createDecipher(ALGORITHM, key)
+
 			dec = decipher.update(cipherText, 'base64', 'utf8') + decipher.final('utf8')
 			try
 				json = JSON.parse(dec)

libraries/access-token-encryptor/test/unit/coffee/AccessTokenEncryptorTests.coffee

@@ -10,24 +10,25 @@ describe 'AccessTokenEncryptor', ->
 
 	beforeEach ->
 		@testObject = {"hello":"world"}
-		@Encrypted = "2016.1:6e7ac79ab13a18b5749eace965ec7962:sAAYt1yQZqpvOnu6l8iUD/Y="
+		@encrypted2015 = "2015.1:473a66fb5d816bc716f278ab819d88a5:+mTg7O9sgUND8pNQFG6h2GE="
-		@oldEncrypted = "2015.1:473a66fb5d816bc716f278ab819d88a5:+mTg7O9sgUND8pNQFG6h2GE="
+		@encrypted2016 = "2016.1:76a7d64a444ccee1a515b49c44844a69:m5YSkexUsLjcF4gLncm72+k="
 		@badLabel = "xxxxxx:c7a39310056b694c:jQf+Uh5Den3JREtvc82GW5Q="
 		@badKey = "2015.1:d7a39310056b694c:jQf+Uh5Den3JREtvc82GW5Q="
 		@badCipherText = "2015.1:c7a39310056b694c:xQf+Uh5Den3JREtvc82GW5Q="
 		@settings =
-			cipherLabel: "2016.1"
+			cipherLabel: "2019.1"
 			cipherPasswords:
 				"2016.1": "11111111111111111111111111111111111111"
 				"2015.1": "22222222222222222222222222222222222222"
-		AccessTokenEncryptor = SandboxedModule.require modulePath, @requires
+				"2019.1": "33333333333333333333333333333333333333"
+		AccessTokenEncryptor = SandboxedModule.require modulePath
 		@encryptor = new AccessTokenEncryptor(@settings)
 
 	describe "encrypt", ->
 		it 'should encrypt the object', (done)->
 			@encryptor.encryptJson @testObject, (err, encrypted)->
 				expect(err).to.be.null
-				encrypted.should.match(/^2016.1:[0-9a-f]+:[a-zA-Z0-9=+\/]+$/)
+				encrypted.should.match(/^2019.1:[0-9a-f]+:[a-zA-Z0-9=+\/]+:[0-9a-f]+$/)
 				done()
 
 		it 'should encrypt the object differently the next time', (done)->
@@ -45,8 +46,14 @@ describe 'AccessTokenEncryptor', ->
 					expect(decrypted).to.deep.equal @testObject
 					done()
 
-		it 'should decrypt an old string to get the same object', (done)->
+		it 'should decrypt an 2015 string to get the same object', (done)->
-			@encryptor.decryptToJson @oldEncrypted, (err, decrypted)=>
+			@encryptor.decryptToJson @encrypted2015, (err, decrypted)=>
+				expect(err).to.be.null
+				expect(decrypted).to.deep.equal @testObject
+				done()
+
+		it 'should decrypt an 2016 string to get the same object', (done)->
+			@encryptor.decryptToJson @encrypted2016, (err, decrypted)=>
 				expect(err).to.be.null
 				expect(decrypted).to.deep.equal @testObject
 				done()