feat: update to form submission crypto configuration (#53)

cds-snc · Sep 13, 2024 · 94e6798 · 94e6798
1 parent 70d80ee
commit 94e6798
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 8 deletions.
diff --git a/src/lib/vault/encryptFormSubmission.ts b/src/lib/vault/encryptFormSubmission.ts
@@ -22,21 +22,31 @@ export const encryptFormSubmission = async (
 
   // Encrypt the submission with the public key
   const encryptionKey = randomBytes(32);
-  const iv = randomBytes(16);
+  const iv = randomBytes(12);
 
   const cipher = createCipheriv("aes-256-gcm", encryptionKey, iv);
 
   const encryptedResponses = Buffer.concat([
     cipher.update(Buffer.from(JSON.stringify(submission))),
     cipher.final(),
   ]).toString("base64");
+
   const authTag = cipher.getAuthTag();
+
   const publicKey = createPublicKey({ key: serviceAccountPublicKey });
-  const encryptedKey = publicEncrypt(publicKey, encryptionKey).toString(
+
+  const publicEncryptKey = {
+    key: publicKey,
+    oaepHash: "sha256",
+  };
+
+  const encryptedKey = publicEncrypt(publicEncryptKey, encryptionKey).toString(
+    "base64",
+  );
+  const encryptedNonce = publicEncrypt(publicEncryptKey, iv).toString("base64");
+  const encryptedAuthTag = publicEncrypt(publicEncryptKey, authTag).toString(
     "base64",
   );
-  const encryptedNonce = publicEncrypt(publicKey, iv).toString("base64");
-  const encryptedAuthTag = publicEncrypt(publicKey, authTag).toString("base64");
 
   return {
     encryptedResponses,

diff --git a/utils/responseRetriever/main.ts b/utils/responseRetriever/main.ts
@@ -93,17 +93,23 @@ const decryptSubmission = (
   }: EncryptedSubmission,
   privateKey: crypto.KeyObject,
 ) => {
+  const privateDecryptKey = {
+    key: privateKey,
+    oaepHash: "sha256",
+  };
+
   const decryptedKey = crypto.privateDecrypt(
-    privateKey,
+    privateDecryptKey,
     Buffer.from(encryptedKey, "base64"),
   );
 
   const decryptedNonce = crypto.privateDecrypt(
-    privateKey,
+    privateDecryptKey,
     Buffer.from(encryptedNonce, "base64"),
   );
+
   const authTag = crypto.privateDecrypt(
-    privateKey,
+    privateDecryptKey,
     Buffer.from(encryptedAuthTag, "base64"),
   );
 
@@ -159,7 +165,7 @@ const main = async () => {
 
     const menuSelection = await getValue(`I want to:
 (1) Retrieve a form submission
-(2) Generate and dispaly an Access Token
+(2) Generate and display an Access Token
 Selection (1): `);
 
     if (menuSelection === "2") {