Merge pull request #96 from leMaik/misc-updates

Improve readme, update xml-crypto, fix ci, replace deprecated crypto methods and make add compatibility with NodeJS 22.
2025-04-18 16:36:58 +00:00 · 2025-04-03 02:30:23 +03:00 · 2025-04-03 02:30:23 +03:00 · 3e4ea41090
commit 3e4ea41090
parent 1fbe17846d 8dd84444ff
12 changed files with 341 additions and 585 deletions
--- a/.github/workflows/CI.yml
+++ b/.github/workflows/CI.yml
@ -11,12 +11,12 @@ jobs:
    runs-on: ubuntu-latest
    strategy:
      matrix:
-        node: [ 18, 19, 20 ]
+        node: [ 18, 20, 22 ]
    name: Node.js ${{ matrix.node }}
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
      - name: Setup node
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@v4
        with:
          node-version: ${{ matrix.node }}
      - run: npm ci
--- a/README.md
+++ b/README.md
@ -15,30 +15,55 @@
 <a href='https://coveralls.io/github/eCollect/node-ebics-client?branch=master' title="Coverage Status"><img src='https://coveralls.io/repos/github/eCollect/node-ebics-client/badge.svg?branch=master' alt='Coverage Status' /></a>
 </p>
-Pure node.js ( >=8 ) implementation of [EBICS](https://en.wikipedia.org/wiki/Electronic_Banking_Internet_Communication_Standard) ( Electronic Banking Internet Communication ).
+Pure Node.js (>= 16) implementation of [EBICS](https://en.wikipedia.org/wiki/Electronic_Banking_Internet_Communication_Standard) (Electronic Banking Internet Communication).
-The client is aimed to be 100% [ISO 20022](https://www.iso20022.org) compliant, and supports the complete initializations process ( INI, HIA, HPB orders ) and HTML letter generation.
+The client is aimed to be 100% [ISO 20022](https://www.iso20022.org) compliant, and supports the complete initializations process (INI, HIA, HPB orders) and HTML letter generation.
 ## Usage
 For examples on how to use this library, take a look at the [examples](https://github.com/node-ebics/node-ebics-client/tree/master/examples).
 ### A note on recent Node.js versions
 The latest Node.js versions don't support `RSA_PKCS1_PADDING` for private decryption for security reasons, throwing an error like _TypeError: RSA_PKCS1_PADDING is no longer supported for private decryption, this can be reverted with --security-revert=CVE-2023-46809_.
 EBICS requires this mode, so in order for this library to work, add the following parameter when starting Node.js: `--security-revert=CVE-2023-46809`
 ### Initialization
 1. Create a configuration (see [example configs](https://github.com/node-ebics/node-ebics-client/tree/master/examples/config)) with the EBICS credentials you received from your bank and name it in this schema: `config.<environment>.<bank>[.<entity>].json` (the entity is optional).
    - The fields `url`, `partnerId`, `userId`, `hostId` are provided by your bank.
    - The `passphrase` is used to encrypt the keys file, which will be stored at the `storageLocation`.
    - The `bankName` and `bankShortName` are used internally for creating files and identifying the bank to you.
    - The `languageCode` is used when creating the Initialization Letter and can be either `de`, `en`, or `fr`.
    - You can chose any environment, bank and, optionally, entity name. Entities are useful if you have multiple EBICS users for the same bank account.
 2. Run `node examples/initialize.js <environment> <bank> [entity]` to generate your key pair and perform the INI and HIA orders (ie. send the public keys to your bank)  
   The generated keys are stored in the file specified in your config and encrypted with the specified passphrase.
 3. Run `node examples/bankLetter.js <environment> <bank> [entity]` to generate the Initialization Letter
 4. Print the letter, sign it and send it to your bank. Wait for them to activate your EBICS account.
 5. Download the bank keys by running `node examples/save-bank-keys.js <environment> <bank> [entity]`
 If all these steps were executed successfully, you can now do all things EBICS, like fetching bank statements by running `node examples/send-sta-order.js <environment> <bank> [entity]`, or actually use this library in your custom banking applications.
 ## Supported Banks
 The client is currently tested and verified to work with the following banks:
-* [Credit Suisse (Schweiz) AG](https://www.credit-suisse.com/ch/en.html)
+-   [Credit Suisse (Schweiz) AG](https://www.credit-suisse.com/ch/en.html)
-* [Zürcher Kantonalbank](https://www.zkb.ch/en/lg/ew.html)
+-   [Zürcher Kantonalbank](https://www.zkb.ch/en/lg/ew.html)
-* [Raiffeisen Schweiz](https://www.raiffeisen.ch/rch/de.html)
+-   [Raiffeisen Schweiz](https://www.raiffeisen.ch/rch/de.html)
-* [BW Bank](https://www.bw-bank.de/de/home.html)
+-   [BW Bank](https://www.bw-bank.de/de/home.html)
-* [Bank GPB International S.A.](https://gazprombank.lu/e-banking)
+-   [Bank GPB International S.A.](https://gazprombank.lu/e-banking)
-* [Bank GPB AO](https://gazprombank.ru/)
+-   [Bank GPB AO](https://gazprombank.ru/)
-* [J.P. Morgan](https://www.jpmorgan.com/)
+-   [J.P. Morgan](https://www.jpmorgan.com/)
 ## Inspiration
 The basic concept of this library was inspired by the [EPICS](https://github.com/railslove/epics) library from the Railslove Team.
 ## Copyright
 Copyright: Dimitar Nanov, 2019-2022.  
 Licensed under the [MIT](LICENSE) license.
--- a/examples/bankLetter.js
+++ b/examples/bankLetter.js
@ -10,7 +10,7 @@ const os = require('os');
 const config = require('./loadConfig')();
 const client = require('./getClient')(config);
 const bankName = client.bankName;
-const template = fs.readFileSync("../templates/ini_"+client.languageCode+".hbs", { encoding: 'utf8'});
+const template = fs.readFileSync("./templates/ini_"+client.languageCode+".hbs", { encoding: 'utf8'});
 const bankLetterFile = path.join("./", "bankLetter_"+client.bankShortName+"_"+client.languageCode+".html");
 const letter = new ebics.BankLetter({ client, bankName, template });
--- a/examples/getClient.js
+++ b/examples/getClient.js
@ -10,6 +10,7 @@ module.exports = ({
 	userId,
 	hostId,
 	passphrase,
 	iv,
 	keyStoragePath,
 } = loadConfig()) => new Client({
 	url,
@ -17,5 +18,6 @@ module.exports = ({
 	userId,
 	hostId,
 	passphrase,
 	iv,
 	keyStorage: fsKeysStorage(keyStoragePath),
 });
--- a/lib/Client.js
+++ b/lib/Client.js
@ -43,7 +43,8 @@ const stringifyKeys = (keys) => {
 * @property {string} partnerId - PARTNERID provided by the bank
 * @property {string} hostId - HOSTID provided by the bank
 * @property {string} userId - USERID provided by the bank
- * @property {string} passphrase - passphrase for keys encryption
+ * @property {string|Buffer} passphrase - passphrase or key for keys encryption
 * @property {string|Buffer} iv - Initialization Vector for keys encryption
 * @property {KeyStorage} keyStorage - keyStorage implementation
 * @property {object} [tracesStorage] - traces (logs) storage implementation
 * @property {string} bankName - Full name of the bank to be used in the bank INI letters.
@ -51,7 +52,6 @@ const stringifyKeys = (keys) => {
 * @property {string} languageCode - Language code to be used in the bank INI letters ("de", "en" and "fr" are currently supported).
 * @property {string} storageLocation - Location where to store the files that are downloaded. This can be a network share for example.
 */
 module.exports = class Client {
 	/**
 	 *Creates an instance of Client.
@ -63,6 +63,7 @@ module.exports = class Client {
 		userId,
 		hostId,
 		passphrase,
 		iv,
 		keyStorage,
 		tracesStorage,
 		bankName,
@ -88,7 +89,7 @@ module.exports = class Client {
 		this.userId = userId;
 		this.hostId = hostId;
 		this.keyStorage = keyStorage;
-		this.keyEncryptor = defaultKeyEncryptor({ passphrase });
+		this.keyEncryptor = defaultKeyEncryptor({ passphrase, iv });
 		this.tracesStorage = tracesStorage || null;
 		this.bankName = bankName || 'Dummy Bank Full Name';
 		this.bankShortName = bankShortName || 'BANKSHORTCODE';
@ -216,26 +217,25 @@ module.exports = class Client {
 					.persist();
 			rock({
-					method: 'POST',
+				method: 'POST',
-					url: this.url,
+				url: this.url,
-					body: r,
+				body: r,
-					headers: { 'content-type': 'text/xml;charset=UTF-8' },
+				headers: { 'content-type': 'text/xml;charset=UTF-8' },
-				},
+			},
-				(err, res, data) => {
+			(err, res, data) => {
-					if (err) reject(err);
+				if (err) reject(err);
-					const ebicsResponse = response.version(version)(data.toString('utf-8'), keys);
+				const ebicsResponse = response.version(version)(data.toString('utf-8'), keys);
-					if (this.tracesStorage)
+				if (this.tracesStorage)
-						this.tracesStorage
+					this.tracesStorage
-							.label(`RESPONSE.${order.orderDetails.OrderType}`)
+						.label(`RESPONSE.${order.orderDetails.OrderType}`)
-							.connect()
+						.connect()
-							.data(ebicsResponse.toXML())
+						.data(ebicsResponse.toXML())
-							.persist();
+						.persist();
-					resolve(ebicsResponse);
+				resolve(ebicsResponse);
-				},
+			});
 			);
 		});
 	}
@ -250,7 +250,6 @@ module.exports = class Client {
 	async keys() {
 		try {
 			const keysString = await this._readKeys();
 			return new Keys(JSON.parse(this.keyEncryptor.decrypt(keysString)));
 		} catch (err) {
 			return null;
--- a/lib/crypto/Crypto.js
+++ b/lib/crypto/Crypto.js
@ -1,6 +1,7 @@
 'use strict';
 const crypto = require('crypto');
 const NodeRSA = require('node-rsa');
 const BigNumber = require('./BigNumber.js');
 const mgf1 = require('./MGF1');
@ -54,10 +55,14 @@ module.exports = class Crypto {
 	}
 	static privateDecrypt(key, data) {
-		return crypto.privateDecrypt({
+		const keyRSA = new NodeRSA(
-			key: key.toPem(),
+			key.toPem(),
-			padding: crypto.constants.RSA_PKCS1_PADDING,
+			'pkcs1-private-pem', {
-		}, data);
+				encryptionScheme: 'pkcs1',
 				environment: 'browser', // would use the crypto module by default, which blocks pkcs1
 			},
 		);
 		return keyRSA.decrypt(data);
 	}
 	static privateSign(key, data, outputEncoding = 'base64') {
--- a/lib/crypto/encryptDecrypt.js
+++ b/lib/crypto/encryptDecrypt.js
@ -0,0 +1,66 @@
 'use strict';
 const crypto = require('crypto');
 const createKeyAndIv = (passphrase) => {
 	// this generates a 256-bit key and a 128-bit iv for aes-256-cbc
 	// just like nodejs's deprecated/removed crypto.createCipher would
 	const a = crypto.createHash('md5').update(passphrase).digest();
 	const b = crypto
 		.createHash('md5')
 		.update(Buffer.concat([a, Buffer.from(passphrase)]))
 		.digest();
 	const c = crypto
 		.createHash('md5')
 		.update(Buffer.concat([b, Buffer.from(passphrase)]))
 		.digest();
 	const bytes = Buffer.concat([a, b, c]);
 	const key = bytes.subarray(0, 32);
 	const iv = bytes.subarray(32, 48);
 	return { key, iv };
 };
 const encrypt = (data, algorithm, passphrase, iv) => {
 	let cipher;
 	if (iv) {
 		cipher = crypto.createCipheriv(algorithm, passphrase, iv);
 	} else {
 		console.warn(
 			'[Deprecation notice] No IV provided, falling back to legacy key derivation.\n'
            + 'This will be removed in a future major release. You should encrypt your keys with a proper key and IV.',
 		);
 		if (crypto.createCipher) {
 			// nodejs < 22
 			cipher = crypto.createCipher(algorithm, passphrase);
 		} else {
 			const { key, iv: generatedIv } = createKeyAndIv(passphrase);
 			cipher = crypto.createCipheriv(algorithm, key, generatedIv);
 		}
 	}
 	const encrypted = cipher.update(data, 'utf8', 'hex') + cipher.final('hex');
 	return Buffer.from(encrypted).toString('base64');
 };
 const decrypt = (data, algorithm, passphrase, iv) => {
 	data = Buffer.from(data, 'base64').toString();
 	let decipher;
 	if (iv) {
 		decipher = crypto.createDecipheriv(algorithm, passphrase, iv);
 	} else {
 		console.warn(
 			'[Deprecation notice] No IV provided, falling back to legacy key derivation.\n'
 			+ 'This will be removed in a future major release. You should re-encrypt your keys with a proper key and IV.',
 		);
 		if (crypto.createDecipher) {
 			// nodejs < 22
 			decipher = crypto.createDecipher(algorithm, passphrase);
 		} else {
 			const { key, iv: generatedIv } = createKeyAndIv(passphrase);
 			decipher = crypto.createDecipheriv(algorithm, key, generatedIv);
 		}
 	}
 	const decrypted = decipher.update(data, 'hex', 'utf8') + decipher.final('utf8');
 	return decrypted;
 };
 module.exports = { encrypt, decrypt };
--- a/lib/keymanagers/KeysManager.js
+++ b/lib/keymanagers/KeysManager.js
@ -1,24 +1,8 @@
 'use strict';
-const crypto = require('crypto');
+const { encrypt, decrypt } = require('../crypto/encryptDecrypt');
 const Keys = require('./Keys');
 const encrypt = (data, algorithm, passphrase) => {
 	const cipher = crypto.createCipher(algorithm, passphrase);
 	const encrypted = cipher.update(data, 'utf8', 'hex') + cipher.final('hex');
 	return Buffer.from(encrypted).toString('base64');
 };
 const decrypt = (data, algorithm, passphrase) => {
 	data = (Buffer.from(data, 'base64')).toString();
 	const decipher = crypto.createDecipher(algorithm, passphrase);
 	const decrypted = decipher.update(data, 'hex', 'utf8') + decipher.final('utf8');
 	return decrypted;
 };
 module.exports = (keysStorage, passphrase, algorithm = 'aes-256-cbc') => {
 	const storage = keysStorage;
 	const pass = passphrase;
--- a/lib/keymanagers/defaultKeyEncryptor.js
+++ b/lib/keymanagers/defaultKeyEncryptor.js
@ -1,24 +1,9 @@
 'use strict';
-const crypto = require('crypto');
+const { encrypt, decrypt } = require('../crypto/encryptDecrypt');
 const encrypt = (data, algorithm, passphrase) => {
 	const cipher = crypto.createCipher(algorithm, passphrase);
 	const encrypted = cipher.update(data, 'utf8', 'hex') + cipher.final('hex');
 	return Buffer.from(encrypted).toString('base64');
 };
 const decrypt = (data, algorithm, passphrase) => {
 	data = (Buffer.from(data, 'base64')).toString();
 	const decipher = crypto.createDecipher(algorithm, passphrase);
 	const decrypted = decipher.update(data, 'hex', 'utf8') + decipher.final('utf8');
-	return decrypted;
+module.exports = ({ passphrase, iv, algorithm = 'aes-256-cbc' }) => ({
-};
+	encrypt: data => encrypt(data, algorithm, passphrase, iv),
 module.exports = ({
 	passphrase,
 	algorithm = 'aes-256-cbc',
 }) => ({
 	encrypt: data => encrypt(data, algorithm, passphrase),
 	decrypt: data => decrypt(data, algorithm, passphrase),
 });
--- a/package-lock.json
+++ b/package-lock.json
--- a/package.json
+++ b/package.json
@ -9,7 +9,10 @@
 	],
 	"scripts": {
 		"lint": "eslint .",
-		"test": "nyc mocha test/**/*.js",
+		"test": "npm run test:node$(node -v | cut -d '.' -f 1 | cut -c 2-)",
 		"test:node22": "nyc node ./node_modules/.bin/mocha test/**/*.js",
 		"test:node20": "nyc node --security-revert=CVE-2023-46809 ./node_modules/.bin/mocha test/**/*.js",
 		"test:node18": "nyc node --security-revert=CVE-2023-46809 ./node_modules/.bin/mocha test/**/*.js",
 		"coverage": "nyc report --reporter=text-lcov | coveralls",
 		"version": "auto-changelog -p -t changelog-template.hbs && git add CHANGELOG.md"
 	},
@ -67,9 +70,10 @@
 		"handlebars": "^4.7.8",
 		"js2xmlparser": "^5.0.0",
 		"node-forge": "^1.3.1",
 		"node-rsa": "^1.1.1",
 		"rock-req": "^5.1.3",
 		"uuid": "^9.0.1",
-		"xml-crypto": "^4.0.1",
+		"xml-crypto": "^6.0.0",
 		"xpath": "0.0.32"
 	},
 	"devDependencies": {
@ -79,8 +83,8 @@
 		"eslint": "^6.7.2",
 		"eslint-config-ecollect-base": "^0.1.2",
 		"eslint-plugin-import": "^2.28.1",
 		"libxmljs": "^1.0.10",
 		"mocha": "^10.2.0",
-		"nyc": "^15.1.0"
+		"nyc": "^15.1.0",
 		"xmllint-wasm": "^4.0.2"
 	}
 }
--- a/test/spec/H004.js
+++ b/test/spec/H004.js
@ -9,27 +9,36 @@ const fs = require('fs');
 const ebics = require('../../');
-const libxml = require('libxmljs');
+const xmlLintWasm = require('xmllint-wasm');
-const schemaPath = path.resolve(__dirname, '../xsd/ebics_H004.xsd');
+const validateXML = (() => {
-const schemaDoc = libxml.parseXml(
+	const xsdDir = path.resolve(__dirname, '../xsd');
-	fs.readFileSync(schemaPath, { encoding: 'utf8' }),
+	const schemaPath = path.resolve(xsdDir, 'ebics_H004.xsd');
-);
+	const schemaDoc = fs.readFileSync(schemaPath, { encoding: 'utf8' });
 	const preload = fs
 		.readdirSync(xsdDir)
 		.filter(file => file.endsWith('.xsd') && file !== 'ebics_H004.xsd')
 		.map(file => ({
 			fileName: file,
 			contents: fs.readFileSync(path.join(xsdDir, file), {
 				encoding: 'utf8',
 			}),
 		}));
-const schemaDir = path.dirname(schemaPath);
+	return async (str) => {
-const cwd = process.cwd();
+		const results = await xmlLintWasm.validateXML({
-
+			xml: { fileName: 'ebics.xml', contents: str },
-const validateXML = (str) => {
+			schema: [
-	try {
+				{
-		process.chdir(schemaDir);
+					fileName: 'ebics_H004.xsd',
-		const isValid = libxml.parseXml(str).validate(schemaDoc);
+					contents: schemaDoc,
-		process.chdir(cwd);
+				},
-		return isValid;
+			],
-	} catch (e) {
+			preload,
-		process.chdir(cwd);
+		});
-		return false;
+		return results.valid;
-	}
+	};
-};
+})();
 const client = new ebics.Client({
 	url: 'https://iso20022test.credit-suisse.com/ebicsweb/ebicsweb',
@ -103,7 +112,7 @@ describe('H004 order generation', () => {
 		it(`[${operation}] ${type} order generation`, async () => {
 			const signedOrder = await client.signOrder(order);
-			assert.isTrue(validateXML(signedOrder));
+			assert.isTrue(await validateXML(signedOrder));
 		});
 	}
 });