tlwr · November 26, 2019 14:18
diff --git a/CloudFront Field Level Encryption b/CloudFront Field Level Encryption
 See index.js
diff --git a/Example private key b/Example private key
 -----BEGIN RSA PRIVATE KEY-----
 MIIEpAIBAAKCAQEA3YsdHLM7+5Go8roGFXtIhKTU26SumkkQCMGg6Y5rD/+n2ZiS
 LTQkmXBSFCQth93b/uSqQ1W6QcSWL8o1Ys7X7arQqTgqnfxut4ioNnAEY1dBL8nv
 tZcboAfvFQtPMwqL9esk6yH3T66cSIy0TdxMEzzU10PhQhVwUebQ3OFsqdAZtL3F
 g5WIP4T+c3Wu+0OQ11eyOWcoqFKTm50Adia10CeEEi9IwiwnpudIWd5ivDLVqe4t
 unAmJ9goyK31lUBOrIrMXVE3y4Cps0Mc7RqbBfu6t5NO+DnNWjStOWCgA++VzU8T
 nM2VBsP7DA7bmFP1RuML1MFckd9XRPihVucmIQIDAQABAoIBAD2z+ja9IM6vQfvg
 ncMr5AW1ludZ1Zt5D/MwYq3KEb2R+eDb4pKefDcUFngvn1LBEv3KGDXK0aZxp1bG
 HdpYO8GhGp6W2x/HZ9rMP/Vxe3djnO8/cfkEjhgjPY6B6NwRauviQxUOD8BspHB8
 Z9drrPCKt8kAyeNK706QV8m9KzOcEm2dqcqO+WU+sU2zfiJurDkJv92Mb2Q6khBk
 WGQ4Si8T/D15VJe5EB6wIYy5x4SlYHq66uhAE4jym6ytzcqtYeXuSYl/hi6uG0kK
 9LEwXn4HR9zX6Q6WzWab6rCTts/sPCrzLdnAJTEjr889Pzz53JVYzzzfrwzU1iJR
 cPgFlLUCgYEA8u2Fbgh//K/TjVhs5JpvAl1boNxdD2v3eglBQ9e2VsGEcuXO3V9s
 bl7pQyz6N28f+u5JiYBjslE+/2V6VOFL2AGeHU6XKzdxQInq0+VmYpLXgCQYMIdW
 4iG/ZJTLQg4o33am78sY0YpsqhEtPPeTG/isoOwveKL4eU9JkT+gemcCgYEA6XcC
 Yajve1EyMtCMyHGe/EwJ8KOC5cS1VU4bRDg26zuZW3UzcKiOf3WR/uFOMgbzHSeB
 KcHeLDY4J8jc49WVrIUGsZz0UFhAzsHWGBSbMLA1v2fvqzfDoQWkCgrAJvHZOV9R
 xrUjFfaZeTDkIzCipR1/d1M7V7P/ft4OuVbYFjcCgYEAhDrnyzoTOJ8YXzLHqzOo
 wze//XKVsSRKxAGvpdcQKG8Twlr23Cbp5bYB8I/V70CsvrDgFFlvawuwZ+J70SIF
 X6GZyEgUHvEB02h/CzIuJe/aH6UGCbxRfaty+7PGY8FDXEfAnHwHmV9owLWy0yHL
 0IjupnWJbXgAGkAfQlHI73cCgYAn7TpzCTkrlc9H8XKiNQxDiZ2Jke0o7mM0m47+
 M77wq9imU3zgn3L/SVQWiuGcnKOnMMJeKdGdLgichTWBoV1fi8CBT55Yvz8WHQBI
 Tf3cbcZDXbsXRQon15ceQIhsIKBNt4d8vC2r6+iDWWEqw36NTmYmOg3ECfx/7eoG
 uFtsMQKBgQC3G5JkGrhzX9kFM+zoR1hBZdoKg8l9hBxwqaLk0vMWfI+SCPwQajon
 +oMVv10MsFnnlxxcqJl2NXkvG3tZ4krP15QEsPRAHnHIfiUsxJEiGhuUmtBwV1gO
 AwB3bQBh0WEYkXGU+eYiAkKyIqIDm2BC8X/M0GmzEuFEDioQpYcNYg==
 -----END RSA PRIVATE KEY-----
diff --git a/express-middleware.js b/express-middleware.js
 // This demonstrates how to use an express middleware for decrypting fields
 // It uses RSAES-OAEP/SHA-256/MGF1-SHA-1 which is a common encryption format for Java
 // Bear in mind most of the code below is boilerplate for express
 // The only relevant code is the middleware which decrypts the field
 // This does not include error handling or proper logging

 // How to use
 //
 // 1. Run the app
 //    FIELD_NAMES=cvv PRIVATE_KEY="$(cat /path/to/private.pem)" node index.js
 // 2. Send a request to the app
 //
 //    curl localhost:8080 \
 //         -H 'Content-Type: application/x-www-form-urlencoded' \
 //         -X POST \
 //         --data-urlencode 'cvv=dVtpG7qoDPam/3Qm4tTT8eYSVggfWrKi+YIBm9zxgbU7wLUJg5S9cn6yTJY3hff8/fdzk4RVuyjaPlQE1Hndlj7Nd0LuMwgyqLTB0u4uydQPkYOrthwv0aJgou9Y6Vooqbkrfo6QgBYwrPWdK8zrLLqsYdUpPpl9sSBn1sl8WnQawCrYvhwFgM8LSY0YGjHLt+Koc6QoN6aBYXJoNzThIFIlV5lycfrSgqA7NI3HFMJmY/BwOt9H8Xn+irP/tLsKkFdieYer0S3fkJ+Fl8GJ6dPWt+wUqEDlIqVW1qQCfF87S38L7g8F1h66mQxN4oMswuZ5kDfv4TjNjdglBrFEhA=='

 const express    = require('express')
 const bodyParser = require('body-parser')
 const forge      = require('node-forge');
 const rsa        = forge.pki.rsa;

 const port = parseInt(process.env['PORT'] || '8080', 10)
 const fieldNames    = process.env['FIELD_NAMES']
 const privateKeyPEM = process.env['PRIVATE_KEY']

 if (typeof fieldNames === 'undefined' || fieldNames === '') {
  throw new Error('Environment variable FIELD_NAMES must be specified')
 }

 if (typeof privateKeyPEM === 'undefined' || privateKeyPEM === '') {
  throw new Error('PRIVATE_KEY must be specified')
 }

 const fieldsToDecrypt = new Set(fieldNames.split(","))
 const privateKey      = forge.pki.privateKeyFromPem(privateKeyPEM);
 const app             = express();

 app.use(bodyParser.json());
 app.use(bodyParser.urlencoded({ extended: true }));
 app.use(function(req, res, next) {
  console.info(`Received request for ${req.url}`)
  next()
 });

 app.use(function(req, res, next) {
  Object.keys(req.body).forEach(fieldName => {
    if (fieldsToDecrypt.has(fieldName)) {

      req.body[fieldName] = forge.util.encodeUtf8(
        privateKey.decrypt(
          forge.util.decode64(req.body[fieldName]),
          'RSA-OAEP',
          {md: forge.md.sha256.create(), mgf1: { md: forge.md.sha1.create() }},
        )
      );

    }
  });
  next()
 });

 app.use(function(req, res, next) {
  res.send(JSON.stringify(req.body));
  console.info(`Sent response for ${req.url}`);
 });

 app.listen(port);
	-----BEGIN RSA PRIVATE KEY-----
	MIIEpAIBAAKCAQEA3YsdHLM7+5Go8roGFXtIhKTU26SumkkQCMGg6Y5rD/+n2ZiS
	LTQkmXBSFCQth93b/uSqQ1W6QcSWL8o1Ys7X7arQqTgqnfxut4ioNnAEY1dBL8nv
	tZcboAfvFQtPMwqL9esk6yH3T66cSIy0TdxMEzzU10PhQhVwUebQ3OFsqdAZtL3F
	g5WIP4T+c3Wu+0OQ11eyOWcoqFKTm50Adia10CeEEi9IwiwnpudIWd5ivDLVqe4t
	unAmJ9goyK31lUBOrIrMXVE3y4Cps0Mc7RqbBfu6t5NO+DnNWjStOWCgA++VzU8T
	nM2VBsP7DA7bmFP1RuML1MFckd9XRPihVucmIQIDAQABAoIBAD2z+ja9IM6vQfvg
	ncMr5AW1ludZ1Zt5D/MwYq3KEb2R+eDb4pKefDcUFngvn1LBEv3KGDXK0aZxp1bG
	HdpYO8GhGp6W2x/HZ9rMP/Vxe3djnO8/cfkEjhgjPY6B6NwRauviQxUOD8BspHB8
	Z9drrPCKt8kAyeNK706QV8m9KzOcEm2dqcqO+WU+sU2zfiJurDkJv92Mb2Q6khBk
	WGQ4Si8T/D15VJe5EB6wIYy5x4SlYHq66uhAE4jym6ytzcqtYeXuSYl/hi6uG0kK
	9LEwXn4HR9zX6Q6WzWab6rCTts/sPCrzLdnAJTEjr889Pzz53JVYzzzfrwzU1iJR
	cPgFlLUCgYEA8u2Fbgh//K/TjVhs5JpvAl1boNxdD2v3eglBQ9e2VsGEcuXO3V9s
	bl7pQyz6N28f+u5JiYBjslE+/2V6VOFL2AGeHU6XKzdxQInq0+VmYpLXgCQYMIdW
	4iG/ZJTLQg4o33am78sY0YpsqhEtPPeTG/isoOwveKL4eU9JkT+gemcCgYEA6XcC
	Yajve1EyMtCMyHGe/EwJ8KOC5cS1VU4bRDg26zuZW3UzcKiOf3WR/uFOMgbzHSeB
	KcHeLDY4J8jc49WVrIUGsZz0UFhAzsHWGBSbMLA1v2fvqzfDoQWkCgrAJvHZOV9R
	xrUjFfaZeTDkIzCipR1/d1M7V7P/ft4OuVbYFjcCgYEAhDrnyzoTOJ8YXzLHqzOo
	wze//XKVsSRKxAGvpdcQKG8Twlr23Cbp5bYB8I/V70CsvrDgFFlvawuwZ+J70SIF
	X6GZyEgUHvEB02h/CzIuJe/aH6UGCbxRfaty+7PGY8FDXEfAnHwHmV9owLWy0yHL
	0IjupnWJbXgAGkAfQlHI73cCgYAn7TpzCTkrlc9H8XKiNQxDiZ2Jke0o7mM0m47+
	M77wq9imU3zgn3L/SVQWiuGcnKOnMMJeKdGdLgichTWBoV1fi8CBT55Yvz8WHQBI
	Tf3cbcZDXbsXRQon15ceQIhsIKBNt4d8vC2r6+iDWWEqw36NTmYmOg3ECfx/7eoG
	uFtsMQKBgQC3G5JkGrhzX9kFM+zoR1hBZdoKg8l9hBxwqaLk0vMWfI+SCPwQajon
	+oMVv10MsFnnlxxcqJl2NXkvG3tZ4krP15QEsPRAHnHIfiUsxJEiGhuUmtBwV1gO
	AwB3bQBh0WEYkXGU+eYiAkKyIqIDm2BC8X/M0GmzEuFEDioQpYcNYg==
	-----END RSA PRIVATE KEY-----
	// This demonstrates how to use an express middleware for decrypting fields
	// It uses RSAES-OAEP/SHA-256/MGF1-SHA-1 which is a common encryption format for Java
	// Bear in mind most of the code below is boilerplate for express
	// The only relevant code is the middleware which decrypts the field
	// This does not include error handling or proper logging

	// How to use
	//
	// 1. Run the app
	// FIELD_NAMES=cvv PRIVATE_KEY="$(cat /path/to/private.pem)" node index.js
	// 2. Send a request to the app
	//
	// curl localhost:8080 \
	// -H 'Content-Type: application/x-www-form-urlencoded' \
	// -X POST \
	// --data-urlencode 'cvv=dVtpG7qoDPam/3Qm4tTT8eYSVggfWrKi+YIBm9zxgbU7wLUJg5S9cn6yTJY3hff8/fdzk4RVuyjaPlQE1Hndlj7Nd0LuMwgyqLTB0u4uydQPkYOrthwv0aJgou9Y6Vooqbkrfo6QgBYwrPWdK8zrLLqsYdUpPpl9sSBn1sl8WnQawCrYvhwFgM8LSY0YGjHLt+Koc6QoN6aBYXJoNzThIFIlV5lycfrSgqA7NI3HFMJmY/BwOt9H8Xn+irP/tLsKkFdieYer0S3fkJ+Fl8GJ6dPWt+wUqEDlIqVW1qQCfF87S38L7g8F1h66mQxN4oMswuZ5kDfv4TjNjdglBrFEhA=='

	const express = require('express')
	const bodyParser = require('body-parser')
	const forge = require('node-forge');
	const rsa = forge.pki.rsa;

	const port = parseInt(process.env['PORT'] \|\| '8080', 10)
	const fieldNames = process.env['FIELD_NAMES']
	const privateKeyPEM = process.env['PRIVATE_KEY']

	if (typeof fieldNames === 'undefined' \|\| fieldNames === '') {
	throw new Error('Environment variable FIELD_NAMES must be specified')
	}

	if (typeof privateKeyPEM === 'undefined' \|\| privateKeyPEM === '') {
	throw new Error('PRIVATE_KEY must be specified')
	}

	const fieldsToDecrypt = new Set(fieldNames.split(","))
	const privateKey = forge.pki.privateKeyFromPem(privateKeyPEM);
	const app = express();

	app.use(bodyParser.json());
	app.use(bodyParser.urlencoded({ extended: true }));
	app.use(function(req, res, next) {
	console.info(`Received request for ${req.url}`)
	next()
	});

	app.use(function(req, res, next) {
	Object.keys(req.body).forEach(fieldName => {
	if (fieldsToDecrypt.has(fieldName)) {

	req.body[fieldName] = forge.util.encodeUtf8(
	privateKey.decrypt(
	forge.util.decode64(req.body[fieldName]),
	'RSA-OAEP',
	{md: forge.md.sha256.create(), mgf1: { md: forge.md.sha1.create() }},
	)
	);

	}
	});
	next()
	});

	app.use(function(req, res, next) {
	res.send(JSON.stringify(req.body));
	console.info(`Sent response for ${req.url}`);
	});

	app.listen(port);