From 33cf76b4fdd11bc142eb42f1d8777248084a16e2 Mon Sep 17 00:00:00 2001
From: Cam McVey
Date: Mon, 20 Nov 2017 16:15:17 +0000
Subject: [PATCH 1/2] Changes to make options.pem optional, as per XML Encryption spec.
---
 lib/templates/keyinfo.tpl.xml | 4 +---
 lib/xmlenc.js | 8 ++------
 2 files changed, 3 insertions(+), 9 deletions(-)
diff --git a/lib/templates/keyinfo.tpl.xml b/lib/templates/keyinfo.tpl.xml
index 0e8f482..0893ac4 100644
--- a/lib/templates/keyinfo.tpl.xml
+++ b/lib/templates/keyinfo.tpl.xml
@@ -3,9 +3,7 @@ - - <%- encryptionPublicCert %> - + <%- encryptionPublicCert %> <%= encryptedKey %>
diff --git a/lib/xmlenc.js b/lib/xmlenc.js
index 4eb04fb..b6e8070 100644
--- a/lib/xmlenc.js
+++ b/lib/xmlenc.js
@@ -13,7 +13,7 @@ function encryptKeyInfoWithScheme(symmetricKey, options, scheme, callback) {
 var params = {
 encryptedKey: base64EncodedEncryptedKey,
- encryptionPublicCert: '' + utils.pemToCert(options.pem.toString()) + '',
+ encryptionPublicCert: options.pem ? ('' + utils.pemToCert(options.pem.toString()) + '') : '',
 keyEncryptionMethod: options.keyEncryptionAlgorighm
 };
@@ -29,8 +29,6 @@ function encryptKeyInfo(symmetricKey, options, callback) {
 return callback(new Error('must provide options'));
 if (!options.rsa_pub)
 return callback(new Error('must provide options.rsa_pub with public key RSA'));
- if (!options.pem)
- return callback(new Error('must provide options.pem with certificate'));
 if (!options.keyEncryptionAlgorighm)
 return callback(new Error('encryption without encrypted key is not supported yet'));
@@ -54,8 +52,6 @@ function encrypt(content, options, callback) {
 return callback(new Error('must provide content to encrypt'));
 if (!options.rsa_pub)
 return callback(new Error('rsa_pub option is mandatory and you should provide a valid RSA public key'));
- if (!options.pem)
- return callback(new Error('pem option is mandatory and you should provide a valid x509 certificate encoded as PEM'));
 options.input_encoding = options.input_encoding || 'utf8';
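Review bot: With `options.pem` absent, `encryptionPublicCert` becomes `''` and the template's `<%- encryptionPublicCert %>` slot renders nothing, so the EncryptedKey carries no KeyInfo naming the wrapping certificate; XML Encryption permits that, but the recipient must then choose the private key out of band, and the params object should say so: `// pem is optional: without it the EncryptedKey has no X509 KeyInfo and the decrypting side must select the key out of band`. The markup inside the two string literals appears to have been stripped by this rendering, so the concatenation reads as `'' + … + ''`; it is worth confirming against the real file that the raw-output `<%- %>` slot only ever receives the base64 certificate body returned by `utils.pemToCert`. If `utils.pemToCert` throws on a malformed PEM, the throw looks synchronous here rather than reported through `callback` — the rest of encryptKeyInfoWithScheme is outside the hunk, so confirm how that case is handled.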
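Review bot: Dropping the `options.pem` guard here in `encryptKeyInfo` and in the `@@ -54` hunk of `encrypt` makes the option optional without leaving any validation for a pem that is present but of the wrong type; such a value now reaches `utils.pemToCert(options.pem.toString())` in encryptKeyInfoWithScheme instead of being rejected through the callback like the other options. A narrow check keeps the error path consistent: `if (options.pem && typeof options.pem !== 'string' && !Buffer.isBuffer(options.pem)) return callback(new Error('options.pem must be a PEM-encoded x509 certificate as string or Buffer'));`. The README and any JSDoc for `encrypt` and `encryptKeyInfo` presumably still describe `pem` as mandatory and are not touched by this patch; they should be updated in the same change. Both functions continue outside their hunks.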
@@ -119,7 +115,7 @@ function decrypt(xml, options, callback) {
 if (!options)
 return callback(new Error('must provide options'));
 if (!xml)
- return callback(new Error('must provide XML to encrypt'));
+ return callback(new Error('must provide XML to decrypt'));
 if (!options.key)
 return callback(new Error('key option is mandatory and you should provide a valid RSA private key'));
From 89d0ca51b0ac1a1b39895bb3d0beafdaba4c2d53 Mon Sep 17 00:00:00 2001
From: Cam McVey
Date: Mon, 20 Nov 2017 16:23:57 +0000
Subject: [PATCH 2/2] Added tests for missing optional x509 cert
---
 test/xmlenc.encryptedkey.js | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)
diff --git a/test/xmlenc.encryptedkey.js b/test/xmlenc.encryptedkey.js
index 7017826..30667b9 100644
--- a/test/xmlenc.encryptedkey.js
+++ b/test/xmlenc.encryptedkey.js
@@ -34,9 +34,17 @@ describe('encrypt', function() {
 _shouldEncryptAndDecrypt('content to encrypt', algorithm.encryptionOptions, done);
 });
+ it('should encrypt and decrypt xml when no x509 cert present', function (done) {
+ _shouldEncryptAndDecryptNoX509('content to encrypt', algorithm.encryptionOptions, done);
+ });
+
 it('should encrypt and decrypt xml with utf8 chars', function (done) {
 _shouldEncryptAndDecrypt('Gnügge Gnügge Gnügge Gnügge Gnügge Gnügge Gnügge Gnügge Gnügge Gnügge', algorithm.encryptionOptions, done);
 });
+
+ it('should encrypt and decrypt xml with utf8 chars when no x509 cert present', function (done) {
+ _shouldEncryptAndDecryptNoX509('Gnügge Gnügge Gnügge Gnügge Gnügge Gnügge Gnügge Gnügge Gnügge Gnügge', algorithm.encryptionOptions, done);
+ });
 });
 });
@@ -58,6 +66,24 @@ describe('encrypt', function() {
 });
 }
+ function _shouldEncryptAndDecryptNoX509(content, options, done) {
+ // cert created with:
+ // openssl req -x509 -new -newkey rsa:2048 -nodes -subj '/CN=auth0.auth0.com/O=Auth0 LLC/C=US/ST=Washington/L=Redmond' -keyout auth0.key -out auth0.pem
+ // pub key extracted from (only the RSA public key between BEGIN PUBLIC KEY and END PUBLIC KEY)
+ // openssl x509 -in "test-auth0.pem" -pubkey
+
+ options.rsa_pub = fs.readFileSync(__dirname + '/test-auth0_rsa.pub'),
+ // options.pem = fs.readFileSync(__dirname + '/test-auth0.pem'),
+ options.key = fs.readFileSync(__dirname + '/test-auth0.key'),
+
+ xmlenc.encrypt(content, options, function(err, result) {
+ xmlenc.decrypt(result, { key: fs.readFileSync(__dirname + '/test-auth0.key')}, function (err, decrypted) {
+ assert.equal(decrypted, content);
+ done();
+ });
+ });
+ }
+
 it('should encrypt and decrypt keyinfo', function (done) {
 var options = {
 rsa_pub: fs.readFileSync(__dirname + '/test-auth0_rsa.pub'),
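Review bot: `_shouldEncryptAndDecryptNoX509` assigns `rsa_pub` and `key` straight onto the `options` object it receives, which per the `@@ -34` hunk is the shared `algorithm.encryptionOptions`, and it never clears `options.pem`; if `_shouldEncryptAndDecrypt` (its body ends just above this hunk) sets `options.pem` on that same object, an earlier test leaves the certificate in place and the "no x509 cert" cases silently run with one. Both callbacks also ignore `err`, so an encrypt or decrypt failure surfaces as `assert.equal(undefined, content)` or a throw inside a callback instead of `done(err)`, and the assignments are chained into the `xmlenc.encrypt` call with the comma operator, which only works by accident. The test never checks that the certificate is actually absent from the output either; assuming the library emits it as an `X509Certificate` element (element names are stripped from the literals in this rendering), an absence assertion would make the test prove what its name claims. Suggested rewrite of the helper body below; the openssl provenance comments stay as they are.
```javascript
  function _shouldEncryptAndDecryptNoX509(content, options, done) {
    // … unchanged: openssl provenance comments …
    // Work on a copy so the shared encryptionOptions object is not mutated,
    // and drop any certificate left behind by an earlier test.
    var opts = Object.assign({}, options, {
      rsa_pub: fs.readFileSync(__dirname + '/test-auth0_rsa.pub'),
      key: fs.readFileSync(__dirname + '/test-auth0.key')
    });
    delete opts.pem;

    xmlenc.encrypt(content, opts, function(err, result) {
      if (err) return done(err);
      // The optional KeyInfo must really be absent, not just empty
      // (assumes the cert is emitted as an X509Certificate element — confirm).
      assert.equal(String(result).indexOf('X509Certificate'), -1);
      xmlenc.decrypt(result, { key: opts.key }, function (err, decrypted) {
        if (err) return done(err);
        assert.equal(decrypted, content);
        done();
      });
    });
  }
```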