refactor(internal-plugin-encryption): pkijs v3 + node 20 engines

docs/dependency/unmaintained-catalog.md

@@ -64,8 +64,6 @@
 | 2026-01-22 | ampersand-collection | ^2.0.2 | packages/@webex/webex-core | npm_stale(8y) | npm_last_publish:2018-01-10T01:18:04.377Z ; deprecated:false | High |  |  |
 | 2026-01-22 | crypto-js | ^4.1.1 | packages/@webex/webex-core | npm_stale(2y) | npm_last_publish:2023-10-24T22:20:29.229Z ; deprecated:false | High |  |  |
 | 2026-01-22 | node-scr | ^0.3.0 | packages/@webex/internal-plugin-encryption | npm_stale(5y) | npm_last_publish:2020-10-21T17:38:28.760Z ; deprecated:false | High |  |  |
-| 2026-01-22 | isomorphic-webcrypto | ^2.3.8 | packages/@webex/internal-plugin-encryption | npm_stale(4y) | npm_last_publish:2021-02-27T04:53:05.017Z ; deprecated:false | High |  |  |
-| 2026-01-22 | valid-url | ^1.0.9 | packages/@webex/internal-plugin-encryption | npm_stale(12y) | npm_last_publish:2013-07-31T03:27:38.576Z ; deprecated:false | High |  |  |
 | 2026-01-22 | node-jose | ^2.2.0 | packages/@webex/internal-plugin-encryption | npm_stale(2y) | npm_last_publish:2023-02-16T15:32:58.548Z ; deprecated:false | High |  |  |
 | 2026-01-22 | @ciscospark/test-users-legacy | ^1.2.0 | packages/@webex/internal-plugin-lyra | npm_stale(6y) | npm_last_publish:2019-06-04T17:43:53.524Z ; deprecated:false | High |  |  |
 | 2026-01-22 | ip-anonymize | ^0.1.0 | packages/@webex/plugin-meetings | npm_stale(6y) | npm_last_publish:2019-06-05T02:53:26.824Z ; deprecated:false | High |  |  |

package.json

@@ -20,7 +20,7 @@
   "license": "Cisco's General Terms (https://www.cisco.com/site/us/en/about/legal/contract-experience/index.html)",
   "author": "devsupport@webex.com",
   "engines": {
-    "node": "18.x",
+    "node": ">=18.x",
     "npm": ">=10.5"
   },
   "main": "src/index.js",

packages/@webex/internal-plugin-encryption/package.json

@@ -45,17 +45,13 @@
     "@webex/internal-plugin-mercury": "workspace:*",
     "@webex/test-helper-file": "workspace:*",
     "@webex/webex-core": "workspace:*",
-    "asn1js": "^2.0.26",
     "debug": "^4.3.4",
-    "isomorphic-webcrypto": "^2.3.8",
     "lodash": "^4.17.21",
     "node-jose": "^2.2.0",
     "node-kms": "^0.4.1",
     "node-scr": "^0.3.0",
-    "pkijs": "^2.1.84",
-    "safe-buffer": "^5.2.0",
-    "uuid": "^3.3.2",
-    "valid-url": "^1.0.9"
+    "pkijs": "^3.4.0",
+    "uuid": "^3.3.2"
   },
   "scripts": {
     "build": "yarn build:src",

packages/@webex/internal-plugin-encryption/src/kms-certificate-validation.js

@@ -1,28 +1,8 @@
 import {parse as parseUrl} from 'url';
 
-import {isUri} from 'valid-url';
-import {fromBER} from 'asn1js';
-import {
-  Certificate,
-  RSAPublicKey,
-  CertificateChainValidationEngine,
-  CryptoEngine,
-  setEngine,
-} from 'pkijs';
+import {Certificate, RSAPublicKey, CertificateChainValidationEngine} from 'pkijs';
 import {isArray} from 'lodash';
 import jose from 'node-jose';
-import crypto from 'isomorphic-webcrypto';
-import {Buffer} from 'safe-buffer';
-
-setEngine(
-  'newEngine',
-  crypto,
-  new CryptoEngine({
-    name: '',
-    crypto,
-    subtle: crypto.subtle,
-  })
-);
 
 const VALID_KTY = 'RSA';
 const VALID_KID_PROTOCOL = 'kms:';
@@ -60,12 +40,7 @@ const decodeCert = (pem) => {
     throwError('certificate needs to be a string');
   }
 
-  const der = Buffer.from(pem, 'base64');
-  const ber = new Uint8Array(der).buffer;
-
-  const asn1 = fromBER(ber);
-
-  return new Certificate({schema: asn1.result});
+  return Certificate.fromBER(Buffer.from(pem, 'base64'));
 };
 
 /**
@@ -82,11 +57,15 @@ const validateKtyHeader = ({kty}) => {
 };
 
 const validateKidHeader = ({kid}) => {
-  if (!isUri(kid)) {
+  let parsedKid;
+
+  try {
+    parsedKid = new URL(kid);
+  } catch (_e) {
     throwError("'kid' is not a valid URI");
   }
 
-  if (parseUrl(kid).protocol !== VALID_KID_PROTOCOL) {
+  if (parsedKid.protocol !== VALID_KID_PROTOCOL) {
     throwError(`'kid' protocol must be '${VALID_KID_PROTOCOL}'`);
   }
 };
@@ -95,7 +74,7 @@ const validateKidHeader = ({kid}) => {
  * Checks the first certificate matches the 'kid' in the JWT.
  * It first checks the Subject Alternative Name then it checks
  * the Common Name
- * @param {Certificate} certificate represents the KMS
+ * @param {Certificate[]} certificates list of certificates provided by the KMS
  * @param {Object} JWT KMS credentials
  * @param {string} JWT.kid the uri of the KMS
  * @throws {KMSError} if unable to validate certificate against KMS credentials
@@ -151,21 +130,20 @@ export const validateCommonName = ([certificate], {kid}) => {
 /**
  * Validate the first KMS certificate against the information
  * provided in the JWT
- * @param {Certificate} certificate first certificate the identifies the KMS
+ * @param {Certificate[]} certificates list of certificates provided by the KMS
  * @param {Object} JWT credentials of the KMS
  * @param {string} JWT.e Public exponent of the first certificate
- * @param {string} KWT.n Modulus of the first certificate
+ * @param {string} JWT.n Modulus of the first certificate
  * @throws {KMSError} if e or n doesn't match the first certificate
  * @returns {void}
  */
 const validatePublicCertificate = ([certificate], {e: publicExponent, n: modulus}) => {
   const {encode} = jose.util.base64url;
 
   const publicKey = certificate.subjectPublicKeyInfo.subjectPublicKey;
-  const asn1PublicCert = fromBER(publicKey.valueBlock.valueHex);
-  const publicCert = new RSAPublicKey({schema: asn1PublicCert.result});
-  const publicExponentHex = publicCert.publicExponent.valueBlock.valueHex;
-  const modulusHex = publicCert.modulus.valueBlock.valueHex;
+  const publicCert = RSAPublicKey.fromBER(publicKey.valueBlock.valueHexView);
+  const publicExponentHex = publicCert.publicExponent.valueBlock.valueHexView;
+  const modulusHex = publicCert.modulus.valueBlock.valueHexView;
 
   if (publicExponent !== encode(publicExponentHex)) {
     throwError('Public exponent is invalid');