refactor(internal-plugin-encryption): pkijs v3 + node 20 engines

docs/dependency/unmaintained-catalog.md

@@ -64,8 +64,6 @@
 | 2026-01-22 | ampersand-collection | ^2.0.2 | packages/@webex/webex-core | npm_stale(8y) | npm_last_publish:2018-01-10T01:18:04.377Z ; deprecated:false | High |  |  |
 | 2026-01-22 | crypto-js | ^4.1.1 | packages/@webex/webex-core | npm_stale(2y) | npm_last_publish:2023-10-24T22:20:29.229Z ; deprecated:false | High |  |  |
 | 2026-01-22 | node-scr | ^0.3.0 | packages/@webex/internal-plugin-encryption | npm_stale(5y) | npm_last_publish:2020-10-21T17:38:28.760Z ; deprecated:false | High |  |  |
-| 2026-01-22 | isomorphic-webcrypto | ^2.3.8 | packages/@webex/internal-plugin-encryption | npm_stale(4y) | npm_last_publish:2021-02-27T04:53:05.017Z ; deprecated:false | High |  |  |
-| 2026-01-22 | valid-url | ^1.0.9 | packages/@webex/internal-plugin-encryption | npm_stale(12y) | npm_last_publish:2013-07-31T03:27:38.576Z ; deprecated:false | High |  |  |
 | 2026-01-22 | node-jose | ^2.2.0 | packages/@webex/internal-plugin-encryption | npm_stale(2y) | npm_last_publish:2023-02-16T15:32:58.548Z ; deprecated:false | High |  |  |
 | 2026-01-22 | @ciscospark/test-users-legacy | ^1.2.0 | packages/@webex/internal-plugin-lyra | npm_stale(6y) | npm_last_publish:2019-06-04T17:43:53.524Z ; deprecated:false | High |  |  |
 | 2026-01-22 | ip-anonymize | ^0.1.0 | packages/@webex/plugin-meetings | npm_stale(6y) | npm_last_publish:2019-06-05T02:53:26.824Z ; deprecated:false | High |  |  |

package.json

@@ -20,7 +20,7 @@
   "license": "Cisco's General Terms (https://www.cisco.com/site/us/en/about/legal/contract-experience/index.html)",
   "author": "devsupport@webex.com",
   "engines": {
-    "node": "18.x",
+    "node": ">=20",
     "npm": ">=10.5"
   },
   "main": "src/index.js",

packages/@webex/common-evented/package.json

@@ -10,7 +10,7 @@
     "directory": "packages/@webex/common-evented"
   },
   "engines": {
-    "node": ">=18"
+    "node": ">=20"
   },
   "browserify": {
     "transform": [

packages/@webex/common-timers/package.json

@@ -10,7 +10,7 @@
     "directory": "packages/@webex/common-timers"
   },
   "engines": {
-    "node": ">=18"
+    "node": ">=20"
   },
   "browserify": {
     "transform": [

packages/@webex/common/package.json

@@ -10,7 +10,7 @@
     "directory": "packages/@webex/common"
   },
   "engines": {
-    "node": ">=16"
+    "node": ">=20"
   },
   "browser": {
     "./dist/in-browser/node.js": "./dist/in-browser/browser.js",

packages/@webex/contact-center/package.json

@@ -29,7 +29,7 @@
     "directory": "packages/@webex/contact-center"
   },
   "engines": {
-    "node": ">=20.x"
+    "node": ">=20"
   },
   "scripts": {
     "build:src": "webex-legacy-tools build -dest \"./dist\" -src \"./src\" -js -ts -maps && yarn build",

packages/@webex/helper-html/package.json

@@ -10,7 +10,7 @@
     "directory": "packages/@webex/helper-html"
   },
   "engines": {
-    "node": ">=18"
+    "node": ">=20"
   },
   "browser": {
     "./dist/html.js": "./dist/html.shim.js",

packages/@webex/helper-image/package.json

@@ -11,7 +11,7 @@
     "directory": "packages/@webex/helper-image"
   },
   "engines": {
-    "node": ">=18"
+    "node": ">=20"
   },
   "browser": {
     "./dist/process-image.js": "./dist/process-image.browser.js",

packages/@webex/http-core/package.json

@@ -10,7 +10,7 @@
     "directory": "packages/@webex/http-core"
   },
   "engines": {
-    "node": ">=18"
+    "node": ">=20"
   },
   "browser": {
     "./dist/request/request.js": "./dist/request/request.shim.js",

packages/@webex/internal-plugin-ai-assistant/package.json

@@ -11,7 +11,7 @@
     "directory": "packages/@webex/internal-plugin-ai-assistant"
   },
   "engines": {
-    "node": ">=16"
+    "node": ">=20"
   },
   "browserify": {
     "transform": [

packages/@webex/internal-plugin-avatar/package.json

@@ -11,7 +11,7 @@
     "directory": "packages/@webex/internal-plugin-avatar"
   },
   "engines": {
-    "node": ">=16"
+    "node": ">=20"
   },
   "browserify": {
     "transform": [

packages/@webex/internal-plugin-board/package.json

@@ -11,7 +11,7 @@
     "directory": "packages/@webex/internal-plugin-board"
   },
   "engines": {
-    "node": ">=16"
+    "node": ">=20"
   },
   "browserify": {
     "transform": [

packages/@webex/internal-plugin-calendar/package.json

@@ -11,7 +11,7 @@
     "directory": "packages/@webex/internal-plugin-calendar"
   },
   "engines": {
-    "node": ">=18"
+    "node": ">=20"
   },
   "browserify": {
     "transform": [

packages/@webex/internal-plugin-call-ai-summary/package.json

@@ -11,7 +11,7 @@
     "directory": "packages/@webex/internal-plugin-call-ai-summary"
   },
   "engines": {
-    "node": ">=16"
+    "node": ">=20"
   },
   "browserify": {
     "transform": [

packages/@webex/internal-plugin-conversation/package.json

@@ -10,7 +10,7 @@
     "directory": "packages/@webex/internal-plugin-conversation"
   },
   "engines": {
-    "node": ">=18"
+    "node": ">=20"
   },
   "browserify": {
     "transform": [

packages/@webex/internal-plugin-device/package.json

@@ -11,7 +11,7 @@
     "directory": "packages/@webex/internal-plugin-device"
   },
   "engines": {
-    "node": ">=18"
+    "node": ">=20"
   },
   "browserify": {
     "transform": [

packages/@webex/internal-plugin-dss/package.json

@@ -11,7 +11,7 @@
     "directory": "packages/@webex/internal-plugin-dss"
   },
   "engines": {
-    "node": ">=16"
+    "node": ">=20"
   },
   "browserify": {
     "transform": [

packages/@webex/internal-plugin-ediscovery/package.json

@@ -15,7 +15,7 @@
     "directory": "packages/@webex/ediscovery"
   },
   "engines": {
-    "node": ">=18"
+    "node": ">=20"
   },
   "browserify": {
     "transform": [

packages/@webex/internal-plugin-encryption/package.json

@@ -10,7 +10,7 @@
     "directory": "packages/@webex/internal-plugin-encryption"
   },
   "engines": {
-    "node": ">=18"
+    "node": ">=20"
   },
   "browser": {
     "./dist/ensure-buffer.js": "./dist/ensure-buffer.browser.js",
@@ -45,17 +45,12 @@
     "@webex/internal-plugin-mercury": "workspace:*",
     "@webex/test-helper-file": "workspace:*",
     "@webex/webex-core": "workspace:*",
-    "asn1js": "^2.0.26",
     "debug": "^4.3.4",
-    "isomorphic-webcrypto": "^2.3.8",
     "lodash": "^4.17.21",
     "node-jose": "^2.2.0",
     "node-kms": "^0.4.1",
     "node-scr": "^0.3.0",
-    "pkijs": "^2.1.84",
-    "safe-buffer": "^5.2.0",
-    "uuid": "^3.3.2",
-    "valid-url": "^1.0.9"
+    "pkijs": "^3.4.0"
   },
   "scripts": {
     "build": "yarn build:src",

packages/@webex/internal-plugin-encryption/src/kms-certificate-validation.js

@@ -1,28 +1,8 @@
 import {parse as parseUrl} from 'url';
 
-import {isUri} from 'valid-url';
-import {fromBER} from 'asn1js';
-import {
-  Certificate,
-  RSAPublicKey,
-  CertificateChainValidationEngine,
-  CryptoEngine,
-  setEngine,
-} from 'pkijs';
+import {Certificate, RSAPublicKey, CertificateChainValidationEngine} from 'pkijs';
 import {isArray} from 'lodash';
 import jose from 'node-jose';
-import crypto from 'isomorphic-webcrypto';
-import {Buffer} from 'safe-buffer';
-
-setEngine(
-  'newEngine',
-  crypto,
-  new CryptoEngine({
-    name: '',
-    crypto,
-    subtle: crypto.subtle,
-  })
-);
 
 const VALID_KTY = 'RSA';
 const VALID_KID_PROTOCOL = 'kms:';
@@ -60,12 +40,7 @@ const decodeCert = (pem) => {
     throwError('certificate needs to be a string');
   }
 
-  const der = Buffer.from(pem, 'base64');
-  const ber = new Uint8Array(der).buffer;
-
-  const asn1 = fromBER(ber);
-
-  return new Certificate({schema: asn1.result});
+  return Certificate.fromBER(Buffer.from(pem, 'base64'));
 };
 
 /**
@@ -82,11 +57,15 @@ const validateKtyHeader = ({kty}) => {
 };
 
 const validateKidHeader = ({kid}) => {
-  if (!isUri(kid)) {
+  let parsedKid;
+
+  try {
+    parsedKid = new URL(kid);
+  } catch (_e) {
     throwError("'kid' is not a valid URI");
   }
 
-  if (parseUrl(kid).protocol !== VALID_KID_PROTOCOL) {
+  if (parsedKid.protocol !== VALID_KID_PROTOCOL) {
     throwError(`'kid' protocol must be '${VALID_KID_PROTOCOL}'`);
   }
 };
@@ -95,7 +74,7 @@ const validateKidHeader = ({kid}) => {
  * Checks the first certificate matches the 'kid' in the JWT.
  * It first checks the Subject Alternative Name then it checks
  * the Common Name
- * @param {Certificate} certificate represents the KMS
+ * @param {Certificate[]} certificates list of certificates provided by the KMS
  * @param {Object} JWT KMS credentials
  * @param {string} JWT.kid the uri of the KMS
  * @throws {KMSError} if unable to validate certificate against KMS credentials
@@ -151,21 +130,20 @@ export const validateCommonName = ([certificate], {kid}) => {
 /**
  * Validate the first KMS certificate against the information
  * provided in the JWT
- * @param {Certificate} certificate first certificate the identifies the KMS
+ * @param {Certificate[]} certificates list of certificates provided by the KMS
  * @param {Object} JWT credentials of the KMS
  * @param {string} JWT.e Public exponent of the first certificate
- * @param {string} KWT.n Modulus of the first certificate
+ * @param {string} JWT.n Modulus of the first certificate
  * @throws {KMSError} if e or n doesn't match the first certificate
  * @returns {void}
  */
 const validatePublicCertificate = ([certificate], {e: publicExponent, n: modulus}) => {
   const {encode} = jose.util.base64url;
 
   const publicKey = certificate.subjectPublicKeyInfo.subjectPublicKey;
-  const asn1PublicCert = fromBER(publicKey.valueBlock.valueHex);
-  const publicCert = new RSAPublicKey({schema: asn1PublicCert.result});
-  const publicExponentHex = publicCert.publicExponent.valueBlock.valueHex;
-  const modulusHex = publicCert.modulus.valueBlock.valueHex;
+  const publicCert = RSAPublicKey.fromBER(publicKey.valueBlock.valueHexView);
+  const publicExponentHex = publicCert.publicExponent.valueBlock.valueHexView;
+  const modulusHex = publicCert.modulus.valueBlock.valueHexView;
 
   if (publicExponent !== encode(publicExponentHex)) {
     throwError('Public exponent is invalid');

packages/@webex/internal-plugin-encryption/src/kms.js

@@ -11,7 +11,6 @@ import {WebexPlugin} from '@webex/webex-core';
 import {Context, Request, Response} from 'node-kms';
 import jose from 'node-jose';
 import {omit} from 'lodash';
-import uuid from 'uuid';
 
 import KMSBatcher, {TIMEOUT_SYMBOL} from './kms-batcher';
 import validateKMS, {KMSError} from './kms-certificate-validation';
@@ -295,7 +294,7 @@ const KMS = WebexPlugin.extend({
       uri: awsKms ? '/awsKmsCmk' : '/cmk',
       assignedOrgId,
       customerMasterKey,
-      requestId: uuid.v4(),
+      requestId: crypto.randomUUID(),
       customerMasterKeyBackup: awsKms ? customerMasterKeyBackup : undefined,
       customerMasterKeyRole: awsKms ? customerMasterKeyRole : undefined,
     }).then((res) => {
@@ -319,7 +318,7 @@ const KMS = WebexPlugin.extend({
       method: 'retrieve',
       uri: awsKms ? '/awsKmsCmk' : '/cmk',
       assignedOrgId,
-      requestId: uuid.v4(),
+      requestId: crypto.randomUUID(),
     }).then((res) => {
       this.logger.info('kms: finish to get all customer master keys');
 
@@ -362,7 +361,7 @@ const KMS = WebexPlugin.extend({
       uri: keyId,
       keyState,
       assignedOrgId,
-      requestId: uuid.v4(),
+      requestId: crypto.randomUUID(),
     }).then((res) => {
       this.logger.info('kms: finish to change the customer master key state to {}', keyState);
 
@@ -384,7 +383,7 @@ const KMS = WebexPlugin.extend({
       method: 'delete',
       uri: awsKms ? '/awsKmsCmk' : '/cmk',
       assignedOrgId,
-      requestId: uuid.v4(),
+      requestId: crypto.randomUUID(),
     }).then((res) => {
       this.logger.info('kms: finish to delete all customer master keys');
 
@@ -406,7 +405,7 @@ const KMS = WebexPlugin.extend({
       uri: 'default',
       keyState: 'ACTIVE',
       assignedOrgId,
-      requestId: uuid.v4(),
+      requestId: crypto.randomUUID(),
     }).then((res) => {
       this.logger.info('kms: finish to return to global master key');
 

packages/@webex/internal-plugin-encryption/test/integration/spec/kms.js

@@ -9,7 +9,6 @@ import {assert, expect} from '@webex/test-helper-chai';
 import sinon from 'sinon';
 import WebexCore from '@webex/webex-core';
 import testUsers from '@webex/test-helper-test-users';
-import uuid from 'uuid';
 import {skipInBrowser} from '@webex/test-helper-mocha';
 
 const debug = require('debug')('kms');
@@ -732,7 +731,7 @@ describe('Encryption', function () {
           .create({
             count: 1,
             config: {
-              email: `webex-js-sdk--kms-fed--${uuid.v4()}@wx2.example.com`,
+              email: `webex-js-sdk--kms-fed--${crypto.randomUUID()}@wx2.example.com`,
               entitlements: ['webExSquared'],
               orgId: 'kmsFederation',
             },

packages/@webex/internal-plugin-feature/package.json

@@ -11,7 +11,7 @@
     "directory": "packages/@webex/internal-plugin-feature"
   },
   "engines": {
-    "node": ">=18"
+    "node": ">=20"
   },
   "scripts": {
     "build": "yarn build:src",

packages/@webex/internal-plugin-flag/package.json

@@ -11,7 +11,7 @@
     "directory": "packages/@webex/internal-plugin-flag"
   },
   "engines": {
-    "node": ">=18"
+    "node": ">=20"
   },
   "scripts": {
     "build": "yarn build:src",

packages/@webex/internal-plugin-llm/package.json

@@ -10,7 +10,7 @@
     "directory": "packages/@webex/internal-plugin-llm"
   },
   "engines": {
-    "node": ">=18"
+    "node": ">=20"
   },
   "dependencies": {
     "@webex/internal-plugin-mercury": "workspace:*"

packages/@webex/internal-plugin-locus/package.json

@@ -10,7 +10,7 @@
     "directory": "packages/@webex/internal-plugin-locus"
   },
   "engines": {
-    "node": ">=18"
+    "node": ">=20"
   },
   "browserify": {
     "transform": [