Can't find the information anywhere. I'm a noob in computer security so my question might sound a bit dumb.

I understand we can communicate with Verdaccio using HTTPS and we can set up an authentication with htpasswd so I'm guessing a Verdaccio npm registry configured to use HTTPS and authentication is encrypted. If I'm right, what is/are the algorithm(s) used to encrypt the registry?

Randy
  • Do you mean to create tokens? – Juan Picado Feb 14 '20 at 00:35
  • I mean, to encrypt the data that's stored in the registry itself, I'm not talking about the communication between the client and verdaccio, I'm talking about the data in verdaccio itself. – Randy Feb 14 '20 at 19:39

1 Answer

Verdaccio uses crypto.createCipher(algorithm, password[, options]) to encrypt tokens by default.

A simple example would be:

import { createCipher } from 'crypto';

// Encrypt "name:password" into the token payload.
// `secret` is the value referred to here as SOME_RANDOM_SALT_VALUE.
// Note: crypto.createCipher() is deprecated in Node.js.
function aesEncrypt(name, password, secret) {
  const payload = Buffer.from(`${name}:${password}`, 'utf8');
  const c = createCipher('aes192', secret);
  const b1 = c.update(payload);
  const b2 = c.final();
  return Buffer.concat([b1, b2]);
}

Furthermore, it has the option to use a standard JWT (jsonwebtoken), but it is not enabled by default.

According to the docs, a possible answer to your question might be:

The algorithm is dependent on OpenSSL, examples are 'aes192', etc. On recent OpenSSL releases, openssl list -cipher-algorithms (openssl list-cipher-algorithms for older versions of OpenSSL) will display the available cipher algorithms.

Juan Picado
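
What createCipher('aes192', secret) in the answer above computes underneath, as an added example that is not part of the original answer and is not Verdaccio's code: Node.js documents that createCipher() derives the key and IV with OpenSSL's EVP_BytesToKey (MD5, one iteration, no salt), so the same secret always yields the same key and IV. The function names, the sample values and the hardened token layout (salt, nonce, tag, ciphertext) are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// EVP_BytesToKey with MD5, one iteration, no salt: the derivation
// crypto.createCipher() applies to its password argument.
function legacyKeyIv(secret, keyLen = 24, ivLen = 16) {
  const pw = Buffer.from(secret, 'utf8');
  let block = Buffer.alloc(0);
  let out = Buffer.alloc(0);
  while (out.length < keyLen + ivLen) {
    block = crypto.createHash('md5').update(Buffer.concat([block, pw])).digest();
    out = Buffer.concat([out, block]);
  }
  return { key: out.subarray(0, keyLen), iv: out.subarray(keyLen, keyLen + ivLen) };
}

// Equivalent of createCipher('aes192', secret); 'aes192' is an alias of aes-192-cbc.
// Deterministic and unauthenticated: shown to explain the legacy scheme.
function legacyEncrypt(name, password, secret) {
  const { key, iv } = legacyKeyIv(secret);
  const c = crypto.createCipheriv('aes-192-cbc', key, iv);
  return Buffer.concat([c.update(`${name}:${password}`, 'utf8'), c.final()]);
}

// Hardened variant (hypothetical layout): scrypt key with a random salt,
// random 96-bit nonce, AES-256-GCM so tampering is detected on decrypt.
function sealToken(name, password, secret) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const key = crypto.scryptSync(secret, salt, 32);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(`${name}:${password}`, 'utf8'), c.final()]);
  return Buffer.concat([salt, iv, c.getAuthTag(), ct]);
}

// Reverses sealToken(); throws if the token or secret does not match.
function openToken(token, secret) {
  const key = crypto.scryptSync(secret, token.subarray(0, 16), 32);
  const d = crypto.createDecipheriv('aes-256-gcm', key, token.subarray(16, 28));
  d.setAuthTag(token.subarray(28, 44));
  return Buffer.concat([d.update(token.subarray(44)), d.final()]).toString('utf8');
}
```

Two calls to legacyEncrypt with the same inputs return identical bytes, while sealToken returns a different token each time and openToken rejects a modified one.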