N/pgp Module Script Samples

The following script samples demonstrate how to use the features of the N/pgp module.

Important:

To use the N/pgp Module, you must first generate PGP keys from GnuPG, OpenPGP, or a third-party source that supports PGP key generation. The generated keys must be stored in Secrets Management so that they can be securely managed and referenced. To store your generated keys, go to Setup > Company > API Secrets and create a new secret key. You will need at least three secrets to use this module.

For more information about API Secrets in NetSuite, see Secrets Management.

Send a Message

The following sample shows how to encrypt, sign, and format a message as an ASCII armored string. The armored string is then sent in an email using the N/email Module.

Note:

This sample script uses the require function so that you can copy it into the SuiteScript Debugger and test it. You must use the define function in an entry point script (the script you attach to a script record and deploy). For more information, see SuiteScript 2.x Script Basics and SuiteScript 2.x Script Types and Entry Points.

Note:

Some of the values in this sample are placeholders, such as the senderId and recipientEmail values. Before using this sample, replace all hard-coded values, including IDs and secrets, with valid values from your NetSuite account. If you run a script with an invalid value, the system may throw an error.

/**
 * @NApiVersion 2.1
 */

require(['N/pgp', 'N/email'], (pgp, email) => {
  const keys = {
    ours: {
      pub: pgp.loadKeyFromSecret({
        secret: { scriptId: 'custsecret_pgp_key_ours_public' }
      }),
      pri: pgp.loadKeyFromSecret({
        secret: { scriptId: 'custsecret_pgp_key_ours_private' },
        password: { scriptId: 'custsecret_pgp_key_ours_private_password' } 
      })
    }
  }

  const data = pgp.createMessageData({ 
    content: 'Hello, world!'
  })
  const message = data.encrypt({ 
    encryptionKeys: keys.ours.pub,
    signingKeys: keys.ours.pri
  })
  const payload = message.asArmored()

  const senderId = -5
  // placeholder recipient address; replace with a valid value
  const recipientEmail = 'notify@myCompany.com'
  email.send({
    author: senderId,
    recipients: recipientEmail,
    subject: 'Test PGP',
    body: 'Payload: ' + payload
  })
})

          

Receive a Message

The following sample shows how to decrypt and verify a message.

/**
 * @NApiVersion 2.1
 */

require(['N/pgp'], (pgp) => {
  const keys = {
    ours: {
      pub: pgp.loadKeyFromSecret({
        secret: { scriptId: 'custsecret_pgp_key_ours_public' }
      }),
      pri: pgp.loadKeyFromSecret({
        secret: { scriptId: 'custsecret_pgp_key_ours_private' },
        password: { scriptId: 'custsecret_pgp_key_ours_private_password' }
      })
    }
  }
  const data = pgp.createMessageData({ 
    content: 'Hello, world!'
  })
  const message = data.encrypt({ 
    encryptionKeys: keys.ours.pub,
    signingKeys: keys.ours.pri
  })
  const payload = message.asArmored()
  const parseMessage = pgp.parseMessage({ 
    value: payload
  })
  const msgData = parseMessage.decrypt({ 
    decryptionKeys: keys.ours.pri,
    verificationKeys: keys.ours.pub
  })
  const text = msgData.getText() // decrypted plaintext: 'Hello, world!'
}) 
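
The Send sample places the armored string after a 'Payload: ' prefix in the email body, so a receiver has to isolate the armored block before passing it to pgp.parseMessage. The following is an added example, not part of the NetSuite documentation: plain Node.js that extracts the block and checks its RFC 4880 CRC-24 when one is present. The helpers armor and extractArmored are hypothetical names, the sample bytes are constructed, and N/pgp is not used.

```javascript
// Plain Node.js (uses Buffer); not SuiteScript and not part of N/pgp.

// CRC-24 from RFC 4880, section 6.1.
function crc24(bytes) {
  let crc = 0xb704ce;
  for (const b of bytes) {
    crc ^= b << 16;
    for (let i = 0; i < 8; i++) {
      crc <<= 1;
      if (crc & 0x1000000) crc ^= 0x1864cfb;
    }
  }
  return crc & 0xffffff;
}

// Hypothetical helper: wraps bytes in armor, only to construct sample input.
function armor(bytes) {
  const body = bytes.toString('base64').match(/.{1,64}/g).join('\n');
  const c = crc24(bytes);
  const sum = Buffer.from([c >> 16, (c >> 8) & 0xff, c & 0xff]).toString('base64');
  return `-----BEGIN PGP MESSAGE-----\n\n${body}\n=${sum}\n-----END PGP MESSAGE-----`;
}

// Hypothetical helper: finds the armored block in an email body and rejects
// it if the framing, base64 or (when present) CRC-24 is damaged.
function extractArmored(emailBody) {
  const m = /-----BEGIN PGP MESSAGE-----\r?\n([\s\S]*?)\r?\n-----END PGP MESSAGE-----/.exec(emailBody);
  if (!m) throw new Error('no armored PGP message found');
  const lines = m[1].split(/\r?\n/).map((l) => l.trim());
  const blank = lines.indexOf(''); // a blank line ends the armor headers
  if (blank === -1) throw new Error('missing blank line after armor headers');
  const body = lines.slice(blank + 1).filter(Boolean);
  // The checksum line is optional; verify it only when the sender emitted one.
  const sum = /^=[A-Za-z0-9+/]{4}$/.test(body[body.length - 1] || '') ? body.pop().slice(1) : null;
  const b64 = body.join('');
  if (!/^[A-Za-z0-9+/]+={0,2}$/.test(b64) || b64.length % 4 !== 0) throw new Error('invalid base64 body');
  const bytes = Buffer.from(b64, 'base64');
  if (sum !== null && crc24(bytes) !== Buffer.from(sum, 'base64').readUIntBE(0, 3)) {
    throw new Error('CRC-24 mismatch');
  }
  return { armored: m[0], bytes };
}

// Constructed sample: placeholder bytes stand in for a real encrypted message.
const SAMPLE = Buffer.from('constructed bytes standing in for an encrypted, signed PGP message body');
const EMAIL_BODY = 'Payload: ' + armor(SAMPLE);
console.log(extractArmored(EMAIL_BODY).bytes.equals(SAMPLE));
```

The CRC-24 only catches transport damage such as a mail gateway rewrapping lines; tamper detection still comes from the signature check made with verificationKeys during decrypt.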

          

Send a Message to Multiple Receivers

PGP lets you encrypt and sign with multiple keys, so you can send the same payload to multiple recipients. As a recipient, you can provide multiple decryption and verification keys. The following sample sends a message to two receivers and decrypts the message contents.

/**
 * @NApiVersion 2.1
 */

require(['N/pgp'], (pgp) => {
  // public and private keys for multiple receivers
  const keys = {
    alice: {
      pub: pgp.loadKeyFromSecret({
        secret: { scriptId: 'custsecret_pgp_key_alice_public' }
      }),
      pri: pgp.loadKeyFromSecret({
        secret: { scriptId: 'custsecret_pgp_key_alice_private' },
        password: { scriptId: 'custsecret_pgp_key_alice_private_password' }
      })
    },
    bob: {
      pub: pgp.loadKeyFromSecret({
        secret: { scriptId: 'custsecret_pgp_key_bob_public' }
      }),
      pri: pgp.loadKeyFromSecret({
        secret: { scriptId: 'custsecret_pgp_key_bob_private' },
        password: { scriptId: 'custsecret_pgp_key_bob_private_password' }
      })
    },
    netsuite: {
      pub: pgp.loadKeyFromSecret({
        secret: { scriptId: 'custsecret_pgp_netsuite_pub' }
      }),
      pri: pgp.loadKeyFromSecret({
        secret: { scriptId: 'custsecret_pgp_netsuite_pri' }
      })
    },
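    example: {
      // public half is needed below to verify the signature made with example.pri
      pub: pgp.loadKeyFromSecret({
        secret: { scriptId: 'custsecret_pgp_example_pub' }
      }),
      pri: pgp.loadKeyFromSecret({
        secret: { scriptId: 'custsecret_pgp_example_pri' }
      })
    }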
  }
  const data = pgp.createMessageData({ 
    content: 'Hello Alice and Bob!'
  }) 
  const message = data.encrypt({ 
    encryptionKeys: [keys.alice.pub, keys.bob.pub],
    signingKeys: [keys.netsuite.pri, keys.example.pri]
  })
  /*
   * Alice decryption.
   */
  message.decrypt({ 
    decryptionKeys: keys.alice.pri,
    verificationKeys: [keys.netsuite.pub]
  }) 
  /*
   * Bob decryption.
   */
  message.decrypt({ 
    decryptionKeys: [keys.bob.pri],
    verificationKeys: keys.example.pub
  })
}) 

          

Use a Cryptographic Key for a Signature

The following sample uses a cryptographic key to sign arbitrary data.

/**
 * @NApiVersion 2.1
 */

require(['N/pgp', 'N/crypto/certificate', 'N/encode'], (pgp, cryptoCertificate, encode) => {
  const keys = {
    ours: {
      pub: pgp.loadKeyFromSecret({
        secret: { scriptId: 'custsecret_pgp_key_ours_public' }
      }),
      pri: pgp.loadKeyFromSecret({
        secret: { scriptId: 'custsecret_pgp_key_ours_private' },
        password: { scriptId: 'custsecret_pgp_key_ours_private_password' }
      })
    }
  }
  const signer = pgp.createSigner({
    key: keys.ours.pri,
    algorithm: cryptoCertificate.HashAlg.SHA256
  })
  signer.update({
    input: 'Test'
  })
  const signature = signer.sign({
    outputEncoding: encode.Encoding.BASE_64_URL_SAFE
  })

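  // pass the signature as details so it is not logged as the entry title
  log.debug({ title: 'Signature', details: signature })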
}) 

          
