kjur / jsrsasign

The 'jsrsasign' (RSA-Sign JavaScript Library) is an opensource free cryptography library supporting RSA/RSAPSS/ECDSA/DSA signing/validation, ASN.1, PKCS#1/5/8 private/public key, X.509 certificate, CRL, OCSP, CMS SignedData, TimeStamp, CAdES and JSON Web Signature/Token in pure JavaScript.
https://kjur.github.io/jsrsasign

KEYUTIL.getKey() fails because KJUR.crypto.Cipher is undefined #606

Closed michmerr closed 9 months ago

michmerr commented 10 months ago

I'm consuming the jsrsasign (v11.0.0) package in a node (v20.8.1) script, and calling KEYUTIL.getKey(encryptedKey, password) throws a type exception when it tries to call a function on KJUR.crypto.Cipher.

Uncaught TypeError TypeError: Cannot read properties of undefined (reading 'decrypt')
    at getPlainHexFromEncryptedPKCS8PEM (c:\Users\mmerrel3\git\jsrsasign-test\node_modules\jsrsasign\lib\jsrsasign.js:240:8222)
    at getKeyFromEncryptedPKCS8PEM (c:\Users\mmerrel3\git\jsrsasign-test\node_modules\jsrsasign\lib\jsrsasign.js:240:8315)
    at KEYUTIL.getKey (c:\Users\mmerrel3\git\jsrsasign-test\node_modules\jsrsasign\lib\jsrsasign.js:240:16194)
    at (c:\Users\mmerrel3\git\jsrsasign-test\sample\test.js:34:21)

This is from a stripped-down repro script using a throw-away private key.

const {KEYUTIL} = require('jsrsasign');

// Throw-away encrypted PKCS#8 private key (key body not preserved on this page).
const privateKey = `-----BEGIN ENCRYPTED PRIVATE KEY-----
...
-----END ENCRYPTED PRIVATE KEY-----`;

// On jsrsasign v11.0.0 this call throws the TypeError shown above.
const key = KEYUTIL.getKey(privateKey, 'foobar');

console.log(key);

I tried with a DES3 private key (after looking for old issues with the same error), but that code path fails in the same way.

michmerr commented 10 months ago

Just read the changelog for v11, and can see this is by-design, I assume until there is a fix for the related vulnerability.

scarface3 commented 9 months ago

Is there a workaround for this yet? Like a way to bypass it?

kjur commented 9 months ago

This works with jsrsasign 11.1.0. Thanks.