kjur / jsrsasign

The 'jsrsasign' (RSA-Sign JavaScript Library) is an opensource free cryptography library supporting RSA/RSAPSS/ECDSA/DSA signing/validation, ASN.1, PKCS#1/5/8 private/public key, X.509 certificate, CRL, OCSP, CMS SignedData, TimeStamp, CAdES and JSON Web Signature/Token in pure JavaScript.
https://kjur.github.io/jsrsasign

KEYUTIL.getKey() fails because KJUR.crypto.Cipher is undefined #606

Closed michmerr closed 7 months ago

michmerr commented 8 months ago

I'm consuming the jsrsasign (v11.0.0) package in a node (v20.8.1) script, and calling KEYUTIL.getKey(encryptedKey, password) throws a type exception when it tries to call a function on KJUR.crypto.Cipher.

Uncaught TypeError TypeError: Cannot read properties of undefined (reading 'decrypt')
    at getPlainHexFromEncryptedPKCS8PEM (c:\Users\mmerrel3\git\jsrsasign-test\node_modules\jsrsasign\lib\jsrsasign.js:240:8222)
    at getKeyFromEncryptedPKCS8PEM (c:\Users\mmerrel3\git\jsrsasign-test\node_modules\jsrsasign\lib\jsrsasign.js:240:8315)
    at KEYUTIL.getKey (c:\Users\mmerrel3\git\jsrsasign-test\node_modules\jsrsasign\lib\jsrsasign.js:240:16194)
    at (c:\Users\mmerrel3\git\jsrsasign-test\sample\test.js:34:21)

This is from a stripped-down repro script using a throw-away private key.

const {KEYUTIL} = require('jsrsasign');

const privateKey = `-----BEGIN ENCRYPTED PRIVATE KEY-----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-----END ENCRYPTED PRIVATE KEY-----`;

const key = KEYUTIL.getKey(privateKey, 'foobar');

console.log(key);

I tried with a DES3 private key (after looking for old issues with the same error), but that code path fails in the same way.

michmerr commented 8 months ago

Just read the changelog for v11, and can see this is by design, I assume until there is a fix for the related vulnerability.

scarface3 commented 7 months ago

Is there a workaround for this yet? Like a way to bypass it?

kjur commented 7 months ago

This works with jsrsasign 11.1.0. Thanks.
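
For a Node script pinned to a release where the encrypted PKCS#8 path in KEYUTIL.getKey() is unavailable, the passphrase decryption can be done with Node's built-in crypto module before the key reaches jsrsasign. This is an added example, not code from the thread or from the jsrsasign project. The helper names are hypothetical, the sample key is generated at run time, and it is an assumption that an unencrypted PKCS#8 PEM avoids the failing getKeyFromEncryptedPKCS8PEM path shown in the stack trace.

```javascript
const nodeCrypto = require('node:crypto');

// Decrypt an "ENCRYPTED PRIVATE KEY" (PKCS#8) PEM with Node's own crypto and
// return an unencrypted PKCS#8 PEM string. Keep the result in memory only;
// writing it to disk defeats the purpose of the passphrase.
function decryptPkcs8Pem(encryptedPem, passphrase) {
  if (!/-----BEGIN ENCRYPTED PRIVATE KEY-----/.test(encryptedPem)) {
    throw new TypeError('expected an ENCRYPTED PRIVATE KEY (PKCS#8) PEM block');
  }
  let keyObject;
  try {
    keyObject = nodeCrypto.createPrivateKey({ key: encryptedPem, format: 'pem', passphrase });
  } catch (err) {
    // A wrong passphrase and an unsupported encryption scheme both end up here.
    throw new Error(`could not decrypt PKCS#8 key: ${err.code || err.message}`);
  }
  return keyObject.export({ type: 'pkcs8', format: 'pem' });
}

// Constructed sample input: a throw-away RSA key, passphrase-encrypted as PKCS#8.
function makeSampleEncryptedKey(passphrase) {
  const { privateKey } = nodeCrypto.generateKeyPairSync('rsa', {
    modulusLength: 2048,
    privateKeyEncoding: { type: 'pkcs8', format: 'pem', cipher: 'aes-256-cbc', passphrase },
  });
  return privateKey;
}

// Sanity check that the decrypted PEM is a usable private key: sign with it,
// then verify with the public key derived from the same PEM.
function signVerifyRoundTrip(plainPem) {
  const data = Buffer.from('constructed test message');
  const signature = nodeCrypto.sign('sha256', data, plainPem);
  return nodeCrypto.verify('sha256', data, nodeCrypto.createPublicKey(plainPem), signature);
}

const samplePass = 'foobar'; // same throw-away passphrase as the repro script
const sampleEncrypted = makeSampleEncryptedKey(samplePass);
const samplePlain = decryptPkcs8Pem(sampleEncrypted, samplePass);
console.log(samplePlain.split('\n')[0]);

// With jsrsasign installed, the decrypted PEM is passed without a password:
//   const { KEYUTIL } = require('jsrsasign');
//   const key = KEYUTIL.getKey(samplePlain);
```

Upgrading to jsrsasign 11.1.0, as the maintainer's reply states, makes the original two-argument call work again.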