travist / jsencrypt

A zero-dependency Javascript library to perform OpenSSL RSA Encryption, Decryption, and Key Generation.
http://www.travistidwell.com/jsencrypt

Need a fix for CVE-2023-46809 #305

Open cjbathras opened 9 months ago

cjbathras commented 9 months ago

When upgrading to Node 20, I can no longer use jsencrypt because it uses PKCS1 padding. Node is preventing using PKCS1 padding because of CVE-2023-46809. It would be great if the padding method was changed or if there was an option to use a different padding scheme. If there's a way to get around this that I haven't uncovered, I'd love to hear about it.

tomato42 commented 9 months ago

Use OAEP padding?

cjbathras commented 9 months ago

How do I use OAEP padding with jsencrypt? I haven't found anything about that. If you can point me to an example that would be great!

fengmk2 commented 6 months ago

https://github.com/travist/jsencrypt/issues/84