display warning to use --security-revert=CVE-2023-46809

node-opcua · Mar 5, 2024 · bdabd82 · bdabd82
1 parent e1e9e4b
commit bdabd82
Show file tree

Hide file tree

Showing 7 changed files with 175 additions and 52 deletions.
diff --git a/.github/workflows/workflow.yml b/.github/workflows/workflow.yml
@@ -18,6 +18,12 @@ jobs:
 
   build_on_windows:
     runs-on: windows-latest
+    strategy:
+      matrix:
+        node-version: [20.x ]
+        include:
+          - node-version: 20.x
+            SECURITY_REVERT_CVE_2023_46809: "--security-revert=CVE-2023-46809"
     steps:
     - uses: actions/checkout@v3
     - name: Use Node.js ${{ matrix.node-version }}
@@ -33,12 +39,22 @@ jobs:
     - run: pnpm recursive install --no-frozen-lockfile
     - run: pnpm run build
     - run: pnpm run pretest
-    - run: pnpm test
+    - run: pnpm run test:win
+      env:
+        SECURITY_REVERT_CVE_2023_46809: ${{matrix.SECURITY_REVERT_CVE_2023_46809}}
+
+
+
   build:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        node-version: [16.x]
+        node-version: [16.x, 18.x, 20.x ]
+        include:
+          - node-version: 18.x
+            SECURITY_REVERT_CVE_2023_46809: "--security-revert=CVE-2023-46809"
+          - node-version: 20.x
+            SECURITY_REVERT_CVE_2023_46809: "--security-revert=CVE-2023-46809"
 
     steps:
     - uses: actions/checkout@v3
@@ -58,11 +74,18 @@ jobs:
     - run: openssl version
     - run: pnpm run pretest
     - run: pnpm test
+      env:
+        SECURITY_REVERT_CVE_2023_46809: ${{matrix.SECURITY_REVERT_CVE_2023_46809}}
+
+
   coverage:
     runs-on: ubuntu-latest
     strategy:
       matrix:
         node-version: [20.x]
+        include:
+          - node-version: 20.x
+            SECURITY_REVERT_CVE_2023_46809: "--security-revert=CVE-2023-46809"
     steps:
       - uses: actions/checkout@v3
       - name: Use Node.js ${{ matrix.node-version }}
@@ -81,8 +104,11 @@ jobs:
       - run: hostname 
       - run: openssl version
       - run: pnpm run pretest
+        env:
+          SECURITY_REVERT_CVE_2023_46809: ${{ matrix.SECURITY_REVERT_CVE_2023_46809 }}        
       - run: make test-cov     
-
+        env:
+          SECURITY_REVERT_CVE_2023_46809: ${{ matrix.SECURITY_REVERT_CVE_2023_46809 }}        
       - name: Coveralls
         uses: coverallsapp/github-action@v2
         with:

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
@@ -1,30 +1,54 @@
-image: node:16
 
 stages:
-  - build
+    - build
 cache:
-  key: ${CI_COMMIT_REF_SLUG}
-  paths:
-    - .npm/
-    - node_modules/
-    - packages/
-    - ~/.pnpm-store
+    key: ${CI_COMMIT_REF_SLUG}
+    paths:
+        - .npm/
+        - node_modules/
+        - packages/
+        - ~/.pnpm-store
 
-build_and_test:
-  variables:
-     KUBERNETES_CPU_REQUEST: 4
-     KUBERNETES_CPU_LIMIT: 4
-     KUBERNETES_MEMORY_REQUEST: 4Gi
-     KUBERNETES_MEMORY_LIMIT: 4Gi
-  stage: build
-  before_script:
-    - npm install -g pnpm@7
-    - pnpm config set store-dir `pwd`/.pnpm-store
-    - pnpm recursive install --frozen-lockfile=false
-  script:
-    - pnpm run consistency
-    - pnpm run build
-    - pnpm run pretest
-    - node packages/parallel_test.js
-    # - node packages/run_all_mocha_tests.js DISCO3
-
+.build_template: &build_template
+    variables:
+        KUBERNETES_CPU_REQUEST: 4
+        KUBERNETES_CPU_LIMIT: 4
+        KUBERNETES_MEMORY_REQUEST: 4Gi
+        KUBERNETES_MEMORY_LIMIT: 4Gi
+    stage: build
+    before_script:
+        - npm install -g pnpm@7
+        - pnpm config set store-dir `pwd`/.pnpm-store
+        - pnpm recursive install --frozen-lockfile=false
+    script:
+        - pnpm run consistency
+        - pnpm run build
+        - pnpm run pretest
+        - node ${SECURITY_OPTIONS} packages/parallel_test.js
+        # - node packages/run_all_mocha_tests.js DISCO3
+
+build_and_test_node_16:
+  <<: *build_template
+  variables: 
+    SECURITY_OPTIONS: ""
+  image: node:16
+
+## https://nodejs.org/en/about/previous-releases
+
+build_and_test_node_18:
+  <<: *build_template
+  variables: 
+    SECURITY_OPTIONS: "--security-revert=CVE-2023-46809"
+  image: node:18
+
+build_and_test_node_20:
+  <<: *build_template
+  variables: 
+    SECURITY_OPTIONS: "--security-revert=CVE-2023-46809"
+  image: node:20
+
+# build_and_test_node_21:
+#   <<: *build_template
+#   variables: 
+#     SECURITY_OPTIONS: --security-revert=CVE-2023-46809
+#   image: node:21
diff --git a/Makefile b/Makefile
@@ -3,7 +3,7 @@
 test-cov: istanbul
 
 istanbul:
-	npx -y nyc@15 node -r source-map-support/register --max_old_space_size=8192 ./packages/run_all_mocha_tests.js  
+	npx -y nyc@15 node -r source-map-support/register  ${SECURITY_REVERT_CVE_2023_46809} --max_old_space_size=8192 ./packages/run_all_mocha_tests.js  
 	npx -y nyc@15 report --reporter=lcov --reporter=html 
 
 # literate_programming stuff

diff --git a/package.json b/package.json
@@ -9,6 +9,7 @@
         "test": "test"
     },
     "scripts": {
+        "tsup": "npx tsup ./packages/node-opcua/source/index.ts",
         "consistency": "npx -y @ster5/check-version-consistency",
         "preinstall": "node prevent_npm_install.js",
         "postinstall": "pnpm build",
@@ -23,7 +24,8 @@
         "generate": "pnpm recursive run generate",
         "pretest": "pnpm recursive run pretest",
         "_old_test": "cd source && mocha test --color -R spec --recursive --timeout 200000 --bail",
-        "test": "cd packages && node --expose-gc --max-old-space-size=1024 run_all_mocha_tests.js",
+        "test": "cd packages && node --expose-gc ${SECURITY_REVERT_CVE_2023_46809} --max-old-space-size=1024 run_all_mocha_tests.js",
+        "test:win": "cd packages && node --expose-gc %SECURITY_REVERT_CVE_2023_46809% --max-old-space-size=1024 run_all_mocha_tests.js",
         "eslint": "eslint packages/**/src/*.js  packages/**/source/*.ts packages/**/test_helpers/*",
         "eslint-fix": "eslint --fix packages/*/src/**.js packages/*/__tests__/ utils/*.js scripts/*.js",
         "generate_doc": "make doc",
@@ -60,6 +62,7 @@
         "packages_extra/*"
     ],
     "devDependencies": {
+        "tsup": "8.0.2",
         "@types/mocha": "^10.0.6",
         "@types/prettier": "^2.7.3",
         "@typescript-eslint/eslint-plugin": "^7.0.2",
@@ -186,4 +189,4 @@
             "trim-off-newlines@<1.0.3": ">=1.0.3"
         }
     }
-}
+}
diff --git a/packages/node-opcua-secure-channel/source/index.ts b/packages/node-opcua-secure-channel/source/index.ts
@@ -11,3 +11,6 @@ export * from "./message_header_to_string";
 export * from "./client/client_secure_channel_layer";
 export * from "./server/server_secure_channel_layer";
 export * from "./common";
+//
+import { testRSAPKCS1V15_EncryptDecrypt } from "./verify_pcks1";
+testRSAPKCS1V15_EncryptDecrypt();
diff --git a/packages/node-opcua-secure-channel/source/security_policy.ts b/packages/node-opcua-secure-channel/source/security_policy.ts
@@ -5,7 +5,7 @@
 // tslint:disable:variable-name
 // tslint:disable:max-line-length
 
-import { KeyLike } from "crypto";
+import { KeyLike, KeyObject } from "crypto";
 import { assert } from "node-opcua-assert";
 
 import { MessageSecurityMode, SignatureData } from "node-opcua-service-secure-channel";
@@ -23,17 +23,14 @@ import {
     PrivateKey,
     publicEncrypt_long,
     PublicKey,
-
     rsaLengthPrivateKey,
     rsaLengthPublicKey,
-    RSA_PKCS1_OAEP_PADDING,
-    RSA_PKCS1_PADDING,
     Signature,
     split_der,
     toPem,
     verifyMessageChunkSignature,
-    PaddingAlgorithm
-} from "node-opcua-crypto";
+    PaddingAlgorithm,
+    privateKeyToPEM} from "node-opcua-crypto";
 import { EncryptBufferFunc, SignBufferFunc } from "node-opcua-chunkmanager";
 import { make_warningLog } from "node-opcua-debug";
 
@@ -187,10 +184,16 @@ export function coerceSecurityPolicy(value?: string | SecurityPolicy | null): Se
 }
 
 // --------------------
-// function RSAPKCS1V15_Decrypt(buffer: Buffer, privateKey: PrivateKey): Buffer {
-//     const blockSize = rsaLengthPrivateKey(privateKey);
-//     return privateDecrypt_long(buffer, privateKey, blockSize, PaddingAlgorithm.RSA_PKCS1_PADDING);
-// }
+export function RSAPKCS1V15_Decrypt(buffer: Buffer, privateKey: PrivateKey): Buffer {
+    try {
+        const blockSize = rsaLengthPrivateKey(privateKey);
+        return privateDecrypt_long(buffer, privateKey, blockSize, PaddingAlgorithm.RSA_PKCS1_PADDING);
+    } catch (err) {
+        console.log("err = ", err);
+        throw err;
+    }
+}
+
 
 function RSAOAEP_Decrypt(buffer: Buffer, privateKey: PrivateKey): Buffer {
     const blockSize = rsaLengthPrivateKey(privateKey);
@@ -255,10 +258,15 @@ const RSAPKCS1OAEPSHA1_Sign = RSAPKCS1V15SHA1_Sign;
 
 // DEPRECATED in NODEJS 20.11.1 see https://github.com/nodejs/node/commit/7079c062bb SECURITY_REVERT_CVE_2023_46809
 // ( node --security-revert=CVE-2023-46809")
-// function RSAPKCS1V15_Encrypt(buffer: Buffer, publicKey: PublicKey): Buffer {
-//     const keyLength = rsaLengthPublicKey(publicKey);
-//     return publicEncrypt_long(buffer, publicKey as unknown as KeyLike, keyLength, 11, PaddingAlgorithm.RSA_PKCS1_PADDING);
-// }
+export function RSAPKCS1V15_Encrypt(buffer: Buffer, publicKey: PublicKey): Buffer {
+    try {
+        const keyLength = rsaLengthPublicKey(publicKey);
+        return publicEncrypt_long(buffer, publicKey as unknown as KeyLike, keyLength, 11, PaddingAlgorithm.RSA_PKCS1_PADDING);
+    } catch (err) {
+        console.log(err);
+        throw err;
+    }
+}
 
 function RSAOAEP_Encrypt(buffer: Buffer, publicKey: PublicKey): Buffer {
     const keyLength = rsaLengthPublicKey(publicKey);
@@ -295,7 +303,6 @@ export function computeDerivedKeys(cryptoFactory: CryptoFactory, serverNonce: No
 }
 
 export interface CryptoFactory {
-
     securityPolicy: SecurityPolicy;
     symmetricKeyLength: number;
     derivedEncryptionKeyLength: number;
@@ -320,7 +327,7 @@ export interface CryptoFactory {
     /**  for info only */
     asymmetricEncryptionAlgorithm: string;
 
-    symmetricEncryptionAlgorithm:  "aes-256-cbc" |  "aes-128-cbc";
+    symmetricEncryptionAlgorithm: "aes-256-cbc" | "aes-128-cbc";
 
     blockPaddingSize: number;
     sha1or256: "SHA1" | "SHA256";
@@ -347,13 +354,13 @@ const factoryBasic128Rsa15: CryptoFactory = {
     asymmetricSignatureAlgorithm: "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
 
     /* asymmetric encryption algorithm */
-    asymmetricEncrypt: RSAOAEP_Encrypt,
+    asymmetricEncrypt: RSAPKCS1V15_Encrypt,
 
-    asymmetricDecrypt: RSAOAEP_Decrypt,
+    asymmetricDecrypt: RSAPKCS1V15_Decrypt,
 
     asymmetricEncryptionAlgorithm: "http://www.w3.org/2001/04/xmlenc#rsa-1_5",
 
-    blockPaddingSize: 42,
+    blockPaddingSize: 11,
 
     symmetricEncryptionAlgorithm: "aes-128-cbc",
 
@@ -500,7 +507,6 @@ const _Aes256_Sha256_RsaPss: CryptoFactory = {
     sha1or256: "SHA256"
 };
 
-
 export function getCryptoFactory(securityPolicy: SecurityPolicy): CryptoFactory | null {
     switch (securityPolicy) {
         case SecurityPolicy.None:

diff --git a/packages/node-opcua-secure-channel/source/verify_pcks1.ts b/packages/node-opcua-secure-channel/source/verify_pcks1.ts
@@ -0,0 +1,61 @@
+import { KeyObject, createPrivateKey, subtle } from "crypto";
+import { privateKeyToPEM } from "node-opcua-crypto";
+import { make_warningLog } from "node-opcua-debug";
+import { RSAPKCS1V15_Encrypt, RSAPKCS1V15_Decrypt } from "./security_policy";
+
+const warningLog = make_warningLog("NODE-OPCUA-W27");
+
+function myCreatePrivateKey(rawKey: string | Buffer): any {
+    // // see https://askubuntu.com/questions/1409458/openssl-config-cuases-error-in-node-js-crypto-how-should-the-config-be-updated
+    // const backup = process.env.OPENSSL_CONF;
+    // process.env.OPENSSL_CONF = "/dev/null";
+    const retValue = createPrivateKey(rawKey);
+    // process.env.OPENSSL_CONF = backup;
+    return { hidden: retValue };
+}
+
+export async function testRSAPKCS1V15_EncryptDecrypt() {
+
+    const version = process.version.match(/v([0-9]+)\.([0-9]+)\.([0-9]+)/);
+    if (!version) {
+        throw new Error("Invalid version");
+    }   
+    const major = parseInt(version[1], 10);
+    const minor = parseInt(version[2], 10);
+    const patch = parseInt(version[3], 10);
+    if (major < 20) {
+        return; // skip test
+    }
+
+    const keyPair = await subtle.generateKey(
+        {
+            name: "RSA-OAEP",
+            modulusLength: 4096,
+            publicExponent: new Uint8Array([1, 0, 1]),
+            hash: "SHA-512"
+        },
+        true,
+        ["encrypt", "decrypt"]
+    );
+
+    // export public key as base64 string and save to file
+    const exportedPublicKey = await subtle.exportKey("spki", keyPair.publicKey);
+    const publicKey = Buffer.from(exportedPublicKey).toString("base64");
+
+    const privateKeyPem = await privateKeyToPEM(keyPair.privateKey);
+    // const privateKeyFilename = ""; // fs.mkdtemp((), ".t.pem");
+    // await fs.promises.writeFile(privateKeyFilename, privateKeyPem.privPem, "utf-8");
+    const privateKey = myCreatePrivateKey(privateKeyPem.privPem);
+
+    const buffer = Buffer.from("buffer");
+    let decrypted: Buffer | undefined;
+    try {
+        const encrypted = RSAPKCS1V15_Encrypt(buffer, KeyObject.from(keyPair.publicKey));
+
+        decrypted = RSAPKCS1V15_Decrypt(encrypted, privateKey);
+    } catch (err) { /**  */}
+    if (!decrypted || decrypted.toString("ascii") !== "buffer") {
+        warningLog("[NODE-OPCUA-W27]", "node version", process.version);
+        warningLog("  you need to use node flag --security-revert=CVE-2023-46809 if you have issue with RSA PKCS#1 v1.5");
+    }
+}