display warning to use --security-revert=CVE-2023-46809
1 parent
e1e9e4b
commit bdabd82
Showing
7 changed files
with
175 additions
and
52 deletions.
@@ -1,30 +1,54 @@ | ||
image: node:16 | ||
|
||
stages: | ||
- build | ||
- build | ||
cache: | ||
key: ${CI_COMMIT_REF_SLUG} | ||
paths: | ||
- .npm/ | ||
- node_modules/ | ||
- packages/ | ||
- ~/.pnpm-store | ||
key: ${CI_COMMIT_REF_SLUG} | ||
paths: | ||
- .npm/ | ||
- node_modules/ | ||
- packages/ | ||
- ~/.pnpm-store | ||
|
||
build_and_test: | ||
variables: | ||
KUBERNETES_CPU_REQUEST: 4 | ||
KUBERNETES_CPU_LIMIT: 4 | ||
KUBERNETES_MEMORY_REQUEST: 4Gi | ||
KUBERNETES_MEMORY_LIMIT: 4Gi | ||
stage: build | ||
before_script: | ||
- npm install -g pnpm@7 | ||
- pnpm config set store-dir `pwd`/.pnpm-store | ||
- pnpm recursive install --frozen-lockfile=false | ||
script: | ||
- pnpm run consistency | ||
- pnpm run build | ||
- pnpm run pretest | ||
- node packages/parallel_test.js | ||
# - node packages/run_all_mocha_tests.js DISCO3 | ||
|
||
.build_template: &build_template | ||
variables: | ||
KUBERNETES_CPU_REQUEST: 4 | ||
KUBERNETES_CPU_LIMIT: 4 | ||
KUBERNETES_MEMORY_REQUEST: 4Gi | ||
KUBERNETES_MEMORY_LIMIT: 4Gi | ||
stage: build | ||
before_script: | ||
- npm install -g pnpm@7 | ||
- pnpm config set store-dir `pwd`/.pnpm-store | ||
- pnpm recursive install --frozen-lockfile=false | ||
script: | ||
- pnpm run consistency | ||
- pnpm run build | ||
- pnpm run pretest | ||
- node ${SECURITY_OPTIONS} packages/parallel_test.js | ||
# - node packages/run_all_mocha_tests.js DISCO3 | ||
|
||
build_and_test_node_16: | ||
<<: *build_template | ||
variables: | ||
SECURITY_OPTIONS: "" | ||
image: node:16 | ||
|
||
## https://nodejs.org/en/about/previous-releases | ||
|
||
build_and_test_node_18: | ||
<<: *build_template | ||
variables: | ||
SECURITY_OPTIONS: "--security-revert=CVE-2023-46809" | ||
image: node:18 | ||
|
||
build_and_test_node_20: | ||
<<: *build_template | ||
variables: | ||
SECURITY_OPTIONS: "--security-revert=CVE-2023-46809" | ||
image: node:20 | ||
|
||
# build_and_test_node_21: | ||
# <<: *build_template | ||
# variables: | ||
# SECURITY_OPTIONS: --security-revert=CVE-2023-46809 | ||
# image: node:21 |
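Review bot: `SECURITY_OPTIONS: "--security-revert=CVE-2023-46809"` on the node 18 and node 20 jobs disables Node's mitigation for that CVE (which rejects RSA PKCS#1 v1.5 private decryption because of a timing side channel) for the entire test process, and nothing in the file says why. Add a comment above the `.build_template` `script:` block, e.g. `# SECURITY_OPTIONS reverts the CVE-2023-46809 mitigation so the RSA PKCS#1 v1.5 tests can run; CI only — never pass this flag to a production process.` The node 18 job also receives the revert even though, judging by the new test added in this commit, the PKCS#1 v1.5 check is skipped below Node 20, so either that job's flag or that gate looks unnecessary. The commented-out node 21 block writes the value unquoted while the live jobs quote it; keeping the quoted form avoids a surprise if it is re-enabled.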
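--- /dev/null
+++ b/<path-not-shown-on-page>
@@ -0,0 +1,61 @@
+import { KeyObject, createPrivateKey, subtle } from "crypto";
+import { privateKeyToPEM } from "node-opcua-crypto";
+import { make_warningLog } from "node-opcua-debug";
+import { RSAPKCS1V15_Encrypt, RSAPKCS1V15_Decrypt } from "./security_policy";
+
+const warningLog = make_warningLog("NODE-OPCUA-W27");
+
+function myCreatePrivateKey(rawKey: string | Buffer): any {
+    // // see https://askubuntu.com/questions/1409458/openssl-config-cuases-error-in-node-js-crypto-how-should-the-config-be-updated
+    // const backup = process.env.OPENSSL_CONF;
+    // process.env.OPENSSL_CONF = "/dev/null";
+    const retValue = createPrivateKey(rawKey);
+    // process.env.OPENSSL_CONF = backup;
+    return { hidden: retValue };
+}
+
+export async function testRSAPKCS1V15_EncryptDecrypt() {
+
+    const version = process.version.match(/v([0-9]+)\.([0-9]+)\.([0-9]+)/);
+    if (!version) {
+        throw new Error("Invalid version");
+    }
+    const major = parseInt(version[1], 10);
+    const minor = parseInt(version[2], 10);
+    const patch = parseInt(version[3], 10);
+    if (major < 20) {
+        return; // skip test
+    }
+
+    const keyPair = await subtle.generateKey(
+        {
+            name: "RSA-OAEP",
+            modulusLength: 4096,
+            publicExponent: new Uint8Array([1, 0, 1]),
+            hash: "SHA-512"
+        },
+        true,
+        ["encrypt", "decrypt"]
+    );
+
+    // export public key as base64 string and save to file
+    const exportedPublicKey = await subtle.exportKey("spki", keyPair.publicKey);
+    const publicKey = Buffer.from(exportedPublicKey).toString("base64");
+
+    const privateKeyPem = await privateKeyToPEM(keyPair.privateKey);
+    // const privateKeyFilename = ""; // fs.mkdtemp((), ".t.pem");
+    // await fs.promises.writeFile(privateKeyFilename, privateKeyPem.privPem, "utf-8");
+    const privateKey = myCreatePrivateKey(privateKeyPem.privPem);
+
+    const buffer = Buffer.from("buffer");
+    let decrypted: Buffer | undefined;
+    try {
+        const encrypted = RSAPKCS1V15_Encrypt(buffer, KeyObject.from(keyPair.publicKey));
+
+        decrypted = RSAPKCS1V15_Decrypt(encrypted, privateKey);
+    } catch (err) { /** */}
+    if (!decrypted || decrypted.toString("ascii") !== "buffer") {
+        warningLog("[NODE-OPCUA-W27]", "node version", process.version);
+        warningLog(" you need to use node flag --security-revert=CVE-2023-46809 if you have issue with RSA PKCS#1 v1.5");
+    }
+}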
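Review bot: The `catch (err) { /** */}` near the end of testRSAPKCS1V15_EncryptDecrypt swallows whatever actually failed, so the W27 warning recommends `--security-revert=CVE-2023-46809` for any error at all, including a malformed key or a defect in the RSAPKCS1V15_* wrappers; keep the cause, e.g. `} catch (err) { failure = err; }` with `let failure: unknown;` declared next to `decrypted`, and print `failure` in the warning. The warning text should also state what the flag costs: it removes Node's mitigation for CVE-2023-46809, re-enabling RSA PKCS#1 v1.5 private decryption together with its timing side channel, so it belongs only in deployments where a peer's security policy requires PKCS#1 v1.5, not as a general remedy. `minor` and `patch` are computed but never read, `publicKey` is likewise unused, and `myCreatePrivateKey` is typed `any` where `{ hidden: KeyObject }` is the shape it actually returns. The `major < 20` gate means the check never runs on Node 18, which the CI change in this same commit nevertheless starts with the revert flag.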