
Node patch releases 18.19.1, 20.11.1, 21.6.2 break OpenPGP when RSA keys are used #1727

Closed
adevine opened this issue Feb 16, 2024 · 6 comments

@adevine

adevine commented Feb 16, 2024

We hit this bug after an automatic upgrade in Google App Engine to the latest stable patch release of Node, 20.11.1, broke all of our PGP decryption. Reverting to Node.js 20.9.0 fixed the issue for us (but pretty sure the problem is just in the 20.11.1 patch, as explained below).

I believe this commit in this Node version, nodejs/node@7079c062bb, which disables PKCS#1, is what is responsible for this issue. We were getting an error thrown when calling decrypt, down in the nodeDecrypt method here: https://github.com/openpgpjs/openpgpjs/blob/main/src/crypto/public_key/rsa.js#L483 (one note about where that bug is thrown: it swallows the bug thrown from Node's privateDecrypt method and throws a new Error, which made this a little harder to debug). Note I understand this was a security issue from Node's perspective, but I still think doing this in a patch release was a bad decision from Node for a change that is fundamentally not backwards compatible.

I created the following minimal test case that passes in Node 20.11.0, and throws an exception in 20.11.1. Per the Node release notes, it should also be possible to pass the flag --security-revert=CVE-2023-46809 to disable the change in behavior in the patch release.

```javascript
import {
    createMessage,
    decrypt,
    decryptKey,
    encrypt,
    generateKey,
    readKey,
    readMessage,
    readPrivateKey,
} from 'openpgp';

test('RSA decrypt test', async () => {
    // gen key pair (RSA, so decryption goes through Node's privateDecrypt)
    const passphrase = 'some secret passphrase';
    const { privateKey: armoredPrivateKey, publicKey: armoredPublicKey } = await generateKey({
        type: 'rsa',
        userIDs: [{ name: 'John Doe', email: 'jdoe@test.com' }],
        passphrase,
    });

    // encrypt a piece of text
    const text = 'A string to encrypt';
    const privateKey = await decryptKey({
        privateKey: await readPrivateKey({ armoredKey: armoredPrivateKey }),
        passphrase,
    });
    const publicKey = await readKey({ armoredKey: armoredPublicKey });

    const message = await createMessage({ text });
    const armoredEncryptedMessage = await encrypt({
        message,
        encryptionKeys: publicKey,
        signingKeys: privateKey,
    });

    // now attempt to decrypt it (this is the step that throws on Node 20.11.1)
    const encryptedMessage = await readMessage({ armoredMessage: armoredEncryptedMessage });
    const { data: decryptedText } = await decrypt({
        message: encryptedMessage,
        verificationKeys: publicKey,
        decryptionKeys: privateKey,
    });

    expect(decryptedText).toEqual(text);
});
```
@adevine
Author

adevine commented Feb 16, 2024

Just wanted to add a link to https://github.com/orgs/nodejs/discussions/51784#discussioncomment-8494516 - Node maintainers are great, explained the policy is that critical security fixes can go in minor version updates, which means this change should have gone in a minor version and not a patch, but honestly that still would have likely hit us anyway. Just good to know the defined policy on this.

@chazcross

NodeJS 18.19.1 introduced the same change breaking OpenPGP.js decryption.

adevine changed the title from "Node patch release 20.11.1 breaks some usages of decrypt." to "Node patch releases 18.19.1, 20.11.1, 21.6.2 break OpenPGP when RSA keys are used" on Feb 16, 2024
@adevine
Author

adevine commented Feb 16, 2024

Thanks @chazcross , I updated the title and also added a minimal test case to the description.

@sharmankita

My production server uses NodeJS 18.19.1. It is working fine on my local machine, as I had NodeJS 18.19.0 there. I am not able to find 18.19.0 in Docker images, and I cannot downgrade it further because a few functionalities don't work on lower versions. What can I do to make this work on production? It's super critical for me to fix it. Can anyone please guide me on what I can do here?

@larabr
Collaborator

larabr commented Feb 19, 2024

Thanks for the detailed report -- we are going to release a patch of OpenPGP.js v5 to address this 👍

@larabr
Collaborator

larabr commented Feb 19, 2024

Fixed in v5.11.1 (just released).
