User API keys should use OAEP padding

simon · June 1, 2024, 7:00am

A minor issue and maybe a bigger one:

There’s a required nonce param that’s not mentioned in the documentation:

  def require_params
    %i[public_key nonce scopes client_id application_name].each { |p| params.require(p) }
  end

Now the trickier issue. Discourse calls the public_encrypt method with no arguments:

github.com/discourse/discourse

app/controllers/user_api_keys_controller.rb

main


      
          key =
            @client.keys.create!(
              user_id: current_user.id,
              push_url: params[:push_url],
              scopes: scopes.map { |name| UserApiKeyScope.new(name: name) },
            )
          
          # we keep the payload short so it encrypts easily with public key
          # it is often restricted to 128 chars
          @payload = {
            key: key.key,
            nonce: params[:nonce],
            push: key.has_push?,
            api: AUTH_API_VERSION,
          }.to_json
          
          public_key_str = @client.public_key.present? ? @client.public_key : params[:public_key]
          public_key = OpenSSL::PKey::RSA.new(public_key_str)
          @payload = Base64.encode64(public_key.public_encrypt(@payload))
          
          if scopes.include?("one_time_password")

That means the padding argument defaults to PKCS1_PADDING. From the Ruby documentation:

Encrypt string with the public key. padding defaults to PKCS1_PADDING, which is known to be insecure but is kept for backwards compatibility.

Unfortunately, Node v20.14.0 (the current LTS) returns an error if you attempt to call crypto.privateDecrypt with RSA_PKCS1_PADDING :

function decryptData(data: string, privateKey: string) {
  const buffer = Buffer.from(data, "base64");
  const decrypted = crypto.privateDecrypt(
    {
      key: privateKey,
      padding: crypto.constants.RSA_PKCS1_PADDING,
    },
    buffer
  );
  return decrypted.toString("utf8");
}

TypeError: RSA_PKCS1_PADDING is no longer supported for private decryption, this can be reverted with --security-revert=CVE-2023-46809

A possible fix for Node apps is to run Node with the insecure flag:

node --security-revert=CVE-2023-46809

A fix on the Discourse end would be easy, but I suspect it would break a lot of existing integrations:

public_key = OpenSSL::PKey::RSA.new(params[:public_key])
@payload = Base64.encode64(public_key.public_encrypt(@payload, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING))

mqmenchaca · February 14, 2025, 10:31pm

@simon Yes this is definitely causing problems with Node v22. It would be great to not revert security patches. It would be nice to set a flag in the API call or site setting in Discourse to choose the desired padding. (That way people can keep the existing default if they would like.)

mqmenchaca · February 15, 2025, 1:11am

Roughly following the steps here using NodeRSA works

github.com/rzcoder/node-rsa

I can't decrypt unencrypted

opened 07:29PM - 17 Apr 22 UTC

alantoledo007

I created a helper to get the public and private key. The pems files have been c…reated with `new NodeRSA ({b:1024})`: ```js const fs = require("fs"); const NodeRSA = require("node-rsa"); const getKeys = () => { const publicPem = fs.readFileSync("./public.pem", "utf8"); const privatePem = fs.readFileSync("./private.pem", "utf8"); const privateKey = new NodeRSA(privatePem); const publicKey = new NodeRSA(publicPem); return { privateKey, publicKey, privatePem, publicPem, }; }; const RSA = { getKeys, }; module.exports = { RSA }; ``` i can encrypt with `publicKey.encrypt(data, "base64")`. And, i can decrypt with `privateKey.decrypt(encryptedData,'utf8')`. but... I can't decrypt if I didn't create any encryption before. Just to give you an idea, I have to do this for the decryption to work: ```js publicKey.encrypt(""); //bug const decryptedData= privateKey.decrypt(encryptedRSA, "utf8"); ``` without ` publicKey.encrypt(""); //bug` the terminal returns next error: ``` throw Error('Error during decryption (probably incorrect key). Original error: ' + e); ^ Error: Error during decryption (probably incorrect key). Original error: Error: error:25078067:DSO support routines:win32_load:could not load the shared library at NodeRSA.module.exports.NodeRSA.$$decryptKey (C:\....\project-name\node_modules\node-rsa\src\NodeRSA.js:301:19) at NodeRSA.module.exports.NodeRSA.decrypt (C:\...\project-name\node_modules\node-rsa\src\NodeRSA.js:249:21) at Object.decrypt (C:\....\MyHelper.js:20:38) at Object.<anonymous> (C:\...\index.js:7:37) at Module._compile (node:internal/modules/cjs/loader:1103:14) at Object.Module._extensions..js (node:internal/modules/cjs/loader:1157:10) at Module.load (node:internal/modules/cjs/loader:981:32) at Function.Module._load (node:internal/modules/cjs/loader:822:12) at Function.executeUserEntryPoint [as runMain] (node:internal/modules/run_main:77:12) at node:internal/main/run_main_module:17:47 ``` npm v8.6.0 node v16.14.2 node-rsa v1.1.1 # Summary ```js // Works const encryptedData = publicKey.encrypt(data, "base64"); const decryptedData = privateKey.decrypt(encryptedData , "utf8"); ``` ```js // Not works // const encryptedData = publicKey.encrypt(data, "base64"); const decryptedData = privateKey.decrypt("your base64 encryption", "utf8"); ``` ```js // Works publicKey.encrypt(""); const decryptedData = privateKey.decrypt("your base64 encryption", "utf8"); ``` reproduce error: 1. Encrypt anything. 2. Copy the encrypted result. 3. remove or comment out the lines of code that do the encryption 4. try decrypt. (not works)

mqmenchaca · February 19, 2025, 3:31pm

This seems like a pretty simple addition?

github.com/discourse/discourse

Add PKCS1_OAEP_PADDING option to UserAPIKeySpec

main ← qmenchaca:AddOAEPPaddingToUserApiKey

opened 03:30PM - 19 Feb 25 UTC

qmenchaca

+7 -1

This commit adds a new site setting to the User API Keys options. The padding op…tion specified here will be used to encrypt the user api key created and sent back to the client. The default, PKCS1_PADDING, is the value currently in place (so existing) integrations won't break),but if a user chooses to use PKCS1_OAEP_PADDING, they can implement it and use it as they see fit.

sam · February 24, 2025, 6:17am

I get that OAEP is recommended for new apps being CCA / Bleichenbach attack resistant. Node forcing our hand here is a bit sad, but I guess this is a “greater good” kind of thing.

I am extremely concerned about making this yet another toggle for a Discourse admin to reason about, that is a nightmare.

Instead we would need to fix Discourse Hub to support the new and old flavors concurrently, have something about our API signal the “version” of the public key.

It is a complicated change that runs through quite a few systems. The fix you proposed is a problem cause then Discourse Hub will stop working for admins that flick to that mode.

Topic		Replies	Views
Authentication Protocol re: App Integration Dev	16	2171	March 31, 2020
Adding command line tools support for user api keys Dev	23	3439	January 4, 2019
User API keys specification Integrations rest-api , reference	65	31902	February 24, 2025
Can true private messages be implemented? Feature	29	5468	March 9, 2020
Encrypted personal messages Marketplace	17	4728	December 14, 2018

User API keys should use OAEP padding

Related topics