User API keys should use OAEP padding

simon · June 1, 2024, 7:00am

A minor issue and maybe a bigger one:

There’s a required nonce param that’s not mentioned in the documentation:

  def require_params
    %i[public_key nonce scopes client_id application_name].each { |p| params.require(p) }
  end

Now the trickier issue. Discourse calls the public_encrypt method with no arguments:

github.com/discourse/discourse

app/controllers/user_api_keys_controller.rb

main


      
          key =
            @client.keys.create!(
              user_id: current_user.id,
              push_url: params[:push_url],
              scopes: scopes.map { |name| UserApiKeyScope.new(name: name) },
            )
          
          # we keep the payload short so it encrypts easily with public key
          # it is often restricted to 128 chars
          @payload = {
            key: key.key,
            nonce: params[:nonce],
            push: key.has_push?,
            api: AUTH_API_VERSION,
          }.to_json
          
          public_key_str = @client.public_key.present? ? @client.public_key : params[:public_key]
          public_key = OpenSSL::PKey::RSA.new(public_key_str)
          @payload = Base64.encode64(public_key.public_encrypt(@payload))
          
          if scopes.include?("one_time_password")

That means the padding argument defaults to PKCS1_PADDING. From the Ruby documentation:

Encrypt string with the public key. padding defaults to PKCS1_PADDING, which is known to be insecure but is kept for backwards compatibility.

Unfortunately, Node v20.14.0 (the current LTS) returns an error if you attempt to call crypto.privateDecrypt with RSA_PKCS1_PADDING :

function decryptData(data: string, privateKey: string) {
  const buffer = Buffer.from(data, "base64");
  const decrypted = crypto.privateDecrypt(
    {
      key: privateKey,
      padding: crypto.constants.RSA_PKCS1_PADDING,
    },
    buffer
  );
  return decrypted.toString("utf8");
}

TypeError: RSA_PKCS1_PADDING is no longer supported for private decryption, this can be reverted with --security-revert=CVE-2023-46809

A possible fix for Node apps is to run Node with the insecure flag:

node --security-revert=CVE-2023-46809

A fix on the Discourse end would be easy, but I suspect it would break a lot of existing integrations:

public_key = OpenSSL::PKey::RSA.new(params[:public_key])
@payload = Base64.encode64(public_key.public_encrypt(@payload, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING))

mqmenchaca · February 14, 2025, 10:31pm

@simon Yes this is definitely causing problems with Node v22. It would be great to not revert security patches. It would be nice to set a flag in the API call or site setting in Discourse to choose the desired padding. (That way people can keep the existing default if they would like.)

mqmenchaca · February 15, 2025, 1:11am

Roughly following the steps here using NodeRSA works

github.com/rzcoder/node-rsa

I can't decrypt unencrypted

opened 07:29PM - 17 Apr 22 UTC

alantoledo007

I created a helper to get the public and private key. The pems files have been c…reated with `new NodeRSA ({b:1024})`: ```js const fs = require("fs"); const NodeRSA = require("node-rsa"); const getKeys = () => { const publicPem = fs.readFileSync("./public.pem", "utf8"); const privatePem = fs.readFileSync("./private.pem", "utf8"); const privateKey = new NodeRSA(privatePem); const publicKey = new NodeRSA(publicPem); return { privateKey, publicKey, privatePem, publicPem, }; }; const RSA = { getKeys, }; module.exports = { RSA }; ``` i can encrypt with `publicKey.encrypt(data, "base64")`. And, i can decrypt with `privateKey.decrypt(encryptedData,'utf8')`. but... I can't decrypt if I didn't create any encryption before. Just to give you an idea, I have to do this for the decryption to work: ```js publicKey.encrypt(""); //bug const decryptedData= privateKey.decrypt(encryptedRSA, "utf8"); ``` without ` publicKey.encrypt(""); //bug` the terminal returns next error: ``` throw Error('Error during decryption (probably incorrect key). Original error: ' + e); ^ Error: Error during decryption (probably incorrect key). Original error: Error: error:25078067:DSO support routines:win32_load:could not load the shared library at NodeRSA.module.exports.NodeRSA.$$decryptKey (C:\....\project-name\node_modules\node-rsa\src\NodeRSA.js:301:19) at NodeRSA.module.exports.NodeRSA.decrypt (C:\...\project-name\node_modules\node-rsa\src\NodeRSA.js:249:21) at Object.decrypt (C:\....\MyHelper.js:20:38) at Object.<anonymous> (C:\...\index.js:7:37) at Module._compile (node:internal/modules/cjs/loader:1103:14) at Object.Module._extensions..js (node:internal/modules/cjs/loader:1157:10) at Module.load (node:internal/modules/cjs/loader:981:32) at Function.Module._load (node:internal/modules/cjs/loader:822:12) at Function.executeUserEntryPoint [as runMain] (node:internal/modules/run_main:77:12) at node:internal/main/run_main_module:17:47 ``` npm v8.6.0 node v16.14.2 node-rsa v1.1.1 # Summary ```js // Works const encryptedData = publicKey.encrypt(data, "base64"); const decryptedData = privateKey.decrypt(encryptedData , "utf8"); ``` ```js // Not works // const encryptedData = publicKey.encrypt(data, "base64"); const decryptedData = privateKey.decrypt("your base64 encryption", "utf8"); ``` ```js // Works publicKey.encrypt(""); const decryptedData = privateKey.decrypt("your base64 encryption", "utf8"); ``` reproduce error: 1. Encrypt anything. 2. Copy the encrypted result. 3. remove or comment out the lines of code that do the encryption 4. try decrypt. (not works)

mqmenchaca · February 19, 2025, 3:31pm

This seems like a pretty simple addition?

github.com/discourse/discourse

Add PKCS1_OAEP_PADDING option to UserAPIKeySpec

main ← qmenchaca:AddOAEPPaddingToUserApiKey

opened 03:30PM - 19 Feb 25 UTC

qmenchaca

+7 -1

This commit adds a new site setting to the User API Keys options. The padding op…tion specified here will be used to encrypt the user api key created and sent back to the client. The default, PKCS1_PADDING, is the value currently in place (so existing) integrations won't break),but if a user chooses to use PKCS1_OAEP_PADDING, they can implement it and use it as they see fit.

sam · February 24, 2025, 6:17am

I get that OAEP is recommended for new apps being CCA / Bleichenbach attack resistant. Node forcing our hand here is a bit sad, but I guess this is a “greater good” kind of thing.

I am extremely concerned about making this yet another toggle for a Discourse admin to reason about, that is a nightmare.

Instead we would need to fix Discourse Hub to support the new and old flavors concurrently, have something about our API signal the “version” of the public key.

It is a complicated change that runs through quite a few systems. The fix you proposed is a problem cause then Discourse Hub will stop working for admins that flick to that mode.

mqmenchaca · February 24, 2025, 7:44pm

Thanks for the added context.

To be clear, this is something I have issues it when doing local development. But when connecting to our resources deployed to AWS EC2 instances, it isn’t an issue. I’m guessing their version of Node has some behind-the-scenes customizations or versioning where the crypto library doesn’t have this problem.

pmusaraj · February 24, 2025, 10:09pm

Coming in cold here but that error seems incorrect. This isn’t a feature that was removed in Node, it’s an issue with some OpenSSL installation. From the Node docs:

Using crypto.constants.RSA_PKCS1_PADDING in crypto.privateDecrypt() requires OpenSSL to support implicit rejection (rsa_pkcs1_implicit_rejection).

See also [Bug]: RSA_PKCS1_PADDING is no longer supported for private decryption · Issue #487 · bropat/eufy-security-client · GitHub

Testing locally, this works for me: An example of RSA Encryption implemented in Node.js · GitHub even when I switch to using crypto.constants.RSA_PKCS1_PADDING for the padding for both encryption and decryption. I am on OpenSSL 3.4.0 and Node 23.6.1.

The tricky thing with using a site setting is that clients won’t know which padding the specific instance is supporting. That makes compatibility across instances/services harder to understand.

I think we should clarify the existing implementation, i.e. explicitly note that we are using RSA_PKCS1_PADDING and then think about an upgrade. Maybe we need to introduce versioning to this endpoint, so that clients can neatly use the right padding before/after said version.

simon · February 24, 2025, 11:33pm

For context, this isn’t a feature request by me, it’s just an observation I made in June of last year.

Topic		Replies	Views
Can true private messages be implemented? Feature	29	5469	March 9, 2020
Authentication Protocol re: App Integration Dev	16	2172	March 31, 2020
User API keys specification Integrations rest-api , reference	65	32235	February 24, 2025
Adding command line tools support for user api keys Dev	23	3442	January 4, 2019
Using a certificate when Discourse is installed behind a reverse proxy Installation unsupported-install	24	4757	May 17, 2019

User API keys should use OAEP padding

Related topics