RSA_PKCS1_PADDING is no longer supported for private decryption

Summary


I am using the native Node crypto module to decrypt data using the PKCS1 padding scheme in a Next.js serverless function. I am getting this error on production deployments. (It is working in the local dev environment.) The error message says this can be "reverted", but where do I actually pass that argument in a production deployment?

TypeError: RSA_PKCS1_PADDING is no longer supported for private decryption, this can be reverted with --security-revert=CVE-2023-46809
at Object.privateDecrypt (node:internal/crypto/cipher:79:12)
at handler (/var/task/.next/server/pages/api/admin/captureUpi.js:99:80)
at Object.apiResolver (/var/task/node_modules/next/dist/server/api-utils/node.js:363:15)
at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
at async NextNodeServer.runApi (/var/task/node_modules/next/dist/server/next-server.js:487:9)
at async Object.fn (/var/task/node_modules/next/dist/server/next-server.js:749:37)
at async Router.execute (/var/task/node_modules/next/dist/server/router.js:253:36)
at async NextNodeServer.run (/var/task/node_modules/next/dist/server/base-server.js:384:29)
at async NextNodeServer.handleRequest (/var/task/node_modules/next/dist/server/base-server.js:322:20)
at async Server.<anonymous> (/var/task/___next_launcher.cjs:26:5) {
code: 'ERR_INVALID_ARG_VALUE'
}
Node.js process exited with exit status: 1. The logs above can help with debugging the issue.
Unknown application error occurred

Solution

UPDATE: Found a workaround by using NodeRSA and setting the environment to browser. (It will use the Node crypto library with the CVE by default.)

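import NodeRSA from "node-rsa";

// The private key is stored base64-encoded in the PRIVATE_KEY environment variable.
const privateKeyString = Buffer.from(
  process.env.PRIVATE_KEY ?? "",
  "base64",
).toString("utf8");

const privateKey = new NodeRSA(privateKeyString);
// environment: "browser" selects node-rsa's own JavaScript implementation
// instead of Node's crypto.privateDecrypt, which rejects PKCS1 padding.
privateKey.setOptions({ encryptionScheme: "pkcs1", environment: "browser" });

// encryptedBody is the ciphertext received by the handler (not defined in this snippet).
const decryptedRequestData = privateKey
  .decrypt(encryptedBody)
  .toString("utf8");

console.log("decryptedRequestData", decryptedRequestData);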
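
Where the sender can change its padding, RSA-OAEP through Node's own crypto module is not affected by the CVE-2023-46809 change and needs neither the revert flag nor a second RSA library. The following is an added example, not code from the original post: the key pair, sample payload and function names are constructed for the demo, and it assumes both sides agree on OAEP with SHA-256.

```javascript
const crypto = require("node:crypto");

// Constructed throwaway key pair; in the handler the private key would come
// from PRIVATE_KEY and the sender would hold the matching public key.
const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", {
  modulusLength: 2048,
});

// Both sides must agree on the padding and the OAEP hash.
const OAEP = {
  padding: crypto.constants.RSA_PKCS1_OAEP_PADDING,
  oaepHash: "sha256",
};

// Sender side: encrypt a UTF-8 string to the receiver's public key.
function encryptOaep(plaintext) {
  return crypto.publicEncrypt({ key: publicKey, ...OAEP }, Buffer.from(plaintext, "utf8"));
}

// Receiver side: returns the plaintext, or null when the ciphertext is
// rejected (wrong key, wrong padding, or modified in transit).
function decryptOaep(ciphertext) {
  try {
    return crypto.privateDecrypt({ key: privateKey, ...OAEP }, ciphertext).toString("utf8");
  } catch {
    return null;
  }
}

// Startup probe: does this runtime still accept PKCS#1 v1.5 private decryption?
// Runtimes with the CVE-2023-46809 change throw ERR_INVALID_ARG_VALUE.
function pkcs1v15DecryptAllowed() {
  const padding = crypto.constants.RSA_PKCS1_PADDING;
  const probe = crypto.publicEncrypt({ key: publicKey, padding }, Buffer.from("probe"));
  try {
    crypto.privateDecrypt({ key: privateKey, padding }, probe);
    return true;
  } catch (err) {
    if (err.code === "ERR_INVALID_ARG_VALUE") return false;
    throw err;
  }
}

// Constructed sample payload.
const sample = encryptOaep('{"status":"ok"}');
console.log("OAEP round trip:", decryptOaep(sample));
console.log("PKCS#1 v1.5 decrypt allowed here:", pkcs1v15DecryptAllowed());
```

Running the probe in both the local and the production runtime shows which of them carries the change, which explains a difference like the one described in the question.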