Added environment: 'browser' to NodeRSA instances as workaround for CVE.

jlkalberer · jlkalberer · commit 68084b78d1be · 2025-06-28T16:30:34.000-07:00
This change may make the encryption/decryption slower but it's necessary until Node supports SSL 3.2+
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@brewskey/spark-server",
-  "version": "1.0.11",
+  "version": "1.0.12",
   "license": "AGPL-3.0",
   "repository": {
     "type": "git",
@@ -144,4 +144,4 @@
     "@nx/nx-linux-x64-musl": "16.8.1",
     "@nx/nx-win32-x64-msvc": "16.8.1"
   }
-}
+}
diff --git a/packages/particle-collider/package.json b/packages/particle-collider/package.json
@@ -7,6 +7,7 @@
     "start": "ts-node ./src/index.ts",
     "build": "tsc --noEmit"
   },
+  "private": "true",
   "repository": {
     "type": "git",
     "url": "git+https://github.com/Brewskey/particle-collider.git"
@@ -29,4 +30,4 @@
     "ts-node": "^10.9.2",
     "typescript": "^5.3.3"
   }
-}
+}
diff --git a/packages/particle-collider/src/lib/CryptoManager.ts b/packages/particle-collider/src/lib/CryptoManager.ts
@@ -22,20 +22,24 @@ class CryptoManager {
     CryptoManager._serverKey = new NodeRSA(keyString, 'pkcs8-public-pem', {
       encryptionScheme: 'pkcs1',
       signingScheme: 'pkcs1',
+      environment: 'browser',
     });
   }
 
   static loadPrivateKey(keyString: string): NodeRSA {
     return new NodeRSA(keyString, undefined, {
       encryptionScheme: 'pkcs1',
       signingScheme: 'pkcs1',
+      environment: 'browser',
     });
   }
 
   static createKey(): NodeRSA {
-    return new NodeRSA({
+    const rsa = new NodeRSA({
       b: 1024,
     });
+    rsa.setOptions({ environment: 'browser' }); //By default it will use the node crypto library with the CVE
+    return rsa;
   }
 
   static randomBytes(count: number): Buffer {
diff --git a/packages/spark-protocol/package.json b/packages/spark-protocol/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@brewskey/spark-protocol",
-  "version": "1.0.11",
+  "version": "1.0.12",
   "main": "./dist/index.js",
   "repository": {
     "type": "git",
@@ -89,4 +89,4 @@
     "ts-node": "^10.9.2",
     "typescript": "^5.3.3"
   }
-}
+}
diff --git a/packages/spark-protocol/src/lib/CryptoManager.ts b/packages/spark-protocol/src/lib/CryptoManager.ts
@@ -55,6 +55,7 @@ class CryptoManager {
 
   async _createServerKeys(): Promise<NodeRSA> {
     const privateKey = new NodeRSA({ b: 2048 });
+    privateKey.setOptions({ environment: 'browser' }); //By default it will use the node crypto library with the CVE
 
     await this._serverKeyRepository.createKeys(
       Buffer.from(privateKey.exportKey('pkcs1-private-pem')),
@@ -74,6 +75,7 @@ class CryptoManager {
     return new NodeRSA(privateKeyString, undefined, {
       encryptionScheme: 'pkcs1',
       signingScheme: 'pkcs1',
+      environment: 'browser',
     });
   }
 
@@ -114,6 +116,7 @@ class CryptoManager {
     try {
       return this._serverPrivateKey.decrypt(data);
     } catch (error) {
+      console.error(error);
       return null;
     }
   }
diff --git a/packages/spark-protocol/src/lib/DeviceKey.ts b/packages/spark-protocol/src/lib/DeviceKey.ts
@@ -11,6 +11,7 @@ class DeviceKey {
       this._nodeRsa = new NodeRSA(pemString, 'pkcs8-public-pem', {
         encryptionScheme: 'pkcs1',
         signingScheme: 'pkcs1',
+        environment: 'browser',
       });
     } catch (_) {
       this._ecKey = new ECKey(pemString, 'pem');
diff --git a/packages/spark-protocol/src/lib/Handshake.ts b/packages/spark-protocol/src/lib/Handshake.ts
@@ -212,7 +212,6 @@ class Handshake {
     deviceProvidedPem: string | null | undefined;
   }> {
     const decryptedHandshakeData = this._cryptoManager.decrypt(data);
-
     if (!decryptedHandshakeData) {
       throw new Error(
         'handshake data decryption failed. ' +
@@ -252,6 +251,7 @@ class Handshake {
 
     const deviceProvidedPem = this._convertDERtoPEM(deviceKeyBuffer);
     const deviceID = deviceIDBuffer.toString('hex');
+    console.log('decrypted', { deviceID, deviceProvidedPem });
 
     return { deviceID, deviceProvidedPem };
   }
diff --git a/src/__tests__/WebhookManager.test.ts b/src/__tests__/WebhookManager.test.ts
@@ -14,7 +14,8 @@ import { CoreOptions, UrlOptions } from 'request';
 const WEBHOOK_BASE: Webhook = {
   event: 'test-event',
   requestType: 'POST',
-  url: 'https://webhook.site/7d7dff97-b980-4d36-a4ed-ac7e94cc0c0f',
+  // TODO - use supertest or something for a mock server. This API will break whenever they decide to clean up old webhooks
+  url: 'https://webhook.site/fb2d5641-92c6-4b1d-9df9-4fbccfd22aa6',
   created_at: new Date(),
   id: 'test-id',
   ownerID: 'test-owner-id',
diff --git a/src/__tests__/setup/TestData.ts b/src/__tests__/setup/TestData.ts
@@ -65,6 +65,7 @@ class TestData {
 
   static getPublicKey: () => string = (): string => {
     const key = new NodeRSA({ b: 1024 });
+    key.setOptions({ environment: 'browser' }); //By default it will use the node crypto library with the CVE
 
     return key.exportKey('pkcs8-public-pem');
   };
diff --git a/src/global.d.ts b/src/global.d.ts
@@ -65,15 +65,6 @@ declare module 'ec-key' {
   }
   export = ECKey;
 }
-declare module 'node-rsa' {
-  class NodeRSA {
-    constructor(publicKey: string | { b: number });
-    isPublic: () => boolean;
-
-    exportKey: (format: string) => string;
-  }
-  export = NodeRSA;
-}
 declare module 'basic-auth-parser' {
   function AuthParser(param: string | undefined): {
     username: string;
diff --git a/src/managers/DeviceManager.ts b/src/managers/DeviceManager.ts
@@ -348,6 +348,8 @@ class DeviceManager {
     } else {
       try {
         const createdKey = new NodeRSA(publicKey);
+        createdKey.setOptions({ environment: 'browser' }); //By default it will use the node crypto library with the CVE
+
         if (!createdKey.isPublic()) {
           throw new HttpError('Not a public key');
         }

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "@brewskey/spark-server",`
`3`		`- "version": "1.0.11",`
	`3`	`+ "version": "1.0.12",`
`4`	`4`	`"license": "AGPL-3.0",`
`5`	`5`	`"repository": {`
`6`	`6`	`"type": "git",`
`@@ -144,4 +144,4 @@`
`144`	`144`	`"@nx/nx-linux-x64-musl": "16.8.1",`
`145`	`145`	`"@nx/nx-win32-x64-msvc": "16.8.1"`
`146`	`146`	`}`
`147`		`-}`
	`147`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "@brewskey/spark-protocol",`
`3`		`- "version": "1.0.11",`
	`3`	`+ "version": "1.0.12",`
`4`	`4`	`"main": "./dist/index.js",`
`5`	`5`	`"repository": {`
`6`	`6`	`"type": "git",`
`@@ -89,4 +89,4 @@`
`89`	`89`	`"ts-node": "^10.9.2",`
`90`	`90`	`"typescript": "^5.3.3"`
`91`	`91`	`}`
`92`		`-}`
	`92`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -55,6 +55,7 @@ class CryptoManager {`
`55`	`55`
`56`	`56`	`async _createServerKeys(): Promise<NodeRSA> {`
`57`	`57`	`const privateKey = new NodeRSA({ b: 2048 });`
	`58`	`+ privateKey.setOptions({ environment: 'browser' }); //By default it will use the node crypto library with the CVE`
`58`	`59`
`59`	`60`	`await this._serverKeyRepository.createKeys(`
`60`	`61`	`Buffer.from(privateKey.exportKey('pkcs1-private-pem')),`
`@@ -74,6 +75,7 @@ class CryptoManager {`
`74`	`75`	`return new NodeRSA(privateKeyString, undefined, {`
`75`	`76`	`encryptionScheme: 'pkcs1',`
`76`	`77`	`signingScheme: 'pkcs1',`
	`78`	`+ environment: 'browser',`
`77`	`79`	`});`
`78`	`80`	`}`
`79`	`81`
`@@ -114,6 +116,7 @@ class CryptoManager {`
`114`	`116`	`try {`
`115`	`117`	`return this._serverPrivateKey.decrypt(data);`
`116`	`118`	`} catch (error) {`
	`119`	`+ console.error(error);`
`117`	`120`	`return null;`
`118`	`121`	`}`
`119`	`122`	`}`