Address Node 20 compatibility

- use pure RSA implementation (not native) for decryption; Node 20 deprecates it due to CVE-2023-46809
Keeper-Security · Jan 20, 2025 · de5ed76 · de5ed76
1 parent 4af0223
commit de5ed76
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 11 deletions.
diff --git a/keeperapi/package-lock.json b/keeperapi/package-lock.json
diff --git a/keeperapi/package.json b/keeperapi/package.json
@@ -1,7 +1,7 @@
 {
   "name": "@keeper-security/keeperapi",
   "description": "Keeper API Javascript SDK",
-  "version": "16.0.67",
+  "version": "16.0.68",
   "browser": "dist/index.es.js",
   "main": "dist/index.cjs.js",
   "types": "dist/node/index.d.ts",

diff --git a/keeperapi/src/node/platform.ts b/keeperapi/src/node/platform.ts
@@ -224,14 +224,11 @@ export const nodePlatform: Platform = class {
     }
 
     static privateDecrypt(data: Uint8Array, key: Uint8Array): Uint8Array {
-        return crypto.privateDecrypt({
-            key: crypto.createPrivateKey({
-                key: Buffer.from(key),
-                type: 'pkcs1',
-                format: 'der',
-            }),
-            padding: RSA_PKCS1_PADDING
-        }, data);
+        const rsaPrivateKey = new NodeRSA(Buffer.from(key), 'pkcs1-private-der', {
+          encryptionScheme: 'pkcs1'
+        })
+        rsaPrivateKey.setOptions({environment: 'browser'}) // use pure implementation, not native (CVE-2023-46809)
+        return rsaPrivateKey.decrypt(Buffer.from(data))
     }
 
     static async privateDecryptEC(data: Uint8Array, privateKey: Uint8Array, publicKey?: Uint8Array, id?: Uint8Array, useHKDF?: boolean): Promise<Uint8Array> {