
Commit de5ed76

committed
Address Node 20 compatibility
- use pure RSA implementation (not native) for decryption; Node 20 deprecates it due to CVE-2023-46809
1 parent 4af0223 commit de5ed76


3 files changed

+8
-11
lines changed


keeperapi/package-lock.json

Lines changed: 2 additions & 2 deletions

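--- a/keeperapi/package.json
+++ b/keeperapi/package.json
@@ -1,7 +1,7 @@
 {
 "name": "@keeper-security/keeperapi",
 "description": "Keeper API Javascript SDK",
-"version": "16.0.67",
+"version": "16.0.68",
 "browser": "dist/index.es.js",
 "main": "dist/index.cjs.js",
 "types": "dist/node/index.d.ts",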

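--- a/keeperapi/src/node/platform.ts
+++ b/keeperapi/src/node/platform.ts
@@ -224,14 +224,11 @@ export const nodePlatform: Platform = class {
 }
 
 static privateDecrypt(data: Uint8Array, key: Uint8Array): Uint8Array {
-return crypto.privateDecrypt({
-key: crypto.createPrivateKey({
-key: Buffer.from(key),
-type: 'pkcs1',
-format: 'der',
-}),
-padding: RSA_PKCS1_PADDING
-}, data);
+const rsaPrivateKey = new NodeRSA(Buffer.from(key), 'pkcs1-private-der', {
+encryptionScheme: 'pkcs1'
+})
+rsaPrivateKey.setOptions({environment: 'browser'}) // use pure implementation, not native (CVE-2023-46809)
+return rsaPrivateKey.decrypt(Buffer.from(data))
 }
 
 static async privateDecryptEC(data: Uint8Array, privateKey: Uint8Array, publicKey?: Uint8Array, id?: Uint8Array, useHKDF?: boolean): Promise<Uint8Array> {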
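Review bot: Forcing node-rsa's pure-JS path in `privateDecrypt` with `setOptions({environment: 'browser'})` brings back RSA PKCS#1 v1.5 decryption that Node no longer accepts through `crypto.privateDecrypt` because of CVE-2023-46809, but it does not remove the padding-oracle timing concern behind that CVE; a JavaScript big-integer implementation is unlikely to be constant-time, so the exposure is probably no smaller than with the native call. The trailing comment reads as if the CVE were fixed here, and I would reword it to `// pure-JS RSA: Node rejects RSA_PKCS1_PADDING in crypto.privateDecrypt (CVE-2023-46809); PKCS#1 v1.5 timing risk remains, do not expose decrypt failures or timing to remote callers`. `decrypt` presumably throws on malformed padding, so it is worth confirming that every caller maps such failures to one generic error rather than a distinguishable one. Longer term, moving these keys to OAEP or to the `privateDecryptEC` path would retire the construct altogether. The enclosing class begins before the hunk and `privateDecryptEC` continues past it.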
