Commit 772d45a

feat!: dropped supporting RSA_PKCS1_PADDING
1 parent a80cba3 commit 772d45a

3 files changed

Lines changed: 18 additions & 19 deletions

README.md

Lines changed: 4 additions & 7 deletions
@@ -552,15 +552,12 @@ Q: `APIv3`上请求参数敏感信息如何加密?返回参数敏感信息如
552552

553553
> 接口区分国内版还是国际版,国内版的`RSA`填充方案是`RSA_PKCS1_OAEP_PADDING`,方法如下:
554554
>
555-
> 请求字段需要密文的,加密方法: `Rsa.encrypt('原始信息', Rsa.from(platformPublicKeyFilePath, Rsa.KEY_TYPE_PUBLIC), Rsa.RSA_PKCS1_OAEP_PADDING)`
555+
> 加密: `Rsa.encrypt('原始信息', Rsa.from(platformPublicKeyFilePath, Rsa.KEY_TYPE_PUBLIC), Rsa.RSA_PKCS1_OAEP_PADDING)`
556556
>
557-
> 返回字段需要明文的,解密方法: `Rsa.decrypt('密文base64', Rsa.from(merchantPrivateKeyFilePath, Rsa.KEY_TYPE_PRIVATE), Rsa.RSA_PKCS1_OAEP_PADDING)`
557+
> 解密: `Rsa.decrypt('密文base64', Rsa.from(merchantPrivateKeyFilePath, Rsa.KEY_TYPE_PRIVATE), Rsa.RSA_PKCS1_OAEP_PADDING)`
558558
>
559-
> 国际版的`RSA`填充方案是`RSA_PKCS1_PADDING`(不是所有node版本都支持),方法如下:
560-
>
561-
> 请求字段需要密文的,加密方法: `Rsa.encrypt('原始信息', Rsa.from(platformCertificateFilePath, Rsa.KEY_TYPE_PUBLIC), Rsa.RSA_PKCS1_PADDING)`
562-
>
563-
> 返回字段需要明文的,解密方法: `Rsa.decrypt('密文base64', Rsa.from(merchantPrivateKeyFilePath, Rsa.KEY_TYPE_PRIVATE), Rsa.RSA_PKCS1_PADDING)`
559+
> 国际版`RSA`填充方案是`RSA_PKCS1_PADDING`,本类库放弃支持此种`加/解密`填充方案,同时`node18.19.0`也是最后一版默认支持`加密`的版本(延展阅读见[CVE-2023-46809](https://nodejs.org/en/blog/vulnerability/february-2024-security-releases)[这里](https://github.com/wechatpay-apiv3/wechatpay-php/issues/133)),如需使用,请自行寻替代方案。
560+
564561

565562
Q: 如何安全地在应用内使用`APIv2``APIv3`对称密钥?
566563
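Review bot: On new line 559 the two links are written back to back, `[CVE-2023-46809](...)[这里](...)`, with nothing between them, so they render as one continuous run of linked text; separate them with punctuation or a connecting word. The same sentence calls `RSA_PKCS1_PADDING` a `加/解密` padding scheme but then says `node18.19.0` is the last version that supports `加密` by default, so state explicitly which operation Node stopped supporting. Because the removed lines 559-563 were the only usage instructions for the international API, it would also help to say here that `Rsa.encrypt` and `Rsa.decrypt` now throw a `RangeError` for this padding, as the `lib/rsa.js` change shows.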

index.d.ts

Lines changed: 3 additions & 4 deletions
@@ -434,6 +434,7 @@ export namespace WechatpayAxiosPlugin {
434434
static RSA_PKCS1_OAEP_PADDING: 4;
435435
/**
436436
* Alias of the `RSA_PKCS1_PADDING` mode
437+
* @deprecated see [CVE-2023-46809](https://nodejs.org/en/blog/vulnerability/february-2024-security-releases)
437438
*/
438439
static RSA_PKCS1_PADDING: 1;
439440
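Review bot: The `@deprecated` tag added at line 437 only links the CVE and does not tell the caller that the constant can no longer be used with this class: after the `paddingModeLimitedCheck` change in `lib/rsa.js`, passing `RSA_PKCS1_PADDING` to `encrypt` or `decrypt` throws a `RangeError`. Put that consequence in the tag text so editors that surface the deprecation show more than a URL.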

@@ -453,22 +454,20 @@ export namespace WechatpayAxiosPlugin {
453454

454455
/**
455456
* Encrypts text with sha256WithRSAEncryption/RSA_PKCS1_OAEP_PADDING.
456-
* Node Limits >= 12.9.0 (`oaepHash` was added)
457457
*
458458
* @param {string} plaintext - Cleartext to encode.
459459
* @param {KeyLike} publicKey - A public key.
460-
* @param {number} [padding] - Supporting `RSA_PKCS1_OAEP_PADDING` or `RSA_PKCS1_PADDING`, default is `RSA_PKCS1_OAEP_PADDING`.
460+
* @param {number} [padding] - Supporting `RSA_PKCS1_OAEP_PADDING`, default is `RSA_PKCS1_OAEP_PADDING`.
461461
*
462462
* @returns {string} Base64-encoded ciphertext.
463463
*/
464464
static encrypt(plaintext: string, publicKey: KeyLike, padding?: number): string;
465465
/**
466466
* Decrypts base64 encoded string with `privateKey`.
467-
* Node Limits >= 12.9.0 (`oaepHash` was added)
468467
*
469468
* @param {string} ciphertext - Was previously encrypted string using the corresponding public certificate.
470469
* @param {KeyLike} privateKey - A public key.
471-
* @param {number} [padding] - Supporting `RSA_PKCS1_OAEP_PADDING` or `RSA_PKCS1_PADDING`, default is `RSA_PKCS1_OAEP_PADDING`.
470+
* @param {number} [padding] - Supporting `RSA_PKCS1_OAEP_PADDING`, default is `RSA_PKCS1_OAEP_PADDING`.
472471
*
473472
* @returns {string} Utf-8 plaintext.
474473
*/
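Review bot: `padding?: number` on `encrypt` (line 464) still lets any number, including `RSA_PKCS1_PADDING`, type-check, even though the updated `@param` text lists `RSA_PKCS1_OAEP_PADDING` as the only supported value. Narrowing the parameter to the literal type of `RSA_PKCS1_OAEP_PADDING` (declared as `4` in this file) would turn the runtime `RangeError` into a compile-time error; the `decrypt` doc block below uses the same `{number} [padding]` and would benefit equally. Two smaller points: the removed "Node Limits >= 12.9.0" lines describe the OAEP mode that is still supported, so dropping them looks unrelated to this change, and context line 469 documents `privateKey` as "A public key."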

lib/rsa.js

Lines changed: 11 additions & 8 deletions
@@ -30,13 +30,13 @@ const RULES = {
3030
};
3131

3232
/**
33-
* @param {number} code - Supporting `RSA_PKCS1_OAEP_PADDING` or `RSA_PKCS1_PADDING`, default is `RSA_PKCS1_OAEP_PADDING`.
34-
* @throws {RangeError} - While the padding isn't `RSA_PKCS1_OAEP_PADDING` nor `RSA_PKCS1_PADDING`.
33+
* @param {number} code - Supporting `RSA_PKCS1_OAEP_PADDING, default is `RSA_PKCS1_OAEP_PADDING`.
34+
* @throws {RangeError} - While the padding isn't `RSA_PKCS1_OAEP_PADDING`.
3535
* @returns {void}
3636
*/
3737
function paddingModeLimitedCheck(code) {
38-
if (!(code === RSA_PKCS1_PADDING || code === RSA_PKCS1_OAEP_PADDING)) {
39-
throw new RangeError(`Doesn't supported the padding mode(${code}), here's only support RSA_PKCS1_OAEP_PADDING or RSA_PKCS1_PADDING.`);
38+
if (code !== RSA_PKCS1_OAEP_PADDING) {
39+
throw new RangeError(`Doesn't supported the padding mode(${code}), here's only support RSA_PKCS1_OAEP_PADDING.`);
4040
}
4141
}
4242
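Review bot: The new `@param` text at line 33 is missing the closing backtick after `RSA_PKCS1_OAEP_PADDING` (it reads "Supporting `RSA_PKCS1_OAEP_PADDING, default is ..."), which breaks the inline code span in generated docs. The `RangeError` message at line 39 is the first thing callers upgrading across this breaking change will see, so it could name `RSA_PKCS1_PADDING` as no longer accepted; "Doesn't supported" should also be corrected while the string is being edited.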

@@ -46,6 +46,9 @@ function paddingModeLimitedCheck(code) {
4646
class Rsa {
4747
static RSA_PKCS1_OAEP_PADDING = RSA_PKCS1_OAEP_PADDING
4848

49+
/**
50+
* @deprecated see [CVE-2023-46809](https://nodejs.org/en/blog/vulnerability/february-2024-security-releases)
51+
*/
4952
static RSA_PKCS1_PADDING = RSA_PKCS1_PADDING
5053

5154
/** Type string of the asymmetric key */
@@ -124,10 +127,10 @@ class Rsa {
124127
*
125128
* @param {string} plaintext - Cleartext to encode.
126129
* @param {KeyLike} publicKey - The `RsaPublicKey`.
127-
* @param {number} [padding = RSA_PKCS1_OAEP_PADDING] - Value of the `RSA_PKCS1_OAEP_PADDING` or `RSA_PKCS1_PADDING`, default is `RSA_PKCS1_OAEP_PADDING`.
130+
* @param {number} [padding = RSA_PKCS1_OAEP_PADDING] - Value of the `RSA_PKCS1_OAEP_PADDING, default is `RSA_PKCS1_OAEP_PADDING`.
128131
*
129132
* @returns {string} Base64-encoded ciphertext.
130-
* @throws {RangeError} - While the padding isn't `RSA_PKCS1_OAEP_PADDING` nor `RSA_PKCS1_PADDING`.
133+
* @throws {RangeError} - While the padding isn't `RSA_PKCS1_OAEP_PADDING`.
131134
*/
132135
static encrypt(plaintext, publicKey, padding = RSA_PKCS1_OAEP_PADDING) {
133136
paddingModeLimitedCheck(padding);
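Review bot: Line 130 has an unclosed backtick in the `@param` text: "Value of the `RSA_PKCS1_OAEP_PADDING, default is ..." needs a closing backtick before the comma. With a single accepted value left, the description could simply say the argument must be `RSA_PKCS1_OAEP_PADDING`, which is also the default.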
@@ -143,10 +146,10 @@ class Rsa {
143146
*
144147
* @param {string} ciphertext - Was previously encrypted string using the corresponding public certificate.
145148
* @param {KeyLike} privateKey - The `RsaPrivateKey`.
146-
* @param {number} [padding = RSA_PKCS1_OAEP_PADDING] - Value of the `RSA_PKCS1_OAEP_PADDING` or `RSA_PKCS1_PADDING`, default is `RSA_PKCS1_OAEP_PADDING`.
149+
* @param {number} [padding = RSA_PKCS1_OAEP_PADDING] - Value of the `RSA_PKCS1_OAEP_PADDING, default is `RSA_PKCS1_OAEP_PADDING`.
147150
*
148151
* @returns {string} Utf-8 plaintext.
149-
* @throws {RangeError} - While the padding isn't `RSA_PKCS1_OAEP_PADDING` nor `RSA_PKCS1_PADDING`.
152+
* @throws {RangeError} - While the padding isn't `RSA_PKCS1_OAEP_PADDING`.
150153
*/
151154
static decrypt(ciphertext, privateKey, padding = RSA_PKCS1_OAEP_PADDING) {
152155
paddingModeLimitedCheck(padding);
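Review bot: No test accompanies the behaviour change to `encrypt` and `decrypt`: the commit touches only `README.md`, `index.d.ts` and `lib/rsa.js`, so nothing visible here asserts that calling either method with `Rsa.RSA_PKCS1_PADDING` now throws a `RangeError`. Add one case per method. Line 149 also repeats the unclosed backtick after `RSA_PKCS1_OAEP_PADDING` in the `@param` text.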
