browserify / browserify-sign Goto Github PK

Hi

Issue:

The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, 
leading '\0' bytes, or integer overflows. 

This could conceivably have a security-relevant impact if an application relied on a  
single canonical signature. I'm using Elliptic 6.5.3 version but still I'm facing this issue in my project.

Could you please let me know what could be the reason for this?

I tried npm install [email protected]
and
npm audit fix
and I played around lot of other ways but still issue persists.

Thanks

Image reference:

Note: Actually, this issue is throwing by browserify-sign. browserify-sign is internally using few packages and those packages are internally using elliptic.

Elliptic had been caught by the component security scan for our team and it seems like they have a new release version 6.5.3
Could you guys make an update to your dependency graph?

Typically, on debian openssl has a stricter set of algorithms and hashes.
Some fixtures will make the test fail, like ec.dsa.
It might be a good idea to not test them, or to catch the error and not fail here:
https://github.com/crypto-browserify/browserify-sign/blob/44a10f6edf5df9dade14cf5600392417da6f966b/test/index.js#L66

Hi,

There is a bug when I want to run crypto functions in my browser, seems to be introduced here: 92b2b83

Fortunately there is an open PR with a fix: #50

Thank you!

Hello,

there seems to be some differences between this library and Node.js, consider following code:

const bCrypto = require('./browser');
const nCrypto = require('crypto');

const key = `-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAvvjcmEFSc9CYHZ8gN5phm9xBDxEXbM/8K62Rw5TpAENI3RZr
7Ua570EL3GEJBFM5IfWjn4zlEoXdLIM4Rj4mC9TQdxsmRYr9zGL8r9/jDTwwPTTk
ApGTZWJg5og2IrVaKByXnJHQGtHEkgNS0ay3JnL8TEOUr75WujU8YRPoBCnSnFtN
vhGRgrp+4QOROtP5pW85FmQKTkYK1s0bdlJM4YCDyicFPuqo8d2+pn8uXHcmHq7C
2QJwVEOSESpSEKwwVpZ2jQws7QRb5+ELaRdH2QQQ239FZRhVrEMsNf3AOSXcNULl
W+Mp6rbwY9+xM84g5pKgGJ80i3LDqsPvdvMAcwIDAQABAoIBAB8JvHSkfT2kg+yg
jbBrz3xw9kP4H6oIPbBto9i5TYtE5EVGnSDx00tu83oMbVY+HnWGAmNul1aE2jcf
VpiYBj/7BSyuhXBdEDXVSsNc7H6cryxreblvJpkePaiKL95BQldtmjiQvFV3jW67
yoyYeSXvH1FX1IUhtt/Jwjf278kpKIhfTmshlRaSUavjZWYv4kj7qOURUTkXuZrF
yfy3jyid1lRmLzOOGsNs9EMjNMdbThLYOmhrkrMr4dM7jWby850MMTXMJxIcTlAJ
SlhPONvvJfS2D49dKVPBxMMh3DoBGsOcd6lZiy3VSRBrUHXFyI98pH7Y+2NHCjjw
SApfDI0CgYEA+raJ+kkLooZ+Sf+0chVCRlr/6XmEcvJk6VDMV2OP/2AJpWLOZLVY
R2fkC4qtnW4MTBM191l+qarPooWU2ZvAcVmP/A9341kTcawdg1NPB7GDsNEum8yL
9JVc8FU0cF4UU39U7JjoQ1rwcMhFVg8qVogyOZ/qvBY5ddJncEzFGl8CgYEAwv/Q
g40OrTxx2FHMpS7vh8rHU7qrsclhX2AdnNlvtlm/ejAB1lgaJHSUakVZtbCo2X0J
wD8dmpbibtPVYtyq/AXvRG0I9ufxh5na6F0T91ndagF+gEuDdT57OKXaBOJnKU1E
Z3GC5bYcWdtz4VX54opg1VRRWRM21zBf1oZ6+m0CgYAh85RN05SCxunVRY5/IIfg
FTSwvmcEVfT6b5msf+whLjVAM1g15ST2TohgU8BdIGkD6FoXjAQOH/aMUMCuk1wF
PZa1ELcwj4CFlURN43tBVHW7/Sftq06MqalzVmaKjQL9p7GtdKuHa4pCC6zwEY+v
NjRu/0v/epb/cKXXXF4YywKBgQCoSf66idJQ0Amwl2f2ZztyBh9gs4naNeJDXcAw
zbcLuQj3etcbFY36SGKOFKwHkh8nFDKGJ/J0qCNjYo6Wc7tdJgIJG9DQxfw8+xth
znKc1oGwKvnx3znkxbeye/BcpshBbN3MKLq/ZRuysSKhJoIycRqBAfPy3BJIRQdx
LT6VQQKBgBD/advmsuU2ElAbEkVdHqFt3yqP09oa2oBrnqc07hP8ztv/yUxUbm9Z
olkHrmkLrXwnaYVqKaUPhC6JdaXOFu8/Jv3kpbsxuBDXJ9+wOQAMbREQa6232YOn
VbDhsJpqb5CSqNlGEYidSrksQY9qgZM2LjvxGmAysDM/FZk25pZ7
-----END RSA PRIVATE KEY-----
`;

let p = Buffer.from(key, 'utf8');

let txt = "eyJhbGciOiJSUzI1NiIsInVybCI6Imh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvbmV3LWFjY3QiLCJub25jZSI6InBuTDIzaDBpR0pPYm9PcWJpdmozOGtPdmdsZTJrbVZWaF9DTXcyeExZSWc4VkMzTzdTRSIsImp3ayI6eyJlIjoiQVFBQiIsImt0eSI6IlJTQSIsIm4iOiJ1VjlEUzB4bnNfOWtYbXZlQUp2VmwxV0M3emduTFlvdnNqcDY5UldQYTJ2UFVCUm1iS1lRWlZOZXQwOTdSaWxjUXNtaEhNMTVpdDA2QUdrQ2ZiNHNZcU1aWVd0QXh0a0N3U2pKUEN1OWN4WmdoU0dYWFFEM3dncm8wYl9vbmN2d1V1cjhaeG10U09pRmJQVElOZWUwUVlMWEg3ak12cVhKN3VzMTcxSU5jNDBhOXU1WDJoa3hGMVFBeWdOYmx2RVJxWHo2V2otNjR3TEhIMnBZNk9QaVFST2Rub0VlQ29DNEhXMjNqNlNDckZXTlNOei1DcUxTZWtYM0Z3TGZUMk55Z3l5N1pEeWFPZHhobFRPa0NxdUlJVGFHMF81Qjl1a1ZHRW9yQ0E5RmhYb20yRk50b1J3c0I3eUFtdkpDQ3B4Q1lUTmFuZ3VWYmVmU3luYS14VWR1ZHcifX0.eyJ0ZXJtc09mU2VydmljZUFncmVlZCI6dHJ1ZSwiY29udGFjdCI6WyJtYWlsdG86ZW1haWxAZXhhbXBsZS5jb20iXX0";

let nData = nCrypto.createSign('sha256WithRSAEncryption').update(txt).sign(p);
console.log('node', nData);
let bData = bCrypto.createSign('sha256WithRSAEncryption').update(txt).sign(p);
console.log('browserify-sign', bData);
console.log('isEqual', nData.toString('hex') === bData.toString('hex'));

nData = nCrypto.createSign('sha256').update(txt).sign(p);
console.log('node', nData);
bData = bCrypto.createSign('sha256').update(txt).sign(p);
console.log('browserify-sign', bData);
console.log('isEqual', nData.toString('hex') === bData.toString('hex'));

For sha256WithRSAEncryption both Node.js and browserify-sign are correctly signing the text using provided private key, but for sha256 only Node.js is able to sign a text, while browserify-sign` throws an error:

Error: wrong private key type
    at sign (/home/ubuntu/Projects/browserify-sign/browser/sign.js:24:63)
    at Sign.signMethod [as sign] (/home/ubuntu/Projects/browserify-sign/browser/index.js:43:13)
    at Object.<anonymous> (/home/ubuntu/Projects/browserify-sign/test-bsign.js:45:50)
    at Module._compile (node:internal/modules/cjs/loader:1256:14)
    at Module._extensions..js (node:internal/modules/cjs/loader:1310:10)
    at Module.load (node:internal/modules/cjs/loader:1119:32)
    at Module._load (node:internal/modules/cjs/loader:960:12)
    at Function.executeUserEntryPoint [as runMain] (node:internal/modules/run_main:81:12)
    at node:internal/main/run_main_module:23:47

From my initial investigation, its because sha256 algorithm expects only ECDSA key, but we are providing RSA key instead.

Is it expected? Since browserify-sign wants to duplicate node behaviour, I think its a bug.

Hi, crypto-browserify uses this package and many react-native crypto apps use crypto-browserify.

Seems that the latest readable-stream downgrade in your package.json broken all this apps because process is not available.

In my case react native quick crypto.
Check this

margelo/react-native-quick-crypto#242 (comment)

Any workaround?

I am finding that the libraries that are attempting to use this are using different algorithm names than are listed in the algorithms.json. The one I am encountering now is sha1 which I was able to get working by duplicating and renaming the existing RSA-SHA1 algorithm.

Ideally it would be great to export a method that allows adding custom algorithm definitions at runtime.

// Very early in code
import { addAlgorithm } from 'broweserify-sign'
addAlgorithm('sha1', "rsa", "sha1", "3021300906052b0e03021a05000414")

There is a bunch of new goodies in recent browsers such as window.crypto.subtle.sign() that should be much faster and probably more secure than native javascript implementations. It would be a good idea to detect these methods and automatically use them if present.

Could all the test fixtures please be moved out of test/ and be put in test/fixtures?

The README says DSA keys are not yet implemented. @calvinmetcalf is this the case?

These places in the code use new Buffer(...). The constructor is deprecated and unsafe. Is it possible to replace those instances with Buffer.from(...)?

After updating project to use https://github.com/webpack-contrib/css-loader v3.0.0 from v2.1.1.
Compiles with error: First argument must be a string, Buffer, ArrayBuffer, Array, or array-like object
Tell me if you need more info, because i really don't know what should i provide here

Edited: issue was with 'file-loader' usage for ".json"

Hi guys,

Are you going to add next digest algorithms: sha256, sha384, sha512?

Are there any plans to fix the Security issue GHSA-x9w5-v3q2-3rhw reported here?
Dependabot is recommending an upgrade but there's no fix that I can see.
Thank you.

specifically it is breaking on the call to parseKeys with the following key

-----BEGIN CERTIFICATE-----
MIIDUDCCAjgCCQD1TryolF9FbDANBgkqhkiG9w0BAQsFADBzMQswCQYDVQQGEwJV
UzEOMAwGA1UECAwFVGV4YXMxDzANBgNVBAcMBkRhbGxhczEWMBQGA1UECgwNUHVi
bGlzaGVyIEluYzErMCkGA1UEAwwiUHVibGlzaGVyIElOVEVSTUVESUFSWSBDRVJU
SUZJQ0FURTAeFw0xOTAxMTAyMTAzNDVaFw0yOTAxMDcyMTAzNDVaMGExCzAJBgNV
BAYTAlVTMQ4wDAYDVQQIDAVUZXhhczEPMA0GA1UEBwwGRGFsbGFzMRYwFAYDVQQK
DA1QdWJsaXNoZXIgSW5jMRkwFwYDVQQDDBBCb2IgUGhvdG9ncmFwaGVyMIIBIjAN
BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAt9YImToSbFBMV+/xo6Dlh8+MlZEi
zQKLE2B3PF9qKeBCg24pRYff+rhrfj9fA67Z0duGCDjys+IF2BcqY+vlBt6s0mjf
D3zAKwLXCKVTv81znWu7ChwKk6QQMfs4EHaxJShrA4vdhhf6+Z3Grt6WnlDD7SwU
HXVfOexeTC1VIS+0fXQfbfTMQL8A+0GA7u0/c465v5AGMDwts+leNJ9kdgaowJtU
u681i0tlJpTceAn1xuKnAONbw6LTlQns1+30TDwrUgn72dDcf6s3XqGwMV0RjXC5
0l/mISNNVLiIDCYf57FhW9NZcxt0uuJDwU4VaWxQaMAmbaI2U8sxF3FtGQIDAQAB
MA0GCSqGSIb3DQEBCwUAA4IBAQCLXkxQAHK1uSrtNZL3LbYFmDq1EXpe7wNmRmya
9i5ys+TmGYACGDEGogTp0uGY1qL7pKPB4IWfZsiZ0UEcYju4eRQR/SfK2e8GPT26
IC3nLfoH20E7+TbHZSfUt3g+Oqn4Sg63vYMXNxCPnUq6gUbbzYcv5/O0cT5yqTpL
9C1y+IIXSEB0t0M7oYOZDpOSB/VN/7lDZFLjXfeOhhsXbfIc1gyx3BMrNT/nnW1J
LbSpB0r1d9VPsZA40CH7E0oiGQCa9Jb7h3n/10ABu5C8PQktbxjAlqZ5jiuYZG11
C5f7bPbe6ao2OGXWKLrVSE+2hYGMcffXy0gutH4ytLS8EiLX
-----END CERTIFICATE-----
the error is: ReporterError {path: "["tbsCertificate"]["version"]", message: "Failed to match tag: "0" at: ["tbsCertificate"]["version"]",

This issue is causing the following issues auth0/node-jsonwebtoken#464 and auth0/node-jsonwebtoken#568

Browserify-sign module uses incorrect dependencies , as in our Vue-Cli project, the bundle ends up containing multiple bn.js files:
https://i.imgur.com/IQuwHHJ.png (webpack-bundle-analyzer shows that).

So, another problem seems that (when you mouseover that bn.js) it is being created called from MyProject/node_modules/browserify-sign/node_modules/bn.js/lib/bn.js while in the project there is already MyProject/node_modules/bn.js/lib/bn.js called once.

So, please correct that, so B.S. module wouldnt inject odd duplicated files into bundle, and used the available bn.js from project.

I doubt that it might be coming from this : https://github.com/crypto-browserify/browserify-rsa (as we use this module in our project too), but the browserify-rsa package.json depend son bn.js : ^4.1 . So, could that be reason? if so, please update bn.js version for browserify-rsa . Moreover, seems somoene had suggested that already - browserify/browserify-rsa#13 but one year passed, no response.

https://gist.github.com/maxogden/62b7119909a93204c747633308a4d769

browserifying with this:

browserify -t brfs index.js -o bundle.js

I get Uncaught Error: wrong private key type

from the line if (signType !== 'ecdsa') throw new Error('wrong private key type')

The signType in my case is 'rsa'

CI for most of my projects using browserify started failing within minutes of v4.0.1 being published without any changes to their code.

Looking at the actual v4.0.1 release, it appears to include #25 which changed an interface that many projects use: require('browserify-sign/algos').

I'm currently running into issues with the casing of the sha256 algorithm name. I'm currently trying to use react-native-crypto which users browserify-sign. When trying to run createSign("SHA256") I get an error, because it's not found in the algorithms.json file.

This seems a little bit odd, as in node the case of the algorithm name does not matter. The following is working without any problems in node:

const crypto = require('crypto');

console.log(crypto.createSign('SHA256'));

we have to get it by ourselves i think.
Maybe it should be a good idea to even provide an example in the Readme file there for the strict minimum ?

• crypto-browserify depends on this package transitively
• this package shipped a breaking change in 4.2.3 by supporting node v1's APIs which modern projects don't support

please ship a major semver release for the 4.2.3 change and push a 4.2.4 that reverts the changes in 4.2.3.

I'm using this package as a part of crypto-browserify.
So basically it's broken, had to downgrade to 3.0.8 to make it work again.
Code that fails:
crypto.createSign('RSA-SHA256').update(data).sign(pKey, 'base64');
The error: Uncaught Error: fromRed works only with numbers in reduction context.

I debugged this a bit and it fails on sign method, createSign and update work as supposed.

Here is a simplified version of a script I am running: (The real script uses the ashtuchkin/u2f library)

#!node
var verify = require("browserify-sign/browser/verify");
var cert = `-----BEGIN CERTIFICATE-----
MIICSjCCATKgAwIBAgIEEkpy/jANBgkqhkiG9w0BAQsFADAuMSwwKgYDVQQDEyNZ
dWJpY28gVTJGIFJvb3QgQ0EgU2VyaWFsIDQ1NzIwMDYzMTAgFw0xNDA4MDEwMDAw
MDBaGA8yMDUwMDkwNDAwMDAwMFowLDEqMCgGA1UEAwwhWXViaWNvIFUyRiBFRSBT
ZXJpYWwgMjQ5NDE0OTcyMTU4MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEPYsb
vS/L9ghuEHRxYBRoSEFTwcbTtLaKXoVebkB1fuIrzYmIvzvv183yHLC/XXoVDYRK
/pgQPGxmB9n6rih8AqM7MDkwIgYJKwYBBAGCxAoCBBUxLjMuNi4xLjQuMS40MTQ4
Mi4xLjEwEwYLKwYBBAGC5RwCAQEEBAMCBSAwDQYJKoZIhvcNAQELBQADggEBAKFP
HuoAdva4R2oQor5y5g0CcbtGWy37/Hwb0S01GYmRcDJjHXldCX+jCiajJWNOhXIb
wtAahjA/a8B15ZlzGeEiFIsElu7I0fT5TPQRDeYmwolEPR8PW7sjnKE+gdHVqp31
r442EmR1v8I68GKDFXJSdi/2iHm88O9XjVXWf5UbTzK2PIrqWw+Zxn19gUp/9ab1
Lfg+iUo6XZyLguf4vI2vTIAXX/iXL9p5Mz7EZdgG6syUjxurIgRalVWKSMICJtrA
A9QfvJ4F6iimu14QpJ3gYKCk9qJnajTWjEq+jGGHQ1W5An6CjKngZLAC1i6NjPB0
SSF1PTXjyHxdV3lFPnc=
-----END CERTIFICATE-----`;
verify("fake", "fake", cert, "ecdsa/rsa")

Instead of returning some sort of 'failed verification', the code breaks instead:

TypeError: Cannot read property 'join' of undefined
    at ecVerify (node_modules/browserify-sign/browser/verify.js:48:49)
    at verify (node_modules/browserify-sign/browser/verify.js:12:12)

This is failing because ecVerify is expecting pub.data.algorithm.curve to exist, but the parse-asn1 library does not add this attribute to certificates (see crypto-browserify/parse-asn1/blob/master/index.js#L25)

Bug Description:
As I work on developing an Website in React Native, I conducted a vulnerability scan of my application's manifest file using Vulert. During this process, I uncovered an issue associated with your package.

References:
In the course of the vulnerability scan, the following references were identified:

• Vulert Scan Report: Vulert Report
• CVE Reference: CVE-2023-46234

Looks like 4.0.3 was published today.

localhost > Module not found: Error: Can't resolve './browser/algorithms' in '.../node_modules/browserify-sign'
localhost > @ ./~/browserify-sign/algos.js 1:17-48
localhost > @ ./~/crypto-browserify/index.js
localhost > @ ./~/node-uuid/uuid.js

@calvinmetcalf ?

EDIT: looks like we were missing .json in our extensions: ['.js', '.jsx', '.json'] in our webpack configuration.

crypto-browserify/crypto-browserify#130 and auth0/node-jsonwebtoken#91

Running an npm audit will show that [email protected] has a moderate vulnerability - Use of a Broken or Risky Cryptographic Algorithm

Upgrading elliptic to version 6.5.4 will resolve the vulnerability

Not able to resolve Buffer when I am importing it for react native - https://github.com/crypto-browserify/browserify-sign/blob/master/browser/index.js#L9

Can we have explicit import for buffer module

Trying to sign some data with private key which is generated by new openssh 8.0, signature output is always random, Output is always different, when passing same data. I have checked and think that problem comes from var "crt" func related to browserify-rsa. for older keys it works as expected, problem occurs only in case of using new private key. Can someone help me with this ? Thanks in advance.

Getting TypeError: Cannot read property '2' of null on the following code:

const verifier = crypto.createVerify('RSA-SHA256');
verifier.update(atob(oraclize_doc));
awsSignatureValid = verifier.verify(awsPublicCertificateRSA, atob(awsSignature));

Verifies just fine on node, but throws the aforementioned exception, when trying to verify on the 3rd line.

Tested with Chrome 45 and 47.

My project uses vue2 + webpack 5, and I have configured the fallback in webpack's resolve

resolve: {
    fallback: {
        crypto: require.resolve('crypto-browserify')
    }
}

crypto-browserify dependence browserify-sign

However, after upgrading the version of browserify-sign to 4.2.3, my project throws an error stating "process is not defined."

How can I solve this problem? Thanks in advance.