Nodejs crypto.publicEncrypt yields different results on different machines


Question


We are trying to encrypt and decrypt using an asymmetric key in AWS KMS. The configuration for the key is as follows:


In NodeJS, we use the public key to encrypt via crypto.publicEncrypt:

const crypto = require('crypto');

// RSA-OAEP encryption with SHA-256 as the OAEP hash (the KMS key expects this).
const encryptRSAPayload = (buffer, publicKey) => {
  const encryptedBuffer = crypto.publicEncrypt(
    {
      key: publicKey,
      oaepHash: 'sha256',
      padding: crypto.constants.RSA_PKCS1_OAEP_PADDING,
    },
    buffer
  );

  return encryptedBuffer;
};


And we use the function like this (the public key is read from a local file during the minimal repro):

  const plainText = '12345678910';
  // Note: crypto.publicEncrypt is synchronous, so the await is harmless but unnecessary.
  const encrypted = await encryptRSAPayload(Buffer.from(plainText), publicKey);


Now, four developers have run the exact same code (zipped, with public key etc), and this is happening:


NOTE: All of the developers are on the latest OSX system.


  1. Two of us can use AWS to decrypt whatever we produce from the encrypt function, and the other two can not (failing with InvalidCiphertext: null) from AWS.


The encrypted, base64 string from one of the machines that can not encrypt -> decrypt, can not be decrypted on any other machine.


The encrypted base64 string from one of the machines that can encrypt -> decrypt, can be decrypted in AWS from any machine.


By now, I've spent two days on this and am a bit lost on what to do. Any ideas?

Accepted answer


Problem solved after a few more days of debugging. The problem stemmed from the shipped version of OpenSSL that comes with OSX. For me, that was LibreSSL 2.8, which does not include some of the padding flags used in OAEP nor changing the hash to sha256 (instead of sha1).

The solution was:

  1. Install OpenSSL via Homebrew and set the PATH env to use that version instead of the factory-shipped one.
  2. Reinstall any installed Node versions to re-link against the correct OpenSSL version.
