Nodejs crypto.publicEncrypt yields different results on different machines

We are trying to encrypt and decrypt using an asymmetric key in AWS KMS. The configuration for the key is as follows:

[Image: AWS asymmetric key configuration]

In NodeJS, we use the public key to encrypt via crypto.publicEncrypt:

const crypto = require('crypto');

// RSA-OAEP with SHA-256 as the OAEP digest (Node's default would be SHA-1).
const encryptRSAPayload = (buffer, publicKey) => {
  const encryptedBuffer = crypto.publicEncrypt(
    {
      key: publicKey,
      oaepHash: 'sha256',
      padding: crypto.constants.RSA_PKCS1_OAEP_PADDING,
    },
    buffer
  );

  return encryptedBuffer;
};

And we use the function like this (the public key is read from a local file during the minimal repro):

  const plainText = '12345678910';
  // publicEncrypt is synchronous, so no await is needed here.
  const encrypted = encryptRSAPayload(Buffer.from(plainText), publicKey);

Now, four developers have run the exact same code (zipped, with the public key etc.), and this is happening:

NOTE: All of the developers are on the latest OSX system.

  1. Two of us can use AWS to decrypt whatever we produce from the encrypt function, and the other two cannot (AWS fails with InvalidCiphertext: null).

  2. The encrypted base64 string from one of the machines that cannot encrypt -> decrypt cannot be decrypted on any other machine.

  3. The encrypted base64 string from one of the machines that can encrypt -> decrypt can be decrypted in AWS from any machine.

By now, I've spent two days on this and am a bit lost on what to do. Any ideas?

Problem solved after a few more days of debugging. The problem stemmed from the shipped version of OpenSSL that comes with OSX. For me, that was LibreSSL 2.8, which does not include some of the padding flags used in OAEP, nor changing the hash to sha256 (instead of sha1).

The solution was:

  1. Install OpenSSL via Homebrew and set the PATH env to use that version instead of the shipped version.
  2. Reinstall any installed node version to re-link to the correct OpenSSL version.
