TypeError: RSA_PKCS1_PADDING is no longer supported for private decryption

[Metro420yt]

[x] The FAQ doesn't contain a resolution to my issue

Versions

• minecraft-protocol: 1.47.0
• server: vanilla 1.12.2
• node: 21.7.1

Detailed description of a problem

when trying to connect, on login.js line 120 the padding "crypto.constants.RSA_PKCS1_PADDING" throws an error, due to CVE-2023-46809

TypeError: RSA_PKCS1_PADDING is no longer supported for private decryption, this can be reverted with --security-revert=CVE-2023-46809
    at Client.onEncryptionKeyResponse ([...]\minecraft-protocol\src\server\login.js:120:39)
    ...

Current code

createServer({
    version: '1.12.2',
    port: 25565,
    beforePing: (response) => {
        if (properties.enableStatus === false) return;
        response.favicon = favicon;
    },
})

Expected behavior

wasnt sure if there was a way to fix this, or if its just a part of the encryption method

edit: the error is silent, and the server just responds "Disconnected"
and i should clarify, im not sure if its possible to use another encryption method or not

Additional context

originally was using node v20.11.1, but updated at some point to see if it would help

passing "--security-revert=CVE-2023-46809" gives another error

was an issue caused by doing npm audit --force

[extremeheat]

Seems like a bug in nodejs.

Caused by nodejs/node@54cd268

You can open an issue in https://github.com/nodejs/node for it

[extremeheat]

Being discussed in nodejs/node#52017

[extremeheat]

Proposed programmatic way to re-enable is being discussed in nodejs/node#52090, pure js workaround snippet to fix mentioned in nodejs/node#52017 (comment)

[IceTank]

So, it looks like the node team decided to remove the padding feature? Is there a programmatic fix for it that could be added to nmp? I don't want to parse node arguments to all my applications.

[extremeheat]

Read the linked issue/PR, I left a comment on nodejs/node#52017 (comment).

Ideally the standard lib of a language doesn't do breaking updates to remove functionality in minor versions, but that's what seems to be the case at the moment (for security reasons). There is a PR to add a code based toggle to re-enable the funcionality, but it's not for sure that will be merged. This may require using the nodeRSA workaround snippet posted in nodejs/node#52017.

[IceTank]

Read the linked issue/PR, I left a comment on nodejs/node#52017 (comment).

Ideally the standard lib of a language doesn't do breaking updates to remove functionality in minor versions, but that's what seems to be the case at the moment (for security reasons). There is a PR to add a code based toggle to re-enable the funcionality, but it's not for sure that will be merged. This may require using the nodeRSA workaround snippet posted in nodejs/node#52017.

I think we should go for the nodeRSA workaround for the time being because Node-Minecraft-Protocol does not work right now with the latest LTS versions of Node.

[extremeheat]

Yeah, nodejs/node#52017 (comment) should have the relevant code to do it