compatibility with node-fips #340
Comments
It is not a security matter for jiti's usage of md5 in cache entry paths, and a false positive in that tooling. We cannot easily change the default hash, but we can introduce an option for jiti to switch (possibly auto-detecting the env). Can you please prepare a reproducible Dockerfile I can test locally?

Thanks for your response @pi0. It's not exactly a false positive, it's just that MD5 is not installed at all (or at least isn't made available) in order to be FIPS compliant, due to it being deprecated. If the hash is only used for cache purposes, I'm still confused why the SHA256 digest can't be used in the same way 🤔 I'll try to get a reproducible Dockerfile made available ASAP.

Mainly legacy decisions in jiti, and if we change it, it will cause stale caches for lots of files for lots of users, which makes the change tricky. If we can auto-detect that env, we can smartly switch though.

@denver-HJS I still can't reproduce, since I can't get access to a node-fips image with Node 18 or 20.
Just commenting to say that I too am running into this issue while trying to use Docusaurus (which uses jiti) in Chainguard's node-fips image. But I understand that it's hard to reproduce and begin to address (or even determine if it should be addressed) given the lack of publicly available FIPS images.
Worth noting that even However it seems like that is fixed in the newly-released pnpm v10: https://en.kelen.cc/share/pnpm-v10-update-highlights Not actually a solution to the issue, but figured it was worth mentioning since I ran into it while trying to run this down / come up with a workaround |
Can't progress on this without access to a runnable image. If you can provide a one-liner snippet that can stably detect FIPS builds (maybe
Found a public FIPS image that I was able to reproduce the issue with. Here's a simple Dockerfile:

```dockerfile
FROM filigran/python-nodejs-fips:latest
RUN mkdir /app
WORKDIR /app
RUN npm install jiti
RUN touch foo.ts
RUN echo "import { createJiti } from 'jiti'; createJiti(import.meta.url).import('./foo.ts');" > script.mjs
RUN node --enable-fips script.mjs
```

Which produces this error on build:

```
#10 [7/7] RUN node --enable-fips script.mjs
#10 0.849 node:internal/crypto/hash:68
#10 0.849 this[kHandle] = new _Hash(algorithm, xofLen);
#10 0.849 ^
#10 0.849
#10 0.849 Error: error:0308010C:digital envelope routines::unsupported
#10 0.849 at new Hash (node:internal/crypto/hash:68:19)
#10 0.849 at createHash (node:crypto:138:10)
#10 0.849 at md5 (/app/node_modules/jiti/dist/jiti.cjs:1:184484)
#10 0.849 at getCache (/app/node_modules/jiti/dist/jiti.cjs:1:190693)
#10 0.849 at transform (/app/node_modules/jiti/dist/jiti.cjs:1:192685)
#10 0.849 at eval_evalModule (/app/node_modules/jiti/dist/jiti.cjs:1:194014)
#10 0.849 at jitiRequire (/app/node_modules/jiti/dist/jiti.cjs:1:190233)
#10 0.849 at Function.import (/app/node_modules/jiti/dist/jiti.cjs:1:199778)
#10 0.849 at file:///app/script.mjs:1:70
#10 0.849 at ModuleJob.run (node:internal/modules/esm/module_job:218:25) {
#10 0.849 opensslErrorStack: [ 'error:03000086:digital envelope routines::initialization error' ],
#10 0.849 library: 'digital envelope routines',
#10 0.849 reason: 'unsupported',
#10 0.849 code: 'ERR_OSSL_EVP_UNSUPPORTED'
#10 0.849 }
#10 0.849
#10 0.849 Node.js v20.11.1
#10 ERROR: process "/bin/sh -c node --enable-fips script.mjs" did not complete successfully: exit code: 1
```

Then I changed

```dockerfile
FROM filigran/python-nodejs-fips:latest
RUN mkdir /app
WORKDIR /app
COPY ./jiti-2.4.2.tgz /app
RUN npm install ./jiti-2.4.2.tgz
RUN touch foo.ts
RUN echo "import { createJiti } from 'jiti'; createJiti(import.meta.url).import('./foo.ts');" > script.mjs
RUN node --enable-fips script.mjs
```
Environment

NodeJs version: v22.11.0
jiti@latest

Reproduction

(please see bug details referring to the FIPS compliant image described)

Describe the bug

I have a requirement to build my application in a FIPS compliant container, and currently that is not possible due to the use of the deprecated md5 crypto algorithm. Since, from what I can tell, this is used only for creating version hashes, I believe it'd be benign to switch to a more modern algorithm.

Container base image: Chainguard's node-fips image built with Node v22 (see here), which ships with the OpenSSL FIPS provider.

Step 1: Create a Dockerfile that pulls the Chainguard node-fips image, copies this project's source files into the image, and runs the test command.

Step 2: Run the `docker build .` command.

That results in an error that looks like this:

Error output

Additional context

I attempted to open a PR to change the utility to use the `sha256` algorithm, but I do not appear to have permissions to create a branch. I think this would be pretty simple to change: the `md5` function to `sha256`, and use that argument in the Node `createHash` function.

Logs

No response