
🐛 Bug Report — Runtime APIs - Figure out support for `chacha20-poly1305`

Open dxh9845 opened this issue 5 months ago • 4 comments

As per discussion in our internal chatroom, I am looking to write some code that uses the chacha20-poly1305 algorithm to encrypt (and later, decrypt) some data.

In both running my worker in local Wrangler as well as Vitest tests using @cloudflare/vitest-pool-workers, I see the following error thrown for code that uses "chacha20-poly1305" as an algorithm for createCipheriv:


```ts
import nodeCrypto from 'node:crypto'
import { promisify } from 'node:util'

const asyncScrypt = promisify(nodeCrypto.scrypt)
const asyncRandomFill = promisify(nodeCrypto.randomFill)

// Declared async because the key derivation below is awaited.
async function encryptData(data: string): Promise<string> {
  const password = 'Password used to generate key';
  // ChaCha20-Poly1305 takes a 32-byte key and a 12-byte nonce.
  const key = (await asyncScrypt(password, 'salt', 32)) as Buffer
  const ivNonce = nodeCrypto.randomBytes(12) // Initialization vector.

  // Normalize the inputted string as specified by
  // nodejs.org/api/crypto.html#using-strings-as-inputs-to-cryptographic-apis
  data = data.normalize()

  const cipher = nodeCrypto.createCipheriv("chacha20-poly1305", key, ivNonce)
  let encrypted = cipher.update(data, 'utf8', 'hex');
  encrypted += cipher.final("hex")
  // Decrypting later also needs ivNonce and cipher.getAuthTag().
  return encrypted
}
```

```
✘ [ERROR] Error: Unknown or unsupported cipher: chacha20-poly1305

      at new Cipheriv (node-internal:crypto_cipher:71:21)
      at createCipheriv (node-internal:crypto_cipher:236:12)
      at null.<anonymous>
```

dxh9845 • Aug 28 '25 20:08

BoringSSL does not provide ChaCha20-Poly1305 as a standard EVP_CIPHER. It's only available as an EVP_AEAD.

So, technically OpenSSL supports chacha20-poly1305, but not through NID definition, but through AEAD. Since we are using ncrypto::Cipher::FromName() (which calls EVP_get_cipherbyname(...)) to identify and initialize a cipher, it is throwing an error.

To fix this we need to add support for EVP_AEAD to ncrypto (possibly with an architectural change).

cc @jasnell

anonrig • Sep 03 '25 15:09

This will require upstream changes to ncrypto. Yagiz and I will deal with it.

npaun • Sep 03 '25 22:09

What stage is it at now?

YuHuanTin • Dec 22 '25 13:12

This has been deployed to prod for a little while now. Please give it a try and let me know if you run into any trouble.

npaun • Dec 24 '25 21:12

Completed in #5202

npaun • Jan 07 '26 18:01
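The encrypt-and-later-decrypt round trip the issue asks for, as an added example that is not code from the thread or from workerd. It assumes a runtime where `createCipheriv("chacha20-poly1305", ...)` is available; the function names, the 16-byte salt and the `salt || nonce || tag || ciphertext` layout are this example's own choices.

```javascript
// Added example, not code from the issue thread.
// Load node:crypto whether this file runs as CommonJS or as an ES module.
const nodeCrypto = typeof require === 'function'
  ? require('node:crypto')
  : process.getBuiltinModule('node:crypto');

const ALG = 'chacha20-poly1305';
const KEY_LEN = 32;   // ChaCha20 key: 256 bits
const NONCE_LEN = 12; // nonce: 96 bits
const TAG_LEN = 16;   // Poly1305 tag: 128 bits
const SALT_LEN = 16;  // scrypt salt size (this example's choice)
const HEADER_LEN = SALT_LEN + NONCE_LEN + TAG_LEN;

function deriveKey(password, salt) {
  return nodeCrypto.scryptSync(password.normalize(), salt, KEY_LEN);
}

// Returns hex(salt || nonce || tag || ciphertext). A fresh salt gives a fresh
// key per message, so a random 96-bit nonce is never reused under one key.
function sealMessage(password, plaintext, aad = '') {
  const salt = nodeCrypto.randomBytes(SALT_LEN);
  const nonce = nodeCrypto.randomBytes(NONCE_LEN);
  const cipher = nodeCrypto.createCipheriv(ALG, deriveKey(password, salt), nonce,
    { authTagLength: TAG_LEN });
  if (aad) cipher.setAAD(Buffer.from(aad, 'utf8')); // authenticated, not encrypted
  const ct = Buffer.concat([cipher.update(plaintext.normalize(), 'utf8'), cipher.final()]);
  return Buffer.concat([salt, nonce, cipher.getAuthTag(), ct]).toString('hex');
}

// Throws if the password, the AAD, or any byte of the message is wrong.
function openMessage(password, sealedHex, aad = '') {
  const buf = Buffer.from(sealedHex, 'hex');
  if (buf.length < HEADER_LEN) throw new Error('sealed message too short');
  const salt = buf.subarray(0, SALT_LEN);
  const nonce = buf.subarray(SALT_LEN, SALT_LEN + NONCE_LEN);
  const tag = buf.subarray(SALT_LEN + NONCE_LEN, HEADER_LEN);
  const decipher = nodeCrypto.createDecipheriv(ALG, deriveKey(password, salt), nonce,
    { authTagLength: TAG_LEN });
  if (aad) decipher.setAAD(Buffer.from(aad, 'utf8'));
  decipher.setAuthTag(tag);
  // final() verifies the Poly1305 tag; nothing is returned unless it matches.
  const pt = Buffer.concat([decipher.update(buf.subarray(HEADER_LEN)), decipher.final()]);
  return pt.toString('utf8');
}
```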