Self-hosting: encypted npmToken

[ronaldploeger]

I have create a private and public key as described here: https://docs.renovatebot.com/self-hosted-configuration/#privatekey

I have save a copy of https://renovatebot.com/encryp, replaced with my public key and created the base64 encrypted version of my npm token and configured it in renovate.json:

  "encrypted": {
    "npmToken": "my-base64-encrypted-npm-token"
  }

I have added "privateKey" the renovatebot config:

privateKey: `-----BEGIN RSA PRIVATE KEY-----
...xxxx...
-----END RSA PRIVATE KEY-----`,

but when I am running renovatebot I am getting:

DEBUG: Trying default padding for npmToken (repository=xx/xx)
DEBUG: Trying RSA_PKCS1_PADDING for npmToken (repository=xx/xx)
 INFO: Repository has invalid config (repository=xx/xx)
       "error": {
         "validationError": "Failed to decrypt field npmToken. Please re-encrypt and try again.",
         "message": "config-validation",
         "stack": "Error: config-validation\n    at Object.decryptConfig (/Users/ploegerr/.nvm/versions/node/v12.13.1/lib/node_modules/renovate/dist/config/decrypt.js:71:39)\n    at mergeRenovateConfig (/Users/ploegerr/.nvm/versions/node/v12.13.1/lib/node_modules/renovate/dist/workers/repository/init/config.js:187:39)\n    at async Object.getRepoConfig (/Users/ploegerr/.nvm/versions/node/v12.13.1/lib/node_modules/renovate/dist/workers/repository/init/config.js:231:14)\n    at async Object.initRepo (/Users/ploegerr/.nvm/versions/node/v12.13.1/lib/node_modules/renovate/dist/workers/repository/init/index.js:19:14)\n    at async Object.renovateRepository (/Users/ploegerr/.nvm/versions/node/v12.13.1/lib/node_modules/renovate/dist/workers/repository/index.js:60:18)\n    at async Object.start (/Users/ploegerr/.nvm/versions/node/v12.13.1/lib/node_modules/renovate/dist/workers/global/index.js:77:13)\n    at async /Users/ploegerr/.nvm/versions/node/v12.13.1/lib/node_modules/renovate/dist/renovate.js:28:24"
       }

I have looked at the code https://github.com/renovatebot/renovate/blob/master/lib/config/decrypt.ts and extracted the part responsible for decrypting:

const crypto = require('crypto')

const privateKey = `-----BEGIN RSA PRIVATE KEY-----
...xxx...
-----END RSA PRIVATE KEY-----`

const eVal = 'my-base64-encrypted-npm-token'
let decryptedStr

try {
  decryptedStr = crypto.privateDecrypt(privateKey, Buffer.from(eVal, 'base64')).toString()
} catch (err) {
  console.log('error -> ' + JSON.stringify(err, null, 2))
  decryptedStr = crypto
    .privateDecrypt(
      {
        key: privateKey,
        padding: crypto.constants.RSA_PKCS1_PADDING,
      },
      Buffer.from(eVal, 'base64'),
    )
    .toString()
}

console.log('------------- ' + decryptedStr)

When I run this it works and I get the decrypted string.

Any Ideas what I am doing wrong - why is the renovatebot not able to decrypt?

[ronaldploeger]

It would have been super helpful if decrypt.ts did not swallow the "err" here but log it:

          } catch (err) {
            const error = new Error('config-validation');
            error.validationError = `Failed to decrypt field ${eKey}. Please re-encrypt and try again.`;
            throw error;
          }

then one would have seen that the problem is:

{
  "library": "PEM routines",
  "function": "get_header_and_data",
  "reason": "short header",
  "code": "ERR_OSSL_PEM_SHORT_HEADER"
}

this might bring you here openssl/openssl#8815 which tells you that the javascript `` template syntax in combination with the IDE - which adds spaces before each line - is breaking the private certificate.

I fixed it by adding "privateKey" in the renovatebot config as a string in one line like this:

privateKey: '-----BEGIN RSA PRIVATE KEY-----\nXXXXXXXXXXXXXXXXX\n-----END RSA PRIVATE KEY-----',

XXXXXXXXXXXXXXXXX represents the private key data. The linebreaks after -----BEGIN RSA PRIVATE KEY----- and before -----END RSA PRIVATE KEY----- are important.

[ronaldploeger]

@viceice That is what I tried first - but it did not work. I tried it again and the error I get is:

error: {
  "code": "ERR_INVALID_ARG_TYPE"
}

Digging deeper the error message from crypto is:"The "key" argument must be one of type string, Buffer, TypedArray, DataView, or KeyObject. Received type object"

I have logged the "privateKey" in decrypt.js and have seen that it is an object with two keys:

• type
• data
  where the type is set to "Buffer" and data is a byte array (I guess)

[viceice]

nope, should also work with a buffer

[ronaldploeger]

I do not know much about Javascript Buffers but the "privateKey" does not seem to be one. When I log:

              for (const x in privateKey) {
                console.log("property: " + x)
              }
              console.log('type: ' + privateKey.type )
              console.log('Buffer.isBuffer(privateKey): ' + Buffer.isBuffer(privateKey) )
              console.log('typeof privateKey: ' + typeof privateKey )

I get:

property: type
property: data
type: Buffer
Buffer.isBuffer(privateKey): false
typeof privateKey: object

[viceice]

Ok, maybe i know whats going on. loading the key first time from file works as buffer, but we then clone the config object, so the prototype gets lost and so it's no longer a buffer

@rarkins any idea how to get this fixed? Move the read to setAdminConfig or the decrypt config ?