/keys URL breaks if multiple LTIs are registered - error:1C800064:Provider routines::bad decrypt #201

Open
adam-nielsen opened this issue Aug 10, 2023 · 3 comments

@adam-nielsen

Describe the bug
If you have two or more LTIs registered, when you access /keys on one of the LTIs, you get this error:

provider:main Error: error:1C800064:Provider routines::bad decrypt
  provider:main     at Decipheriv.final (node:internal/crypto/cipher:199:29)
  provider:main     at Database.Decrypt (node_modules/ltijs-sequelize/dist/DB.js:680:52)
  provider:main     at Database.Get (node_modules/ltijs-sequelize/dist/DB.js:523:38)
  provider:main     at processTicksAndRejections (node:internal/process/task_queues:95:5)
  provider:main     at async Function.build (node_modules/ltijs/dist/Utils/Keyset.js:14:19)
  provider:main     at async Provider.value (node_modules/ltijs/dist/Provider/Provider.js:249:26)

Expected behavior
/keys should return some JSON. It works fine with only one LTI in the database, but as soon as you add a second LTI with a different encryption key, the /keys URL fails.

Additional context
This is using ltijs-sequelize with a MySQL database.

The problem seems to be in https://github.com/Cvmcosta/ltijs/blob/master/src/Utils/Keyset.js#L11 where it retrieves all public keys for all LTIs instead of only the keys belonging to the current LTI. When it tries to decrypt the values for the other LTIs, the decryption fails, assuming each LTI you deploy is using a different key.

@adam-nielsen adam-nielsen added the bug Something isn't working label Aug 10, 2023
@Cvmcosta
Owner

Hello! This error happens if you change the encryption key after registering a tool, since we'll try to decrypt with the wrong key. Can you please remove the platforms and try again? Or clean the platforms table.

@adam-nielsen
Author

Yes we cleared the platform table and registered the LTIs again and the problem returns.

If you register all the LTIs with the same key then it works, but if you register LTI 1 with key 1, and LTI 2 with key 2, then both LTIs fail when /keys is accessed.

@lcundiff

For anyone else experiencing this issue:
The fix for me (like @Cvmcosta stated) was clearing my platforms table in my LTI database and re-registering the LTI platform (didn't need to recreate the LTI key in Canvas though). Removing only the private and public keys affiliated to the old encryption key didn't work for me; it wasn't until I cleaned my platform tables that it worked again.

The actual problem here is different than the error message, so I would suggest that the error gets caught before calling Decrypt in the DB script. Maybe checking for copies of same client id on same platform? Or, even easier, could catch this issue, and give some additional info, stating the encryption key does not match the encryption key registered initially?
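
Added example, not part of the thread and not ltijs or ltijs-sequelize code: a sketch of the failure described in this issue (one key table shared by deployments that use different encryption keys) and of the handling suggested in the last comment, where undecryptable rows are reported by key ID instead of surfacing a raw `bad decrypt`. The function names, the row layout, and the AES-256-CBC scheme with a SHA-256 derived key are assumptions made for the example.

```javascript
// Added example: hypothetical helpers, not ltijs or ltijs-sequelize code.
const crypto = require('crypto');

// Assumption: AES-256-CBC with a key derived from the secret by SHA-256.
const deriveKey = (secret) => crypto.createHash('sha256').update(secret).digest();

function encryptRow(kid, jwk, secret) {
  const iv = crypto.randomBytes(16);
  const cipher = crypto.createCipheriv('aes-256-cbc', deriveKey(secret), iv);
  const data = Buffer.concat([cipher.update(JSON.stringify(jwk), 'utf8'), cipher.final()]);
  return { kid, iv: iv.toString('hex'), data: data.toString('hex') };
}

// Returns the parsed JWK, or null when the row was written under another key.
function tryDecryptRow(row, secret) {
  try {
    const d = crypto.createDecipheriv('aes-256-cbc', deriveKey(secret), Buffer.from(row.iv, 'hex'));
    const plain = Buffer.concat([d.update(Buffer.from(row.data, 'hex')), d.final()]);
    // CBC padding passes by chance for about 1 in 256 wrong keys, so also
    // require well-formed JSON before trusting the plaintext.
    return JSON.parse(plain.toString('utf8'));
  } catch (err) {
    return null; // "bad decrypt" (padding check) or garbage that is not JSON
  }
}

// Build the keyset from rows readable with this deployment's key and
// report the rest by kid instead of failing the whole request.
function buildKeyset(rows, secret) {
  const keys = [];
  const unreadable = [];
  for (const row of rows) {
    const jwk = tryDecryptRow(row, secret);
    if (jwk) keys.push({ ...jwk, kid: row.kid });
    else unreadable.push(row.kid);
  }
  const warning = unreadable.length
    ? `${unreadable.length} key row(s) were encrypted with a different encryption key: ${unreadable.join(', ')}`
    : null;
  return { keys, unreadable, warning };
}

// Constructed sample: two deployments sharing one table, different keys.
const sampleRows = [
  encryptRow('kid-tool-1', { kty: 'RSA', e: 'AQAB', n: 'constructed-modulus-1' }, 'key-1'),
  encryptRow('kid-tool-2', { kty: 'RSA', e: 'AQAB', n: 'constructed-modulus-2' }, 'key-2'),
];
```

Because a padding failure is only a probabilistic signal in CBC mode, an authenticated mode such as AES-GCM, or a key identifier stored with each row, gives a reliable way to tell which deployment a row belongs to.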
