FIPS Compatibility Issue

[bendudz]

Have you read the Contributing Guidelines on issues?

• I have read the Contributing Guidelines on issues.

Prerequisites

• I'm using the latest version of Docusaurus.
• I have tried the npm run clear or yarn clear command.
• I have tried rm -rf node_modules yarn.lock package-lock.json and re-installing packages.
• I have tried creating a repro with https://new.docusaurus.io.
• I have read the console error message carefully (if applicable).

Description

I have a requirement to build my Docusaurus website in a FIPS compliant container. Currently it is not possible as Docusaurus hardcodes the use of the md5 algorithm .

Could it be possible to use another hashing algorithm that is compliant to FIPS 140-2 (or a customisable one) like sha256?

Are you only using md5 a hashing function or does it have some cryptographic use also?

I attempted to use patch-package to modify my node_modules & replace md5 with sha256 in the hashUtils module. This wasn't successful and resulted in further issues i was unable to debug.

Reproducible demo

https://github.com/bendudz/docusaurus/tree/fips-repro/examples/classic

Steps to reproduce

The repro uses a publicly available .FIPS image. If you have access to Chainguard there are images available from them that could be substituted into the dockerfile FROM clause.

Clone the repro & navigate to the example.

cd examples/classic

Build the dockerfile

docker build -t fips-repro --no-cache=true .

Expected behavior

I would like to think Docusaurus could be built in a FIPS compliant manner with either an applicable algorthim used or a customisable option to replace md5.

Actual behavior

Attempting to build the site in the FIPS enabled container ends up with a long stacktrace.

/opt/app-root/src # npm run build

> [email protected] build
> docusaurus build


[ERROR] Error: Docusaurus could not load module at path "/opt/app-root/src/docusaurus.config.js"
Cause: error:0308010C:digital envelope routines::unsupported
    at loadFreshModule (/opt/app-root/src/node_modules/@docusaurus/utils/lib/moduleUtils.js:36:15)
    at loadSiteConfig (/opt/app-root/src/node_modules/@docusaurus/core/lib/server/config.js:36:62)
    at async Promise.all (index 1)
    at async loadContext (/opt/app-root/src/node_modules/@docusaurus/core/lib/server/site.js:39:97)
    at async getLocalesToBuild (/opt/app-root/src/node_modules/@docusaurus/core/lib/commands/build/build.js:55:21)
    at async Command.build (/opt/app-root/src/node_modules/@docusaurus/core/lib/commands/build/build.js:29:21)
    at async Promise.all (index 0)
    at async runCLI (/opt/app-root/src/node_modules/@docusaurus/core/lib/commands/cli.js:56:5)
    at async file:///opt/app-root/src/node_modules/@docusaurus/core/bin/docusaurus.mjs:44:3 {
  [cause]: Error: error:0308010C:digital envelope routines::unsupported
      at new Hash (node:internal/crypto/hash:68:19)
      at createHash (node:crypto:138:10)
      at md5 (/opt/app-root/src/node_modules/jiti/dist/jiti.js:1:242165)
      at opts.transform.Object.assign.Object.assign.Object.assign.legacy (/opt/app-root/src/node_modules/jiti/dist/jiti.js:1:246878)
      at transform (/opt/app-root/src/node_modules/jiti/dist/jiti.js:1:247408)
      at evalModule (/opt/app-root/src/node_modules/jiti/dist/jiti.js:1:250828)
      at jiti (/opt/app-root/src/node_modules/jiti/dist/jiti.js:1:249841)
      at loadFreshModule (/opt/app-root/src/node_modules/@docusaurus/utils/lib/moduleUtils.js:33:16)
      at loadSiteConfig (/opt/app-root/src/node_modules/@docusaurus/core/lib/server/config.js:36:62)
      at async Promise.all (index 1) {
    opensslErrorStack: [
      'error:03000086:digital envelope routines::initialization error'
    ],
    library: 'digital envelope routines',
    reason: 'unsupported',
    code: 'ERR_OSSL_EVP_UNSUPPORTED'
  }
}
[INFO] Docusaurus version: 3.7.0
Node version: v20.11.1

Your environment

• Public source code: https://github.com/bendudz/docusaurus/tree/fips-repro/examples/classic
• Docusaurus version used: 3.7.0
• Environment name and version (e.g. Chrome 89, Node.js 16.4): Docker FIPS image, Node v20.11.1
• Operating system and version (e.g. Ubuntu 20.04.2 LTS): Ubuntu 20.x

Self-service

• I'd be willing to fix this bug myself.

[slorber]

Are you only using md5 a hashing function or does it have some cryptographic use also?

Afaik we only use hashing for generating unique static file names based on their content, to avoid filename conflicts and enable immutable caching. I don't remember any cryptographic usage.

---

I attempted to use patch-package to modify my node_modules & replace md5 with sha256 in the hashUtils module. This wasn't successful and resulted in further issues i was unable to debug.

That would be helpful to share these experiments and the issues you encountered.

---

The stacktrace you shared seems related to the usage of Jiti to load our config file, that apparently uses md5 internally. See also unjs/jiti#340

[tuckergordon]

I've been running into this as well and am the last comment in that jiti issue ticket. My hope is that they will make that update soon and then it would be a simple upgrade on the Docusaurus side.

In the mean time, this was the best (it's not good) workaround I could come up with:

• Create a new file called docusaurus-crypto-wrapper.js:

  #!/usr/bin/env node
  
  // https://github.com/pnpm/pnpm/issues/8070#issuecomment-2189818262
  // This is a bit of a monkeypatch to work around the fact that `jiti` (which is a dependency of `@docusaurus/core`)
  // uses `crypto.createHash('md5')` which fails FIPS compliance. So instead, we intercept the crypto call and use
  // sha256 instead of md5. This is a workaround until `jiti` is updated to use a more secure hash algorithm. For
  // more details: https://github.com/unjs/jiti/issues/340
  
  const crypto = require('node:crypto');
  const path = require('node:path');
  
  function monkeyPatch() {
    const originalCreateHash = crypto.createHash;
  
    function createHashInterceptMD5(...argv) {
      if (argv[0] === 'md5') {
        argv[0] = 'sha256';
      }
      return originalCreateHash(...argv);
    }
  
    crypto.createHash = createHashInterceptMD5;
  }
  
  monkeyPatch();
  
  // require(path.join(__dirname, 'node_modules/.bin/docusaurus'));
  (async () => {
    await import(path.join(__dirname, 'node_modules/@docusaurus/core/bin/docusaurus.mjs'));
  })();

• Modify your package.json so that it calls the script before build:

  "build": "node ./docusaurus-crypto-wrapper.js build",

[bendudz]

The stacktrace you shared seems related to the usage of Jiti to load our config file, that apparently uses md5 internally. See also unjs/jiti#340

You are correct. In my haste to raise the issue I’ve pasted one of the traces that is caused by Jiti. There is another cause by Docusaurus’ HashUtils module. It’s a shame Node’s crypto lib doesn’t have the same Used for Security mechanism.

@tuckergordon thanks for this workaround. I’ve used something similar on a different project. Will give this a go.

[slorber]

Great, let us know how it works.

We might expose a Docusaurus Node.js API to make this kind of things easier in the future.

---

Apart from monkey patching, there are other possible solutions. None are ideal but still worth being aware of them.

1. Monkey-patching the module loader (afaik it's not public API):

const Module = require("module");
const originalLoad = Module._load;

Module._load = function (request, parent, isMain) {
  if (request === "crypto") {
    return require(path.join(__dirname, "custom-crypto.js"));
  }
  return originalLoad(request, parent, isMain);
};

2. Pre-caching your custom crypto module in the require cache:

const path = require("path");

require.cache[require.resolve("crypto")] = {
  exports: require(path.join(__dirname, "custom-crypto.js")), 
};

3. providing a custom loader, but afaik it only works for ESM imported modules, not CJS:

node --loader ./custom-loader.mjs node_modules/@docusaurus/core/bin/docusaurus.mjs