FIPS Compatibility Issue #10963

Open
6 of 7 tasks
bendudz opened this issue Mar 4, 2025 · 1 comment
Labels: bug (An error in the Docusaurus core causing instability or issues with its execution); status: needs triage (This issue has not been triaged by maintainers)

Comments

@bendudz
bendudz commented Mar 4, 2025

Have you read the Contributing Guidelines on issues?

Prerequisites

  • I'm using the latest version of Docusaurus.
  • I have tried the npm run clear or yarn clear command.
  • I have tried rm -rf node_modules yarn.lock package-lock.json and re-installing packages.
  • I have tried creating a repro with https://new.docusaurus.io.
  • I have read the console error message carefully (if applicable).

Description

I have a requirement to build my Docusaurus website in a FIPS compliant container. Currently it is not possible as Docusaurus hardcodes the use of the md5 algorithm.

Could it be possible to use another hashing algorithm that is compliant with FIPS 140-2 (or a customisable one) like sha256?

Are you only using md5 as a hashing function or does it have some cryptographic use also?

I attempted to use patch-package to modify my node_modules & replace md5 with sha256 in the hashUtils module. This wasn't successful and resulted in further issues I was unable to debug.

Reproducible demo

https://github.com/bendudz/docusaurus/tree/fips-repro/examples/classic

Steps to reproduce

The repro uses a publicly available .FIPS image. If you have access to Chainguard there are images available from them that could be substituted into the dockerfile FROM clause.

Clone the repro & navigate to the example.

cd examples/classic

Build the dockerfile

docker build -t fips-repro --no-cache=true .

Expected behavior

I would like to think Docusaurus could be built in a FIPS compliant manner with either an applicable algorithm used or a customisable option to replace md5.

Actual behavior

Attempting to build the site in the FIPS enabled container ends up with a long stacktrace.

/opt/app-root/src # npm run build

> [email protected] build
> docusaurus build


[ERROR] Error: Docusaurus could not load module at path "/opt/app-root/src/docusaurus.config.js"
Cause: error:0308010C:digital envelope routines::unsupported
    at loadFreshModule (/opt/app-root/src/node_modules/@docusaurus/utils/lib/moduleUtils.js:36:15)
    at loadSiteConfig (/opt/app-root/src/node_modules/@docusaurus/core/lib/server/config.js:36:62)
    at async Promise.all (index 1)
    at async loadContext (/opt/app-root/src/node_modules/@docusaurus/core/lib/server/site.js:39:97)
    at async getLocalesToBuild (/opt/app-root/src/node_modules/@docusaurus/core/lib/commands/build/build.js:55:21)
    at async Command.build (/opt/app-root/src/node_modules/@docusaurus/core/lib/commands/build/build.js:29:21)
    at async Promise.all (index 0)
    at async runCLI (/opt/app-root/src/node_modules/@docusaurus/core/lib/commands/cli.js:56:5)
    at async file:///opt/app-root/src/node_modules/@docusaurus/core/bin/docusaurus.mjs:44:3 {
  [cause]: Error: error:0308010C:digital envelope routines::unsupported
      at new Hash (node:internal/crypto/hash:68:19)
      at createHash (node:crypto:138:10)
      at md5 (/opt/app-root/src/node_modules/jiti/dist/jiti.js:1:242165)
      at opts.transform.Object.assign.Object.assign.Object.assign.legacy (/opt/app-root/src/node_modules/jiti/dist/jiti.js:1:246878)
      at transform (/opt/app-root/src/node_modules/jiti/dist/jiti.js:1:247408)
      at evalModule (/opt/app-root/src/node_modules/jiti/dist/jiti.js:1:250828)
      at jiti (/opt/app-root/src/node_modules/jiti/dist/jiti.js:1:249841)
      at loadFreshModule (/opt/app-root/src/node_modules/@docusaurus/utils/lib/moduleUtils.js:33:16)
      at loadSiteConfig (/opt/app-root/src/node_modules/@docusaurus/core/lib/server/config.js:36:62)
      at async Promise.all (index 1) {
    opensslErrorStack: [
      'error:03000086:digital envelope routines::initialization error'
    ],
    library: 'digital envelope routines',
    reason: 'unsupported',
    code: 'ERR_OSSL_EVP_UNSUPPORTED'
  }
}
[INFO] Docusaurus version: 3.7.0
Node version: v20.11.1

Your environment

Self-service

  • I'd be willing to fix this bug myself.
bendudz added the bug and status: needs triage labels Mar 4, 2025
@slorber
Collaborator

slorber commented Mar 6, 2025

> Are you only using md5 as a hashing function or does it have some cryptographic use also?

Afaik we only use hashing for generating unique static file names based on their content, to avoid filename conflicts and enable immutable caching. I don't remember any cryptographic usage.


> I attempted to use patch-package to modify my node_modules & replace md5 with sha256 in the hashUtils module. This wasn't successful and resulted in further issues I was unable to debug.

That would be helpful to share these experiments and the issues you encountered.


The stacktrace you shared seems related to the usage of Jiti to load our config file, that apparently uses md5 internally. See also unjs/jiti#340
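
Added example (not part of the issue thread, and not Docusaurus or jiti code): a content-hash helper for static file names that probes whether a digest can be created before using it, so a FIPS-enabled OpenSSL that rejects md5 does not abort the build. All function names are hypothetical and the sample input is constructed; it illustrates the file-name hashing use described in the comment above, not the jiti code path in the stack trace.

```javascript
// Added example: FIPS-tolerant content hashing for static file names.
// Function names are hypothetical, not Docusaurus or jiti APIs.
const crypto = require('node:crypto');
const path = require('node:path');

// True if this Node/OpenSSL build will actually create the digest.
// Under a FIPS provider, createHash('md5') throws ERR_OSSL_EVP_UNSUPPORTED.
function isDigestUsable(algorithm) {
  try {
    crypto.createHash(algorithm);
    return true;
  } catch {
    return false;
  }
}

// Return the first usable digest from an ordered preference list.
function pickDigest(preferences = ['sha256']) {
  const found = preferences.find(isDigestUsable);
  if (!found) {
    throw new Error(`no usable digest among: ${preferences.join(', ')}`);
  }
  return found;
}

// Hex digest of the content, truncated for use in a file name.
// Truncation is acceptable here because the hash only names files.
function contentHash(content, { algorithm = pickDigest(), length = 8 } = {}) {
  return crypto.createHash(algorithm).update(content).digest('hex').slice(0, length);
}

// "assets/main.js" + content -> "assets/main.<hash>.js"
function hashedFileName(filePath, content, options) {
  const { dir, name, ext } = path.posix.parse(filePath);
  return path.posix.join(dir, `${name}.${contentHash(content, options)}${ext}`);
}

// Constructed sample input.
const sample = Buffer.from('abc');
console.log('FIPS mode:', crypto.getFips());
console.log(hashedFileName('assets/main.js', sample));
```

Changing the digest changes every emitted file name once, which invalidates previously cached assets.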
