Skip to content

fix: use random nonce per call in AES-GCM onboarding signature#480

Merged
shonlaju merged 2 commits into
masterfrom
fix/aes-gcm-random-nonce
Jun 11, 2026
Merged

fix: use random nonce per call in AES-GCM onboarding signature#480
shonlaju merged 2 commits into
masterfrom
fix/aes-gcm-random-nonce

Conversation

@rzp-slash

@rzp-slash rzp-slash Bot commented Jun 10, 2026

Copy link
Copy Markdown

Summary

  • Updated generateOnboardingSignature to use a random 12-byte IV per encryption call instead of a static IV.
  • New output format: hex(iv[12 bytes] || ciphertext || tag[16 bytes])

Changes

  • lib/utils/razorpay-utils.js: generate a fresh random nonce on every encryption call and prepend it to the output
  • .github/workflows/ci.yml, .github/workflows/node.js.yml: bump actions/checkout and actions/setup-node to v4

Test plan

  • Verify generateOnboardingSignature produces a different hex string on every call with the same input
  • Verify Razorpay backend successfully decrypts the new format

🤖 Generated with Claude Code

rzp-slash[bot] and others added 2 commits June 10, 2026 12:50
@ankitdas13
fix: use random nonce per call in AES-GCM onboarding signature
11ce6b0 
Replace static IV derived from the key with crypto.randomBytes(12)
generated fresh on every encryption call.

New output format: hex(iv[12] || ciphertext || tag[16])
The receiver reads the first 24 hex chars as the IV before decrypting.

Co-authored-by: ankitdas13 <ankit.das@razorpay.com>
@ankitdas13
ci: bump checkout/setup-node actions to v4
2f17a13 
Upgrade from v2 to v4 to fix cache backend compatibility.

Co-authored-by: ankitdas13 <ankit.das@razorpay.com>
ankitdas13
ankitdas13 approved these changes Jun 10, 2026
View reviewed changes

@ankitdas13 ankitdas13 left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@ankitdas13 ankitdas13 added the TestingNotRequired TestingNotRequired label for BVT label Jun 11, 2026
@shonlaju shonlaju merged commit 6e4e7b1 into master Jun 11, 2026
12 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ankitdas13 ankitdas13 ankitdas13 approved these changes

Assignees

@ankitdas13 ankitdas13

Labels

TestingNotRequired TestingNotRequired label for BVT

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@ankitdas13 @shonlaju