crypto: fix unencrypted DER PKCS8 parsing #26236
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The previously used OpenSSL call only supports encrypted PKCS8, this commit adds support for unencrypted PKCS8.
nodejs-github-bot
added
c++
addaleax
approved these changes
Feb 21, 2019
|
@nodejs/crypto |
bnoordhuis
approved these changes
Feb 21, 2019
sam-github
suggested changes
Feb 21, 2019
There was a problem hiding this comment.
You can test by running the decoding in a loop over a valid key, something like this pseudo-code.
valid = valid_der;
for (i = 0; i < valid.size; i++) {
invalid = valid.truncate(i)
let err
try {
parse(invalid)
} catch (e) {
err = e;
}
if (i < valid.size()) assert(err !== null)
else assert.ifError(err)
}
We don't usually do this, because we assume that OpenSSL has a correct bug-free decoder, but if we have our own, I think we should be careful to test invalid data.
sam-github
approved these changes
Feb 21, 2019
BridgeAR
added
the
author ready
|
Thanks for reviewing, landed in 8d69fdd. |
tniessen
added a commit
that referenced
this pull request
Feb 23, 2019
The previously used OpenSSL call only supports encrypted PKCS8, this commit adds support for unencrypted PKCS8. PR-URL: #26236 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Sam Roberts <vieuxtech@gmail.com> Reviewed-By: Ujjwal Sharma <usharma1998@gmail.com> Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
addaleax
pushed a commit
that referenced
this pull request
Feb 25, 2019
The previously used OpenSSL call only supports encrypted PKCS8, this commit adds support for unencrypted PKCS8. PR-URL: #26236 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Sam Roberts <vieuxtech@gmail.com> Reviewed-By: Ujjwal Sharma <usharma1998@gmail.com> Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
|
@addaleax this should land on all release lines, right? |
|
I think that’s a question for @tniessen :) |
Merged
rvagg
pushed a commit
that referenced
this pull request
Feb 28, 2019
The previously used OpenSSL call only supports encrypted PKCS8, this commit adds support for unencrypted PKCS8. PR-URL: #26236 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Sam Roberts <vieuxtech@gmail.com> Reviewed-By: Ujjwal Sharma <usharma1998@gmail.com> Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
|
@ryzokuken I believe the key object API (which also added support for DER) has only landed on v11 so far so this only applies to v11. |
tniessen
removed
the
author ready
# for free
to join this conversation on GitHub.
Already have an account?
# to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The previously used OpenSSL call only supports encrypted PKCS8, this commit adds support for unencrypted PKCS8. This only affects keys that are encoded as DER using PKCS#8 without encryption, which probably explains why nobody noticed this earlier.
cc @nodejs/crypto
Checklist
make -j4 test(UNIX), orvcbuild test(Windows) passes