Merge pull request from GHSA-c2ff-88x2-x9pg
* added fix to public key PEM matcher so it handles PKCS#1 ("RSA PUBLIC KEY") and X.509 keys

* fix: removed empty line at start of key strings
nstolpe authored Nov 20, 2023
1 parent a5ef39b commit 15a6e92
Showing 2 changed files with 11 additions and 17 deletions.
16 changes: 7 additions & 9 deletions src/crypto.js
Expand Up @@ -26,7 +26,7 @@ const base64UrlMatcher = /[=+/]/g
const encoderMap = { '=': '', '+': '-', '/': '_' }

const privateKeyPemMatcher = /^-----BEGIN(?: (RSA|EC|ENCRYPTED))? PRIVATE KEY-----/
const publicKeyPemMatcher = '-----BEGIN PUBLIC KEY-----'
const publicKeyPemMatcher = /^-----BEGIN( RSA)? PUBLIC KEY-----/
const publicKeyX509CertMatcher = '-----BEGIN CERTIFICATE-----'
const privateKeysCache = new Cache(1000)
const publicKeysCache = new Cache(1000)
Expand All @@ -44,7 +44,7 @@ const ecCurves = {

/* istanbul ignore next */
if (!useNewCrypto) {
directSign = function(alg, data, options) {
directSign = function (alg, data, options) {
if (typeof alg === 'undefined') {
throw new TokenError(TokenError.codes.signError, 'EdDSA algorithms are not supported by your Node.js version.')
}
Expand All @@ -55,7 +55,7 @@ if (!useNewCrypto) {
}
}

const PrivateKey = asn.define('PrivateKey', function() {
const PrivateKey = asn.define('PrivateKey', function () {
this.seq().obj(
this.key('version').int(),
this.key('algorithm')
Expand All @@ -69,7 +69,7 @@ const PrivateKey = asn.define('PrivateKey', function() {
)
})

const PublicKey = asn.define('PublicKey', function() {
const PublicKey = asn.define('PublicKey', function () {
this.seq().obj(
this.key('algorithm')
.seq()
Expand All @@ -82,7 +82,7 @@ const PublicKey = asn.define('PublicKey', function() {
)
})

const ECPrivateKey = asn.define('ECPrivateKey', function() {
const ECPrivateKey = asn.define('ECPrivateKey', function () {
this.seq().obj(
this.key('version').int(),
this.key('privateKey').octstr(),
Expand All @@ -103,7 +103,7 @@ function cacheSet(cache, key, value, error) {
}

function performDetectPrivateKeyAlgorithm(key) {
if (key.includes(publicKeyPemMatcher) || key.includes(publicKeyX509CertMatcher)) {
if (key.match(publicKeyPemMatcher) || key.includes(publicKeyX509CertMatcher)) {
throw new TokenError(TokenError.codes.invalidKey, 'Public keys are not supported for signing.')
}

Expand Down Expand Up @@ -157,7 +157,7 @@ function performDetectPrivateKeyAlgorithm(key) {
function performDetectPublicKeyAlgorithms(key) {
if (key.match(privateKeyPemMatcher)) {
throw new TokenError(TokenError.codes.invalidKey, 'Private keys are not supported for verifying.')
} else if (!key.includes(publicKeyPemMatcher) && !key.includes(publicKeyX509CertMatcher)) {
} else if (!key.match(publicKeyPemMatcher) && !key.includes(publicKeyX509CertMatcher)) {
// Not a PEM, assume a plain secret
return hsAlgorithms
}
Expand Down Expand Up @@ -226,7 +226,6 @@ function detectPublicKeyAlgorithms(key) {
if (!key) {
return 'none'
}

// Check cache first
const [cached, error] = publicKeysCache.get(key) || []

Expand All @@ -243,7 +242,6 @@ function detectPublicKeyAlgorithms(key) {
} else if (typeof key !== 'string') {
throw new TokenError(TokenError.codes.invalidKey, 'The public key must be a string or a buffer.')
}

return cacheSet(publicKeysCache, key, performDetectPublicKeyAlgorithms(key))
} catch (e) {
throw cacheSet(
Expand Down
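Review bot: The new `publicKeyPemMatcher` is anchored with `^`, so a PEM public key with any leading whitespace or newline no longer matches, and the `else if` in performDetectPublicKeyAlgorithms then drops into the `// Not a PEM, assume a plain secret` branch and returns hsAlgorithms — the same public-key-used-as-HMAC-secret confusion this advisory fix is closing; the test fixtures in this commit were edited to drop exactly such a leading newline, which suggests the case was hit. The old `includes` check was unanchored and the `publicKeyX509CertMatcher` check on the same line still is, so the anchoring is also inconsistent across the three matchers (the pre-existing `^` on `privateKeyPemMatcher` has the same weakness). Suggest tolerating leading whitespace, `const publicKeyPemMatcher = /^\s*-----BEGIN( RSA)? PUBLIC KEY-----/`, and, more importantly, failing closed before the plain-secret fallback: `} else if (key.includes('-----BEGIN')) { throw new TokenError(TokenError.codes.invalidKey, 'Unsupported key format.') }` so an unrecognised PEM is rejected instead of silently used as a shared secret. Whether Buffer keys are stringified before reaching these matchers is not visible here; both performDetect* functions continue outside the hunks.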
12 changes: 4 additions & 8 deletions test/crypto.spec.js
Expand Up @@ -43,8 +43,7 @@ const detectedAlgorithms = {
PS: rsaAlgorithms
}

const invalidPrivatePKCS8 = `
-----BEGIN PRIVATE KEY-----
const invalidPrivatePKCS8 = `-----BEGIN PRIVATE KEY-----
MIIBSwIBADCCASsGByqGSM44BAEwggEeAoGBAMGxOb7Tft3j9ibDnbRQmSzNFVWI
zXgZuKcImr0hfaTHiCezcafkUCydrdlE+UddkS7i8I2USopaAC8qXm9MakL7aTLa
PdCJIPBjmcMSXfxqngeIko1mGySNRVCc2QxGHvMSkjTrY7TEzvgI4cJDg9ykZGU1
Expand All @@ -55,16 +54,14 @@ sZjIEvC33/YIQaP8Gvw0zKIQFS9vMwQXAhUAxRK28V19J5W4jfBY+3L3Zy/XbIo=
-----END PRIVATE KEY-----
`

const invalidPrivateCurve = `
-----BEGIN EC PRIVATE KEY-----
const invalidPrivateCurve = `-----BEGIN EC PRIVATE KEY-----
MHECAQEEHgMIJ+JtbK1h1Hr+VuYfQD/lWlBSRo2Fx4+10MljjKAKBggqhkjOPQMA
DaFAAz4ABH2YBzIol9aAQrQERTRHF31ztVeZ6dr8T8qJiitVoAFKep39qV9n/7sV
NspwxJ55TbI7tJiW6tcF2/MdOw==
-----END EC PRIVATE KEY-----
`

const invalidPublicPKCS8 = `
-----BEGIN PUBLIC KEY-----
const invalidPublicPKCS8 = `-----BEGIN PUBLIC KEY-----
MIIBtzCCASwGByqGSM44BAEwggEfAoGBALqI31HbMCIw1QPaf2nGT6z7DaYu/NRV
sdQ8cBkQSvegBXOTbAS+hxNq3rMcwm240ukBKnpvdEB3gyegsmNK2UVjrBgdl6Xs
0H9TK5Utnv5HspziTKgCy6Zf5IrAsiitrwnb+fBYLJrVGRAJErNmVVTXo6wiDHhW
Expand All @@ -78,8 +75,7 @@ dceK/5cqXl02B+Q=
-----END PUBLIC KEY-----
`

const invalidPublicCurve = `
-----BEGIN PUBLIC KEY-----
const invalidPublicCurve = `-----BEGIN PUBLIC KEY-----
MFUwEwYHKoZIzj0CAQYIKoZIzj0DAA0DPgAEBaKDc/7IW3cMDxat8ivVjqDq1TZ+
T7r5sAUIWaF0Q5uk5NYmLOnCFxoP8Ua16sraCbAozdvg0wfvT7Cq
-----END PUBLIC KEY-----
Expand Down
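Review bot: Nothing in the hunks shown exercises the new `-----BEGIN RSA PUBLIC KEY-----` (PKCS#1) header that the `( RSA)?` group was added for — the only test changes are dropping the leading newline from four existing fixtures. Add a fixture with that header and assert that detectPublicKeyAlgorithms does not return the HS algorithm list for it and that using it as a signing key throws the "Public keys are not supported for signing." error, since a regression there is exactly the algorithm-confusion path. Dropping the leading newline from the fixtures also removes coverage for a PEM that begins with whitespace; keep one such fixture and pin the intended outcome (rejection or detection, never the plain-secret fallback). The test file's framework and remaining cases are outside this hunk.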
