From 15a6e92c9adb39acde41a9b11cec0cbde8ad763b Mon Sep 17 00:00:00 2001 From: nils stolpe Date: Mon, 20 Nov 2023 09:24:22 -0500 Subject: [PATCH] Merge pull request from GHSA-c2ff-88x2-x9pg * added fix to public key pem matcher so it handles pkcs1 and x.509 keys * fix: removed empty line at start of key strings --- src/crypto.js | 16 +++++++--------- test/crypto.spec.js | 12 ++++-------- 2 files changed, 11 insertions(+), 17 deletions(-) diff --git a/src/crypto.js b/src/crypto.js index a9fd4ae..a953301 100644 --- a/src/crypto.js +++ b/src/crypto.js @@ -26,7 +26,7 @@ const base64UrlMatcher = /[=+/]/g const encoderMap = { '=': '', '+': '-', '/': '_' } const privateKeyPemMatcher = /^-----BEGIN(?: (RSA|EC|ENCRYPTED))? PRIVATE KEY-----/ -const publicKeyPemMatcher = '-----BEGIN PUBLIC KEY-----' +const publicKeyPemMatcher = /^-----BEGIN( RSA)? PUBLIC KEY-----/ const publicKeyX509CertMatcher = '-----BEGIN CERTIFICATE-----' const privateKeysCache = new Cache(1000) const publicKeysCache = new Cache(1000) @@ -44,7 +44,7 @@ const ecCurves = { /* istanbul ignore next */ if (!useNewCrypto) { - directSign = function(alg, data, options) { + directSign = function (alg, data, options) { if (typeof alg === 'undefined') { throw new TokenError(TokenError.codes.signError, 'EdDSA algorithms are not supported by your Node.js version.') } @@ -55,7 +55,7 @@ if (!useNewCrypto) { } } -const PrivateKey = asn.define('PrivateKey', function() { +const PrivateKey = asn.define('PrivateKey', function () { this.seq().obj( this.key('version').int(), this.key('algorithm') @@ -69,7 +69,7 @@ const PrivateKey = asn.define('PrivateKey', function() { ) }) -const PublicKey = asn.define('PublicKey', function() { +const PublicKey = asn.define('PublicKey', function () { this.seq().obj( this.key('algorithm') .seq() 
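Review bot: The new `publicKeyPemMatcher` is anchored with `^` and carries no `m` flag, so a PEM with anything before its header (a leading newline, template-literal indentation, a comment line) no longer matches, whereas the `includes` check it replaces tolerated that; the test fixtures in this same patch had to drop their leading newline for exactly this reason. In `performDetectPublicKeyAlgorithms` (a later hunk) a public key that fails this match and is not a certificate falls through to the "assume a plain secret" branch and is used as an HMAC secret, which is the algorithm-confusion condition this advisory fix is meant to close. Tolerate leading whitespace instead, `const publicKeyPemMatcher = /^\s*-----BEGIN( RSA)? PUBLIC KEY-----/`, or trim the key once before any matcher runs, and consider the same for `privateKeyPemMatcher`, which is anchored the same way. Note that `publicKeyX509CertMatcher` is still a plain substring check, so after this change the three matchers disagree on whether surrounding text is allowed.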
@@ -82,7 +82,7 @@ const PublicKey = asn.define('PublicKey', function() { ) }) -const ECPrivateKey = asn.define('ECPrivateKey', function() { +const ECPrivateKey = asn.define('ECPrivateKey', function () { this.seq().obj( this.key('version').int(), this.key('privateKey').octstr(), @@ -103,7 +103,7 @@ function cacheSet(cache, key, value, error) { } function performDetectPrivateKeyAlgorithm(key) { - if (key.includes(publicKeyPemMatcher) || key.includes(publicKeyX509CertMatcher)) { + if (key.match(publicKeyPemMatcher) || key.includes(publicKeyX509CertMatcher)) { throw new TokenError(TokenError.codes.invalidKey, 'Public keys are not supported for signing.') } @@ -157,7 +157,7 @@ function performDetectPrivateKeyAlgorithm(key) { function performDetectPublicKeyAlgorithms(key) { if (key.match(privateKeyPemMatcher)) { throw new TokenError(TokenError.codes.invalidKey, 'Private keys are not supported for verifying.') - } else if (!key.includes(publicKeyPemMatcher) && !key.includes(publicKeyX509CertMatcher)) { + } else if (!key.match(publicKeyPemMatcher) && !key.includes(publicKeyX509CertMatcher)) { // Not a PEM, assume a plain secret return hsAlgorithms } @@ -226,7 +226,6 @@ function detectPublicKeyAlgorithms(key) { if (!key) { return 'none' } - // Check cache first const [cached, error] = publicKeysCache.get(key) || [] @@ -243,7 +242,6 @@ function detectPublicKeyAlgorithms(key) { } else if (typeof key !== 'string') { throw new TokenError(TokenError.codes.invalidKey, 'The public key must be a string or a buffer.') } - return cacheSet(publicKeysCache, key, performDetectPublicKeyAlgorithms(key)) } catch (e) { throw cacheSet( diff --git a/test/crypto.spec.js b/test/crypto.spec.js index 3bdb7b0..971c9cc 100644 --- a/test/crypto.spec.js +++ b/test/crypto.spec.js 
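Review bot: In `performDetectPublicKeyAlgorithms`, any string that matches neither `publicKeyPemMatcher` nor `publicKeyX509CertMatcher` is still returned as `hsAlgorithms`, so a PEM this code does not recognise (an unsupported BEGIN type, or a public key with leading whitespace that the `^`-anchored regex rejects) is silently accepted as an HMAC secret — the same class of algorithm confusion this patch addresses for PKCS#1 keys. Fail closed instead: before the `// Not a PEM, assume a plain secret` comment add `if (key.includes('-----BEGIN ')) throw new TokenError(TokenError.codes.invalidKey, 'Unsupported key format.')`, so only strings carrying no PEM armour at all are treated as secrets. The same leading-whitespace gap applies to the `key.match(publicKeyPemMatcher)` guard in `performDetectPrivateKeyAlgorithm`; what that function does with a key that passes the guard is outside its hunk. Both function bodies continue past the end of their hunks.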
@@ -43,8 +43,7 @@ const detectedAlgorithms = { PS: rsaAlgorithms } -const invalidPrivatePKCS8 = ` ------BEGIN PRIVATE KEY----- +const invalidPrivatePKCS8 = `-----BEGIN PRIVATE KEY----- MIIBSwIBADCCASsGByqGSM44BAEwggEeAoGBAMGxOb7Tft3j9ibDnbRQmSzNFVWI zXgZuKcImr0hfaTHiCezcafkUCydrdlE+UddkS7i8I2USopaAC8qXm9MakL7aTLa PdCJIPBjmcMSXfxqngeIko1mGySNRVCc2QxGHvMSkjTrY7TEzvgI4cJDg9ykZGU1 @@ -55,16 +54,14 @@ sZjIEvC33/YIQaP8Gvw0zKIQFS9vMwQXAhUAxRK28V19J5W4jfBY+3L3Zy/XbIo= -----END PRIVATE KEY----- ` -const invalidPrivateCurve = ` ------BEGIN EC PRIVATE KEY----- +const invalidPrivateCurve = `-----BEGIN EC PRIVATE KEY----- MHECAQEEHgMIJ+JtbK1h1Hr+VuYfQD/lWlBSRo2Fx4+10MljjKAKBggqhkjOPQMA DaFAAz4ABH2YBzIol9aAQrQERTRHF31ztVeZ6dr8T8qJiitVoAFKep39qV9n/7sV NspwxJ55TbI7tJiW6tcF2/MdOw== -----END EC PRIVATE KEY----- ` -const invalidPublicPKCS8 = ` ------BEGIN PUBLIC KEY----- +const invalidPublicPKCS8 = `-----BEGIN PUBLIC KEY----- MIIBtzCCASwGByqGSM44BAEwggEfAoGBALqI31HbMCIw1QPaf2nGT6z7DaYu/NRV sdQ8cBkQSvegBXOTbAS+hxNq3rMcwm240ukBKnpvdEB3gyegsmNK2UVjrBgdl6Xs 0H9TK5Utnv5HspziTKgCy6Zf5IrAsiitrwnb+fBYLJrVGRAJErNmVVTXo6wiDHhW @@ -78,8 +75,7 @@ dceK/5cqXl02B+Q= -----END PUBLIC KEY----- ` -const invalidPublicCurve = ` ------BEGIN PUBLIC KEY----- +const invalidPublicCurve = `-----BEGIN PUBLIC KEY----- MFUwEwYHKoZIzj0CAQYIKoZIzj0DAA0DPgAEBaKDc/7IW3cMDxat8ivVjqDq1TZ+ T7r5sAUIWaF0Q5uk5NYmLOnCFxoP8Ua16sraCbAozdvg0wfvT7Cq -----END PUBLIC KEY-----
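Review bot: The test changes in this patch only strip the leading newline from four existing fixtures — the diffstat's 4 insertions and 8 deletions for `test/crypto.spec.js` are fully accounted for by these hunks — so nothing exercises the new `( RSA)?` alternative: no fixture beginning `-----BEGIN RSA PUBLIC KEY-----` is added, and there is no assertion that `detectPublicKeyAlgorithms` refuses to return `hsAlgorithms` for such a key or that the signing path (`performDetectPrivateKeyAlgorithm`) rejects it. A regression test for the advisory should pin both outcomes. Dropping the leading newline also hides the behaviour change rather than testing it: keep one fixture with the leading newline these had and assert explicitly what the anchored matcher is expected to do with it, so the decision is recorded rather than incidental. The last hunk on this line (`invalidPublicCurve`) is cut off at the end of the view.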