crypto: fix unencrypted DER PKCS8 parsing #26236

tniessen
Member

The previously used OpenSSL call only supports encrypted PKCS8, this commit adds support for unencrypted PKCS8. This only affects keys that are encoded as DER using PKCS#8 without encryption, which probably explains why nobody noticed this earlier.

cc @nodejs/crypto

Checklist
  • make -j4 test (UNIX), or vcbuild test (Windows) passes
  • tests and/or benchmarks are included
  • commit message follows commit guidelines

The previously used OpenSSL call only supports encrypted PKCS8,
this commit adds support for unencrypted PKCS8.
@nodejs-github-bot nodejs-github-bot added c++ Issues and PRs that require attention from people who are familiar with C++. crypto Issues and PRs related to the crypto subsystem. labels Feb 21, 2019
@addaleax
Member

@nodejs/crypto

@tniessen
Member Author

tniessen commented Feb 21, 2019

Contributor

@sam-github sam-github left a comment

You can test by running the decoding in a loop over a valid key, something like this pseudo-code.

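valid = valid_der;
// Include i == valid.size so the untruncated key is checked as well.
for (i = 0; i <= valid.size; i++) {
  invalid = valid.truncate(i)
  let err = null
  try {
    parse(invalid)
  } catch (e) {
    err = e;
  }
  // Every proper prefix must be rejected; only the full key may parse.
  if (i < valid.size) assert(err !== null)
  else assert.ifError(err)
}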

We don't usually do this, because we assume that OpenSSL has a correct bug-free decoder, but if we have our own, I think we should be careful to test invalid data.
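The truncation test sketched in the comment above, written against Node's public `crypto` API as an added example (it is not code from this pull request or from Node's test suite). It also runs the same loop over the encrypted PKCS#8 form, which goes beyond the pseudo-code; the helper name `truncationFailures`, the P-256 key and the passphrase are assumptions made for the illustration.

```javascript
'use strict';
const crypto = require('node:crypto');

// Constructed sample input: a throwaway P-256 key generated at run time.
const { privateKey } = crypto.generateKeyPairSync('ec', {
  namedCurve: 'prime256v1',
});
const PASSPHRASE = 'example-passphrase'; // constructed value

// The same key as unencrypted and as encrypted PKCS#8 DER.
const plainDer = privateKey.export({ format: 'der', type: 'pkcs8' });
const encryptedDer = privateKey.export({
  format: 'der',
  type: 'pkcs8',
  cipher: 'aes-256-cbc',
  passphrase: PASSPHRASE,
});

// Hypothetical helper: parse every prefix of `der` and return the prefix
// lengths whose outcome is wrong. A proper prefix must be rejected and the
// full buffer must parse, so an empty array means the decoder behaved.
function truncationFailures(der, passphrase) {
  const unexpected = [];
  for (let i = 0; i <= der.length; i++) {
    let err = null;
    try {
      crypto.createPrivateKey({
        key: der.subarray(0, i),
        format: 'der',
        type: 'pkcs8',
        passphrase,
      });
    } catch (e) {
      err = e;
    }
    const shouldFail = i < der.length;
    if (shouldFail !== (err !== null)) unexpected.push(i);
  }
  return unexpected;
}

console.log('unencrypted PKCS#8:', truncationFailures(plainDer));
console.log('encrypted PKCS#8:  ', truncationFailures(encryptedDer, PASSPHRASE));
```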

Contributor

@ryzokuken ryzokuken left a comment

I checked out this branch, and this change literally is exactly what was needed to make easy-crypto work and what not.

Great work, @tniessen! 🎉

Member

@mcollina mcollina left a comment

LGTM

@BridgeAR BridgeAR added the author ready PRs that have at least one approval, no pending requests for changes, and a CI started. label Feb 21, 2019
@tniessen
Member Author

Thanks for reviewing, landed in 8d69fdd.

@tniessen tniessen closed this Feb 23, 2019
tniessen added a commit that referenced this pull request Feb 23, 2019
The previously used OpenSSL call only supports encrypted PKCS8,
this commit adds support for unencrypted PKCS8.

PR-URL: #26236
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Ujjwal Sharma <usharma1998@gmail.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
addaleax pushed a commit that referenced this pull request Feb 25, 2019
@ryzokuken
Contributor

@addaleax this should land on all release lines, right?

@addaleax
Member

I think that’s a question for @tniessen :)

@BridgeAR BridgeAR mentioned this pull request Feb 26, 2019
rvagg pushed a commit that referenced this pull request Feb 28, 2019
@tniessen
Member Author

tniessen commented Mar 1, 2019

@ryzokuken I believe the key object API (which also added support for DER) has only landed on v11 so far so this only applies to v11.

@tniessen tniessen removed the author ready PRs that have at least one approval, no pending requests for changes, and a CI started. label Jan 14, 2021