Skip to content

crypto: clear OpenSSL error queue after calling X509_verify()#45377

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
nodejs-github-bot merged 4 commits into from
Nov 17, 2022
Merged

crypto: clear OpenSSL error queue after calling X509_verify() #45377

nodejs-github-bot merged 4 commits into from
Nov 17, 2022

Conversation

@takuro-sato
Copy link
Contributor

@takuro-satotakuro-sato commented Nov 8, 2022
edited
Loading

Prior to this commit, functions accessing the OpenSSL error queue did not work properly after x509.verify() returned false.

Example code to reproduce the bug

constcrypto=require('crypto');constcert0=newcrypto.X509Certificate('-----BEGIN CERTIFICATE-----\n'+'MIICeTCCAWGgAwIBAgIBADANBgkqhkiG9w0BAQsFADAAMB4XDTIyMTEwNzExMzU0\n'+'NloXDTIyMTEwNzExMzU0NlowADCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC\n'+'ggEBAKXDiNM5kCg3m7mBmLGhTWDLo3rEDf7nfI77V2rS9jXg0wV1LvnxQcYFeUud\n'+'zfvZpSc07TdmSDWJhE04/9G2fk86RwnMYj9KBLCgqzjk/wnrlcB8BuFPC5ZUKm+e\n'+'OmpfwzxRsqU0dlp/C6BmZV8cuvOKbxcq7MnACmS3lOvDUIdXjkEI1LEkzQudQNQi\n'+'S2PDPRUFm5KDkLmky2MACUkUA1eGMI8GLV60fzrsMnD6/lIGgDgRjcMdtv7D0F0K\n'+'D/AbCfXv4Z6SCKgp+0nLC5PpacNWu0yk1y4ihm9BHCRrxGcMzX5ce9pUfXVt6nUA\n'+'gwzlTcMno28yb16dBd9+XdQu/p8CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAVaRJ\n'+'CSOGycfz+bOGvSkLIOGWjtRoeaX/hMwCB/b0BuAVmcyWJuPsPcghwDnNUJAlxDnB\n'+'R7F6+J9P2kv7V+B4nlB/w0YHbidlSGeyd7AENsHqwYzOaoGCcr0B8pQrocj5Dm3g\n'+'JmPGMmMSa+MJfPD5j1///plvbLzBdG8nm9nG1yzOho+4lJf0VUwDnVEcRJp1w7kF\n'+'Ys19JJo78BEnUHJMOv1vE1KINY1k6wB69BJwZoW6tDjwHcHAtWzOA6324r+2tmnK\n'+'HCKAw78IZsDjLtC13LtrqFgWXzOh6WkLGmS7W01Coi3+uZcmWwJv/8m+2VlOXgrg\n'+'iQYf67llQlRAay0wnA==\n'+'-----END CERTIFICATE-----\n');constcert1=newcrypto.X509Certificate('-----BEGIN CERTIFICATE-----\n'+'MIICeTCCAWGgAwIBAgIBADANBgkqhkiG9w0BAQsFADAAMB4XDTIyMTEwNzExMzU0\n'+'N1oXDTIyMTEwNzExMzU0N1owADCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC\n'+'ggEBAOc1bvNUvDCUxLhgNc9oQ8WwXsVSGHWaulf93eA1m9oB3kzvoCbEURN1k/dv\n'+'QoeLhovosZqnyz4W/2o+RHwCy/PNi3FGGaFGcpMTdwEGLn8TlGcUKv32h1Her+og\n'+'XnwGqZizD8xBbqfi5WRcX3JS02EKC8BVlDQiru2eToR+T6ZiOIGRZDNYYHUGvoSz\n'+'0nFiLzFLEwuMhEJhGmXcy0JyWx4BnYwEYYnwdKSAPakYFzvePMvpYyX2Xg4eD65j\n'+'kBRtKSYxDK39rXR6BfH7UpVjsY6H3TlVXYQdkxBPfzZlCPJBMG6TJRl2IzYJU1H4\n'+'JK84mEhDGnE9fxxvxykYX5a7YYMCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAAPcQ\n'+'cA6MFAGvbrACFYKHx7rMZ/HxjEps47Dq8zapqPWaTZVCSRI3si8lH99UW0DCRlRJ\n'+'VQnW2l7Ag7edp2RLQlCoH8gzEkCXvG3CNVE+U82WnlsUA+FTTV+X4W9Va3nNe2ZU\n'+'B8SO4V0374osYlM5UaUz9VWU3ulBupufQ9wdJTEVPcfEekDXVGeJIFeiyafhIYrB\n'+'H6OA1xhS0Yf2NtEIup2vexJ3wOxXh1ZyPR190Jr2b9ePylcUU2DWSCMvnzFdCPLt\n'+'aHR8RktrScK8BVXMag2Fvvgoco0XCIoWl/kPN3I0SnvIcTHa/uWA49ijMqwM1yDc\n'+'Timu77Xm/VYec/v1qg==\n'+'-----END CERTIFICATE-----\n')constcert2=newcrypto.X509Certificate('-----BEGIN CERTIFICATE-----\n'+'MIICeTCCAWGgAwIBAgIBADANBgkqhkiG9w0BAQsFADAAMB4XDTIyMTEwNzExMzU0\n'+'N1oXDTIyMTEwNzExMzU0N1owADCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC\n'+'ggEBAJwgfV4eP/rsHYVtuCBvahP7tWJ/Djs9V11NHuVB11zUng2NiwfT3qvRfR/G\n'+'kc+fEUB/8K9kV4kGiFwB+xOKZ/0vpiRVKINPhrDJYdehahlT5iwF3dkTqNARp9MK\n'+'Dk1z3iAa0aQXNXCwIUNhs+8GZmXHZn8AOjAcBz03alBwUaYINMQVfjERT+BOCr7E\n'+'wK793iY8knF0ZT07GKIzqRFJhueBA+VKfoXluSSa7SoAO3UwYt72k1UIdUjA5C73\n'+'I8ZnlmIAVldjpO4AZdhwcVrHth54G3SAtt/vjk3052iJXpICduPWCUCF+pZDkRSO\n'+'DkSNfzaxr40I2raP0hvveUiArBUCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAjkdh\n'+'B0fyPt2Gyt5KRoCqsy8dS3iEhT98YzULeBk+mtcJXsbH8aEBXQzqzSnYfP3LeDxK\n'+'xP87pcP+V9sruQixHGNYQqRar8jpBuAhQAX8aqgWe4rc++3RbotafYJ7ILRj3J6K\n'+'0JXB3YXxjk7vp0aO/eaodKFM3g5EnKtXHH37yDZMQ665RPglh+MoJOw4BVutLPh4\n'+'MpmTY1yxl/HbIvqv8uQw55ftjXSaRB/pCCh4IjcQ3LS9FXE4pdESwgKScy8JsiDt\n'+'z/BtAH3hG/AbVon2RWBF4d5exFl4aJj3CSNKvMlu7q/CSbDWxdCafO433QRsI6SV\n'+'fW0jkmnFsvaUpOAF0w==\n'+'-----END CERTIFICATE-----\n');constprivateKeyPem='-----BEGIN PRIVATE KEY-----\n'+'MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgo5BAQydImlcOf1LS\n'+'7FrRfoBgHHUqevagq/1nmv3thMChRANCAAQ/oNhs1q1GJ4OOats5kaARTOPBZgzb\n'+'MpVnfwmmLDYGOJotCe0sVAUMYBCQ4DHko9DdOH6HWPSiGAzohs4nwDZz\n'+'-----END PRIVATE KEY-----';constprivateKey=crypto.createPrivateKey({key: privateKeyPem})console.log(privateKey.asymmetricKeyDetails)//{namedCurve: 'prime256v1' }crypto.createPrivateKey({key: privateKeyPem})console.log(cert1.verify(cert2.publicKey))// truecrypto.createPrivateKey({key: privateKeyPem})console.log(cert0.verify(cert2.publicKey))// falsecrypto.createPrivateKey({key: privateKeyPem})// It throws and error is about RSA key even though `key` is prime256v1

output:

{namedCurve: 'prime256v1' } true false node:internal/crypto/keys:620 handle.init(kKeyTypePrivate, data, format, type, passphrase); ^ Error: error:0200008A:rsa routines::invalid padding at Object.createPrivateKey (node:internal/crypto/keys:620:12) at Object.<anonymous> (/home/takuro/Projects/dev_node/bug.js:76:8) at Module._compile (node:internal/modules/cjs/loader:1159:14) at Module._extensions..js (node:internal/modules/cjs/loader:1213:10) at Module.load (node:internal/modules/cjs/loader:1037:32) at Module._load (node:internal/modules/cjs/loader:878:12) at Function.executeUserEntryPoint [as runMain] (node:internal/modules/run_main:82:12) at node:internal/main/run_main_module:23:47{opensslErrorStack: [ 'error:06880006:asn1 encoding routines::EVP lib', 'error:1C880004:Provider routines::RSA lib', 'error:02000072:rsa routines::padding check failed' ], library: 'rsa routines', reason: 'invalid padding', code: 'ERR_OSSL_RSA_INVALID_PADDING' } Node.js v19.0.1

Note

I got an error when I ran make -j4 test locally, but I believe it's not related to this PR because I got the same one with the latest main and v19.0.1.

make -s jstest ninja: Entering directory `out/Release' ninja: no work to do. === release test-tls-dhe === Path: parallel/test-tls-dhe Command: out/Release/node --no-warnings /home/takuro/Projects/node/test/parallel/test-tls-dhe.js --- TIMEOUT --- [05:04|% 100|+ 3769|- 1]: Done make[1]: *** [Makefile:307: jstest] Error 1 make: *** [Makefile:333: test] Error 2

@takuro-sato
crypto: clear OpenSSL error queue after calling X509_verify()
b65799c
Prior to this commit, functions accessing the OpenSSL error queue did not work properly after x509.verify() returned false.
@nodejs-github-bot
Copy link
Collaborator

nodejs-github-bot commented Nov 8, 2022

Review requested:

  • @nodejs/crypto

@nodejs-github-botnodejs-github-bot added c++ Issues and PRs that require attention from people who are familiar with C++. crypto Issues and PRs related to the crypto subsystem. needs-ci PRs that need a full CI run. labels Nov 8, 2022
@takuro-satotakuro-sato marked this pull request as ready for review November 8, 2022 16:17
tniessen
tniessen reviewed Nov 8, 2022
View reviewed changes
Copy link
Member

@tniessentniessen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As this function is currently implemented, it ignores the difference between errors and verification failure. As such, this change appears logical. (Whether the current behavior is the best choice is a separate question.)

tniessen
tniessen reviewed Nov 8, 2022
View reviewed changes
Copy link
Member

@tniessentniessen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for your contribution.

It seems that the email address you are using to commit your changes is not associated with your GitHub account; we highly recommend that you either add the commit email address to your GitHub account (not to your public GitHub profile!) or that you re-commit your changes with an email address of your choice that is connected to your GitHub account. Note that you can add multiple email addresses to the same GitHub account.

takuro-satoand others added 2 commits November 9, 2022 03:47
@takuro-sato@tniessen
improve comment
5003cc9
Co-authored-by: Tobias Nießen <[email protected]>
@takuro-sato@tniessen
improve comment
f26f710
Co-authored-by: Tobias Nießen <[email protected]>
@takuro-sato
Copy link
ContributorAuthor

takuro-sato commented Nov 8, 2022

Thanks for the recommendation. I added the email to my GitHub account.

@mscdexmscdex mentioned this pull request Nov 16, 2022
Closed
@panvapanva added the request-ci Add this label to start a Jenkins CI on a PR. label Nov 17, 2022
@github-actionsgithub-actionsbot removed the request-ci Add this label to start a Jenkins CI on a PR. label Nov 17, 2022
@nodejs-github-bot

This comment was marked as outdated.

Sign in to view
@tniessentniessen added author ready PRs that have at least one approval, no pending requests for changes, and a CI started. commit-queue-squash Add this label to instruct the Commit Queue to squash all the PR commits into the first one. labels Nov 17, 2022
@nodejs-github-bot
Copy link
Collaborator

nodejs-github-bot commented Nov 17, 2022

CI: https://ci.nodejs.org/job/node-test-pull-request/47984/

@panvapanva added the commit-queue Add this label to land a pull request using GitHub Actions. label Nov 17, 2022
@panva
Copy link
Member

panva commented Nov 17, 2022

@takuro-sato Thank you for your contribution! I noticed it is your first. Congratulations 🎉

@nodejs-github-botnodejs-github-bot removed the commit-queue Add this label to land a pull request using GitHub Actions. label Nov 17, 2022
@nodejs-github-botnodejs-github-bot merged commit 405ea2a into nodejs:mainNov 17, 2022
@nodejs-github-bot
Copy link
Collaborator

nodejs-github-bot commented Nov 17, 2022

Landed in 405ea2a

@panva
Copy link
Member

panva commented Nov 17, 2022

#45495 follows this up, fixing the same problem with x509.checkPrivateKey().

@github-actionsgithub-actionsbot mentioned this pull request Nov 18, 2022
Open
12 tasks
This was referenced Nov 19, 2022
Open
Open
Open
ruyadorno pushed a commit that referenced this pull request Nov 21, 2022
@takuro-sato@ruyadorno
crypto: clear OpenSSL error queue after calling X509_verify()
efe19eb
Prior to this commit, functions accessing the OpenSSL error queue did not work properly after x509.verify() returned false. PR-URL: #45377 Reviewed-By: James M Snell <[email protected]> Reviewed-By: Tobias Nießen <[email protected]> Reviewed-By: Filip Skokan <[email protected]>
@github-actionsgithub-actionsbot mentioned this pull request Nov 22, 2022
Open
15 tasks
marco-ippolito pushed a commit to marco-ippolito/node that referenced this pull request Nov 23, 2022
@takuro-sato@marco-ippolito
crypto: clear OpenSSL error queue after calling X509_verify()
b19c237
Prior to this commit, functions accessing the OpenSSL error queue did not work properly after x509.verify() returned false. PR-URL: nodejs#45377 Reviewed-By: James M Snell <[email protected]> Reviewed-By: Tobias Nießen <[email protected]> Reviewed-By: Filip Skokan <[email protected]>
@ruyadornoruyadorno mentioned this pull request Nov 24, 2022
Merged
@mjones-vsat
Copy link

mjones-vsat commented Dec 16, 2022

Hi there,

Is there any chance that this (as well as the other issue with private keys) may be backported to Node 18?

@mjones-vsatmjones-vsat mentioned this pull request Dec 16, 2022
Closed
danielleadams pushed a commit that referenced this pull request Dec 30, 2022
@takuro-sato@danielleadams
crypto: clear OpenSSL error queue after calling X509_verify()
eb8f19e
Prior to this commit, functions accessing the OpenSSL error queue did not work properly after x509.verify() returned false. PR-URL: #45377 Reviewed-By: James M Snell <[email protected]> Reviewed-By: Tobias Nießen <[email protected]> Reviewed-By: Filip Skokan <[email protected]>
@danielleadamsdanielleadams mentioned this pull request Dec 30, 2022
Merged
danielleadams pushed a commit that referenced this pull request Dec 30, 2022
@takuro-sato@danielleadams
crypto: clear OpenSSL error queue after calling X509_verify()
3b11c84
Prior to this commit, functions accessing the OpenSSL error queue did not work properly after x509.verify() returned false. PR-URL: #45377 Reviewed-By: James M Snell <[email protected]> Reviewed-By: Tobias Nießen <[email protected]> Reviewed-By: Filip Skokan <[email protected]>
danielleadams pushed a commit that referenced this pull request Jan 3, 2023
@takuro-sato@danielleadams
crypto: clear OpenSSL error queue after calling X509_verify()
dae92e7
Prior to this commit, functions accessing the OpenSSL error queue did not work properly after x509.verify() returned false. PR-URL: #45377 Reviewed-By: James M Snell <[email protected]> Reviewed-By: Tobias Nießen <[email protected]> Reviewed-By: Filip Skokan <[email protected]>
danielleadams pushed a commit that referenced this pull request Jan 4, 2023
@takuro-sato@danielleadams
crypto: clear OpenSSL error queue after calling X509_verify()
9ff6df8
Prior to this commit, functions accessing the OpenSSL error queue did not work properly after x509.verify() returned false. PR-URL: #45377 Reviewed-By: James M Snell <[email protected]> Reviewed-By: Tobias Nießen <[email protected]> Reviewed-By: Filip Skokan <[email protected]>
oraluben pushed a commit to oraluben/node that referenced this pull request Mar 14, 2023
@takuro-sato@oraluben
crypto: clear OpenSSL error queue after calling X509_verify()
388d58e
Prior to this commit, functions accessing the OpenSSL error queue did not work properly after x509.verify() returned false. Backport-PR-URL: https://github.com/nodejs-private/node-private/pull/375 CVE-ID: CVE-2023-23919 PR-URL: nodejs/node#45377 Refs: https://hackerone.com/bugs?subject=nodejs&report_id=1808596 Reviewed-By: James M Snell <[email protected]> Reviewed-By: Tobias Nießen <[email protected]> Reviewed-By: Filip Skokan <[email protected]>
oraluben pushed a commit to oraluben/node that referenced this pull request Mar 17, 2023
@takuro-sato@oraluben
crypto: clear OpenSSL error queue after calling X509_verify()
3d76c7a
Prior to this commit, functions accessing the OpenSSL error queue did not work properly after x509.verify() returned false. Backport-PR-URL: https://github.com/nodejs-private/node-private/pull/375 CVE-ID: CVE-2023-23919 PR-URL: nodejs/node#45377 Refs: https://hackerone.com/bugs?subject=nodejs&report_id=1808596 Reviewed-By: James M Snell <[email protected]> Reviewed-By: Tobias Nießen <[email protected]> Reviewed-By: Filip Skokan <[email protected]>
m0th3rch1p pushed a commit to m0th3rch1p/node that referenced this pull request Jul 20, 2025
@takuro-sato@richardlau
crypto: clear OpenSSL error queue after calling X509_verify()
d0ece30
Prior to this commit, functions accessing the OpenSSL error queue did not work properly after x509.verify() returned false. Backport-PR-URL: nodejs-private/node-private#375 CVE-ID: CVE-2023-23919 PR-URL: nodejs#45377 Refs: https://hackerone.com/bugs?subject=nodejs&report_id=1808596 Reviewed-By: James M Snell <[email protected]> Reviewed-By: Tobias Nießen <[email protected]> Reviewed-By: Filip Skokan <[email protected]>
Sign up for freeto join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@panvapanvapanva approved these changes

@jasnelljasnelljasnell approved these changes

@tniessentniessentniessen approved these changes

Assignees

No one assigned

Labels

author readyPRs that have at least one approval, no pending requests for changes, and a CI started.c++Issues and PRs that require attention from people who are familiar with C++.commit-queue-squashAdd this label to instruct the Commit Queue to squash all the PR commits into the first one.cryptoIssues and PRs related to the crypto subsystem.needs-ciPRs that need a full CI run.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@takuro-sato@nodejs-github-bot@panva@mjones-vsat@jasnell@tniessen