crypto: clear OpenSSL error on invalid ca cert
Signed-off-by: RafaelGSS <rafael.nunu@hotmail.com> Refs: https://hackerone.com/bugs?subject=nodejs&report_id=1808596 CVE-ID: CVE-2023-23919 PR-URL: https://github.com/nodejs-private/node-private/pull/368 Reviewed-by: Michael Dawson <midawson@redhat.com>
This commit is contained in:
parent
9b7db62276
commit
438812e14d
@ -340,6 +340,7 @@ void X509Certificate::Pem(const FunctionCallbackInfo<Value>& args) {
|
|||||||
|
|
||||||
void X509Certificate::CheckCA(const FunctionCallbackInfo<Value>& args) {
|
void X509Certificate::CheckCA(const FunctionCallbackInfo<Value>& args) {
|
||||||
X509Certificate* cert;
|
X509Certificate* cert;
|
||||||
|
ClearErrorOnReturn clear_error_on_return;
|
||||||
ASSIGN_OR_RETURN_UNWRAP(&cert, args.Holder());
|
ASSIGN_OR_RETURN_UNWRAP(&cert, args.Holder());
|
||||||
args.GetReturnValue().Set(X509_check_ca(cert->get()) == 1);
|
args.GetReturnValue().Set(X509_check_ca(cert->get()) == 1);
|
||||||
}
|
}
|
||||||
@ -440,6 +441,8 @@ void X509Certificate::CheckIssued(const FunctionCallbackInfo<Value>& args) {
|
|||||||
X509Certificate* issuer;
|
X509Certificate* issuer;
|
||||||
ASSIGN_OR_RETURN_UNWRAP(&issuer, args[0]);
|
ASSIGN_OR_RETURN_UNWRAP(&issuer, args[0]);
|
||||||
|
|
||||||
|
ClearErrorOnReturn clear_error_on_return;
|
||||||
|
|
||||||
args.GetReturnValue().Set(
|
args.GetReturnValue().Set(
|
||||||
X509_check_issued(issuer->get(), cert->get()) == X509_V_OK);
|
X509_check_issued(issuer->get(), cert->get()) == X509_V_OK);
|
||||||
}
|
}
|
||||||
@ -482,6 +485,7 @@ void X509Certificate::ToLegacy(const FunctionCallbackInfo<Value>& args) {
|
|||||||
Environment* env = Environment::GetCurrent(args);
|
Environment* env = Environment::GetCurrent(args);
|
||||||
X509Certificate* cert;
|
X509Certificate* cert;
|
||||||
ASSIGN_OR_RETURN_UNWRAP(&cert, args.Holder());
|
ASSIGN_OR_RETURN_UNWRAP(&cert, args.Holder());
|
||||||
|
ClearErrorOnReturn clear_error_on_return;
|
||||||
Local<Value> ret;
|
Local<Value> ret;
|
||||||
if (X509ToObject(env, cert->get()).ToLocal(&ret))
|
if (X509ToObject(env, cert->get()).ToLocal(&ret))
|
||||||
args.GetReturnValue().Set(ret);
|
args.GetReturnValue().Set(ret);
|
||||||
|
@ -9,6 +9,7 @@ const {
|
|||||||
X509Certificate,
|
X509Certificate,
|
||||||
createPrivateKey,
|
createPrivateKey,
|
||||||
generateKeyPairSync,
|
generateKeyPairSync,
|
||||||
|
createSign,
|
||||||
} = require('crypto');
|
} = require('crypto');
|
||||||
|
|
||||||
const {
|
const {
|
||||||
@ -190,7 +191,12 @@ const der = Buffer.from(
|
|||||||
{
|
{
|
||||||
// https://github.com/nodejs/node/issues/45377
|
// https://github.com/nodejs/node/issues/45377
|
||||||
// https://github.com/nodejs/node/issues/45485
|
// https://github.com/nodejs/node/issues/45485
|
||||||
// Confirm failures of X509Certificate:verify() and X509Certificate:CheckPrivateKey()
|
// Confirm failures of
|
||||||
|
// X509Certificate:verify()
|
||||||
|
// X509Certificate:CheckPrivateKey()
|
||||||
|
// X509Certificate:CheckCA()
|
||||||
|
// X509Certificate:CheckIssued()
|
||||||
|
// X509Certificate:ToLegacy()
|
||||||
// do not affect other functions that use OpenSSL.
|
// do not affect other functions that use OpenSSL.
|
||||||
// Subsequent calls to e.g. createPrivateKey should not throw.
|
// Subsequent calls to e.g. createPrivateKey should not throw.
|
||||||
const keyPair = generateKeyPairSync('ed25519');
|
const keyPair = generateKeyPairSync('ed25519');
|
||||||
@ -198,6 +204,44 @@ const der = Buffer.from(
|
|||||||
createPrivateKey(key);
|
createPrivateKey(key);
|
||||||
assert(!x509.checkPrivateKey(keyPair.privateKey));
|
assert(!x509.checkPrivateKey(keyPair.privateKey));
|
||||||
createPrivateKey(key);
|
createPrivateKey(key);
|
||||||
|
const certPem = `
|
||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
MIID6zCCAtOgAwIBAgIUTUREAaNcNL0zPkxAlMX0GJtJ/FcwDQYJKoZIhvcNAQEN
|
||||||
|
BQAwgYkxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMREwDwYDVQQH
|
||||||
|
DAhDYXJsc2JhZDEPMA0GA1UECgwGVmlhc2F0MR0wGwYDVQQLDBRWaWFzYXQgU2Vj
|
||||||
|
dXJlIE1vYmlsZTEiMCAGA1UEAwwZSGFja2VyT25lIHJlcG9ydCAjMTgwODU5NjAi
|
||||||
|
GA8yMDIyMTIxNjAwMDAwMFoYDzIwMjMxMjE1MjM1OTU5WjCBiTELMAkGA1UEBhMC
|
||||||
|
VVMxEzARBgNVBAgMCkNhbGlmb3JuaWExETAPBgNVBAcMCENhcmxzYmFkMQ8wDQYD
|
||||||
|
VQQKDAZWaWFzYXQxHTAbBgNVBAsMFFZpYXNhdCBTZWN1cmUgTW9iaWxlMSIwIAYD
|
||||||
|
VQQDDBlIYWNrZXJPbmUgcmVwb3J0ICMxODA4NTk2MIIBIjANBgkqhkiG9w0BAQEF
|
||||||
|
AAOCAQ8AMIIBCgKCAQEA6I7RBPm4E/9rIrCHV5lfsHI/yYzXtACJmoyP8OMkjbeB
|
||||||
|
h21oSJJF9FEnbivk6bYaHZIPasa+lSAydRM2rbbmfhF+jQoWYCIbV2ztrbFR70S1
|
||||||
|
wAuJrlYYm+8u+1HUru5UBZWUr/p1gFtv3QjpA8+43iwE4pXytTBKPXFo1f5iZwGI
|
||||||
|
D5Bz6DohT7Tyb8cpQ1uMCMCT0EJJ4n8wUrvfBgwBO94O4qlhs9vYgnDKepJDjptc
|
||||||
|
uSuEpvHALO8+EYkQ7nkM4Xzl/WK1yFtxxE93Jvd1OvViDGVrRVfsq+xYTKknGLX0
|
||||||
|
QIeoDDnIr0OjlYPd/cqyEgMcFyFxwDSzSc1esxdCpQIDAQABo0UwQzAdBgNVHQ4E
|
||||||
|
FgQUurygsEKdtQk0T+sjM0gEURdveRUwEgYDVR0TAQH/BAgwBgEB/wIB/zAOBgNV
|
||||||
|
HQ8BAf8EBAMCB4AwDQYJKoZIhvcNAQENBQADggEBAH7mIIXiQsQ4/QGNNFOQzTgP
|
||||||
|
/bUbMSZJsY5TPAvS9rF9yQVzs4dJZnQk5kEb/qrDQSe27oP0L0hfFm1wTGy+aKfa
|
||||||
|
BVGHdRmmvHtDUPLA9URCFShqKuS+GXp+6zt7dyZPRrPmiZaciiCMPHOnx59xSdPm
|
||||||
|
AZG8cD3fmK2ThC4FAMyvRb0qeobka3s22xTQ2kjwJO5gykTkZ+BR6SzRHQTjYMuT
|
||||||
|
iry9Bu8Kvbzu3r5n+/bmNz+xRNmEeehgT2qsHjA5b2YBVTr9MdN9Ro3H3saA3upr
|
||||||
|
oans248kpal88CGqsN2so/wZKxVnpiXlPHMdiNL7hRSUqlHkUi07FrP2Htg8kjI=
|
||||||
|
-----END CERTIFICATE-----`.trim();
|
||||||
|
const c = new X509Certificate(certPem);
|
||||||
|
assert(!c.ca);
|
||||||
|
const signer = createSign('SHA256');
|
||||||
|
assert(signer.sign(key, 'hex'));
|
||||||
|
|
||||||
|
const c1 = new X509Certificate(certPem);
|
||||||
|
assert(!c1.checkIssued(c1));
|
||||||
|
const signer1 = createSign('SHA256');
|
||||||
|
assert(signer1.sign(key, 'hex'));
|
||||||
|
|
||||||
|
const c2 = new X509Certificate(certPem);
|
||||||
|
assert(c2.toLegacyObject());
|
||||||
|
const signer2 = createSign('SHA256');
|
||||||
|
assert(signer2.sign(key, 'hex'));
|
||||||
}
|
}
|
||||||
|
|
||||||
// X509Certificate can be cloned via MessageChannel/MessagePort
|
// X509Certificate can be cloned via MessageChannel/MessagePort
|
||||||
|
Loading…
x
Reference in New Issue
Block a user