1berry/nodejs
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

crypto: clear OpenSSL error on invalid ca cert

Browse Source 
Signed-off-by: RafaelGSS <rafael.nunu@hotmail.com>

Refs: https://hackerone.com/bugs?subject=nodejs&report_id=1808596
CVE-ID: CVE-2023-23919
PR-URL: https://github.com/nodejs-private/node-private/pull/368
Reviewed-by: Michael Dawson <midawson@redhat.com>
This commit is contained in:
RafaelGSS 2022-12-23 17:48:19 -03:00
parent 9b7db62276
commit 438812e14d
2 changed files with 49 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
src/crypto/crypto_x509.cc
View File

@ -340,6 +340,7 @@ void X509Certificate::Pem(const FunctionCallbackInfo<Value>& args) {
void X509Certificate::CheckCA(const FunctionCallbackInfo<Value>& args) { void X509Certificate::CheckCA(const FunctionCallbackInfo<Value>& args) {
X509Certificate* cert; X509Certificate* cert;
ClearErrorOnReturn clear_error_on_return;
ASSIGN_OR_RETURN_UNWRAP(&cert, args.Holder()); ASSIGN_OR_RETURN_UNWRAP(&cert, args.Holder());
args.GetReturnValue().Set(X509_check_ca(cert->get()) == 1); args.GetReturnValue().Set(X509_check_ca(cert->get()) == 1);
} }
@ -440,6 +441,8 @@ void X509Certificate::CheckIssued(const FunctionCallbackInfo<Value>& args) {
X509Certificate* issuer; X509Certificate* issuer;
ASSIGN_OR_RETURN_UNWRAP(&issuer, args[0]); ASSIGN_OR_RETURN_UNWRAP(&issuer, args[0]);
ClearErrorOnReturn clear_error_on_return;
args.GetReturnValue().Set( args.GetReturnValue().Set(
X509_check_issued(issuer->get(), cert->get()) == X509_V_OK); X509_check_issued(issuer->get(), cert->get()) == X509_V_OK);
} }
@ -482,6 +485,7 @@ void X509Certificate::ToLegacy(const FunctionCallbackInfo<Value>& args) {
Environment* env = Environment::GetCurrent(args); Environment* env = Environment::GetCurrent(args);
X509Certificate* cert; X509Certificate* cert;
ASSIGN_OR_RETURN_UNWRAP(&cert, args.Holder()); ASSIGN_OR_RETURN_UNWRAP(&cert, args.Holder());
ClearErrorOnReturn clear_error_on_return;
Local<Value> ret; Local<Value> ret;
if (X509ToObject(env, cert->get()).ToLocal(&ret)) if (X509ToObject(env, cert->get()).ToLocal(&ret))
args.GetReturnValue().Set(ret); args.GetReturnValue().Set(ret);

46
test/parallel/test-crypto-x509.js
View File

@ -9,6 +9,7 @@ const {
X509Certificate, X509Certificate,
createPrivateKey, createPrivateKey,
generateKeyPairSync, generateKeyPairSync,
createSign,
} = require('crypto'); } = require('crypto');
const { const {
@ -190,7 +191,12 @@ const der = Buffer.from(
{ {
// https://github.com/nodejs/node/issues/45377 // https://github.com/nodejs/node/issues/45377
// https://github.com/nodejs/node/issues/45485 // https://github.com/nodejs/node/issues/45485
// Confirm failures of X509Certificate:verify() and X509Certificate:CheckPrivateKey() // Confirm failures of
// X509Certificate:verify()
// X509Certificate:CheckPrivateKey()
// X509Certificate:CheckCA()
// X509Certificate:CheckIssued()
// X509Certificate:ToLegacy()
// do not affect other functions that use OpenSSL. // do not affect other functions that use OpenSSL.
// Subsequent calls to e.g. createPrivateKey should not throw. // Subsequent calls to e.g. createPrivateKey should not throw.
const keyPair = generateKeyPairSync('ed25519'); const keyPair = generateKeyPairSync('ed25519');
@ -198,6 +204,44 @@ const der = Buffer.from(
createPrivateKey(key); createPrivateKey(key);
assert(!x509.checkPrivateKey(keyPair.privateKey)); assert(!x509.checkPrivateKey(keyPair.privateKey));
createPrivateKey(key); createPrivateKey(key);
const certPem = `
-----BEGIN CERTIFICATE-----
MIID6zCCAtOgAwIBAgIUTUREAaNcNL0zPkxAlMX0GJtJ/FcwDQYJKoZIhvcNAQEN
BQAwgYkxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMREwDwYDVQQH
DAhDYXJsc2JhZDEPMA0GA1UECgwGVmlhc2F0MR0wGwYDVQQLDBRWaWFzYXQgU2Vj
dXJlIE1vYmlsZTEiMCAGA1UEAwwZSGFja2VyT25lIHJlcG9ydCAjMTgwODU5NjAi
GA8yMDIyMTIxNjAwMDAwMFoYDzIwMjMxMjE1MjM1OTU5WjCBiTELMAkGA1UEBhMC
VVMxEzARBgNVBAgMCkNhbGlmb3JuaWExETAPBgNVBAcMCENhcmxzYmFkMQ8wDQYD
VQQKDAZWaWFzYXQxHTAbBgNVBAsMFFZpYXNhdCBTZWN1cmUgTW9iaWxlMSIwIAYD
VQQDDBlIYWNrZXJPbmUgcmVwb3J0ICMxODA4NTk2MIIBIjANBgkqhkiG9w0BAQEF
AAOCAQ8AMIIBCgKCAQEA6I7RBPm4E/9rIrCHV5lfsHI/yYzXtACJmoyP8OMkjbeB
h21oSJJF9FEnbivk6bYaHZIPasa+lSAydRM2rbbmfhF+jQoWYCIbV2ztrbFR70S1
wAuJrlYYm+8u+1HUru5UBZWUr/p1gFtv3QjpA8+43iwE4pXytTBKPXFo1f5iZwGI
D5Bz6DohT7Tyb8cpQ1uMCMCT0EJJ4n8wUrvfBgwBO94O4qlhs9vYgnDKepJDjptc
uSuEpvHALO8+EYkQ7nkM4Xzl/WK1yFtxxE93Jvd1OvViDGVrRVfsq+xYTKknGLX0
QIeoDDnIr0OjlYPd/cqyEgMcFyFxwDSzSc1esxdCpQIDAQABo0UwQzAdBgNVHQ4E
FgQUurygsEKdtQk0T+sjM0gEURdveRUwEgYDVR0TAQH/BAgwBgEB/wIB/zAOBgNV
HQ8BAf8EBAMCB4AwDQYJKoZIhvcNAQENBQADggEBAH7mIIXiQsQ4/QGNNFOQzTgP
/bUbMSZJsY5TPAvS9rF9yQVzs4dJZnQk5kEb/qrDQSe27oP0L0hfFm1wTGy+aKfa
BVGHdRmmvHtDUPLA9URCFShqKuS+GXp+6zt7dyZPRrPmiZaciiCMPHOnx59xSdPm
AZG8cD3fmK2ThC4FAMyvRb0qeobka3s22xTQ2kjwJO5gykTkZ+BR6SzRHQTjYMuT
iry9Bu8Kvbzu3r5n+/bmNz+xRNmEeehgT2qsHjA5b2YBVTr9MdN9Ro3H3saA3upr
oans248kpal88CGqsN2so/wZKxVnpiXlPHMdiNL7hRSUqlHkUi07FrP2Htg8kjI=
-----END CERTIFICATE-----`.trim();
const c = new X509Certificate(certPem);
assert(!c.ca);
const signer = createSign('SHA256');
assert(signer.sign(key, 'hex'));
const c1 = new X509Certificate(certPem);
assert(!c1.checkIssued(c1));
const signer1 = createSign('SHA256');
assert(signer1.sign(key, 'hex'));
const c2 = new X509Certificate(certPem);
assert(c2.toLegacyObject());
const signer2 = createSign('SHA256');
assert(signer2.sign(key, 'hex'));
} }
// X509Certificate can be cloned via MessageChannel/MessagePort // X509Certificate can be cloned via MessageChannel/MessagePort