-
Notifications
You must be signed in to change notification settings - Fork 30.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
crypto: reject public keys properly #29913
Conversation
|
||
// This should not abort either: https://github.com/nodejs/node/issues/29904 | ||
assert.throws(() => { | ||
createPrivateKey({ key: Buffer.alloc(0), format: 'der', type: 'spki' }); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There are other formats for public keys, perhaps its worth testing them all?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think the only other supported type is pkcs1
which behaves differently, but I added a test case for that as well.
Line 3349 in 7f22aaf
enum PKEncodingType . I suggest changing the if..if else ..else to a switch(config.type_.ToChecked()) { case .... with either a default that returns ParseKeyResult::kParseKeyFailed , or probably better, no default. I think gcc will warn when a switch doesn't handle all values of an enum in its case statements, so the code will be more future proof. Just a suggestion.
|
I understand your point. My main problem with a In my opinion, the current behavior of |
Aborts at the js-to-c++ layer make a lot of sense to me, where its easy to add type check calls in js just before calling C++ it should be very difficult to reach those abort arg checks. But since users are managing to get unexpected things to happen multiple layers down in the C++, then actual error returns make more sense. I don't feel strongly about it, but I notice that changing the fallback in the code in question to an error return, see #29904 (comment), prevented the abort. The user would still get an error, of course, but that was already possible for reasons of malformed input. That was exploratory code, I'm not suggesting using it as-is, but having the return be the default/final-else case would make the code more robust. |
It would be more robust in the sense that the process would not abort, but what kind of error should we throw here? Reaching this point is definitely a bug, and an error code that indicates otherwise will only be misleading. So the error should very clearly say: "Hey, this is a bug in node!". However, if we just throw the error, it might get lost, whereas aborting the process will send a very clear message. |
Landed in c64ed10 |
Fixes: nodejs#29904 PR-URL: nodejs#29913 Reviewed-By: Sam Roberts <vieuxtech@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
If the underlying operation requires a private key,
isPublic
must be set tofalse
instead ofundefined
. (The latter means that both public and private keys are accepted.)Fixes: #29904
Checklist
make -j4 test
(UNIX), orvcbuild test
(Windows) passes