crypto: trim input for NETSCAPE_SPKI_b64_decode

PR-URL: #40757 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Minwoo Jung <nodecorelab@gmail.com> Reviewed-By: Tobias Nießen <tniessen@tnie.de> Reviewed-By: Richard Lau <rlau@redhat.com> Reviewed-By: Rich Trott <rtrott@gmail.com>
nodejs · Nov 21, 2021 · a8cc8b6 · a8cc8b6
1 parent 3a4f387
commit a8cc8b6
Showing 1 changed file with 24 additions and 3 deletions.
diff --git a/src/crypto/crypto_spkac.cc b/src/crypto/crypto_spkac.cc
@@ -16,8 +16,15 @@ using v8::Value;
 namespace crypto {
 namespace SPKAC {
 bool VerifySpkac(const ArrayBufferOrViewContents<char>& input) {
+  size_t length = input.size();
+#ifdef OPENSSL_IS_BORINGSSL
+  // OpenSSL uses EVP_DecodeBlock, which explicitly removes trailing characters,
+  // while BoringSSL uses EVP_DecodedLength and EVP_DecodeBase64, which do not.
+  // As such, we trim those characters here for compatibility.
+  length = std::string(input.data()).find_last_not_of(" \n\r\t") + 1;
+#endif
   NetscapeSPKIPointer spki(
-      NETSCAPE_SPKI_b64_decode(input.data(), input.size()));
+      NETSCAPE_SPKI_b64_decode(input.data(), length));
   if (!spki)
     return false;
 
@@ -45,8 +52,15 @@ ByteSource ExportPublicKey(Environment* env,
   BIOPointer bio(BIO_new(BIO_s_mem()));
   if (!bio) return ByteSource();
 
+  size_t length = input.size();
+#ifdef OPENSSL_IS_BORINGSSL
+  // OpenSSL uses EVP_DecodeBlock, which explicitly removes trailing characters,
+  // while BoringSSL uses EVP_DecodedLength and EVP_DecodeBase64, which do not.
+  // As such, we trim those characters here for compatibility.
+  length = std::string(input.data()).find_last_not_of(" \n\r\t") + 1;
+#endif
   NetscapeSPKIPointer spki(
-      NETSCAPE_SPKI_b64_decode(input.data(), input.size()));
+      NETSCAPE_SPKI_b64_decode(input.data(), length));
   if (!spki) return ByteSource();
 
   EVPKeyPointer pkey(NETSCAPE_SPKI_get_pubkey(spki.get()));
@@ -73,8 +87,15 @@ void ExportPublicKey(const FunctionCallbackInfo<Value>& args) {
 }
 
 ByteSource ExportChallenge(const ArrayBufferOrViewContents<char>& input) {
+  size_t length = input.size();
+#ifdef OPENSSL_IS_BORINGSSL
+  // OpenSSL uses EVP_DecodeBlock, which explicitly removes trailing characters,
+  // while BoringSSL uses EVP_DecodedLength and EVP_DecodeBase64, which do not.
+  // As such, we trim those characters here for compatibility.
+  length = std::string(input.data()).find_last_not_of(" \n\r\t") + 1;
+#endif
   NetscapeSPKIPointer sp(
-      NETSCAPE_SPKI_b64_decode(input.data(), input.size()));
+      NETSCAPE_SPKI_b64_decode(input.data(), length));
   if (!sp)
     return ByteSource();