-
Notifications
You must be signed in to change notification settings - Fork 30k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Crypto: X509Certificate.checkPrivateKey() used with a non-matching key makes the next call to createPrivateKey() fail. #45485
Comments
Just tested and I can reproduce this on linux too. |
Probably the same solution as #45377. |
Ah, thanks, that looks like exactly the same issue but for the verify() function instead. That PR won't fix this function though. And this probably affects even more functions (like all that do not throw on error unkess they have been marked with that clear on return) This is pretty serious flaw in the crypto lib I think. Is there any known workaround? Is it possible to clear the openssl error queue manually from node? I cannot find anything like that in the docs. |
Fix in #45495 |
That was quick! Great stuff 👍 |
Fixes: nodejs#45485 PR-URL: nodejs#45495 Reviewed-By: Tobias Nießen <tniessen@tnie.de> Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
Backport-PR-URL: https://github.com/nodejs-private/node-private/pull/375 CVE-ID: CVE-2023-23919 Fixes: nodejs/node#45485 PR-URL: nodejs/node#45495 Refs: https://hackerone.com/bugs?subject=nodejs&report_id=1808596 Reviewed-By: Tobias Nießen <tniessen@tnie.de> Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
Backport-PR-URL: https://github.com/nodejs-private/node-private/pull/375 CVE-ID: CVE-2023-23919 Fixes: nodejs/node#45485 PR-URL: nodejs/node#45495 Refs: https://hackerone.com/bugs?subject=nodejs&report_id=1808596 Reviewed-By: Tobias Nießen <tniessen@tnie.de> Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
Version
18.12.1
Platform
Microsoft Windows NT 10.0.19044.0 x64
Subsystem
crypto
What steps will reproduce the bug?
Run the following script using node
I have tested with node 16, 17 and 18 with the same behaviour.
The script contain a certificate and a private key that does NOT match.
I'm using
X509Certificate.checkPrivateKey()
to verify the combination.The validation returns false (as expected).
Then the next line creates a new private key again using
createPrivateKey
This should work as the key itself is OK (and it is the same indata that was used the first time
createPrivateKey
was used)Instead an exception is thrown.
How often does it reproduce? Is there a required condition?
Always
What is the expected behavior?
Console output should be:
What do you see instead?
console output is:
Additional information
It looks to me, that the exception thrown on the second createPrivateKey is the actual error that occured in the
checkPrivateKey
function, causing it to return false.In fact receiving that info instead as a plain
false
would have been nice.But now it looks like the error is "queued" and then thrown when using
createPrivateKey
again.The text was updated successfully, but these errors were encountered: