-
Notifications
You must be signed in to change notification settings - Fork 30k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
crypto: trim input for NETSCAPE_SPKI_b64_decode #40757
Conversation
de356ca
to
0a9df6a
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
For posterity, the issue arises from the fact that, within NETSCAPE_SPKI_b64_decode
,
- OpenSSL uses
EVP_DecodeBlock
, which explicitly removes trailing whitespace etc., - BoringSSL uses
EVP_DecodedLength
andEVP_DecodeBase64
, which do not remove trailing whitespace etc.
Personally, I don't think adapting the way we read keys to be compatible with BoringSSL's implementation details is the best solution.
Also, the reason for this change and for trimming the keys is difficult if not impossible to determine without going through the git history.
Lastly, if the behavior of OpenSSL or BoringSSL ever changes to match that of the other library, we won't notice if we always trim the keys in our tests (but real applications don't).
I'd personally prefer to
- either adapt the specific test to trim the strings only if the crypto library is BoringSSL, or
- change the implementation in
src
to trim the input if the crypto library is BoringSSL.
Whichever option we go with, the reason for the trimming should be explained in the code.
(Or, if BoringSSL is closer to being "correct" than OpenSSL, then we should adopt BoringSSL's behavior.) |
0a9df6a
to
7335d4f
Compare
@tniessen updated with the second approach you suggested! |
7335d4f
to
cdf0cd4
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@tniessen updated with the second approach you suggested!
Thank you @codebytere, I think this is a better solution overall 😃
(FWIW, I believe that EVP_DecodeBlock
will also refuse inputs that start with whitespace, but if that never occurs in practice, there is no reason to "fix" that.)
Landed in f7668fa |
PR-URL: #40757 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Minwoo Jung <nodecorelab@gmail.com> Reviewed-By: Tobias Nießen <tniessen@tnie.de> Reviewed-By: Richard Lau <rlau@redhat.com> Reviewed-By: Rich Trott <rtrott@gmail.com>
PR-URL: #40757 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Minwoo Jung <nodecorelab@gmail.com> Reviewed-By: Tobias Nießen <tniessen@tnie.de> Reviewed-By: Richard Lau <rlau@redhat.com> Reviewed-By: Rich Trott <rtrott@gmail.com>
PR-URL: #40757 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Minwoo Jung <nodecorelab@gmail.com> Reviewed-By: Tobias Nießen <tniessen@tnie.de> Reviewed-By: Richard Lau <rlau@redhat.com> Reviewed-By: Rich Trott <rtrott@gmail.com>
PR-URL: #40757 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Minwoo Jung <nodecorelab@gmail.com> Reviewed-By: Tobias Nießen <tniessen@tnie.de> Reviewed-By: Richard Lau <rlau@redhat.com> Reviewed-By: Rich Trott <rtrott@gmail.com>
* chore: bump node in DEPS to v16.14.0 * src: add flags for controlling process behavior nodejs/node#40339 * src: add x509.fingerprint512 to crypto module nodejs/node#39809 * deps: upgrade to libuv 1.43.0 nodejs/node#41398 * chore: fixup patch indices * chore: add missing filenames nodejs/node#39283 nodejs/node#40665 * crypto: trim input for NETSCAPE_SPKI_b64_decode nodejs/node#40757 * chore: update patches * chore: bump node in DEPS to v16.14.1 * tools: enable no-empty ESLint rule nodejs/node#41831 * chore: update patches * chore: update patches * chore: bump node in DEPS to v16.14.2 * chore: update patches Co-authored-by: electron-roller[bot] <84116207+electron-roller[bot]@users.noreply.github.com> Co-authored-by: Shelley Vohr <shelley.vohr@gmail.com> Co-authored-by: PatchUp <73610968+patchup[bot]@users.noreply.github.com>
* chore: bump node in DEPS to v16.14.0 * src: add flags for controlling process behavior nodejs/node#40339 * src: add x509.fingerprint512 to crypto module nodejs/node#39809 * deps: upgrade to libuv 1.43.0 nodejs/node#41398 * chore: fixup patch indices * chore: add missing filenames nodejs/node#39283 nodejs/node#40665 * crypto: trim input for NETSCAPE_SPKI_b64_decode nodejs/node#40757 * chore: update patches * chore: bump node in DEPS to v16.14.1 * tools: enable no-empty ESLint rule nodejs/node#41831 * chore: update patches * chore: update patches * chore: bump node in DEPS to v16.14.2 * chore: update patches Co-authored-by: electron-roller[bot] <84116207+electron-roller[bot]@users.noreply.github.com> Co-authored-by: Shelley Vohr <shelley.vohr@gmail.com> Co-authored-by: PatchUp <73610968+patchup[bot]@users.noreply.github.com>
* chore: bump node in DEPS to v16.14.0 * src: add flags for controlling process behavior nodejs/node#40339 * src: add x509.fingerprint512 to crypto module nodejs/node#39809 * deps: upgrade to libuv 1.43.0 nodejs/node#41398 * chore: fixup patch indices * chore: add missing filenames nodejs/node#39283 nodejs/node#40665 * crypto: trim input for NETSCAPE_SPKI_b64_decode nodejs/node#40757 * chore: update patches * chore: bump node in DEPS to v16.14.1 * tools: enable no-empty ESLint rule nodejs/node#41831 * chore: update patches * chore: update patches * chore: bump node in DEPS to v16.14.2 * chore: update patches Co-authored-by: electron-roller[bot] <84116207+electron-roller[bot]@users.noreply.github.com> Co-authored-by: Shelley Vohr <shelley.vohr@gmail.com> Co-authored-by: PatchUp <73610968+patchup[bot]@users.noreply.github.com>
This PR adds exta handling for spkac decoding if we are using OpenSSL instead of BoringSSL.
In our smoke tests, Electron was finding a consistent failure in
parallel/test-crypto-certificate
. In tracking this down, I found that the issue originated with a strict requirement in BoringSSL that base64 strings be evenly divisible by 4 in their implementation ofNETSCAPE_SPKI_b64_decode
- a requirement which Node.js' cert tests were mysteriously failing. It turned out that the cause of the failure was that the fixture files were being read and their newlines left intact, so the number of characters was always a single character over the actual number of characters in the .spkac file.This fixes that issue by trimming the newlines out of the file cc @jasnell