Nodejs/node
1
0
Fork 0
mirror of https://github.com/nodejs/node.git synced 2024-11-21 10:59:27 +00:00
Code Issues Actions 25 Packages Projects Releases Wiki Activity

crypto: return clear errors when loading invalid PFX data

Browse Source 
PR-URL: https://github.com/nodejs/node/pull/49566
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
This commit is contained in:
Tim Perry 2023-09-29 13:56:33 +03:00 committed by GitHub
parent 7ace5aba75
commit 17b9925393
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 74 additions and 25 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

76
src/crypto/crypto_context.cc
View File

@ -1052,34 +1052,60 @@ void SecureContext::LoadPKCS12(const FunctionCallbackInfo<Value>& args) {
EVP_PKEY* pkey_ptr = nullptr;
X509* cert_ptr = nullptr;
STACK_OF(X509)* extra_certs_ptr = nullptr;
if (d2i_PKCS12_bio(in.get(), &p12_ptr) &&
(p12.reset(p12_ptr), true) && // Move ownership to the smart pointer.
PKCS12_parse(p12.get(), pass.data(),
&pkey_ptr,
&cert_ptr,
&extra_certs_ptr) &&
(pkey.reset(pkey_ptr), cert.reset(cert_ptr),
extra_certs.reset(extra_certs_ptr), true) && // Move ownership.
SSL_CTX_use_certificate_chain(sc->ctx_.get(),
std::move(cert),
extra_certs.get(),
&sc->cert_,
&sc->issuer_) &&
SSL_CTX_use_PrivateKey(sc->ctx_.get(), pkey.get())) {
// Add CA certs too
for (int i = 0; i < sk_X509_num(extra_certs.get()); i++) {
X509* ca = sk_X509_value(extra_certs.get(), i);
if (cert_store == GetOrCreateRootCertStore()) {
cert_store = NewRootCertStore();
SSL_CTX_set_cert_store(sc->ctx_.get(), cert_store);
}
X509_STORE_add_cert(cert_store, ca);
SSL_CTX_add_client_CA(sc->ctx_.get(), ca);
}
ret = true;
if (!d2i_PKCS12_bio(in.get(), &p12_ptr)) {
goto done;
}
// Move ownership to the smart pointer:
p12.reset(p12_ptr);
if (!PKCS12_parse(
p12.get(), pass.data(), &pkey_ptr, &cert_ptr, &extra_certs_ptr)) {
goto done;
}
// Move ownership of the parsed data:
pkey.reset(pkey_ptr);
cert.reset(cert_ptr);
extra_certs.reset(extra_certs_ptr);
if (!pkey) {
return THROW_ERR_CRYPTO_OPERATION_FAILED(
env, "Unable to load private key from PFX data");
}
if (!cert) {
return THROW_ERR_CRYPTO_OPERATION_FAILED(
env, "Unable to load certificate from PFX data");
}
if (!SSL_CTX_use_certificate_chain(sc->ctx_.get(),
std::move(cert),
extra_certs.get(),
&sc->cert_,
&sc->issuer_)) {
goto done;
}
if (!SSL_CTX_use_PrivateKey(sc->ctx_.get(), pkey.get())) {
goto done;
}
// Add CA certs too
for (int i = 0; i < sk_X509_num(extra_certs.get()); i++) {
X509* ca = sk_X509_value(extra_certs.get(), i);
if (cert_store == GetOrCreateRootCertStore()) {
cert_store = NewRootCertStore();
SSL_CTX_set_cert_store(sc->ctx_.get(), cert_store);
}
X509_STORE_add_cert(cert_store, ca);
SSL_CTX_add_client_CA(sc->ctx_.get(), ca);
}
ret = true;
done:
if (!ret) {
// TODO(@jasnell): Should this use ThrowCryptoError?
unsigned long err = ERR_get_error(); // NOLINT(runtime/int)

BIN
test/fixtures/keys/cert-without-key.pfx vendored Normal file
View File

Binary file not shown.

23
test/parallel/test-tls-invalid-pfx.js Normal file
View File

@ -0,0 +1,23 @@
'use strict';
const common = require('../common');
if (!common.hasCrypto)
common.skip('missing crypto');
const fixtures = require('../common/fixtures');
const {
assert, connect, keys
} = require(fixtures.path('tls-connect'));
const invalidPfx = fixtures.readKey('cert-without-key.pfx');
connect({
client: {
pfx: invalidPfx,
passphrase: 'test',
rejectUnauthorized: false
},
server: keys.agent1
}, common.mustCall((e, pair, cleanup) => {
assert.strictEqual(e.message, 'Unable to load private key from PFX data');
cleanup();
}));