fix: crash creating private key with unsupported algorithm #31087
Conversation
codebytere
force-pushed
the
fix-jwk-crash
branch
from
8d3f292
to
bbd171c
Compare
|
I would like to ask a question, why does nodejs 16.4.1 not raise crashes. In my results, it is correct, e.g:
Does that mean that the problem has been fixed in the new version of the Nodejs code? |
|
@BlackHole1 this is outlined in my PR body - Electron uses BoringSSL and Node.js uses OpenSSL. So this will fail in Electron where it would work in Node.js because the underlying crypto libraries differ. |
|
Release Notes Persisted
|
|
I have automatically backported this PR to "16-x-y", please check out #31136 |
|
I have automatically backported this PR to "15-x-y", please check out #31137 |
Description of Change
Closes #31064.
Fixed an issue where some calls to
crypto.createPrivateKeymade with algorithms unsupported by BoringSSL cause a crash when invoking methods on their return values. This was happening because BoringSSL shims some algorithms but doesn't implement them and so attempts to create keys with them will fail (see:evp.h#L835-837)Node.js returns false in
initEdRaw(seecrypto_keys.cc#L1106)but then does nothing with the return value, meaning that if no pkey is created successfully that a key object will still be returned. However, attempts to use the
data_field will crash the process asdata_is never assigned. This is fixed by checking the return value ofinitEdRawat the JavaScript level and throwing an error if the function returns false.cc @deermichel
Checklist
npm testpassesRelease Notes
Notes: Fixed an issue where some calls to
crypto.createPrivateKeymade with algorithms unsupported by BoringSSL cause a crash when invoking methods on their return values.