crypto: fix error code handling in ParsePrivateKey()

[RaisinTen]

This changes the code to select the latest error code instead of the
earliest one from the OpenSSL error stack. It helps in getting rid of
the inconsistency between the empty passphrase related error codes of
OpenSSL 1.1.1 and 3.

Refs: #42319 (comment)
Signed-off-by: Darshan Sen [email protected]

[nodejs-github-bot]

Review requested:

• @nodejs/crypto

[nodejs-github-bot]

CI: https://ci.nodejs.org/job/node-test-pull-request/43128/

[tniessen]

Is OpenSSL pushing multiple errors during a single API call? Or can we somehow prevent having multiple errors on the stack?

[RaisinTen]

@tniessen

Is OpenSSL pushing multiple errors during a single API call?

Yes that's right, the errors are coming from this API call -

node/src/crypto/crypto_keys.cc

Lines 224 to 227 in 7fdb9d5

	pkey->reset(PEM_read_bio_PrivateKey(bio.get(),
	nullptr,
	PasswordCallback,
	&passphrase));

and this is what the stack contains:

opensslErrorStack: [
  'error:04800068:PEM routines::bad password read',
  'error:07880109:common libcrypto routines::interrupted or cancelled'
]

The first error is raised from

node/deps/openssl/openssl/crypto/pem/pem_lib.c

Line 440 in cc94563

ERR_raise(ERR_LIB_PEM, PEM_R_BAD_PASSWORD_READ);

and the second one is from

node/deps/openssl/openssl/crypto/passphrase.c

Line 184 in 7fdb9d5

ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERRUPTED_OR_CANCELLED);

.

Is it normal for OpenSSL to push multiple errors on the stack during a single API call?

Or can we somehow prevent having multiple errors on the stack?

I don't think that would be possible without making some changes to OpenSSL.