Skip to content

crypto: validate RSA-PSS saltLength in subtle.sign and subtle.verify #52262

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Apr 3, 2024
Merged

crypto: validate RSA-PSS saltLength in subtle.sign and subtle.verify #52262

merged 1 commit into from
Apr 3, 2024

Conversation

@panva
Copy link
Member

@panva panva commented Mar 29, 2024

Resolves a TODO from @jasnell to validate RSA-PSS saltLength in SubtleCrypto.sign and SubtleCrypto.verify

fixes: #52188

@panva panva added crypto Issues and PRs related to the crypto subsystem. needs-ci PRs that need a full CI run. webcrypto labels Mar 29, 2024
@nodejs-github-bot
Copy link
Collaborator

nodejs-github-bot commented Mar 29, 2024

Review requested:

  • @nodejs/crypto

@panva panva requested review from jasnell and tniessen March 29, 2024 15:25
@panva panva added the request-ci Add this label to start a Jenkins CI on a PR. label Mar 29, 2024
@github-actions github-actions bot removed the request-ci Add this label to start a Jenkins CI on a PR. label Mar 29, 2024
@nodejs-github-bot
Copy link
Collaborator

nodejs-github-bot commented Mar 29, 2024

CI: https://ci.nodejs.org/job/node-test-pull-request/57999/

@nodejs-github-bot
Copy link
Collaborator

nodejs-github-bot commented Mar 29, 2024

CI: https://ci.nodejs.org/job/node-test-pull-request/58000/

@nodejs-github-bot
Copy link
Collaborator

nodejs-github-bot commented Mar 29, 2024

CI: https://ci.nodejs.org/job/node-test-pull-request/58001/

anonrig
anonrig reviewed Mar 29, 2024
View reviewed changes
lib/internal/crypto/rsa.js
const type = mode === kSignJobModeSign ? 'private' : 'public';

if (key.type !== type)
throw lazyDOMException(`Key must be a ${type} key`, 'InvalidAccessError');
Copy link
Member

@anonrig anonrig Mar 29, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The error is not sync anymore. Does this make this semver-major change?

Copy link
Member Author

@panva panva Mar 30, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It does not. The entire API surface of webcrypto is async functions.

lib/internal/crypto/util.js
case 'SHA-1': return 20;
case 'SHA-256': return 32;
case 'SHA-384': return 48;
case 'SHA-512': return 64;
Copy link
Member

@anonrig anonrig Mar 29, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you add a default with unreachable (like throw error)

Copy link
Member Author

@panva panva Mar 30, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's done the same way as the method above. I don't feel it's necessary. Used hashes are verified far before this is ever invoked.

@panva panva requested a review from anonrig April 2, 2024 13:09
@panva panva added author ready PRs that have at least one approval, no pending requests for changes, and a CI started. commit-queue Add this label to land a pull request using GitHub Actions. labels Apr 3, 2024
@nodejs-github-bot nodejs-github-bot removed the commit-queue Add this label to land a pull request using GitHub Actions. label Apr 3, 2024
@nodejs-github-bot nodejs-github-bot merged commit 2241e8c into nodejs:main Apr 3, 2024
@nodejs-github-bot
Copy link
Collaborator

nodejs-github-bot commented Apr 3, 2024

Landed in 2241e8c

@panva panva deleted the webcrypto-validate-saltLength branch April 3, 2024 07:45
@RafaelGSS RafaelGSS mentioned this pull request Apr 15, 2024
Merged
marco-ippolito pushed a commit that referenced this pull request May 2, 2024
@panva @marco-ippolito
crypto: validate RSA-PSS saltLength in subtle.sign and subtle.verify
956e8fc 
fixes: #52188
PR-URL: #52262
Fixes: #52188
Reviewed-By: Luigi Pinca <[email protected]>
Reviewed-By: Tobias Nießen <[email protected]>
Reviewed-By: Yagiz Nizipli <[email protected]>
@marco-ippolito marco-ippolito mentioned this pull request May 2, 2024
Merged
marco-ippolito pushed a commit that referenced this pull request May 3, 2024
@panva @marco-ippolito
crypto: validate RSA-PSS saltLength in subtle.sign and subtle.verify
197b61f 
fixes: #52188
PR-URL: #52262
Fixes: #52188
Reviewed-By: Luigi Pinca <[email protected]>
Reviewed-By: Tobias Nießen <[email protected]>
Reviewed-By: Yagiz Nizipli <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@lpinca lpinca lpinca approved these changes

@anonrig anonrig anonrig approved these changes

@tniessen tniessen tniessen approved these changes

@jasnell jasnell Awaiting requested review from jasnell

Assignees

No one assigned

Labels

author ready PRs that have at least one approval, no pending requests for changes, and a CI started. crypto Issues and PRs related to the crypto subsystem. needs-ci PRs that need a full CI run. webcrypto

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

node:crypto RSA-PSS seems to be broken

5 participants

@panva @nodejs-github-bot @lpinca @anonrig @tniessen