crypto: fix regression in RSA-PSS keygen

nodejs/node#39937
electron · Sep 8, 2021 · 6b8fbb3 · 6b8fbb3
1 parent e36b07b
commit 6b8fbb3
Showing 1 changed file with 35 additions and 54 deletions.
diff --git a/patches/node/fix_crypto_tests_to_run_with_bssl.patch b/patches/node/fix_crypto_tests_to_run_with_bssl.patch
@@ -582,7 +582,7 @@ index aa03a0379a291a4632b68d428d4e1875d60166a3..a6862ace1fa73473b406fe4513b9e7a9
    // Exporting an encrypted private key requires a cipher
    const privateKey = createPrivateKey(privatePem);
 diff --git a/test/parallel/test-crypto-keygen.js b/test/parallel/test-crypto-keygen.js
-index ed5986e6bfd4211a1cc22fa94aaf68fc1013133f..08986a6793a39b275277c8bf188316f669a53c63 100644
+index 09d43317426e712f60d4eba380cd4e044e3f3cf8..7dbe07c493dd092a88bffb8ccf6a0fbfcd280662 100644
 --- a/test/parallel/test-crypto-keygen.js
 +++ b/test/parallel/test-crypto-keygen.js
 @@ -297,6 +297,7 @@ const sec1EncExp = (cipher) => getRegExpForPEM('EC PRIVATE KEY', cipher);
@@ -593,105 +593,85 @@ index ed5986e6bfd4211a1cc22fa94aaf68fc1013133f..08986a6793a39b275277c8bf188316f6
  {
    // Test RSA-PSS.
    generateKeyPair('rsa-pss', {
-@@ -339,7 +340,9 @@ const sec1EncExp = (cipher) => getRegExpForPEM('EC PRIVATE KEY', cipher);
+@@ -345,7 +346,9 @@ const sec1EncExp = (cipher) => getRegExpForPEM('EC PRIVATE KEY', cipher);
      testSignVerify(publicKey, privateKey);
    }));
  }
 +*/
 
++/*
+ {
+   // 'rsa-pss' should not add a RSASSA-PSS-params sequence by default.
+   // Regression test for: https://github.com/nodejs/node/issues/39936
+@@ -368,7 +371,9 @@ const sec1EncExp = (cipher) => getRegExpForPEM('EC PRIVATE KEY', cipher);
+     assert.strictEqual(spki[3], 11, spki.toString('hex'));
+   }));
+ }
++*/
+
 +/*
  {
    const privateKeyEncoding = {
      type: 'pkcs8',
-@@ -409,6 +412,7 @@ const sec1EncExp = (cipher) => getRegExpForPEM('EC PRIVATE KEY', cipher);
+@@ -438,6 +443,7 @@ const sec1EncExp = (cipher) => getRegExpForPEM('EC PRIVATE KEY', cipher);
      });
    }));
  }
 +*/
 
  {
    // Test async elliptic curve key generation, e.g. for ECDSA, with a SEC1
-@@ -433,6 +437,7 @@ const sec1EncExp = (cipher) => getRegExpForPEM('EC PRIVATE KEY', cipher);
-     testSignVerify(publicKey, privateKey);
-   }));
+@@ -593,6 +599,7 @@ const sec1EncExp = (cipher) => getRegExpForPEM('EC PRIVATE KEY', cipher);
 
-+  /*
-   // Test async elliptic curve key generation, e.g. for ECDSA, with a SEC1
+   // Test async elliptic curve key generation, e.g. for ECDSA, with an encrypted
    // private key with paramEncoding explicit.
-   generateKeyPair('ec', {
-@@ -454,6 +459,7 @@ const sec1EncExp = (cipher) => getRegExpForPEM('EC PRIVATE KEY', cipher);
-
-     testSignVerify(publicKey, privateKey);
-   }));
-+  */
-
-   // Do the same with an encrypted private key.
-   generateKeyPair('ec', {
-@@ -489,6 +495,7 @@ const sec1EncExp = (cipher) => getRegExpForPEM('EC PRIVATE KEY', cipher);
-     testSignVerify(publicKey, { key: privateKey, passphrase: 'secret' });
-   }));
-
 +  /*
-   // Do the same with an encrypted private key with paramEncoding explicit.
    generateKeyPair('ec', {
-     namedCurve: 'prime256v1',
-@@ -522,6 +529,7 @@ const sec1EncExp = (cipher) => getRegExpForPEM('EC PRIVATE KEY', cipher);
-
-     testSignVerify(publicKey, { key: privateKey, passphrase: 'secret' });
-   }));
-+  */
- }
-
- {
-@@ -562,6 +570,7 @@ const sec1EncExp = (cipher) => getRegExpForPEM('EC PRIVATE KEY', cipher);
+     namedCurve: 'P-256',
+     paramEncoding: 'explicit',
+@@ -627,6 +634,7 @@ const sec1EncExp = (cipher) => getRegExpForPEM('EC PRIVATE KEY', cipher);
+       passphrase: 'top secret'
      });
    }));
-
-+  /*
-   // Test async elliptic curve key generation, e.g. for ECDSA, with an encrypted
-   // private key with paramEncoding explicit.
-   generateKeyPair('ec', {
-@@ -686,6 +695,7 @@ const sec1EncExp = (cipher) => getRegExpForPEM('EC PRIVATE KEY', cipher);
-       }
-     }
-   });
 +  */
- }
 
- // Test invalid parameter encoding.
-@@ -709,6 +719,7 @@ const sec1EncExp = (cipher) => getRegExpForPEM('EC PRIVATE KEY', cipher);
+   // Test async elliptic curve key generation with 'jwk' encoding
+   [
+@@ -738,6 +746,8 @@ const sec1EncExp = (cipher) => getRegExpForPEM('EC PRIVATE KEY', cipher);
      message: "The property 'options.paramEncoding' is invalid. " +
        "Received 'otherEncoding'"
    });
++
 +  /*
    assert.throws(() => generateKeyPairSync('dsa', {
      modulusLength: 4096,
      publicKeyEncoding: {
-@@ -722,6 +733,7 @@ const sec1EncExp = (cipher) => getRegExpForPEM('EC PRIVATE KEY', cipher);
+@@ -751,6 +761,8 @@ const sec1EncExp = (cipher) => getRegExpForPEM('EC PRIVATE KEY', cipher);
      code: 'ERR_CRYPTO_JWK_UNSUPPORTED_KEY_TYPE',
      message: 'Unsupported JWK Key Type.'
    });
 +  */
++
    assert.throws(() => generateKeyPairSync('ec', {
      namedCurve: 'secp224r1',
      publicKeyEncoding: {
-@@ -1060,6 +1072,7 @@ const sec1EncExp = (cipher) => getRegExpForPEM('EC PRIVATE KEY', cipher);
+@@ -1089,6 +1101,7 @@ const sec1EncExp = (cipher) => getRegExpForPEM('EC PRIVATE KEY', cipher);
    }
  }
 
-+  /*
++/*
  // Test DSA parameters.
  {
    // Test invalid modulus lengths.
-@@ -1087,6 +1100,7 @@ const sec1EncExp = (cipher) => getRegExpForPEM('EC PRIVATE KEY', cipher);
+@@ -1116,6 +1129,7 @@ const sec1EncExp = (cipher) => getRegExpForPEM('EC PRIVATE KEY', cipher);
      });
    }
  }
 +*/
 
  // Test EC parameters.
  {
-@@ -1131,13 +1145,13 @@ const sec1EncExp = (cipher) => getRegExpForPEM('EC PRIVATE KEY', cipher);
+@@ -1160,13 +1174,13 @@ const sec1EncExp = (cipher) => getRegExpForPEM('EC PRIVATE KEY', cipher);
    }));
 
    generateKeyPair('ec', {
@@ -708,7 +688,7 @@ index ed5986e6bfd4211a1cc22fa94aaf68fc1013133f..08986a6793a39b275277c8bf188316f6
      });
    }));
  }
-@@ -1145,7 +1159,7 @@ const sec1EncExp = (cipher) => getRegExpForPEM('EC PRIVATE KEY', cipher);
+@@ -1174,7 +1188,7 @@ const sec1EncExp = (cipher) => getRegExpForPEM('EC PRIVATE KEY', cipher);
  // Test EdDSA key generation.
  {
    if (!/^1\.1\.0/.test(process.versions.openssl)) {
@@ -717,38 +697,39 @@ index ed5986e6bfd4211a1cc22fa94aaf68fc1013133f..08986a6793a39b275277c8bf188316f6
        generateKeyPair(keyType, common.mustSucceed((publicKey, privateKey) => {
          assert.strictEqual(publicKey.type, 'public');
          assert.strictEqual(publicKey.asymmetricKeyType, keyType);
-@@ -1159,6 +1173,7 @@ const sec1EncExp = (cipher) => getRegExpForPEM('EC PRIVATE KEY', cipher);
+@@ -1188,6 +1202,7 @@ const sec1EncExp = (cipher) => getRegExpForPEM('EC PRIVATE KEY', cipher);
    }
  }
 
 +/*
  // Test classic Diffie-Hellman key generation.
  {
    generateKeyPair('dh', {
-@@ -1271,6 +1286,7 @@ const sec1EncExp = (cipher) => getRegExpForPEM('EC PRIVATE KEY', cipher);
+@@ -1300,6 +1315,7 @@ const sec1EncExp = (cipher) => getRegExpForPEM('EC PRIVATE KEY', cipher);
      });
    }
  }
 +*/
 
  // Test invalid key encoding types.
  {
-@@ -1471,6 +1487,7 @@ if (!common.hasOpenSSL3) {
+@@ -1500,6 +1516,7 @@ if (!common.hasOpenSSL3) {
      }, common.mustSucceed((publicKey, privateKey) => {
        assert.strictEqual(publicKey.type, 'public');
 
 +      /*
        for (const passphrase of ['', Buffer.alloc(0)]) {
          const privateKeyObject = createPrivateKey({
            passphrase,
-@@ -1478,6 +1495,7 @@ if (!common.hasOpenSSL3) {
+@@ -1507,6 +1524,7 @@ if (!common.hasOpenSSL3) {
          });
          assert.strictEqual(privateKeyObject.asymmetricKeyType, 'rsa');
        }
 +      */
 
        // Encrypting with an empty passphrase is not the same as not encrypting
        // the key, and not specifying a passphrase should fail when decoding it.
+
 diff --git a/test/parallel/test-crypto-padding-aes256.js b/test/parallel/test-crypto-padding-aes256.js
 index 14d853bdfd0a5dcc5bdb6e00cb20fdbeaabd2aff..3ae6fc47d4c6a8296a2c3c70daf464fad886a88d 100644
 --- a/test/parallel/test-crypto-padding-aes256.js