From efe19eb7f5d62d156d526dda8aa454700faa0d78 Mon Sep 17 00:00:00 2001
From: Takuro Sato <79583855+takuro-sato@users.noreply.github.com>
Date: Thu, 17 Nov 2022 23:43:03 +0900
Subject: [PATCH] crypto: clear OpenSSL error queue after calling X509_verify()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Prior to this commit, functions accessing the OpenSSL error queue did not work properly after x509.verify() returned false.

PR-URL: https://github.com/nodejs/node/pull/45377
Reviewed-By: James M Snell
Reviewed-By: Tobias Nießen
Reviewed-By: Filip Skokan
---
 src/crypto/crypto_x509.cc | 2 ++
 test/parallel/test-crypto-x509.js | 5 +++++
 2 files changed, 7 insertions(+)

diff --git a/src/crypto/crypto_x509.cc b/src/crypto/crypto_x509.cc
index 3c30749c394655..b3c888d16fece3 100644
--- a/src/crypto/crypto_x509.cc
+++ b/src/crypto/crypto_x509.cc
@@ -468,6 +468,8 @@ void X509Certificate::Verify(const FunctionCallbackInfo& args) {
 ASSIGN_OR_RETURN_UNWRAP(&key, args[0]);
 CHECK_EQ(key->Data()->GetKeyType(), kKeyTypePublic);
 
+ ClearErrorOnReturn clear_error_on_return;
+
 args.GetReturnValue().Set(
 X509_verify(
 cert->get(),
diff --git a/test/parallel/test-crypto-x509.js b/test/parallel/test-crypto-x509.js
index 510e3183cf3ce3..0c628285f785a8 100644
--- a/test/parallel/test-crypto-x509.js
+++ b/test/parallel/test-crypto-x509.js
@@ -186,6 +186,11 @@ const der = Buffer.from(
 code: 'ERR_INVALID_ARG_VALUE'
 });
 
+ // Confirm failure of X509Certificate:verify() doesn't affect other functions that use OpenSSL.
+ assert(!x509.verify(x509.publicKey));
+ // This call should not throw.
+ createPrivateKey(key);
+
 // X509Certificate can be cloned via MessageChannel/MessagePort
 const mc = new MessageChannel();
 mc.port1.onmessage = common.mustCall(({ data }) => {
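Review bot: In X509Certificate::Verify (src/crypto/crypto_x509.cc) the new `ClearErrorOnReturn clear_error_on_return;` guard has no comment saying why it is there, and a bare RAII declaration like this is easy to drop in a later cleanup. I would add above it `// X509_verify() leaves entries on the OpenSSL error queue when it fails; drop them so later, unrelated OpenSSL calls do not pick them up.` The guard also discards whatever X509_verify() queued, so the JS caller only ever sees the converted result. X509_verify() can return a negative value for an internal error as well as 0 for a bad signature, and the expression that maps its result to the return value continues outside this hunk, so it is worth confirming that both cases end up as `false`. Verify's body starts and ends outside the hunk.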
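Review bot: In test/parallel/test-crypto-x509.js the added `assert(!x509.verify(x509.publicKey));` passes for any falsy return, so it would not notice if verify() started handing back `0` or `undefined` instead of `false`; `assert.strictEqual(x509.verify(x509.publicKey), false);` pins the boolean. The comment above it writes `X509Certificate:verify()` with a single colon, and `x509.verify()` would match how the method is actually called. The "should not throw" check relies on `key` being a valid private key defined outside the hunk, which is presumably the case but cannot be confirmed from here.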