PEM_read_bio_PrivateKey() pushes multiple errors on the error stack #18110
Comments
If the file really has an empty passphrase, there should not be any errors left on the stack after PEM_read_bio_PrivateKey(). However, in case the application callback gives an empty passphrase but the key file has some non-empty passphrase, IMO the errors should be present on the stack.
The thing we are trying to test is that parsing the private key (which was previously generated with '' as the passphrase) without the passphrase fails with |
In short, yes, that is the new expected behavior.
@kaduk understood, so this is definitely not a bug, just a question.

    ERR_clear_error();
    EVP_PKEY* key = PEM_read_bio_PrivateKey(bio, nullptr, PasswordCallback, passphrase);
    unsigned long err = ERR_peek_last_error();
    if (err != 0)
      key = NULL;
    if (key) {
      // Key parsing succeeded.
    }
    if (ERR_GET_LIB(err) == ERR_LIB_PEM &&
        ERR_GET_REASON(err) == PEM_R_BAD_PASSWORD_READ) {
      if (passphrase.IsEmpty()) {
        // Needs passphrase, so handle this error specially by throwing a "Passphrase required for encrypted key" exception.
      }
    }
    // Key parsing failed, so harvest all the error info from the error stack.

Could we somehow call |
I would not recommend relying on the position of the errors on the stack remaining stable over time.
In OpenSSL 3, when we use PEM_read_bio_PrivateKey() to read a private key with an empty passphrase, it pushes multiple errors on the stack.

Is this a bug or is nodejs/node#42400 the right way to handle errors coming from PEM_read_bio_PrivateKey()? Or is there another way to prevent having multiple errors on the stack?