Age | Commit message (Collapse) | Author |
|
Expose the size of asymetric keys of crypto key object from the
crypto module added in v11.6.0.
PR-URL: https://github.com/nodejs/node/pull/26387
Refs: https://github.com/nodejs/node/pull/24234
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
|
|
This change allows passing private key objects to
crypto.createPublicKey, resulting in a key object that represents a
valid public key for the given private key. The returned public key
object can be used and exported safely without revealing information
about the private key.
PR-URL: https://github.com/nodejs/node/pull/26278
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
|
|
PR-URL: https://github.com/nodejs/node/pull/26365
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
|
|
Use a `v8::Object` with an internal field, rather than a
`v8::External`.
On a `GetReturnValue().Set(Environment::GetCurrent(args) == nullptr)`
noop function, this benchmarks as a ~60 % speedup, as calls to
`obj->GetAlignedPointerFromInternalField()` can be inlined and
the field is stored with one level of indirection less.
This also makes breaking up some pieces of the `Environment` class
into per-native-binding data easier, if we want to pursue that path
in the future.
PR-URL: https://github.com/nodejs/node/pull/26382
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
|
|
Where appropriate, use a helper that wraps around
`ArrayBufferView::Buffer()` or `ArrayBufferView::CopyContents()`
rather than `Buffer::Data()`, as that may help to avoid materializing
the underlying `ArrayBuffer` when reading small typed arrays from C++.
This allows keeping the performance benefits of the faster creation of
heap-allocated small typed arrays in many cases.
PR-URL: https://github.com/nodejs/node/pull/26301
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
|
|
PR-URL: https://github.com/nodejs/node/pull/26159
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
|
|
Always use the right allocator for memory that is turned into
an `ArrayBuffer` at a later point.
This enables embedders to use their own `ArrayBuffer::Allocator`s,
and is inspired by Electron’s electron/node@f61bae3440e. It should
render their downstream patch unnecessary.
Refs: https://github.com/electron/node/commit/f61bae3440e1bfcc83bba6ff0785adfb89b4045e
PR-URL: https://github.com/nodejs/node/pull/26207
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com>
|
|
The previously used OpenSSL call only supports encrypted PKCS8,
this commit adds support for unencrypted PKCS8.
PR-URL: https://github.com/nodejs/node/pull/26236
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Ujjwal Sharma <usharma1998@gmail.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
|
|
Fail early if key parsing failed, don't try to construct a context out
of it.
PR-URL: https://github.com/nodejs/node/pull/26238
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
|
|
Failed ConvertKey() operations should not leave errors on OpenSSL's
error stack because that's observable by subsequent cryptographic
operations. More to the point, it makes said operations fail with
an unrelated error.
PR-URL: https://github.com/nodejs/node/pull/26153
Fixes: https://github.com/nodejs/node/issues/26133
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
|
|
PR-URL: https://github.com/nodejs/node/pull/26042
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: James M Snell <jasnell@gmail.com>
|
|
Signed-off-by: gengjiawen <technicalcute@gmail.com>
PR-URL: https://github.com/nodejs/node/pull/25888
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Refael Ackermann <refack@gmail.com>
|
|
PR-URL: https://github.com/nodejs/node/pull/25916
Refs: https://github.com/nodejs/node/pull/20914
Reviewed-By: Masashi Hirano <shisama07@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
|
|
Signed-off-by: gengjiawen <technicalcute@gmail.com>
PR-URL: https://github.com/nodejs/node/pull/25889
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
|
|
PR-URL: https://github.com/nodejs/node/pull/25861
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
|
|
Use MaybeLocal::ToLocal and don't crash X509ToObject on error.
PR-URL: https://github.com/nodejs/node/pull/25717
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
|
|
EC_KEY_key2buf returns an OPENSSL_malloc'd pointer so it shouldn't be
passed into Buffer::New, which expect a libc malloc'd pointer. Instead,
factor out the ECDH::GetPublicKey code which uses EC_POINT_point2oct.
This preserves the existing behavior where encoding failures are
silently ignored, but it is probably safe to CHECK fail them instead.
PR-URL: https://github.com/nodejs/node/pull/25717
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
|
|
OpenSSL has supported async notification of sessions and tickets since
1.1.0 using SSL_CTX_sess_set_new_cb(), for all versions of TLS. Using
the async API is optional for TLS1.2 and below, but for TLS1.3 it will
be mandatory. Future-proof applications should start to use async
notification immediately. In the future, for TLS1.3, applications that
don't use the async API will silently, but gracefully, fail to resume
sessions and instead do a full handshake.
See: https://wiki.openssl.org/index.php/TLS1.3#Sessions
PR-URL: https://github.com/nodejs/node/pull/25831
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
|
|
PKCS#8 describes an encoding for private keys, not public keys. Using
the name as a format usually refers to the PrivateKeyInfo structure it
defines. (Or sometimes the EncryptedPrivateKeyInfo variant or the
little-used OneAsymmetricKey extension defined in RFC 5958.) None of
these structures can hold public keys to begin with.
d2i_PUBKEY actually parses the public key analogous format defined in
X.509, SubjectPublicKeyInfo. This function already uses "X.509" to refer
to an entire certificate, so say SubjectPublicKeyInfo in the comment.
(The abbreviation SPKI sometimes refers to SubjectPublicKeyInfo, e.g. in
RFC 7469, but it can also an alternate S-expression-based PKI to X.509,
Simple Public Key Infrastructure. To avoid confusion, stick with the
expanded name.)
PR-URL: https://github.com/nodejs/node/pull/25736
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
|
|
PR-URL: https://github.com/nodejs/node/pull/25734
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Gus Caplan <me@gus.host>
|
|
SSL_set_tlsext_status_ocsp_resp expects the data to be allocated with
OPENSSL_malloc, not libc malloc, so use OpenSSLMalloc.
Additionally, though OpenSSL doesn't type-check due to it being a macro,
the function is documented to take an unsigned char pointer:
https://www.openssl.org/docs/man1.1.0/ssl/SSL_set_tlsext_status_ocsp_resp.html
(By default, OPENSSL_malloc is the same as libc malloc, but it is
possible to customize this.)
PR-URL: https://github.com/nodejs/node/pull/25706
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Ali Ijaz Sheikh <ofrobots@google.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: James M Snell <jasnell@gmail.com>
|
|
Renamed some internal C++ methods and properties for consistency, and
commented SSL I/O.
- Rename waiting_new_session_ after is_waiting_new_session(), instead of
using reverse naming (new_session_wait_), and change "waiting" to
"awaiting".
- Make TLSWrap::ClearIn() return void, the value is never used.
- Fix a getTicketKeys() cut-n-paste error. Since it doesn't use the
arguments, remove them from the js wrapper.
- Remove call of setTicketKeys(getTicketKeys()), its a no-op.
PR-URL: https://github.com/nodejs/node/pull/25713
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
|
|
Make OpenSSL 1.1.1 error during cipher list setting if it would have
errored with OpenSSL 1.1.0.
Can be dropped after our OpenSSL fixes this upstream.
See: https://github.com/openssl/openssl/pull/7759
PR-URL: https://github.com/nodejs/node/pull/25381
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
|
|
The documentation of `SSL_get_certificate` states that it returns
an internal pointer that must not be freed by the caller.
Therefore, using a smart pointer to take ownership is incorrect.
Refs: https://man.openbsd.org/SSL_get_certificate.3
Refs: https://github.com/nodejs/node/pull/24261
Fixes: https://github.com/nodejs-private/security/issues/217
PR-URL: https://github.com/nodejs/node/pull/25490
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
|
|
PR-URL: https://github.com/nodejs/node/pull/25507
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: James M Snell <jasnell@gmail.com>
|
|
Currently, while FIPS is not supported yet for this release there might
be an option to dynamically link against a FIPS compatible OpenSSL
version.
This commit fixes the compiler errors.
PR-URL: https://github.com/nodejs/node/pull/25412
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
|
|
Instead of in node_internals.h. Also move process property
accessors that are not reused into node_process_object.cc
and make them static.
PR-URL: https://github.com/nodejs/node/pull/25397
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
|
|
Simplify the code. The flag check was in the OpenSSL source, but reading
through the docs and source, it is not necessary.
Refs: https://github.com/nodejs/node/pull/24358/files#r243099693
PR-URL: https://github.com/nodejs/node/pull/25345
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
|
|
So that it's easier to tell whether we are manipulating per-process
global states that may need to be treated with care to avoid races.
Also added comments about these variables and moved some of them
to a more suitable compilation unit:
- Move `v8_initialized` to `util.h` since it's only used in
`util.cc` and `node.cc`
- Rename `process_mutex` to `tty_mutex` and move it into
`node_errors.cc` since that's the only place it's used
to guard the tty.
- Move `per_process_opts_mutex` and `per_process_opts`
into `node_options.h` and rename them to
`per_process::cli_options[_mutex]`
- Rename `node_isolate[_mutex]` to `per_process::main_isolate[_mutex]`
PR-URL: https://github.com/nodejs/node/pull/25302
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Franziska Hinkelmann <franziska.hinkelmann@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
|
|
Some APIs already accept private keys instead of public keys. This
changes all relevant crypto APIs to do so.
PR-URL: https://github.com/nodejs/node/pull/25217
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
|
|
Use `ToV8Value()` where appropriate to reduce duplication
and avoid extra `Array::Set()` calls.
PR-URL: https://github.com/nodejs/node/pull/25288
Reviewed-By: Gus Caplan <me@gus.host>
Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
|
|
When an empty string was passed, malloc might have returned a nullptr
depending on the platform, causing an assertion failure. This change
makes private key parsing behave as public key parsing does, causing
a BIO error instead that can be caught in JS.
Fixes: https://github.com/nodejs/node/issues/25247
PR-URL: https://github.com/nodejs/node/pull/25248
Reviewed-By: Ujjwal Sharma <usharma1998@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
|
|
session ID was named session in C++ and key in JS, Name them after what
they are, as the 'newSession' event docs do.
PR-URL: https://github.com/nodejs/node/pull/25153
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Anatoli Papirovski <apapirovski@mac.com>
|
|
The OCSP info from parsing the TLS ClientHello has not been used since
550c263, remove it.
See: https://github.com/nodejs/node/pull/1464
PR-URL: https://github.com/nodejs/node/pull/25153
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Anatoli Papirovski <apapirovski@mac.com>
|
|
During the time between https://github.com/nodejs/node/pull/24234
being opened and it landing, a V8 update occurred that deprecated
several APIs. This commit fixes the following compiler warnings:
../src/node_crypto.cc:3342:11:
warning: 'Set' is deprecated: Use maybe version
../src/node_crypto.cc:3345:13:
warning: 'GetFunction' is deprecated: Use maybe version
PR-URL: https://github.com/nodejs/node/pull/25205
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
|
|
PR-URL: https://github.com/nodejs/node/pull/24234
Reviewed-By: Refael Ackermann <refack@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
|
|
This commit makes multiple important changes:
1. A new key object API is introduced. The KeyObject class itself is
not exposed to users, instead, several new APIs can be used to
construct key objects: createSecretKey, createPrivateKey and
createPublicKey. The new API also allows to convert between
different key formats, and even though the API itself is not
compatible to the WebCrypto standard in any way, it makes
interoperability much simpler.
2. Key objects can be used instead of the raw key material in all
relevant crypto APIs.
3. The handling of asymmetric keys has been unified and greatly
improved. Node.js now fully supports both PEM-encoded and
DER-encoded public and private keys.
4. Conversions between buffers and strings have been moved to native
code for sensitive data such as symmetric keys due to security
considerations such as zeroing temporary buffers.
5. For compatibility with older versions of the crypto API, this
change allows to specify Buffers and strings as the "passphrase"
option when reading or writing an encoded key. Note that this
can result in unexpected behavior if the password contains a
null byte.
PR-URL: https://github.com/nodejs/node/pull/24234
Reviewed-By: Refael Ackermann <refack@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
|
|
Instead of implementing it in node_crypto.cc even though the only
place that needs it is the `Metadata::Versions` constructor.
PR-URL: https://github.com/nodejs/node/pull/25115
Reviewed-By: Steven R Loomis <srloomis@us.ibm.com>
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Minwoo Jung <minwoo@nodesource.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
|
|
Several secureProtocol strings allow any supported TLS version as the
maximum, but our maximum supported protocol version is TLSv1.2 even if
someone configures a build against an OpenSSL that supports TLSv1.3.
Fixes: https://github.com/nodejs/node/issues/24658
PR-URL: https://github.com/nodejs/node/pull/25024
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
|
|
Support the same PEM certificate formats for the ca: option to
tls.createSecureContext() that are supported by openssl when loading a
CAfile.
Fixes: https://github.com/nodejs/node/issues/24761
PR-URL: https://github.com/nodejs/node/pull/24733
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
|
|
This fixes deprecation warnings.
PR-URL: https://github.com/nodejs/node/pull/24883
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
|
|
This commit removes the finalized_ member from the Hash class as it does
not seem to be used in any valuable way. Commit c75f87cc4c8 ("crypto:
refactor the crypto module") removed the check where it was previously
used.
PR-URL: https://github.com/nodejs/node/pull/24822
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
|
|
Add an error code property to invalid `secureProtocol` method
exceptions.
PR-URL: https://github.com/nodejs/node/pull/24729
Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
|
|
PR-URL: https://github.com/nodejs/node/pull/24719
Refs: https://github.com/nodejs/node/issues/24645
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
|
|
The existing secureProtocol option only allows setting the allowed
protocol to a specific version, or setting it to "all supported
versions". It also used obscure strings based on OpenSSL C API
functions. Directly setting the min or max is easier to use and explain.
PR-URL: https://github.com/nodejs/node/pull/24405
Reviewed-By: Refael Ackermann <refack@gmail.com>
Reviewed-By: Rod Vagg <rod@vagg.org>
|
|
For symmetricality with the EC public key info, and because its useful.
PR-URL: https://github.com/nodejs/node/pull/24358
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
|
|
X.509 certs are provided to the user in a parsed object form by a number
of TLS APIs. Include public key info for elliptic curves as well, not
just RSA.
- pubkey: the public key
- bits: the strength of the curve
- asn1Curve: the ASN.1 OID for the curve
- nistCurve: the NIST nickname for the curve, if it has one
PR-URL: https://github.com/nodejs/node/pull/24358
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
|
|
Add the two TLS protocol method functions which were missing. They seem
useful, and are already documented as being supported (indirectly, our
docs just point to OpenSSL's docs).
PR-URL: https://github.com/nodejs/node/pull/24386
Reviewed-By: Vse Mozhet Byt <vsemozhetbyt@gmail.com>
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: Ujjwal Sharma <usharma1998@gmail.com>
|
|
PR-URL: https://github.com/nodejs/node/pull/24452
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Refael Ackermann <refack@gmail.com>
|
|
Add an API to get the local certificate chosen during TLS handshake from
the SSL context.
Fix: https://github.com/nodejs/node/issues/24095
PR-URL: https://github.com/nodejs/node/pull/24261
Fixes: https://github.com/nodejs/node/issues/24095
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
|