
Commit 15a6e92

authored
Merge pull request from GHSA-c2ff-88x2-x9pg
* Fix the public key PEM matcher so it handles PKCS#1 and X.509 keys * fix: remove the empty line at the start of key strings
1 parent a5ef39b commit 15a6e92

2 files changed

+11
-17
lines changed


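--- a/src/crypto.js
+++ b/src/crypto.js
@@ -26,7 +26,7 @@ const base64UrlMatcher = /[=+/]/g
 const encoderMap = { '=': '', '+': '-', '/': '_' }
 
 const privateKeyPemMatcher = /^-----BEGIN(?: (RSA|EC|ENCRYPTED))? PRIVATE KEY-----/
-const publicKeyPemMatcher = '-----BEGIN PUBLIC KEY-----'
+const publicKeyPemMatcher = /^-----BEGIN( RSA)? PUBLIC KEY-----/
 const publicKeyX509CertMatcher = '-----BEGIN CERTIFICATE-----'
 const privateKeysCache = new Cache(1000)
 const publicKeysCache = new Cache(1000)
@@ -44,7 +44,7 @@ const ecCurves = {
 
 /* istanbul ignore next */
 if (!useNewCrypto) {
-directSign = function(alg, data, options) {
+directSign = function (alg, data, options) {
 if (typeof alg === 'undefined') {
 throw new TokenError(TokenError.codes.signError, 'EdDSA algorithms are not supported by your Node.js version.')
 }
@@ -55,7 +55,7 @@ if (!useNewCrypto) {
 }
 }
 
-const PrivateKey = asn.define('PrivateKey', function() {
+const PrivateKey = asn.define('PrivateKey', function () {
 this.seq().obj(
 this.key('version').int(),
 this.key('algorithm')
@@ -69,7 +69,7 @@ const PrivateKey = asn.define('PrivateKey', function() {
 )
 })
 
-const PublicKey = asn.define('PublicKey', function() {
+const PublicKey = asn.define('PublicKey', function () {
 this.seq().obj(
 this.key('algorithm')
 .seq()
@@ -82,7 +82,7 @@ const PublicKey = asn.define('PublicKey', function() {
 )
 })
 
-const ECPrivateKey = asn.define('ECPrivateKey', function() {
+const ECPrivateKey = asn.define('ECPrivateKey', function () {
 this.seq().obj(
 this.key('version').int(),
 this.key('privateKey').octstr(),
@@ -103,7 +103,7 @@ function cacheSet(cache, key, value, error) {
 }
 
 function performDetectPrivateKeyAlgorithm(key) {
-if (key.includes(publicKeyPemMatcher) || key.includes(publicKeyX509CertMatcher)) {
+if (key.match(publicKeyPemMatcher) || key.includes(publicKeyX509CertMatcher)) {
 throw new TokenError(TokenError.codes.invalidKey, 'Public keys are not supported for signing.')
 }
 
@@ -157,7 +157,7 @@ function performDetectPrivateKeyAlgorithm(key) {
 function performDetectPublicKeyAlgorithms(key) {
 if (key.match(privateKeyPemMatcher)) {
 throw new TokenError(TokenError.codes.invalidKey, 'Private keys are not supported for verifying.')
-} else if (!key.includes(publicKeyPemMatcher) && !key.includes(publicKeyX509CertMatcher)) {
+} else if (!key.match(publicKeyPemMatcher) && !key.includes(publicKeyX509CertMatcher)) {
 // Not a PEM, assume a plain secret
 return hsAlgorithms
 }
@@ -226,7 +226,6 @@ function detectPublicKeyAlgorithms(key) {
 if (!key) {
 return 'none'
 }
-
 // Check cache first
 const [cached, error] = publicKeysCache.get(key) || []
 
@@ -243,7 +242,6 @@ function detectPublicKeyAlgorithms(key) {
 } else if (typeof key !== 'string') {
 throw new TokenError(TokenError.codes.invalidKey, 'The public key must be a string or a buffer.')
 }
-
 return cacheSet(publicKeysCache, key, performDetectPublicKeyAlgorithms(key))
 } catch (e) {
 throw cacheSet(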
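Review bot: The new `publicKeyPemMatcher` is anchored with `^`, but nothing in the hunks at old lines 106 and 160 normalises `key` first, so a public key that starts with whitespace or a blank line (the shape the removed test fixtures had) matches neither PEM regex and, in performDetectPublicKeyAlgorithms, falls through to the "assume a plain secret" branch and returns hsAlgorithms; unless callers trim the key before it reaches these functions (not visible in this diff), that leaves the public-key-as-HMAC-secret confusion the advisory closes reachable for such inputs. Either normalise once at the top of both functions, `key = key.trim()`, or let both matchers tolerate leading whitespace, `/^\s*-----BEGIN( RSA)? PUBLIC KEY-----/` and the same prefix on privateKeyPemMatcher. The same two hunks leave `publicKeyX509CertMatcher` as a substring `includes` check while the two PEM headers are now anchored regexes; a short comment stating why the certificate header is allowed anywhere in the string, or an anchored regex for it as well, would make the three checks consistent. For a boolean test `publicKeyPemMatcher.test(key)` reads more directly than `key.match(publicKeyPemMatcher)`, which allocates a match array that is never used. Both enclosing functions continue outside the hunks.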

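--- a/test/crypto.spec.js
+++ b/test/crypto.spec.js
@@ -43,8 +43,7 @@ const detectedAlgorithms = {
 PS: rsaAlgorithms
 }
 
-const invalidPrivatePKCS8 = `
------BEGIN PRIVATE KEY-----
+const invalidPrivatePKCS8 = `-----BEGIN PRIVATE KEY-----
 MIIBSwIBADCCASsGByqGSM44BAEwggEeAoGBAMGxOb7Tft3j9ibDnbRQmSzNFVWI
 zXgZuKcImr0hfaTHiCezcafkUCydrdlE+UddkS7i8I2USopaAC8qXm9MakL7aTLa
 PdCJIPBjmcMSXfxqngeIko1mGySNRVCc2QxGHvMSkjTrY7TEzvgI4cJDg9ykZGU1
@@ -55,16 +54,14 @@ sZjIEvC33/YIQaP8Gvw0zKIQFS9vMwQXAhUAxRK28V19J5W4jfBY+3L3Zy/XbIo=
 -----END PRIVATE KEY-----
 `
 
-const invalidPrivateCurve = `
------BEGIN EC PRIVATE KEY-----
+const invalidPrivateCurve = `-----BEGIN EC PRIVATE KEY-----
 MHECAQEEHgMIJ+JtbK1h1Hr+VuYfQD/lWlBSRo2Fx4+10MljjKAKBggqhkjOPQMA
 DaFAAz4ABH2YBzIol9aAQrQERTRHF31ztVeZ6dr8T8qJiitVoAFKep39qV9n/7sV
 NspwxJ55TbI7tJiW6tcF2/MdOw==
 -----END EC PRIVATE KEY-----
 `
 
-const invalidPublicPKCS8 = `
------BEGIN PUBLIC KEY-----
+const invalidPublicPKCS8 = `-----BEGIN PUBLIC KEY-----
 MIIBtzCCASwGByqGSM44BAEwggEfAoGBALqI31HbMCIw1QPaf2nGT6z7DaYu/NRV
 sdQ8cBkQSvegBXOTbAS+hxNq3rMcwm240ukBKnpvdEB3gyegsmNK2UVjrBgdl6Xs
 0H9TK5Utnv5HspziTKgCy6Zf5IrAsiitrwnb+fBYLJrVGRAJErNmVVTXo6wiDHhW
@@ -78,8 +75,7 @@ dceK/5cqXl02B+Q=
 -----END PUBLIC KEY-----
 `
 
-const invalidPublicCurve = `
------BEGIN PUBLIC KEY-----
+const invalidPublicCurve = `-----BEGIN PUBLIC KEY-----
 MFUwEwYHKoZIzj0CAQYIKoZIzj0DAA0DPgAEBaKDc/7IW3cMDxat8ivVjqDq1TZ+
 T7r5sAUIWaF0Q5uk5NYmLOnCFxoP8Ua16sraCbAozdvg0wfvT7Cq
 -----END PUBLIC KEY-----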
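Review bot: None of the fixture edits in this file adds a PKCS#1 public key fixture (a `-----BEGIN RSA PUBLIC KEY-----` header), although that header is exactly what the new `( RSA)?` alternative in publicKeyPemMatcher exists to recognise; unless such a case lives elsewhere in the spec (not visible in this diff), the advisory fix itself has no regression test. Every fixture also had its leading blank line removed so the now `^`-anchored matchers can see the header, which means the suite no longer exercises a key string with leading whitespace; keeping one fixture in its old form and asserting it is still rejected for signing would pin whether that normalisation is the library's job or the caller's. The `detectedAlgorithms` object and the surrounding test bodies continue outside the hunks.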
