
Node silently allows using dh and x25519 keys for signing / verification #53742

Closed
@lucacasonato


Version

v22.4.0

Platform

Linux pop-os 6.9.3-76060903-generic #202405300957171834820922.04~7817b67 SMP PREEMPT_DYNAMIC Mon J x86_64 x86_64 x86_64 GNU/Linux

Subsystem

crypto

What steps will reproduce the bug?

import crypto from 'node:crypto';

const { privateKey, publicKey } = crypto.generateKeyPairSync('x25519', {});

const sign = crypto.createSign('sha512');
sign.update('some data to sign');
sign.end();
const signature = sign.sign(privateKey);
console.log('Signature:', signature.toString('hex'));

const verify = crypto.createVerify('sha512');
verify.update('some data to sign');
verify.end();
console.log('Verify:', verify.verify(publicKey, signature));

Produces output like:

How often does it reproduce? Is there a required condition?

Always

What is the expected behavior? Why is that the expected behavior?

Node throws an error that x25519 keys can not be used for signing. Same should happen for dh keys.

What do you see instead?

Signature: 8603053600000000000000000000000000930436000000000000000000000000
Verify: false

(invalid output)

Additional information

No response
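A caller-side guard for the behaviour reported above, as an added example that is not part of the original issue or of Node.js itself: it checks `asymmetricKeyType` against an allow-list before signing or verifying. `assertSigningKey`, `digestFor`, `safeSign`, `safeVerify` and `demo` are hypothetical names, and the allow-list of signing-capable key types is an assumption.

```javascript
// Added example: caller-side guard, not code from the issue or from Node.js core.
const crypto = require('node:crypto');

// Assumption: asymmetricKeyType values that have a signature scheme in node:crypto.
const SIGNING_KEY_TYPES = new Set(['rsa', 'rsa-pss', 'dsa', 'ec', 'ed25519', 'ed448']);
// Ed25519/Ed448 hash internally, so crypto.sign/verify must be given a null digest.
const NO_DIGEST_TYPES = new Set(['ed25519', 'ed448']);

// Hypothetical helper: throws for key-agreement keys (x25519, x448, dh) and secret keys.
function assertSigningKey(key, expectedType) {
  if (!(key instanceof crypto.KeyObject) || key.type !== expectedType) {
    throw new TypeError(`expected a ${expectedType} KeyObject`);
  }
  if (!SIGNING_KEY_TYPES.has(key.asymmetricKeyType)) {
    throw new TypeError(
      `${key.asymmetricKeyType} keys cannot be used for signing or verification`);
  }
}

function digestFor(key, digest) {
  return NO_DIGEST_TYPES.has(key.asymmetricKeyType) ? null : digest;
}

function safeSign(digest, data, privateKey) {
  assertSigningKey(privateKey, 'private');
  return crypto.sign(digestFor(privateKey, digest), Buffer.from(data), privateKey);
}

function safeVerify(digest, data, publicKey, signature) {
  assertSigningKey(publicKey, 'public');
  return crypto.verify(digestFor(publicKey, digest), Buffer.from(data), publicKey, signature);
}

// Constructed demo: the x25519 pair from the report is rejected, an Ed25519 pair works.
function demo() {
  const message = 'some data to sign';
  const ed = crypto.generateKeyPairSync('ed25519');
  const signature = safeSign('sha512', message, ed.privateKey);
  const verified = safeVerify('sha512', message, ed.publicKey, signature);
  let rejected = null;
  try {
    safeSign('sha512', message, crypto.generateKeyPairSync('x25519').privateKey);
  } catch (err) {
    rejected = err.message;
  }
  return { verified, rejected };
}

console.log(demo());
```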


Labels: confirmed-bug (Issues with confirmed bugs.), crypto (Issues and PRs related to the crypto subsystem.)
