mirrors/nodejs
mirrors/nodejs
0
0
Fork 0
mirror of https://github.com/nodejs/node.git synced 2024-11-29 23:16:30 +01:00
Code Issues Releases Activity
d8f9e3a332
nodejs/test/fixtures/0-dns
History
David Benjamin 6ebdb69472
crypto: fix Node_SignFinal 
PR #11705 switched Node away from using using OpenSSL's legacy EVP_Sign*
and EVP_Verify* APIs. Instead, it computes a hash normally via
EVP_Digest* and then uses EVP_PKEY_sign and EVP_PKEY_verify to verify
the hash directly. This change corrects two problems:

1. The documentation still recommends the signature algorithm EVP_MD
   names of OpenSSL's legacy APIs. OpenSSL has since moved away from
   thosee, which is why ECDSA was strangely inconsistent. (This is why
   "ecdsa-with-SHA256" was missing.)

2. Node_SignFinal copied some code from EVP_SignFinal's internals. This
   is problematic for OpenSSL 1.1.0 and is missing a critical check
   that prevents pkey->pkey.ptr from being cast to the wrong type.

To resolve this, remove the non-EVP_PKEY_sign codepath. This codepath is
no longer necessary. PR #11705's verify half was already assuming all
EVP_PKEYs supported EVP_PKEY_sign and EVP_PKEY_verify. Also, in the
documentation, point users towards using hash function names which are
more consisent. This avoids an ECDSA special-case and some strangeness
around RSA-PSS ("RSA-SHA256" is the OpenSSL name of the
sha256WithRSAEncryption OID which is not used for RSA-PSS).

PR-URL: https://github.com/nodejs/node/pull/15024
Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
2017-09-11 00:18:02 -03:00
..
0-dns-cert.pem
0-dns-key.pem
0-dns-rsapub.der
create-cert.js
package.json
README.md

README.md

Purpose

The test cert file for use test/parallel/test-tls-0-dns-altname.js can be created by using asn1.js and asn1.js-rfc5280,

How to create a test cert.

$ openssl genrsa -out 0-dns-key.pem 2048
Generating RSA private key, 2048 bit long modulus
...................+++
..............................................................................................+++
e is 65537 (0x10001)
$ openssl rsa -in 0-dns-key.pem -RSAPublicKey_out -outform der -out 0-dns-rsapub.der
writing RSA key
$ npm install
0-dns@1.0.0 /home/github/node/test/fixtures/0-dns
+-- asn1.js@4.9.1
| +-- bn.js@4.11.6
| +-- inherits@2.0.3
| `-- minimalistic-assert@1.0.0
`-- asn1.js-rfc5280@1.2.2

$ node ./createCert.js
$ openssl x509 -text -in 0-dns-cert.pem
(You can not see evil.example.com in subjectAltName field)