Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Node silently allows using dh and x25519 keys for signing / verification #53742

Open
lucacasonato opened this issue Jul 6, 2024 · 1 comment · May be fixed by #53774
Open

Node silently allows using dh and x25519 keys for signing / verification #53742

lucacasonato opened this issue Jul 6, 2024 · 1 comment · May be fixed by #53774
Labels
confirmed-bug Issues with confirmed bugs. crypto Issues and PRs related to the crypto subsystem.

Comments

@lucacasonato
Copy link

lucacasonato commented Jul 6, 2024
edited
Loading

Version

v22.4.0

Platform

Linux pop-os 6.9.3-76060903-generic #202405300957171834820922.04~7817b67 SMP PREEMPT_DYNAMIC Mon J x86_64 x86_64 x86_64 GNU/Linux

Subsystem

crypto

What steps will reproduce the bug?

import crypto from 'node:crypto';

const { privateKey, publicKey } = crypto.generateKeyPairSync('x25519', {});

const sign = crypto.createSign('sha512');
sign.update('some data to sign');
sign.end();
const signature = sign.sign(privateKey);
console.log('Signature:', signature.toString('hex'));

const verify = crypto.createVerify('sha512');
verify.update('some data to sign');
verify.end();
console.log('Verify:', verify.verify(publicKey, signature));

Produces output like:

How often does it reproduce? Is there a required condition?

Always

What is the expected behavior? Why is that the expected behavior?

Node throws an error that x25519 keys can not be used for signing. Same should happen for dh keys.

What do you see instead?

Signature: 8603053600000000000000000000000000930436000000000000000000000000
Verify: false

(invalid output)

Additional information

No response
@RedYetiDev RedYetiDev added the crypto Issues and PRs related to the crypto subsystem. label Jul 6, 2024
@RedYetiDev
Copy link
Member

RedYetiDev commented Jul 6, 2024
edited
Loading

@nodejs/crypto PTAL
JLHwung added a commit to JLHwung/node that referenced this issue Jul 9, 2024
@JLHwung
crypto: reject dh,x25518,x448 in {Sign,Verify}Final
fcdcfd9 
Fixes: nodejs#53742
JLHwung added a commit to JLHwung/node that referenced this issue Jul 9, 2024
@JLHwung
crypto: reject dh,x25519,x448 in {Sign,Verify}Final
f335ac6 
Fixes: nodejs#53742
JLHwung added a commit to JLHwung/node that referenced this issue Jul 9, 2024
@JLHwung
crypto: reject dh,x25519,x448 in {Sign,Verify}Final
7518c53 
Fixes: nodejs#53742
@JLHwung JLHwung linked a pull request Jul 9, 2024 that will close this issue
Open
@tniessen tniessen added the confirmed-bug Issues with confirmed bugs. label Jul 9, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
confirmed-bug Issues with confirmed bugs. crypto Issues and PRs related to the crypto subsystem.
3 participants
@tniessen @lucacasonato @RedYetiDev