Skip to content

Commit

Permalink
crypto: clear OpenSSL error queue after calling X509_verify()
Browse files Browse the repository at this point in the history
Prior to this commit, functions accessing the OpenSSL error queue did
not work properly after x509.verify() returned false.

PR-URL: #45377
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Tobias Nießen <[email protected]>
Reviewed-By: Filip Skokan <[email protected]>
  • Loading branch information
takuro-sato authored and danielleadams committed Jan 3, 2023
1 parent 597c7fc commit dae92e7
Show file tree
Hide file tree
Showing 2 changed files with 7 additions and 0 deletions.
2 changes: 2 additions & 0 deletions src/crypto/crypto_x509.cc
Original file line number Diff line number Diff line change
Expand Up @@ -468,6 +468,8 @@ void X509Certificate::Verify(const FunctionCallbackInfo<Value>& args) {
ASSIGN_OR_RETURN_UNWRAP(&key, args[0]);
CHECK_EQ(key->Data()->GetKeyType(), kKeyTypePublic);

ClearErrorOnReturn clear_error_on_return;

args.GetReturnValue().Set(
X509_verify(
cert->get(),
Expand Down
5 changes: 5 additions & 0 deletions test/parallel/test-crypto-x509.js
Original file line number Diff line number Diff line change
Expand Up @@ -186,6 +186,11 @@ const der = Buffer.from(
code: 'ERR_INVALID_ARG_VALUE'
});

// Confirm failure of X509Certificate:verify() doesn't affect other functions that use OpenSSL.
assert(!x509.verify(x509.publicKey));
// This call should not throw.
createPrivateKey(key);

// X509Certificate can be cloned via MessageChannel/MessagePort
const mc = new MessageChannel();
mc.port1.onmessage = common.mustCall(({ data }) => {
Expand Down

0 comments on commit dae92e7

Please sign in to comment.