chore: surface wrong-passphrase client cert PEM errors consistently in OpenSSL 3#33893
Open
mschile wants to merge 4 commits into
Open
chore: surface wrong-passphrase client cert PEM errors consistently in OpenSSL 3#33893mschile wants to merge 4 commits into
mschile wants to merge 4 commits into
Conversation
…OpenSSL 3 When `clientCertificates` was configured with an encrypted PEM key and the wrong passphrase, the underlying `createPrivateKey` call could surface either `ERR_OSSL_BAD_DECRYPT` or `error:1E08010C:DECODER routines::unsupported` depending on what bytes fell out of the failed decryption (the latter happens when the decrypted gibberish looks like a partial DER blob the decoder can't classify). Only the former was translated into the friendly "Cannot decrypt PEM key with supplied passphrase" message; the latter leaked through as a generic "Cannot parse PEM key" error. Also treat the DECODER-unsupported error as a passphrase failure, but only when the key file actually looks like an encrypted PEM, so a genuinely malformed key with a passphrase still surfaces "Cannot parse PEM key". This also de-flakes the EC and RSA invalid-passphrase unit tests (the RSA one had been `it.skip`'d for this reason and is re-enabled here).
![cypress-bot[bot]](https://avatars.githubusercontent.com/in/24384?s=60&v=4){kind=small}
cypress-bot
Bot
dismissed
their stale review
Cursor Bugbot risk assessment is no longer Low Risk. Auto-approval dismissed; manual review required.
cypress
 |
||||||||||||||||||||||||||||||||||||||||
| Project |
cypress
|
| Branch Review |
mschile/vibrant-bassi-341a5e
|
| Run status |
|
| Run duration | 18m 48s |
| Commit |
|
| Committer | Matt Schile |
| View all properties for this run ↗︎ | |
| Test results | |
|---|---|
 |
0
|
 |
12
|
 |
1112
|
 |
0
|
 |
27307
|
| View all changes introduced in this branch ↗︎ | |
UI Coverage
62.67%
|
|
|---|---|
|
|
28
|
|
|
47
|
Accessibility
99%
|
|
|---|---|
|
|
0 critical
3 serious
1 moderate
0 minor
|
|
|
19
|
mschile
changed the title
cypress-bot
Bot
dismissed
their stale review
Cursor Bugbot risk assessment is no longer Low Risk. Auto-approval dismissed; manual review required.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
client_certificates.spec.ts > detects invalid EC PEM passphrase)Additional details
When
clientCertificatesis configured with an encrypted PEM key and the wrong passphrase,crypto.createPrivateKeycan surface one of two errors depending on what falls out of the failed decryption:ERR_OSSL_BAD_DECRYPT— the cipher's padding/MAC check fails.error:1E08010C:DECODER routines::unsupported— the decrypted bytes look like a partial DER blob the OpenSSL 3 decoder can't classify.Which one fires is data-dependent (random IV + random key material → random "decrypted" bytes), so the same wrong passphrase can produce different errors on different runs. The existing code only mapped
ERR_OSSL_BAD_DECRYPTto the friendlyCannot decrypt PEM key with supplied passphrasemessage; the other path leaked through as a genericCannot parse PEM key: error:1E08010C:DECODER routines::unsupported ….This change also treats the
DECODER routines::unsupportederror as a passphrase failure, but only when the key file actually looks like an encrypted PEM (-----BEGIN ENCRYPTED PRIVATE KEY-----orProc-Type: 4,ENCRYPTED), so a genuinely malformed key with a passphrase still surfacesCannot parse PEM key.Side effect: the previously
it.skip'ddetects invalid PEM key passphraseRSA test (skipped for exactly this flake) is now re-enabled, and the EC variant that prompted this fix is stable. The fullclient_certificates.spec.tssuite passed 10/10 consecutive runs locally.Note
Medium Risk
Adjusts PEM private-key error classification during client-certificate loading, which can change which failures are treated as passphrase vs malformed-key and affect TLS setup behavior.
Overview
Makes wrong-passphrase failures for encrypted PEM private keys surface consistently under OpenSSL 3 by also mapping the
DECODER routines::unsupportedpath to the existing “Cannot decrypt PEM key…” error, but only when the key text matches an encrypted-PEM pattern.Adds
isEncryptedPemKeyto detect encrypted PEM formats and re-enables the previously skipped unit test for invalid RSA PEM passphrases to prevent regressions.Reviewed by Cursor Bugbot for commit 29e67c1. Bugbot is set up for automated code reviews on this repo. Configure here.
Steps to test
clientCertificatespointing at an encrypted PEM key (either RSA or EC).Failed to load client certificates for clientCertificates[0]: Cannot decrypt PEM key with supplied passphrase (check the passphrase file content and that it doesn't have unexpected whitespace at the end).regardless of which OpenSSL 3 decoder path was hit.How has the user experience changed?
Users who supply a wrong passphrase for an encrypted PEM client certificate now reliably see the helpful "Cannot decrypt PEM key with supplied passphrase" message. Previously, a subset of runs would surface a low-level OpenSSL
error:1E08010C:DECODER routines::unsupportedmessage instead, which gave no hint that the passphrase was the problem.PR Tasks
cypress-documentation?type definitions?