crypto: Assertation failed when createPrivateKey(PUBLIC)

[tespent]

• Version: 12.11.1 and 12.7.0 (and more, i believe)
• Platform: Linux dev 5.3.5-arch1-1-ARCH deps: update openssl to 1.0.1j #1 SMP PREEMPT Mon Oct 7 19:03:08 UTC 2019 x86_64 GNU/Linux

crypto.createPrivateKey raise an assertation failure when trying to import a public key.

Output of v12.11.1:

> keyPair.publicKey.export({format:'der',type:'spki'}).toString('base64')
'PUBLIC_KEY_IN_BASE64'
> pubkey=require('crypto').createPrivateKey({key:Buffer.from('PUBLIC_KEY_IN_BASE64','base64'),format:'der',type:'spki'})
node[8267]: ../src/node_crypto.cc:3299:node::crypto::ParseKeyResult node::crypto::ParsePrivateKey(node::crypto::EVPKeyPointer*, const node::crypto::PrivateKeyEncodingConfig&, const char*, size_t): Assertion `(config.type_.ToChecked()) == (kKeyEncodingSEC1)' failed.
 1: 0x9d33e0 node::Abort() [node]
 2: 0x9d3467  [node]
 3: 0xace6ea  [node]
 4: 0xadf83e  [node]
 5: 0xae03e7 node::crypto::KeyObject::Init(v8::FunctionCallbackInfo<v8::Value> const&) [node]
 6: 0xb9ec19  [node]
 7: 0xba0a07 v8::internal::Builtin_HandleApiCall(int, unsigned long*, v8::internal::Isolate*) [node]
 8: 0x136d639  [node]
Aborted (core dumped)

I have tried keyPair=require('crypto').generateKeyPairSync('rsa',{modulusLength:4096}) and keyPair=require('crypto').generateKeyPairSync('ec',{namedCurve:'P-256'}), the result are the same.

[addaleax]

@nodejs/crypto @tniessen

[sam-github]

@tespent can you provide a runnable reproduction, I can't repro:

% node --version; node -p "require('crypto').generateKeyPairSync('ec',{namedCurve:'P-256'}).publicKey.export({format:'der',type:'spki'}).toString('base64')" 
v12.11.1
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEBEGMUwSkAYZNhIctHCL6VV/ufsVjGax0gWxBhCP9rZckKlcI1HQhIMv1qPzIS5zbFpud0YgrvZnYFkgWlJs5Ig==

[tespent]

@tespent can you provide a runnable reproduction, I can't repro:

% node --version; node -p "require('crypto').generateKeyPairSync('ec',{namedCurve:'P-256'}).publicKey.export({format:'der',type:'spki'}).toString('base64')" 
v12.11.1
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEBEGMUwSkAYZNhIctHCL6VV/ufsVjGax0gWxBhCP9rZckKlcI1HQhIMv1qPzIS5zbFpud0YgrvZnYFkgWlJs5Ig==

node -p "require('crypto').createPrivateKey({key:Buffer.from('MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEBEGMUwSkAYZNhIctHCL6VV/ufsVjGax0gWxBhCP9rZckKlcI1HQhIMv1qPzIS5zbFpud0YgrvZnYFkgWlJs5Ig==','base64'),format:'der',type:'spki'})"

@sam-github

[sam-github]

Thanks, I can repro

[sam-github]

Its because spki is a public key format, and it isn't handled in the private key parsing code. I'm rebuildign to see if this fixes it:

diff --git a/src/node_crypto.cc b/src/node_crypto.cc
index 3405fbb5b4..c2a22d0d20 100644
--- a/src/node_crypto.cc
+++ b/src/node_crypto.cc
@@ -3345,6 +3345,8 @@ static ParseKeyResult ParsePrivateKey(EVPKeyPointer* pkey,
         if (p8inf)
           pkey->reset(EVP_PKCS82PKEY(p8inf.get()));
       }
+    } else if (config.type_.ToChecked() == kKeyEncodingSPKI) {
+      return ParseKeyResult::kParseKeyFailed;
     } else {
       CHECK_EQ(config.type_.ToChecked(), kKeyEncodingSEC1);
       const unsigned char* p = reinterpret_cast<const unsigned char*>(key);

[tniessen]

Right, but I believe execution shouldn't even get to ParsePrivateKey in this case. Possible fix in #29913.