From cf3423d8b6656a55d50e1c7bfc318e36a85f6809 Mon Sep 17 00:00:00 2001
From: Shelley Vohr
Date: Mon, 8 Nov 2021 15:44:38 +0100
Subject: [PATCH] crypto: trim input for NETSCAPE_SPKI_b64_decode
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
PR-URL: https://github.com/nodejs/node/pull/40757
Reviewed-By: James M Snell
Reviewed-By: Colin Ihrig
Reviewed-By: Minwoo Jung
Reviewed-By: Tobias Nießen
Reviewed-By: Richard Lau
Reviewed-By: Rich Trott
---
 src/crypto/crypto_spkac.cc | 27 ++++++++++++++++++++++++---
 1 file changed, 24 insertions(+), 3 deletions(-)
diff --git a/src/crypto/crypto_spkac.cc b/src/crypto/crypto_spkac.cc
index ed0934513259d3..c29d94edc0f9f9 100644
--- a/src/crypto/crypto_spkac.cc
+++ b/src/crypto/crypto_spkac.cc
@@ -16,8 +16,15 @@ using v8::Value;
 namespace crypto {
 namespace SPKAC {
 bool VerifySpkac(const ArrayBufferOrViewContents& input) {
+ size_t length = input.size();
+#ifdef OPENSSL_IS_BORINGSSL
+ // OpenSSL uses EVP_DecodeBlock, which explicitly removes trailing characters,
+ // while BoringSSL uses EVP_DecodedLength and EVP_DecodeBase64, which do not.
+ // As such, we trim those characters here for compatibility.
+ length = std::string(input.data()).find_last_not_of(" \n\r\t") + 1;
+#endif
 NetscapeSPKIPointer spki(
- NETSCAPE_SPKI_b64_decode(input.data(), input.size()));
+ NETSCAPE_SPKI_b64_decode(input.data(), length));
 if (!spki) return false;
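Review bot: `std::string(input.data())` in the added BoringSSL branch of VerifySpkac finds the end of the input by scanning for a NUL byte and ignores `input.size()`. Nothing visible here guarantees the buffer is NUL-terminated, so the scan can run past its end, and the resulting `length` passed to `NETSCAPE_SPKI_b64_decode` can exceed the buffer size. An embedded NUL has the opposite effect and silently shortens the input. Bound the search to the buffer instead: `length = std::string(input.data(), input.size()).find_last_not_of(" \n\r\t") + 1;`. The same line is added in the ExportPublicKey and ExportChallenge hunks and needs the same change; VerifySpkac's body continues past this hunk.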
@@ -45,8 +52,15 @@ ByteSource ExportPublicKey(Environment* env,
 BIOPointer bio(BIO_new(BIO_s_mem()));
 if (!bio) return ByteSource();
+ size_t length = input.size();
+#ifdef OPENSSL_IS_BORINGSSL
+ // OpenSSL uses EVP_DecodeBlock, which explicitly removes trailing characters,
+ // while BoringSSL uses EVP_DecodedLength and EVP_DecodeBase64, which do not.
+ // As such, we trim those characters here for compatibility.
+ length = std::string(input.data()).find_last_not_of(" \n\r\t") + 1;
+#endif
 NetscapeSPKIPointer spki(
- NETSCAPE_SPKI_b64_decode(input.data(), input.size()));
+ NETSCAPE_SPKI_b64_decode(input.data(), length));
 if (!spki) return ByteSource();
 EVPKeyPointer pkey(NETSCAPE_SPKI_get_pubkey(spki.get()));
@@ -73,8 +87,15 @@ void ExportPublicKey(const FunctionCallbackInfo& args) {
 }
 ByteSource ExportChallenge(const ArrayBufferOrViewContents& input) {
+ size_t length = input.size();
+#ifdef OPENSSL_IS_BORINGSSL
+ // OpenSSL uses EVP_DecodeBlock, which explicitly removes trailing characters,
+ // while BoringSSL uses EVP_DecodedLength and EVP_DecodeBase64, which do not.
+ // As such, we trim those characters here for compatibility.
+ length = std::string(input.data()).find_last_not_of(" \n\r\t") + 1;
+#endif
 NetscapeSPKIPointer sp(
- NETSCAPE_SPKI_b64_decode(input.data(), input.size()));
+ NETSCAPE_SPKI_b64_decode(input.data(), length));
 if (!sp) return ByteSource();
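Review bot: An empty or all-whitespace input makes `find_last_not_of` return `npos`, and the `+ 1` in the added assignment wraps that to 0, so `NETSCAPE_SPKI_b64_decode` is called with a zero length. As far as I know the decoder treats a non-positive length as "measure with strlen", which would read an unterminated buffer; that should be confirmed for the BoringSSL build. Returning early when nothing is left to decode sidesteps the question: `if (length == 0) return ByteSource();` directly after the `#endif`. ExportPublicKey starts before this hunk and continues after it.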
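Review bot: The seven lines added to ExportChallenge are a third copy of the block already added to VerifySpkac and ExportPublicKey, so any later correction to the trimming has to be made in three places. A file-local helper that takes the input and returns the length to decode would keep the `#ifdef OPENSSL_IS_BORINGSSL` in one spot, with each caller reduced to `const size_t length = TrimmedLength(input);` (the helper name is only a suggestion). The comment explaining the OpenSSL/BoringSSL difference would then sit once, on the helper. ExportChallenge's body continues past this hunk.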