-
Notifications
You must be signed in to change notification settings - Fork 29.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
crypto: return a clearer error when loading an unsupported pkcs12 #54485
crypto: return a clearer error when loading an unsupported pkcs12 #54485
Conversation
Review requested:
|
0c3e70b
to
48b65f7
Compare
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #54485 +/- ##
==========================================
+ Coverage 87.31% 87.60% +0.28%
==========================================
Files 648 650 +2
Lines 182365 182832 +467
Branches 34988 35382 +394
==========================================
+ Hits 159236 160173 +937
+ Misses 16393 15927 -466
+ Partials 6736 6732 -4
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
lgtm
CI errors here is an actual failures, in the sharedlibs_openssl111fips config - should be able to find some time to fix that up and finish this in the next couple of days, watch this space. |
468e3e9
to
f4db363
Compare
OpenSSL 111 test are now passing! It looks like the only remaining failures here are spurious so I'll rerun those soon once CI finishes. A rereview would be nice when you have a minute @lpinca @mertcanaltin |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
lgtm
Landed in 65b4fb8 |
PR-URL: #54485 Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Currently when a PFX file with an unsupported format is used, it will throw an error because it's not supported (typically because you need the OpenSSL legacy provider). That fails with:
unsupported
Lots of users run into this (e.g. #40672 - and there's plenty of other similar issues) but it's not really clear from this error what's going on, or which of the options they've provided is failing and why.
This PR improves that for the common
LoadPKCS12
case, with an explicit error describing what is not supported (you're loading a PFX file that is not supported) and a standard error code so you can recognize and google this more usefully (ERR_CRYPTO_UNSUPPORTED_OPERATION
). The code is also useful for people building on Node.js and processing user-provided PFX files (this is me) who would like to be able to recognize failures in processing these automatically & reliably.I explored trying to get more info from OpenSSL's errors on exactly what was unsupported, but the best available is the data string, which looks something like
Global default library context, Algorithm (RC2-CBC : 3), Properties ()
(as a plain string - I can't see a way to reach the data itself directly). I assume that's not really useful/friendly enough to include here, but happy to add that if people disagree.The tests here use a PFX I've generated manually with an old OpenSSL version using RC2-40-CBC. You can see the contents with
openssl pkcs12 -info -legacy -in ./test/fixtures/keys/legacy.pfx
and passwordlegacy
(note that without the-legacy
OpenSSL flag it will fail to open).