Distrust certs issued after 00:00:00 Oct. 21, 2016 by StartCom and WoSign #9469

Closed
wants to merge 2 commits into
base: master
from

@shigeki
Contributor

shigeki commented Nov 4, 2016

Checklist
  • make -j8 test (UNIX), or vcbuild test nosign (Windows) passes
  • tests and/or benchmarks are included
  • documentation is changed or added
  • commit message follows commit guidelines
Affected core subsystem(s)

crypto, tls and test.

Description of change

Per discussion of #9434, this PR checks the certs issued by StartCom and WoSign and if notBefore is after 00:00:00 Oct. 21 2016, the tls client connection fails with a CERT_REVOKED error.

This also includes a CNNIC whitelist update since #1895, in which expired certs were removed, and a minor bug fix of test/parallel/test-tls-cnnic-whitelist.js which came from 2bc7841.

R: @bnoordhuis
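
The check described above, sketched from the client side as an added example (not code from this PR or from Node.js). It assumes certificate objects shaped like those returned by tls.TLSSocket.getPeerCertificate(true) (subject, valid_from, issuerCertificate), matches roots by O and CN instead of by DER-encoded Name, and reads the cutoff as UTC; checkStartComWoSign, findRoot, isDistrustedRoot and makeChain are hypothetical names.

```javascript
// Cutoff from the PR: 00:00:00 Oct. 21, 2016, read here as UTC
// (1477008000 seconds since the epoch, the value used in the patch).
const CUTOFF_MS = 1477008000 * 1000;

// Root subjects as printed by the verification program in this thread.
// Simplification (assumption): only O and CN are compared here.
const DISTRUSTED_ROOTS = [
  ['WoSign CA Limited', 'CA \u6c83\u901a\u6839\u8bc1\u4e66'],
  ['WoSign CA Limited', 'CA WoSign ECC Root'],
  ['WoSign CA Limited', 'Certification Authority of WoSign'],
  ['WoSign CA Limited', 'Certification Authority of WoSign G2'],
  ['StartCom Ltd.', 'StartCom Certification Authority'],
  ['StartCom Ltd.', 'StartCom Certification Authority G2'],
];

function isDistrustedRoot(subject) {
  return DISTRUSTED_ROOTS.some(
    ([o, cn]) => subject.O === o && subject.CN === cn);
}

// Follow issuerCertificate links to the root. A root refers to itself, so
// stop on self-reference; the depth limit guards against malformed input.
function findRoot(leaf, maxDepth = 10) {
  let cert = leaf;
  for (let i = 0; i < maxDepth; i++) {
    const issuer = cert.issuerCertificate;
    if (!issuer || issuer === cert) return cert;
    cert = issuer;
  }
  return null;
}

// Returns { ok, reason } for a leaf certificate object.
function checkStartComWoSign(leaf) {
  const root = findRoot(leaf);
  if (root === null) return { ok: false, reason: 'CHAIN_TOO_LONG' };
  if (!isDistrustedRoot(root.subject)) return { ok: true, reason: 'OTHER_ROOT' };
  const notBefore = Date.parse(leaf.valid_from);
  // Fail closed when the date cannot be parsed.
  if (Number.isNaN(notBefore)) return { ok: false, reason: 'BAD_NOT_BEFORE' };
  // "After" the cutoff is rejected; a notBefore equal to it is not.
  return notBefore > CUTOFF_MS
    ? { ok: false, reason: 'CERT_REVOKED' }
    : { ok: true, reason: 'ISSUED_BEFORE_CUTOFF' };
}

// Constructed sample chain (not real certificates): leaf -> intermediate -> root.
function makeChain(rootSubject, leafValidFrom) {
  const root = { subject: rootSubject, valid_from: 'Jan 1 00:00:00 2010 GMT' };
  root.issuerCertificate = root; // self-signed root points at itself
  const intermediate = {
    subject: { O: 'Example Intermediate', CN: 'Example Intermediate CA' },
    valid_from: 'Jan 1 00:00:00 2015 GMT',
    issuerCertificate: root,
  };
  return {
    subject: { CN: 'example.test' },
    valid_from: leafValidFrom,
    issuerCertificate: intermediate,
  };
}
```
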

@bnoordhuis

Mostly LGTM. There is a typo in the second commit log: s/udpate/update/

0x31, 0x2C, 0x30, 0x2A, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x23, 0x53, 0x74,
0x61, 0x72, 0x74, 0x43, 0x6F, 0x6D, 0x20, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66,
0x69, 0x63, 0x61, 0x74, 0x69, 0x6F, 0x6E, 0x20, 0x41, 0x75, 0x74, 0x68, 0x6F,
0x72, 0x69, 0x74, 0x79, 0x20, 0x47, 0x32,
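
Review bot: the array lines shown carry no comment naming the subject they encode. The tail here is a commonName RDN whose PrintableString value (length 0x23) reads "StartCom Certification Authority G2"; a one-line comment with the readable DN above each array would let reviewers check the data by eye.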

@not-an-aardvark

not-an-aardvark Nov 4, 2016

Member

Just as a precaution: How did you create these arrays? We might want to double-check that they are accurate. (I'm hoping to avoid an issue like this.)

@shigeki

shigeki Nov 7, 2016

Contributor

The data is ASN.1 encoded with Name type. Here is a list of subject names included in StartComAndWoSignData.inc and they all match the names listed in https://bugzilla.mozilla.org/show_bug.cgi?id=1309707#c16 and certdata.txt in Node.

$ cat printStartComWoSign.cc
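#include <cstdint>
#include <cstdio>
#include <x509.h>
#include <bio.h>
#include "StartComAndWoSignData.inc"

int main() {
  char buf[1024];
  BIO *bio = BIO_new_fp(stdout, BIO_NOCLOSE);
  for (const auto& it : StartComAndWoSignDNs) {
    // d2i_X509_NAME advances the pointer it is given, so pass a copy.
    const unsigned char* startcom_wosign_data = it.data;
    X509_NAME* startcom_wosign_name =
        d2i_X509_NAME(NULL, &startcom_wosign_data, it.len);
    if (startcom_wosign_name == NULL) {
      // The bytes are not a valid DER-encoded Name.
      fprintf(stderr, "failed to decode a DN entry\n");
      BIO_free(bio);
      return 1;
    }
    // Print the decoded subject in one-line form.
    X509_NAME_oneline(startcom_wosign_name, buf, sizeof buf);
    BIO_printf(bio, "%s\n", buf);
    X509_NAME_free(startcom_wosign_name);
  }
  BIO_free(bio);
  return 0;
}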
$ ./printStartComWoSign
/C=CN/O=WoSign CA Limited/CN=CA \xE6\xB2\x83\xE9\x80\x9A\xE6\xA0\xB9\xE8\xAF\x81\xE4\xB9\xA6
/C=CN/O=WoSign CA Limited/CN=CA WoSign ECC Root
/C=CN/O=WoSign CA Limited/CN=Certification Authority of WoSign
/C=CN/O=WoSign CA Limited/CN=Certification Authority of WoSign G2
/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
/C=IL/O=StartCom Ltd./CN=StartCom Certification Authority G2
@@ -2678,9 +2682,40 @@ inline X509* FindRoot(STACK_OF(X509)* sk) {
}
// Whitelist check for certs issued by CNNIC. See
inline bool CertIsStartComOrWoSign(X509_NAME* name) {
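
Review bot: CertIsStartComOrWoSign has no comment of its own in the lines shown; the only comment above it is the CNNIC whitelist one. Suggest a short comment above the function saying which names it matches (the subjects in StartComAndWoSignData.inc) and where that list comes from.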

@jasnell

jasnell Nov 7, 2016

Member

Hmm... would there possibly be a more generic way of doing this? Adding functions that are specific to StartCom and WoSign seems... troubling.

@shigeki

shigeki Nov 7, 2016

Contributor

I don't think it is troubling because this function checks the cert subject name with a specific type of structure provided by Mozilla only for StartCom and WoSign distrusting.
This function (and this feature) will be removed after deprecating their root cert when all issued certs are expired. So I don't think it needs to be more generic.

@shigeki

shigeki Nov 7, 2016

Contributor

Fixed this according to the comments except the one from @jasnell.

@indutny Sorry for forgetting to mention you. Please look at this if you have time.

@indutny

indutny approved these changes Nov 7, 2016

LGTM, if CI is green.

if (!CertIsStartComOrWoSign(root_name))
return true;
time_t october_21_2016 = static_cast<time_t>(1477008000);
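
Review bot: the literal 1477008000 on the october_21_2016 line has no comment giving the date, time and time zone it stands for. It is 2016-10-21 00:00:00 UTC; saying so next to the cast would let a reader check the cutoff against the commit message without converting the number.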

@indutny

indutny Nov 7, 2016

Member

could it be const?

@shigeki

shigeki Nov 7, 2016

Contributor

It's not. I'm not sure why.

int X509_cmp_time(const ASN1_TIME *s, time_t *t);

@ChALkeR ChALkeR added the security label Nov 7, 2016

@ChALkeR

ChALkeR Dec 24, 2016

Member

@bnoordhuis, does that look good to you now?

@shigeki

shigeki Dec 26, 2016

Contributor

I've just resolved the conflict of test/parallel/test-tls-cnnic-whitelist.js and rebased against the latest master.

Firefox51 is to be stable on Jan 24th and Chrome56 is on Jan 31st, 2017. They will begin to have WoSign/StartCom checks in their stable release.

I think it is better to land this at the end of Jan, 2017 to align with the browser release.

@shigeki

shigeki Jan 26, 2017

Contributor

Chrome 56 is released today. It is ready to land this. The approval from @bnoordhuis is needed. How is it?

@bnoordhuis

LGTM. s/certifiate/certificate/ in the first commit log and I'd say "Remove expired certificates from CNNIC whitelist." in the second one.

@shigeki

shigeki Jan 26, 2017

Contributor

@bnoordhuis Oh, typo. Thanks. Fixed.

I also added an announcement link from Apple https://support.apple.com/en-us/HT204132 in the commit log. I will land this tomorrow after rebasing and running CI.

After that, it should be discussed if it should be backported to LTS.

@jasnell

jasnell Jan 27, 2017

Member

I'm +1 on backporting this to 6 and 4. @nodejs/lts

@shigeki

shigeki Jan 31, 2017

Contributor

Running CI with rebasing in the current master for final check before landing. https://ci.nodejs.org/job/node-test-pull-request/6116/

@shigeki

shigeki Jan 31, 2017

Contributor

There were lint errors for using var and assert.equal. The fixes were made in 00017cef833274b41d6c0c7bc63e4bce10e8c456.
There are still errors on CI on Windows due to git errors. Wait for fixing for now.


imyller added a commit to imyller/meta-nodejs that referenced this pull request Mar 2, 2017

2017-02-21, Version 7.6.0 (Current)
    Notable changes:

    * deps:
        * update V8 to 5.5 (Michaël Zasso) [#11029](nodejs/node#11029)
        * upgrade libuv to 1.11.0 (cjihrig) [#11094](nodejs/node#11094)
        * add node-inspect 1.10.4 (Jan Krems) [#10187](nodejs/node#10187)
        * upgrade zlib to 1.2.11 (Sam Roberts) [#10980](nodejs/node#10980)
    * lib: build `node inspect` into `node` (Anna Henningsen) [#10187](nodejs/node#10187)
    * crypto: Remove expired certs from CNNIC whitelist (Shigeki Ohtsu) [#9469](nodejs/node#9469)
    * inspector: add --inspect-brk (Josh Gavant) [#11149](nodejs/node#11149)
    * fs: allow WHATWG URL objects as paths (James M Snell) [#10739](nodejs/node#10739)
    * src: support UTF-8 in compiled-in JS source files (Ben Noordhuis) [#11129](nodejs/node#11129)
    * url: extend url.format to support WHATWG URL (James M Snell) [#10857](nodejs/node#10857)

    PR-URL: nodejs/node#11185

Signed-off-by: Ilkka Myller <ilkka.myller@nodefield.com>

jasnell added a commit that referenced this pull request Mar 7, 2017

crypto: Remove expired certs from CNNIC whitelist
CNNIC Whitelist was updated with removing expired certificates.

Fixes: #1895
PR-URL: #9469
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>

jasnell added a commit that referenced this pull request Mar 7, 2017

crypto: add cert check issued by StartCom/WoSign
When tls client connects to the server with certification issued by
either StartCom or WoSign listed in StartComAndWoSignData.inc, check
notBefore of the server certificate and CERT_REVOKED error returns if
it is after 00:00:00 on October 21, 2016.

See for details in
https://blog.mozilla.org/security/2016/10/24/distrusting-new-wosign-and-startcom-certificates/,
https://security.googleblog.com/2016/10/distrusting-wosign-and-startcom.html
and
https://support.apple.com/en-us/HT204132

Fixes: #9434
PR-URL: #9469
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>

MylesBorins added a commit that referenced this pull request Mar 9, 2017

crypto: Remove expired certs from CNNIC whitelist
CNNIC Whitelist was updated with removing expired certificates.

Fixes: #1895
PR-URL: #9469
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>

MylesBorins added a commit that referenced this pull request Mar 9, 2017

crypto: add cert check issued by StartCom/WoSign
When tls client connects to the server with certification issued by
either StartCom or WoSign listed in StartComAndWoSignData.inc, check
notBefore of the server certificate and CERT_REVOKED error returns if
it is after 00:00:00 on October 21, 2016.

See for details in
https://blog.mozilla.org/security/2016/10/24/distrusting-new-wosign-and-startcom-certificates/,
https://security.googleblog.com/2016/10/distrusting-wosign-and-startcom.html
and
https://support.apple.com/en-us/HT204132

Fixes: #9434
PR-URL: #9469
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>

@MylesBorins MylesBorins referenced this pull request Mar 9, 2017

Merged

v6.10.1 proposal #11759

@MylesBorins MylesBorins referenced this pull request Mar 9, 2017

Merged

v4.8.1 proposal #11760

shigeki added a commit that referenced this pull request Mar 28, 2017

crypto: fix memory leak if certificate is revoked
The additional validity checks applied to StartCom and WoSign
certificates failed to free memory before returning.

Refs: #9469
Fixes: #12033
PR-URL: #12089
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Myles Borins <myles.borins@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>

MylesBorins added a commit that referenced this pull request Mar 28, 2017

crypto: fix memory leak if certificate is revoked
The additional validity checks applied to StartCom and WoSign
certificates failed to free memory before returning.

Refs: #9469
Fixes: #12033
PR-URL: #12089
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Myles Borins <myles.borins@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>

MylesBorins added a commit that referenced this pull request Mar 29, 2017

crypto: fix memory leak if certificate is revoked
The additional validity checks applied to StartCom and WoSign
certificates failed to free memory before returning.

Refs: #9469
Fixes: #12033
PR-URL: #12089
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Myles Borins <myles.borins@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>

kevinsawicki added a commit to electron/node that referenced this pull request May 16, 2017

crypto: add cert check issued by StartCom/WoSign
When tls client connects to the server with certification issued by
either StartCom or WoSign listed in StartComAndWoSignData.inc, check
notBefore of the server certificate and CERT_REVOKED error returns if
it is after 00:00:00 on October 21, 2016.

See for details in
https://blog.mozilla.org/security/2016/10/24/distrusting-new-wosign-and-startcom-certificates/,
https://security.googleblog.com/2016/10/distrusting-wosign-and-startcom.html
and
https://support.apple.com/en-us/HT204132

Fixes: nodejs/node#9434
PR-URL: nodejs/node#9469
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>

kevinsawicki added a commit to electron/node that referenced this pull request May 16, 2017

crypto: Remove expired certs from CNNIC whitelist
CNNIC Whitelist was updated with removing expired certificates.

Fixes: nodejs/node#1895
PR-URL: nodejs/node#9469
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>

kevinsawicki added a commit to electron/node that referenced this pull request May 16, 2017

crypto: fix memory leak if certificate is revoked
The additional validity checks applied to StartCom and WoSign
certificates failed to free memory before returning.

Refs: nodejs/node#9469
Fixes: nodejs/node#12033
PR-URL: nodejs/node#12089
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Myles Borins <myles.borins@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>