Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Always return a boolean from NodeRSA.isPrivate #173

Merged
merged 1 commit into from
Mar 28, 2020
Merged

Always return a boolean from NodeRSA.isPrivate #173

merged 1 commit into from
Mar 28, 2020

Conversation

hurryabit
Copy link
Contributor

@hurryabit hurryabit commented Mar 20, 2020
edited

Currently, the NodeRSA.isPrivate method returns the d component of
the key when the key is indeed a private key. Obviously, this result
is truthy and hence does the job. However, I would classify it as a
security risk since the name isPrivate raises the expectation that
the result is a boolean and hence can safely be sent over the wire.
This might leak the most private part of the key though, which would
most likely be a disaster.

This change is Reviewable

@hurryabit
Always return a boolean from NodeRSA.isPrivate
d6e4e97 
Currently, the `NodeRSA.isPrivate` method returns the `d` component of
the key when the key is indeed a private key. Obviously, this result
is truthy and hence does the job. However, I would classify it as a
security risk since the name `isPrivate` raises the expectation that
the result is a boolean and hence can safely be sent over the wire.
This might leak the most private part of the key though, which would
most likely be a disaster.
@hurryabit
Copy link
Contributor Author

@rzcoder Who can review and approve or reject this PR?

@rzcoder rzcoder merged commit b87ef00 into rzcoder:master Mar 28, 2020
@rzcoder
Copy link
Owner

rzcoder commented Mar 28, 2020

@hurryabit hey! Thanks for PR.

@hurryabit hurryabit deleted the boolean-is-private branch March 29, 2020 11:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sportshead sportshead sportshead approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@hurryabit @rzcoder @sportshead