mirror of
https://github.com/oven-sh/bun
synced 2026-02-09 18:38:55 +00:00
f78d197523
## Summary Fixes #11029 - `crypto.verify()` now correctly handles null/undefined algorithm parameter for RSA keys, matching Node.js behavior. ## Problem When calling `crypto.verify()` with a null or undefined algorithm parameter, Bun was throwing an error: ``` error: error:06000077:public key routines:OPENSSL_internal:NO_DEFAULT_DIGEST ``` ## Root Cause The issue stems from the difference between OpenSSL (used by Node.js) and BoringSSL (used by Bun): - **OpenSSL v3**: Automatically provides SHA256 as the default digest for RSA keys when NULL is passed - **BoringSSL**: Returns an error when NULL digest is passed for RSA keys ## Solution This fix explicitly sets SHA256 as the default digest for RSA keys when no algorithm is specified, achieving OpenSSL-compatible behavior. ## OpenSSL v3 Source Code Analysis I traced through the OpenSSL v3 source code to understand exactly how it handles null digests: ### 1. Entry Point (`crypto/evp/m_sigver.c`) When `EVP_DigestSignInit` or `EVP_DigestVerifyInit` is called with NULL digest: ```c // Lines 215-220 in do_sigver_init function if (mdname == NULL && !reinit) { if (evp_keymgmt_util_get_deflt_digest_name(tmp_keymgmt, provkey, locmdname, sizeof(locmdname)) > 0) { mdname = canon_mdname(locmdname); } } ``` ### 2. Default Digest Query (`crypto/evp/keymgmt_lib.c`) ```c // Lines 533-571 in evp_keymgmt_util_get_deflt_digest_name params[0] = OSSL_PARAM_construct_utf8_string(OSSL_PKEY_PARAM_DEFAULT_DIGEST, mddefault, sizeof(mddefault)); if (!evp_keymgmt_get_params(keymgmt, keydata, params)) return 0; ``` ### 3. RSA Provider Implementation (`providers/implementations/keymgmt/rsa_kmgmt.c`) ```c // Line 54: Define the default #define RSA_DEFAULT_MD "SHA256" // Lines 351-355: Return it for RSA keys if ((p = OSSL_PARAM_locate(params, OSSL_PKEY_PARAM_DEFAULT_DIGEST)) != NULL && (rsa_type != RSA_FLAG_TYPE_RSASSAPSS || ossl_rsa_pss_params_30_is_unrestricted(pss_params))) { if (!OSSL_PARAM_set_utf8_string(p, RSA_DEFAULT_MD)) return 0; } ``` ## Implementation Details The fix includes extensive documentation in the source code explaining: - The OpenSSL v3 mechanism with specific file paths and line numbers - Why BoringSSL behaves differently - Why Ed25519/Ed448 keys are handled differently (they don't need a digest) ## Test Plan ✅ Added comprehensive regression test in `test/regression/issue/11029-crypto-verify-null-algorithm.test.ts` ✅ Tests cover: - RSA keys with null/undefined algorithm - Ed25519 keys with null algorithm - Cross-verification between null and explicit SHA256 - `createVerify()` compatibility ✅ All tests pass and behavior matches Node.js ## Verification ```bash # Test with Bun bun test test/regression/issue/11029-crypto-verify-null-algorithm.test.ts # Compare with Node.js behavior node -e "const crypto = require('crypto'); const {publicKey, privateKey} = crypto.generateKeyPairSync('rsa', {modulusLength: 2048}); const data = Buffer.from('test'); const sig = crypto.sign(null, data, privateKey); console.log('Node.js verify with null:', crypto.verify(null, data, publicKey, sig));" ``` 🤖 Generated with [Claude Code](https://claude.ai/code) --------- Co-authored-by: Claude Bot <claude-bot@bun.sh> Co-authored-by: Claude <noreply@anthropic.com> Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
Tests
Finding tests
Tests are located in the test/ directory and are organized using the following structure:
test/js/- tests for JavaScript APIs.cli/- tests for commands, configs, and stdout.bundler/- tests for the transpiler/bundler.regression/- tests that reproduce a specific issue.harness.ts- utility functions that can be imported from any test.
The tests in test/js/ directory are further categorized by the type of API.
test/js/bun/- tests forBun-specific APIs.node/- tests for Node.js APIs.web/- tests for Web APIs, likefetch().first_party/- tests for npm packages that are built-in, likeundici.third_party/- tests for npm packages that are not built-in, but are popular, likeesbuild.
Running tests
To run a test, use Bun's built-in test command: bun test.
bun test # Run all tests
bun test js/bun # Only run tests in a directory
bun test sqlite.test.ts # Only run a specific test
If you encounter lots of errors, try running bun install, then trying again.
Writing tests
Tests are written in TypeScript (preferred) or JavaScript using Jest's describe(), test(), and expect() APIs.
import { describe, test, expect } from "bun:test";
import { gcTick } from "harness";
describe("TextEncoder", () => {
test("can encode a string", async () => {
const encoder = new TextEncoder();
const actual = encoder.encode("bun");
await gcTick();
expect(actual).toBe(new Uint8Array([0x62, 0x75, 0x6E]));
});
});
If you are fixing a bug that was reported from a GitHub issue, remember to add a test in the test/regression/ directory.
// test/regression/issue/02005.test.ts
import { it, expect } from "bun:test";
it("regex literal should work with non-latin1", () => {
const text = "这是一段要替换的文字";
expect(text.replace(new RegExp("要替换"), "")).toBe("这是一段的文字");
expect(text.replace(/要替换/, "")).toBe("这是一段的文字");
});
In the future, a bot will automatically close or re-open issues when a regression is detected or resolved.
Zig tests
These tests live in various .zig files throughout Bun's codebase, leveraging Zig's builtin test keyword.
Currently, they're not run automatically nor is there a simple way to run all of them. We will make this better soon.
TypeScript
Test files should be written in TypeScript. The types in packages/bun-types should be updated to support all new APIs. Changes to the .d.ts files in packages/bun-types will be immediately reflected in test files; no build step is necessary.
Writing a test will often require using invalid syntax, e.g. when checking for errors when an invalid input is passed to a function. TypeScript provides a number of escape hatches here.
// @ts-expect-error- This should be your first choice. It tells TypeScript that the next line should fail typechecking.// @ts-ignore- Ignore the next line entirely.// @ts-nocheck- Put this at the top of the file to disable typechecking on the entire file. Useful for autogenerated test files, or when ignoring/disabling type checks an a per-line basis is too onerous.