From 7cc99987375f96818779b808caaf4981dd2c68ff Mon Sep 17 00:00:00 2001 From: Filip Skokan Date: Tue, 22 Nov 2022 00:22:08 +0100 Subject: [PATCH] crypto: fix ECDH webcrypto public CryptoKey usages MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit PR-URL: https://github.com/nodejs/node/pull/45569 Reviewed-By: Antoine du Hamel Reviewed-By: Tobias Nießen --- lib/internal/crypto/ec.js | 9 ++++++++- test/parallel/test-webcrypto-derivebits-ecdh.js | 12 ++++++------ test/parallel/test-webcrypto-derivekey-ecdh.js | 8 ++++---- test/parallel/test-webcrypto-export-import-ec.js | 12 ++++++------ 4 files changed, 24 insertions(+), 17 deletions(-) diff --git a/lib/internal/crypto/ec.js b/lib/internal/crypto/ec.js index 4359294d343be0..bdc59e7737828a 100644 --- a/lib/internal/crypto/ec.js +++ b/lib/internal/crypto/ec.js @@ -58,7 +58,14 @@ function verifyAcceptableEcKeyUse(name, type, usages) { let checkSet; switch (name) { case 'ECDH': - checkSet = ['deriveKey', 'deriveBits']; + switch (type) { + case 'private': + checkSet = ['deriveKey', 'deriveBits']; + break; + case 'public': + checkSet = []; + break; + } break; case 'ECDSA': switch (type) { diff --git a/test/parallel/test-webcrypto-derivebits-ecdh.js b/test/parallel/test-webcrypto-derivebits-ecdh.js index 739155fba47818..2ab152ba5a7615 100644 --- a/test/parallel/test-webcrypto-derivebits-ecdh.js +++ b/test/parallel/test-webcrypto-derivebits-ecdh.js @@ -73,7 +73,7 @@ async function prepareKeys() { namedCurve }, true, - ['deriveKey', 'deriveBits']), + []), ]); keys[namedCurve] = { privateKey, @@ -235,17 +235,17 @@ async function prepareKeys() { name: 'ECDH', public: keys['P-521'].publicKey }, keys['P-521'].publicKey, null), { - message: /baseKey must be a private key/ + name: 'InvalidAccessError' }); } { - // Base key is not a private key + // Public is not a public key await assert.rejects(subtle.deriveBits({ name: 'ECDH', public: keys['P-521'].privateKey - }, keys['P-521'].publicKey, null), { - message: /algorithm\.public must be a public key/ + }, keys['P-521'].privateKey, null), { + name: 'InvalidAccessError' }); } @@ -262,7 +262,7 @@ async function prepareKeys() { name: 'ECDH', public: key }, keys['P-521'].publicKey, null), { - message: /algorithm\.public must be a public key/ + name: 'InvalidAccessError' }); } })().then(common.mustCall()); diff --git a/test/parallel/test-webcrypto-derivekey-ecdh.js b/test/parallel/test-webcrypto-derivekey-ecdh.js index 2ca54957a55304..d3ba660fde6d5b 100644 --- a/test/parallel/test-webcrypto-derivekey-ecdh.js +++ b/test/parallel/test-webcrypto-derivekey-ecdh.js @@ -68,7 +68,7 @@ async function prepareKeys() { namedCurve }, true, - ['deriveKey', 'deriveBits']), + []), ]); keys[namedCurve] = { privateKey, @@ -209,7 +209,7 @@ async function prepareKeys() { }, keys['P-521'].publicKey, ...otherArgs), - { message: /baseKey must be a private key/ }); + { name: 'InvalidAccessError' }); } { @@ -222,7 +222,7 @@ async function prepareKeys() { }, keys['P-521'].publicKey, ...otherArgs), - { message: /algorithm\.public must be a public key/ }); + { name: 'InvalidAccessError' }); } { @@ -242,6 +242,6 @@ async function prepareKeys() { }, keys['P-521'].publicKey, ...otherArgs), - { message: /algorithm\.public must be a public key/ }); + { name: 'InvalidAccessError' }); } })().then(common.mustCall()); diff --git a/test/parallel/test-webcrypto-export-import-ec.js b/test/parallel/test-webcrypto-export-import-ec.js index 79f82a3d4adc26..ec5615b6582f88 100644 --- a/test/parallel/test-webcrypto-export-import-ec.js +++ b/test/parallel/test-webcrypto-export-import-ec.js @@ -333,19 +333,19 @@ async function testImportRaw({ name, publicUsages }, namedCurve) { const rsaPrivate = crypto.createPrivateKey( fixtures.readKey('rsa_private_2048.pem')); - for (const [name, [publicUsage, privateUsage]] of Object.entries({ - 'ECDSA': ['verify', 'sign'], - 'ECDH': ['deriveBits', 'deriveBits'], - })) { + for (const [name, publicUsages, privateUsages] of [ + ['ECDSA', ['verify'], ['sign']], + ['ECDH', [], ['deriveBits', 'deriveBits']], + ]) { assert.rejects(subtle.importKey( 'spki', rsaPublic.export({ format: 'der', type: 'spki' }), { name, hash: 'SHA-256', namedCurve: 'P-256' }, - true, [publicUsage]), { message: /Invalid key type/ }); + true, publicUsages), { message: /Invalid key type/ }); assert.rejects(subtle.importKey( 'pkcs8', rsaPrivate.export({ format: 'der', type: 'pkcs8' }), { name, hash: 'SHA-256', namedCurve: 'P-256' }, - true, [privateUsage]), { message: /Invalid key type/ }); + true, privateUsages), { message: /Invalid key type/ }); } }