Skip to content

Commit

Permalink
crypto: ensure invalid SubtleCrypto JWK data import results in DataError
Browse files Browse the repository at this point in the history
PR-URL: #55041
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
  • Loading branch information
panva authored and marco-ippolito committed Nov 17, 2024
1 parent 0b985ec commit 2f678ea
Show file tree
Hide file tree
Showing 8 changed files with 79 additions and 20 deletions.
7 changes: 6 additions & 1 deletion lib/internal/crypto/aes.js
Original file line number Diff line number Diff line change
Expand Up @@ -296,7 +296,12 @@ async function aesImportKey(
}

const handle = new KeyObjectHandle();
handle.initJwk(keyData);
try {
handle.initJwk(keyData);
} catch (err) {
throw lazyDOMException(
'Invalid keyData', { name: 'DataError', cause: err });
}

({ length } = handle.keyDetail({ }));
validateKeyLength(length);
Expand Down
38 changes: 24 additions & 14 deletions lib/internal/crypto/cfrg.js
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,12 @@ const {
kSignJobModeVerify,
} = internalBinding('crypto');

const {
codes: {
ERR_CRYPTO_INVALID_JWK,
},
} = require('internal/errors');

const {
getUsagesUnion,
hasAnyNotIn,
Expand Down Expand Up @@ -277,22 +283,26 @@ async function cfrgImportKey(
isPublic,
usagesSet);

const publicKeyObject = createCFRGRawKey(
name,
Buffer.from(keyData.x, 'base64'),
true);

if (isPublic) {
keyObject = publicKeyObject;
} else {
keyObject = createCFRGRawKey(
try {
const publicKeyObject = createCFRGRawKey(
name,
Buffer.from(keyData.d, 'base64'),
false);

if (!createPublicKey(keyObject).equals(publicKeyObject)) {
throw lazyDOMException('Invalid JWK', 'DataError');
Buffer.from(keyData.x, 'base64'),
true);

if (isPublic) {
keyObject = publicKeyObject;
} else {
keyObject = createCFRGRawKey(
name,
Buffer.from(keyData.d, 'base64'),
false);

if (!createPublicKey(keyObject).equals(publicKeyObject)) {
throw new ERR_CRYPTO_INVALID_JWK();
}
}
} catch (err) {
throw lazyDOMException('Invalid keyData', { name: 'DataError', cause: err });
}
break;
}
Expand Down
10 changes: 8 additions & 2 deletions lib/internal/crypto/ec.js
Original file line number Diff line number Diff line change
Expand Up @@ -240,9 +240,15 @@ async function ecImportKey(
}

const handle = new KeyObjectHandle();
const type = handle.initJwk(keyData, namedCurve);
let type;
try {
type = handle.initJwk(keyData, namedCurve);
} catch (err) {
throw lazyDOMException(
'Invalid keyData', { name: 'DataError', cause: err });
}
if (type === undefined)
throw lazyDOMException('Invalid JWK', 'DataError');
throw lazyDOMException('Invalid keyData', 'DataError');
keyObject = type === kKeyTypePrivate ?
new PrivateKeyObject(handle) :
new PublicKeyObject(handle);
Expand Down
7 changes: 6 additions & 1 deletion lib/internal/crypto/mac.js
Original file line number Diff line number Diff line change
Expand Up @@ -145,7 +145,12 @@ async function hmacImportKey(
}

const handle = new KeyObjectHandle();
handle.initJwk(keyData);
try {
handle.initJwk(keyData);
} catch (err) {
throw lazyDOMException(
'Invalid keyData', { name: 'DataError', cause: err });
}
keyObject = new SecretKeyObject(handle);
break;
}
Expand Down
10 changes: 8 additions & 2 deletions lib/internal/crypto/rsa.js
Original file line number Diff line number Diff line change
Expand Up @@ -275,9 +275,15 @@ async function rsaImportKey(
}

const handle = new KeyObjectHandle();
const type = handle.initJwk(keyData);
let type;
try {
type = handle.initJwk(keyData);
} catch (err) {
throw lazyDOMException(
'Invalid keyData', { name: 'DataError', cause: err });
}
if (type === undefined)
throw lazyDOMException('Invalid JWK', 'DataError');
throw lazyDOMException('Invalid keyData', 'DataError');

keyObject = type === kKeyTypePrivate ?
new PrivateKeyObject(handle) :
Expand Down
9 changes: 9 additions & 0 deletions test/parallel/test-webcrypto-export-import-cfrg.js
Original file line number Diff line number Diff line change
Expand Up @@ -322,6 +322,15 @@ async function testImportJwk({ name, publicUsages, privateUsages }, extractable)
extractable,
[/* empty usages */]),
{ name: 'SyntaxError', message: 'Usages cannot be empty when importing a private key.' });

await assert.rejects(
subtle.importKey(
'jwk',
{ kty: jwk.kty, /* missing x */ crv: jwk.crv },
{ name },
extractable,
publicUsages),
{ name: 'DataError', message: 'Invalid keyData' });
}

async function testImportRaw({ name, publicUsages }) {
Expand Down
9 changes: 9 additions & 0 deletions test/parallel/test-webcrypto-export-import-ec.js
Original file line number Diff line number Diff line change
Expand Up @@ -330,6 +330,15 @@ async function testImportJwk(
extractable,
[/* empty usages */]),
{ name: 'SyntaxError', message: 'Usages cannot be empty when importing a private key.' });

await assert.rejects(
subtle.importKey(
'jwk',
{ kty: jwk.kty, /* missing x */ y: jwk.y, crv: jwk.crv },
{ name, namedCurve },
extractable,
publicUsages),
{ name: 'DataError', message: 'Invalid keyData' });
}

async function testImportRaw({ name, publicUsages }, namedCurve) {
Expand Down
9 changes: 9 additions & 0 deletions test/parallel/test-webcrypto-export-import-rsa.js
Original file line number Diff line number Diff line change
Expand Up @@ -513,6 +513,15 @@ async function testImportJwk(
extractable,
[/* empty usages */]),
{ name: 'SyntaxError', message: 'Usages cannot be empty when importing a private key.' });

await assert.rejects(
subtle.importKey(
'jwk',
{ kty: jwk.kty, /* missing e */ n: jwk.n },
{ name, hash },
extractable,
publicUsages),
{ name: 'DataError', message: 'Invalid keyData' });
}

// combinations to test
Expand Down

0 comments on commit 2f678ea

Please sign in to comment.