Curve25519 allows raw import/export of private keys #38655

Closed
vlovich opened this issue May 12, 2021 · 2 comments

vlovich commented May 12, 2021

  • Version: master
  • Platform: N/A
  • Subsystem: WebCrypto

What steps will reproduce the bug?

The tests for EDDSA (& EDDH?) rely on this so they're already broken.

How often does it reproduce? Is there a required condition?

100%. Export a private EDDSA (e.g. ed25519) key with the "raw" format.

What is the expected behavior?

WebCrypto defines ECDSA and ECDH as not allowing import/export of private keys in the "raw" format. The proposed spec indicates raw export of private keys should similarly not be allowed & I raised this point in tQsW/webcrypto-curve25519#8 and w3c/webcrypto#233.

What do you see instead?

The tests don't cover that "raw" export of private keys is disallowed. Additionally, the tests rely on this functionality.

Additional information

Helpful conversion of raw key format to pkcs8/spki. These keys can be added & the tests reworked.

This point was noted in the original feature work but it seems like it was overlooked?

pkcs8 9d61b19deffd5a60ba844af492ec2cc44449c5697b326919703bac031cae7f60 => new Uint8Array([48, 46, 2, 1, 0, 48, 5, 6, 3, 43, 101, 112, 4, 34, 4, 32, 157, 97, 177, 157, 239, 253, 90, 96, 186, 132, 74, 244, 146, 236, 44, 196, 68, 73, 197, 105, 123, 50, 105, 25, 112, 59, 172, 3, 28, 174, 127, 96])
spki d75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a => new Uint8Array([48, 42, 48, 5, 6, 3, 43, 101, 112, 3, 33, 0, 215, 90, 152, 1, 130, 177, 10, 183, 213, 75, 254, 211, 201, 100, 7, 58, 14, 225, 114, 243, 218, 166, 35, 37, 175, 2, 26, 104, 247, 7, 81, 26])

pkcs8 4ccd089b28ff96da9db6c346ec114e0f5b8a319f35aba624da8cf6ed4fb8a6fb => new Uint8Array([48, 46, 2, 1, 0, 48, 5, 6, 3, 43, 101, 112, 4, 34, 4, 32, 76, 205, 8, 155, 40, 255, 150, 218, 157, 182, 195, 70, 236, 17, 78, 15, 91, 138, 49, 159, 53, 171, 166, 36, 218, 140, 246, 237, 79, 184, 166, 251])
spki 3d4017c3e843895a92b70aa74d1b7ebc9c982ccf2ec4968cc0cd55f12af4660c => new Uint8Array([48, 42, 48, 5, 6, 3, 43, 101, 112, 3, 33, 0, 61, 64, 23, 195, 232, 67, 137, 90, 146, 183, 10, 167, 77, 27, 126, 188, 156, 152, 44, 207, 46, 196, 150, 140, 192, 205, 85, 241, 42, 244, 102, 12])

pkcs8 c5aa8df43f9f837bedb7442f31dcb7b166d38535076f094b85ce3a2e0b4458f7 => new Uint8Array([48, 46, 2, 1, 0, 48, 5, 6, 3, 43, 101, 112, 4, 34, 4, 32, 197, 170, 141, 244, 63, 159, 131, 123, 237, 183, 68, 47, 49, 220, 183, 177, 102, 211, 133, 53, 7, 111, 9, 75, 133, 206, 58, 46, 11, 68, 88, 247])
spki fc51cd8e6218a1a38da47ed00230f0580816ed13ba3303ac5deb911548908025 => new Uint8Array([48, 42, 48, 5, 6, 3, 43, 101, 112, 3, 33, 0, 252, 81, 205, 142, 98, 24, 161, 163, 141, 164, 126, 208, 2, 48, 240, 88, 8, 22, 237, 19, 186, 51, 3, 172, 93, 235, 145, 21, 72, 144, 128, 37])

pkcs8 f5e5767cf153319517630f226876b86c8160cc583bc013744c6bf255f5cc0ee5 => new Uint8Array([48, 46, 2, 1, 0, 48, 5, 6, 3, 43, 101, 112, 4, 34, 4, 32, 245, 229, 118, 124, 241, 83, 49, 149, 23, 99, 15, 34, 104, 118, 184, 108, 129, 96, 204, 88, 59, 192, 19, 116, 76, 107, 242, 85, 245, 204, 14, 229])
spki 278117fc144c72340f67d0f2316e8386ceffbf2b2428c9c51fef7c597f1d426e => new Uint8Array([48, 42, 48, 5, 6, 3, 43, 101, 112, 3, 33, 0, 39, 129, 23, 252, 20, 76, 114, 52, 15, 103, 208, 242, 49, 110, 131, 134, 206, 255, 191, 43, 36, 40, 201, 197, 31, 239, 124, 89, 127, 29, 66, 110])
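
The raw-to-pkcs8/spki conversion listed above, as an added example that is not part of the original issue or of the Node.js code base: each DER encoding is a fixed header followed by the 32 raw key bytes, and the private key can be cross-checked against its public key through `node:crypto`. All function and constant names here are hypothetical.

```javascript
// Added example (not Node.js project code); every name below is hypothetical.
// The require/getBuiltinModule switch lets the file load as CommonJS or as an ES module.
const nodeCrypto = typeof require === 'function'
  ? require('node:crypto')
  : process.getBuiltinModule('node:crypto');

// Fixed DER headers for Ed25519 (OID 1.3.101.112), identical to the leading
// bytes of the pkcs8/spki arrays listed in the issue.
const PKCS8_PREFIX = Uint8Array.from([48, 46, 2, 1, 0, 48, 5, 6, 3, 43, 101, 112, 4, 34, 4, 32]);
const SPKI_PREFIX = Uint8Array.from([48, 42, 48, 5, 6, 3, 43, 101, 112, 3, 33, 0]);

function hexToBytes(hex) {
  if (!/^(?:[0-9a-f]{2})+$/i.test(hex)) throw new TypeError('invalid hex string');
  return Uint8Array.from(hex.match(/../g), (b) => parseInt(b, 16));
}

// Prepend a DER header to a raw 32-byte key; any other length is rejected.
function wrap(prefix, raw) {
  if (raw.length !== 32) throw new RangeError('Ed25519 keys are 32 bytes');
  const der = new Uint8Array(prefix.length + raw.length);
  der.set(prefix);
  der.set(raw, prefix.length);
  return der;
}

const rawPrivateToPkcs8 = (raw) => wrap(PKCS8_PREFIX, raw);
const rawPublicToSpki = (raw) => wrap(SPKI_PREFIX, raw);

// Import the PKCS#8 private key, derive its public key, export it as SPKI DER.
function spkiFromPkcs8(pkcs8) {
  const priv = nodeCrypto.createPrivateKey({ key: Buffer.from(pkcs8), format: 'der', type: 'pkcs8' });
  return new Uint8Array(nodeCrypto.createPublicKey(priv).export({ format: 'der', type: 'spki' }));
}

// Convert one raw hex pair and report whether the two halves belong together.
function convertVector({ priv, pub }) {
  const pkcs8 = rawPrivateToPkcs8(hexToBytes(priv));
  const spki = rawPublicToSpki(hexToBytes(pub));
  return { pkcs8, spki, matches: Buffer.compare(spkiFromPkcs8(pkcs8), spki) === 0 };
}

// First key pair from the issue.
const VECTOR_1 = {
  priv: '9d61b19deffd5a60ba844af492ec2cc44449c5697b326919703bac031cae7f60',
  pub: 'd75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a',
};
```

A test can then import `convertVector(VECTOR_1).pkcs8` with the `"pkcs8"` format and `.spki` with the `"spki"` format instead of relying on `"raw"`.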

Trott commented May 13, 2021

@nodejs/crypto @jasnell


panva commented May 13, 2021

@vlovich it is worth pointing out that Node.js does not implement the proposal, it is intentionally using Vendor-specific proprietary extensions for Ed25519/X25519/Ed448/X25519. Nevertheless it was not intended to have them exportable, I've raised #38668 to correct this.

@panva panva closed this as completed in 2130598 May 17, 2021
targos pushed a commit that referenced this issue May 18, 2021
closes #38655

PR-URL: #38668
Reviewed-By: Gus Caplan <me@gus.host>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>