Skip to content

Commit

Permalink
crypto: fix ECDH webcrypto public CryptoKey usages
Browse files Browse the repository at this point in the history
PR-URL: nodejs#45569
Reviewed-By: Antoine du Hamel <[email protected]>
Reviewed-By: Tobias Nießen <[email protected]>
  • Loading branch information
panva authored and nodejs-github-bot committed Nov 26, 2022
1 parent 7d47b6a commit 8fef474
Show file tree
Hide file tree
Showing 4 changed files with 24 additions and 17 deletions.
9 changes: 8 additions & 1 deletion lib/internal/crypto/ec.js
Original file line number Diff line number Diff line change
Expand Up @@ -58,7 +58,14 @@ function verifyAcceptableEcKeyUse(name, type, usages) {
let checkSet;
switch (name) {
case 'ECDH':
checkSet = ['deriveKey', 'deriveBits'];
switch (type) {
case 'private':
checkSet = ['deriveKey', 'deriveBits'];
break;
case 'public':
checkSet = [];
break;
}
break;
case 'ECDSA':
switch (type) {
Expand Down
12 changes: 6 additions & 6 deletions test/parallel/test-webcrypto-derivebits-ecdh.js
Original file line number Diff line number Diff line change
Expand Up @@ -73,7 +73,7 @@ async function prepareKeys() {
namedCurve
},
true,
['deriveKey', 'deriveBits']),
[]),
]);
keys[namedCurve] = {
privateKey,
Expand Down Expand Up @@ -235,17 +235,17 @@ async function prepareKeys() {
name: 'ECDH',
public: keys['P-521'].publicKey
}, keys['P-521'].publicKey, null), {
message: /baseKey must be a private key/
name: 'InvalidAccessError'
});
}

{
// Base key is not a private key
// Public is not a public key
await assert.rejects(subtle.deriveBits({
name: 'ECDH',
public: keys['P-521'].privateKey
}, keys['P-521'].publicKey, null), {
message: /algorithm\.public must be a public key/
}, keys['P-521'].privateKey, null), {
name: 'InvalidAccessError'
});
}

Expand All @@ -262,7 +262,7 @@ async function prepareKeys() {
name: 'ECDH',
public: key
}, keys['P-521'].publicKey, null), {
message: /algorithm\.public must be a public key/
name: 'InvalidAccessError'
});
}
})().then(common.mustCall());
8 changes: 4 additions & 4 deletions test/parallel/test-webcrypto-derivekey-ecdh.js
Original file line number Diff line number Diff line change
Expand Up @@ -68,7 +68,7 @@ async function prepareKeys() {
namedCurve
},
true,
['deriveKey', 'deriveBits']),
[]),
]);
keys[namedCurve] = {
privateKey,
Expand Down Expand Up @@ -209,7 +209,7 @@ async function prepareKeys() {
},
keys['P-521'].publicKey,
...otherArgs),
{ message: /baseKey must be a private key/ });
{ name: 'InvalidAccessError' });
}

{
Expand All @@ -222,7 +222,7 @@ async function prepareKeys() {
},
keys['P-521'].publicKey,
...otherArgs),
{ message: /algorithm\.public must be a public key/ });
{ name: 'InvalidAccessError' });
}

{
Expand All @@ -242,6 +242,6 @@ async function prepareKeys() {
},
keys['P-521'].publicKey,
...otherArgs),
{ message: /algorithm\.public must be a public key/ });
{ name: 'InvalidAccessError' });
}
})().then(common.mustCall());
12 changes: 6 additions & 6 deletions test/parallel/test-webcrypto-export-import-ec.js
Original file line number Diff line number Diff line change
Expand Up @@ -333,19 +333,19 @@ async function testImportRaw({ name, publicUsages }, namedCurve) {
const rsaPrivate = crypto.createPrivateKey(
fixtures.readKey('rsa_private_2048.pem'));

for (const [name, [publicUsage, privateUsage]] of Object.entries({
'ECDSA': ['verify', 'sign'],
'ECDH': ['deriveBits', 'deriveBits'],
})) {
for (const [name, publicUsages, privateUsages] of [
['ECDSA', ['verify'], ['sign']],
['ECDH', [], ['deriveBits', 'deriveBits']],
]) {
assert.rejects(subtle.importKey(
'spki',
rsaPublic.export({ format: 'der', type: 'spki' }),
{ name, hash: 'SHA-256', namedCurve: 'P-256' },
true, [publicUsage]), { message: /Invalid key type/ });
true, publicUsages), { message: /Invalid key type/ });
assert.rejects(subtle.importKey(
'pkcs8',
rsaPrivate.export({ format: 'der', type: 'pkcs8' }),
{ name, hash: 'SHA-256', namedCurve: 'P-256' },
true, [privateUsage]), { message: /Invalid key type/ });
true, privateUsages), { message: /Invalid key type/ });
}
}

0 comments on commit 8fef474

Please sign in to comment.