crypto: fix webcrypto ed(25519|448) spki/pkcs8 import

panva · panva · commit 314cd8015f93 · 2021-09-16T22:12:13.000+02:00
diff --git a/lib/internal/crypto/ec.js b/lib/internal/crypto/ec.js
@@ -269,14 +269,12 @@ async function ecImportKey(
         case 'NODE-X25519':
           // Fall through
         case 'NODE-X448':
-          checkNamedCurve = false;
           if (algorithm.name !== 'ECDH')
             throw lazyDOMException('Invalid algorithm name.', 'DataError');
           break;
         case 'NODE-ED25519':
           // Fall through
         case 'NODE-ED448':
-          checkNamedCurve = false;
           if (algorithm.name !== namedCurve)
             throw lazyDOMException('Invalid algorithm name.', 'DataError');
           break;
@@ -310,7 +308,6 @@ async function ecImportKey(
         throw lazyDOMException('Invalid JWK keyData', 'DataError');
       switch (keyData.kty) {
         case 'OKP': {
-          checkNamedCurve = false;
           const isPublic = keyData.d === undefined;
 
           let type;
@@ -395,7 +392,6 @@ async function ecImportKey(
         case 'NODE-X25519':
           // Fall through
         case 'NODE-X448':
-          checkNamedCurve = false;
           if (algorithm.public !== undefined)
             validateBoolean(algorithm.public, 'algorithm.public');
           if (algorithm.name !== 'ECDH')
@@ -409,7 +405,6 @@ async function ecImportKey(
         case 'NODE-ED25519':
           // Fall through
         case 'NODE-ED448':
-          checkNamedCurve = false;
           if (algorithm.public !== undefined)
             validateBoolean(algorithm.public, 'algorithm.public');
           if (algorithm.name !== namedCurve)
@@ -436,30 +431,27 @@ async function ecImportKey(
         throw lazyDOMException('Invalid key type', 'DataError');
       break;
     case 'ECDH':
-      if (
-        algorithm.namedCurve === 'NODE-X25519' &&
-        keyObject.asymmetricKeyType !== 'x25519'
-      ) {
-        throw lazyDOMException('Invalid key type', 'DataError');
-      } else if (
-        algorithm.namedCurve === 'NODE-X448' &&
-        keyObject.asymmetricKeyType !== 'x448'
-      ) {
-        throw lazyDOMException('Invalid key type', 'DataError');
-      } else if (
-        algorithm.namedCurve.startsWith('P') &&
-        keyObject.asymmetricKeyType !== 'ec'
-      ) {
+      if (algorithm.namedCurve === 'NODE-X25519') {
+        if (keyObject.asymmetricKeyType !== 'x25519')
+          throw lazyDOMException('Invalid key type', 'DataError');
+        checkNamedCurve = false
+      } else if (algorithm.namedCurve === 'NODE-X448') {
+        if (keyObject.asymmetricKeyType !== 'x448')
+          throw lazyDOMException('Invalid key type', 'DataError');
+        checkNamedCurve = false
+      } else if (keyObject.asymmetricKeyType !== 'ec') {
         throw lazyDOMException('Invalid key type', 'DataError');
       }
       break;
     case 'NODE-ED25519':
       if (keyObject.asymmetricKeyType !== 'ed25519')
         throw lazyDOMException('Invalid key type', 'DataError');
+      checkNamedCurve = false;
       break;
     case 'NODE-ED448':
       if (keyObject.asymmetricKeyType !== 'ed448')
         throw lazyDOMException('Invalid key type', 'DataError');
+      checkNamedCurve = false;
       break;
   }
 
diff --git a/test/parallel/test-webcrypto-ed25519-ed448.js b/test/parallel/test-webcrypto-ed25519-ed448.js
@@ -382,6 +382,20 @@ assert.rejects(
         assert.strictEqual(cryptoKey.algorithm.name, namedCurve);
       }, common.mustNotCall());
 
+      subtle.importKey(
+        keyObject.type === 'private' ? 'pkcs8' : 'spki',
+        keyObject.export({
+          format: 'der',
+          type: keyObject.type === 'private' ? 'pkcs8' : 'spki',
+        }),
+        { name: namedCurve, namedCurve },
+        true,
+        keyObject.type === 'private' ? ['sign'] : ['verify'],
+      ).then((cryptoKey) => {
+        assert.strictEqual(cryptoKey.type, keyObject.type);
+        assert.strictEqual(cryptoKey.algorithm.name, namedCurve);
+      }, common.mustNotCall());
+
       assert.rejects(
         subtle.importKey(
           'node.keyObject',
diff --git a/test/parallel/test-webcrypto-x25519-x448.js b/test/parallel/test-webcrypto-x25519-x448.js
@@ -285,16 +285,35 @@ assert.rejects(
     const { publicKey, privateKey } = generateKeyPairSync(asymmetricKeyType);
     for (const keyObject of [publicKey, privateKey]) {
       const namedCurve = `NODE-${asymmetricKeyType.toUpperCase()}`;
-      subtle.importKey(
-        'node.keyObject',
-        keyObject,
-        { name: 'ECDH', namedCurve },
-        true,
-        keyObject.type === 'private' ? ['deriveBits', 'deriveKey'] : [],
-      ).then((cryptoKey) => {
-        assert.strictEqual(cryptoKey.type, keyObject.type);
-        assert.strictEqual(cryptoKey.algorithm.name, 'ECDH');
-      }, common.mustNotCall());
+      {
+        subtle.importKey(
+          'node.keyObject',
+          keyObject,
+          { name: 'ECDH', namedCurve },
+          true,
+          keyObject.type === 'private' ? ['deriveBits', 'deriveKey'] : [],
+        ).then((cryptoKey) => {
+          assert.strictEqual(cryptoKey.type, keyObject.type);
+          assert.strictEqual(cryptoKey.algorithm.name, 'ECDH');
+        }, common.mustNotCall());
+      }
+
+      {
+        subtle.importKey(
+          keyObject.type === 'private' ? 'pkcs8' : 'spki',
+          keyObject.export({
+            format: 'der',
+            type: keyObject.type === 'private' ? 'pkcs8' : 'spki',
+          }),
+          { name: namedCurve, namedCurve },
+          true,
+          keyObject.type === 'private' ? ['deriveBits'] : [],
+        ).then((cryptoKey) => {
+          assert.strictEqual(cryptoKey.type, keyObject.type);
+          assert.strictEqual(cryptoKey.algorithm.name, 'ECDH');
+          assert.strictEqual(cryptoKey.algorithm.namedCurve, namedCurve);
+        }, common.mustNotCall());
+      }
     }
   }
 }
