crypto: add SubtleCrypto.supports feature detection in Web Crypto API

Author: panva

doc/api/webcrypto.md

@@ -351,6 +351,74 @@ async function digest(data, algorithm = 'SHA-512') {
 }
 ```
 
+### Checking for runtime algorithm support
+
+> Stability: 1.0 - Early development. SubleCrypto.supports is an experimental
+> implementation based on [Modern Algorithms in the Web Cryptography API][] as
+> of 8 January 2025
+
+This example derives a key from a password using Argon2, if available,
+or PBKDF2, otherwise; and then encrypts and decrypts some text with it
+using AES-OCB, if available, and AES-GCM, otherwise.
+
+```mjs
+const password = 'correct horse battery staple';
+const derivationAlg =
+  SubtleCrypto.supports?.('importKey', 'Argon2id') ?
+    'Argon2id' :
+    'PBKDF2';
+const encryptionAlg =
+  SubtleCrypto.supports?.('importKey', 'AES-OCB') ?
+    'AES-OCB' :
+    'AES-GCM';
+const passwordKey = await crypto.subtle.importKey(
+  'raw',
+  new TextEncoder().encode(password),
+  derivationAlg,
+  false,
+  ['deriveKey'],
+);
+const nonce = crypto.getRandomValues(new Uint8Array(16));
+const derivationParams =
+  derivationAlg === 'Argon2id' ?
+    {
+      nonce,
+      parallelism: 4,
+      memory: 2 ** 21,
+      passes: 1,
+    } :
+    {
+      salt: nonce,
+      iterations: 100_000,
+      hash: 'SHA-256',
+    };
+const key = await crypto.subtle.deriveKey(
+  {
+    name: derivationAlg,
+    ...derivationParams,
+  },
+  passwordKey,
+  {
+    name: encryptionAlg,
+    length: 256,
+  },
+  false,
+  ['encrypt', 'decrypt'],
+);
+const plaintext = 'Hello, world!';
+const iv = crypto.getRandomValues(new Uint8Array(16));
+const encrypted = await crypto.subtle.encrypt(
+  { name: encryptionAlg, iv },
+  key,
+  new TextEncoder().encode(plaintext),
+);
+const decrypted = new TextDecoder().decode(await crypto.subtle.decrypt(
+  { name: encryptionAlg, iv },
+  key,
+  encrypted,
+));
+```
+
 ## Algorithm matrix
 
 The table details the algorithms supported by the Node.js Web Crypto API
@@ -549,6 +617,28 @@ added: v15.0.0
 added: v15.0.0
 -->
 
+### Static method: `SubtleCrypto.supports(operation, algorithm[, lengthOrAdditionalAlgorithm])`
+
+> Stability: 1.0 - Early development. An experimental implementation of SubtleCrypto.supports from
+> [Modern Algorithms in the Web Cryptography API][] as of 8 January 2025
+
+<!-- YAML
+added: REPLACEME
+-->
+
+<!--lint disable maximum-line-length remark-lint-->
+
+* `operation`: {string} "encrypt", "decrypt", "sign", "verify", "digest", "generateKey", "deriveKey", "deriveBits", "importKey", "exportKey", "wrapKey" or "unwrapKey"
+* `algorithm`: {AesCbcParams|AesCtrParams|AesGcmParams|AesKeyGenParams|AlgorithmIdentifier|EcdhKeyDeriveParams|EcdsaParams|EcKeyGenParams|EcKeyImportParams|Ed448Params|HkdfParams|HmacImportParams|HmacKeyGenParams|Pbkdf2Params|RsaHashedImportParams|RsaHashedKeyGenParams|RsaOaepParams|RsaPssParams|string}
+* `lengthOrAdditionalAlgorithm`: Depending on the operation this is either ignored, the value of the SubtleCrypto method's length argument, the algorithm of key to be derived when operation is "deriveKey", the algorithm of key to be exported before wrapping when operation is "wrapKey", and the algorithm of key to be imported after unwrapping when operation is "unwrapKey"
+* Returns: {boolean} Indicating whether the implementation supports the given operation
+
+<!--lint enable maximum-line-length remark-lint-->
+
+Allows feature detection in Web Crypto API, which can be used to detect whether
+a given algorithm identifier (including any of its parameters) is supported for
+the given operation.
+
 ### `subtle.decrypt(algorithm, key, data)`
 
 <!-- YAML
@@ -1653,6 +1743,7 @@ The length (in bytes) of the random salt to use.
 
 [JSON Web Key]: https://tools.ietf.org/html/rfc7517
 [Key usages]: #cryptokeyusages
+[Modern Algorithms in the Web Cryptography API]: https://twiss.github.io/webcrypto-modern-algos/
 [NIST SP 800-38D]: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38d.pdf
 [RFC 4122]: https://www.rfc-editor.org/rfc/rfc4122.txt
 [Secure Curves in the Web Cryptography API]: https://wicg.github.io/webcrypto-secure-curves/

lib/internal/crypto/hkdf.js

@@ -170,4 +170,5 @@ module.exports = {
   hkdf,
   hkdfSync,
   hkdfDeriveBits,
+  validateHkdfDeriveBitsLength,
 };

lib/internal/crypto/pbkdf2.js

@@ -128,4 +128,5 @@ module.exports = {
   pbkdf2,
   pbkdf2Sync,
   pbkdf2DeriveBits,
+  validatePbkdf2DeriveBitsLength,
 };

lib/internal/crypto/util.js

@@ -175,6 +175,20 @@ const kSupportedAlgorithms = {
     'SHA-384': null,
     'SHA-512': null,
   },
+  'exportKey': {
+    'RSASSA-PKCS1-v1_5': null,
+    'RSA-PSS': null,
+    'RSA-OAEP': null,
+    'ECDSA': null,
+    'ECDH': null,
+    'HMAC': null,
+    'AES-CTR': null,
+    'AES-CBC': null,
+    'AES-GCM': null,
+    'AES-KW': null,
+    'Ed25519': null,
+    'X25519': null,
+  },
   'generateKey': {
     'RSASSA-PKCS1-v1_5': 'RsaHashedKeyGenParams',
     'RSA-PSS': 'RsaHashedKeyGenParams',
@@ -259,12 +273,14 @@ const experimentalAlgorithms = ObjectEntries({
     generateKey: null,
     importKey: null,
     deriveBits: 'EcdhKeyDeriveParams',
+    exportKey: null,
   },
   'Ed448': {
     generateKey: null,
     sign: 'Ed448Params',
     verify: 'Ed448Params',
     importKey: null,
+    exportKey: null,
   },
 });
 

lib/internal/crypto/webcrypto.js

@@ -47,6 +47,7 @@ const {
 } = require('internal/crypto/util');
 
 const {
+  emitExperimentalWarning,
   kEnumerableProperty,
   lazyDOMException,
 } = require('internal/util');
@@ -922,7 +923,149 @@ class SubtleCrypto {
   constructor() {
     throw new ERR_ILLEGAL_CONSTRUCTOR();
   }
+
+  static supports(operation, algorithm, lengthOrAdditionalAlgorithm = null) {
+    emitExperimentalWarning('The supports Web Crypto API method');
+    if (this !== SubtleCrypto) throw new ERR_INVALID_THIS('SubtleCrypto constructor');
+    webidl ??= require('internal/crypto/webidl');
+    const prefix = "Failed to execute 'supports' on 'SubtleCrypto'";
+    webidl.requiredArguments(arguments.length, 2, { prefix });
+
+    operation = webidl.converters.DOMString(operation, {
+      prefix,
+      context: '1st argument',
+    });
+    algorithm = webidl.converters.AlgorithmIdentifier(algorithm, {
+      prefix,
+      context: '2nd argument',
+    });
+
+    switch (operation) {
+      case 'encrypt':
+      case 'decrypt':
+      case 'sign':
+      case 'verify':
+      case 'digest':
+      case 'generateKey':
+      case 'deriveKey':
+      case 'deriveBits':
+      case 'importKey':
+      case 'exportKey':
+      case 'wrapKey':
+      case 'unwrapKey':
+        break;
+      default:
+        return false;
+    }
+
+    let length;
+    let additionalAlgorithm;
+    if (operation === 'deriveKey') {
+      additionalAlgorithm = webidl.converters.AlgorithmIdentifier(lengthOrAdditionalAlgorithm, {
+        prefix,
+        context: '3rd argument',
+      });
+
+      if (!check('importKey', additionalAlgorithm) || !check('get key length', additionalAlgorithm)) {
+        return false;
+      }
+    }
+
+    if (operation === 'wrapKey') {
+      additionalAlgorithm = webidl.converters.AlgorithmIdentifier(lengthOrAdditionalAlgorithm, {
+        prefix,
+        context: '3rd argument',
+      });
+
+      if (!check('exportKey', additionalAlgorithm)) {
+        return false;
+      }
+    }
+
+    if (operation === 'unwrapKey') {
+      additionalAlgorithm = webidl.converters.AlgorithmIdentifier(lengthOrAdditionalAlgorithm, {
+        prefix,
+        context: '3rd argument',
+      });
+
+      if (!check('importKey', additionalAlgorithm)) {
+        return false;
+      }
+    }
+
+    if (operation === 'deriveBits') {
+      length = lengthOrAdditionalAlgorithm;
+      if (length !== null) {
+        length = webidl.converters['unsigned long'](length, {
+          prefix,
+          context: '3rd argument',
+        });
+      }
+    }
+
+    return check(operation, algorithm, length);
+  }
+}
+
+function check(op, alg, length) {
+  if (op === 'deriveKey') {
+    op = 'deriveBits';
+  }
+
+  let normalizedAlgorithm;
+  try {
+    normalizedAlgorithm = normalizeAlgorithm(alg, op);
+  } catch {
+    if (op === 'wrapKey') {
+      return check('encrypt', alg);
+    }
+
+    if (op === 'unwrapKey') {
+      return check('decrypt', alg);
+    }
+
+    return false;
+  }
+
+  switch (op) {
+    case 'encrypt':
+    case 'get key length':
+    case 'decrypt':
+    case 'sign':
+    case 'verify':
+    case 'digest':
+    case 'generateKey':
+    case 'importKey':
+    case 'exportKey':
+    case 'wrapKey':
+    case 'unwrapKey':
+      return true;
+    case 'deriveBits': {
+      if (normalizedAlgorithm.name === 'HKDF') {
+        try {
+          require('internal/crypto/hkdf').validateHkdfDeriveBitsLength(length);
+        } catch {
+          return false;
+        }
+      }
+
+      if (normalizedAlgorithm.name === 'PBKDF2') {
+        try {
+          require('internal/crypto/pbkdf2').validatePbkdf2DeriveBitsLength(length);
+        } catch {
+          return false;
+        }
+      }
+
+      return true;
+    }
+    default: {
+      const assert = require('internal/assert');
+      assert.fail('Unreachable code');
+    }
+  }
 }
+
 const subtle = ReflectConstruct(function() {}, [], SubtleCrypto);
 
 class Crypto {