fix: improve subtle.supports per spec, rename KMAC/cSHAKE length → outputLength #1026
Merged
- Expose `supports` as instance method so `subtle.supports(...)` works, in addition to the existing static `Subtle.supports(...)`.
- Add composed-operation decomposition for `wrapKey`, `unwrapKey`, `encapsulateKey`, and `decapsulateKey`. `encapsulateKey`/`decapsulateKey` reject HMAC/KMAC sharedKeyAlgorithm with non-default length.
- Run per-algorithm length validators for `deriveBits` (HKDF, PBKDF2, Argon2) so `supports` returns false for inputs the actual implementation would reject.
- Rename KMAC `KmacParams.length` → `KmacParams.outputLength` and cSHAKE `CShakeParams.length` → `CShakeParams.outputLength` to match the WICG modern-algos spec rename. cSHAKE outputLength is now in bits (divided by 8 for the underlying SHAKE).
The jwk round-trip test for KMAC was still passing `length` to subtle.sign, which now requires `outputLength` per the WICG modern-algos spec rename.
…h op

The WICG webcrypto-modern-algos spec defines `SubtleCrypto.supports` as static-only; calling `subtle.supports(...)` would throw in Node and any spec-compliant browser. Remove the instance form and the test that covered it so RNQC stays portable.

Also pass `'get key length'` (rather than `'importKey'`) to `normalizeAlgorithm` from the deriveKey decomposition path, mirroring Node's webcrypto.js:1558. RNQC's `normalizeAlgorithm` ignores the op argument today, so this is intent-only — but it leaves the call site correctly wired for #1025 (hardening normalizeAlgorithm with WebIDL validators).
Contributor
🤖 End-to-End Test Results - iOS
Status: ✅ Passed
This comment is automatically updated on each test run.
Contributor
🤖 End-to-End Test Results - Android
Status: ✅ Passed
This comment is automatically updated on each test run.


Summary
Closes the gaps in `Subtle.supports` and the WICG `KmacParams`/`CShakeParams` rename tracked in #1004. Brings RNQC's capability detector close to Node's `webcrypto.js:1506-1731` `SubtleCrypto.supports` and lands the `length` → `outputLength` rename throughout KMAC sign/verify and cSHAKE digest.

Changes
- `Subtle.supports` rewrite — composed-operation decomposition for `deriveKey`, `wrapKey`, `unwrapKey`, `encapsulateKey`, `decapsulateKey`, `getPublicKey`; per-algorithm length validators for `deriveBits` (HKDF / PBKDF2 / Argon2); HMAC + SHA3 generateKey-without-length now returns `false`; `wrapKey`/`unwrapKey` fall back to `encrypt`/`decrypt` when normalize fails (mirrors Node's `check()`).
- `outputLength` — `kmacSignVerify` now reads `algorithm.outputLength` (in bits, required), rejects missing values with `OperationError` and non-multiple-of-8 with `NotSupportedError`. Removed the silent 256/512-bit default that previously masked spec violations. `SubtleAlgorithm` gains `outputLength?: number`.
- `outputLength` — `asyncDigest` reads `algorithm.outputLength` for `cSHAKE128`/`cSHAKE256` per the WICG `CShakeParams` rename.
- `outputLength`.
- `'get key length'` to mirror Node's algorithm map; the `deriveKey` path now uses it for the `getKeyLength` lookup.

Notes for review
- `supports` on the `subtle` instance. After review the instance form was removed: the WICG spec WebIDL declares `static boolean supports(...)`, and Node throws `ERR_INVALID_THIS` when called off the constructor. Keeping the instance form would mean RNQC users writing `subtle.supports(...)` get code that breaks anywhere else. `Subtle.supports(...)` (static) is the only call form.
- `normalizeAlgorithm` is permissive (only canonicalizes `name`), so `Subtle.supports('encapsulateKey', 'ML-KEM-768', 'HMAC')` returns `true` here but `false` in Node (Node rejects HMAC without `hash`). Hardening `normalizeAlgorithm` with WebIDL converters has too large a blast radius for this PR.

Test plan
- `bun tsc` clean (verified locally on both packages)
- `subtle.supports` suite — composed-op decomposition cases
- `subtle.sign/verify` KMAC suite with `outputLength`
- `subtle.digest` cSHAKE128/256 with `outputLength`
- `subtle.importKey/exportKey` KMAC JWK round-trip

Closes #1004
Refs #1025
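
The `outputLength` handling described under Changes, as an added example that is not code from this PR or from RNQC: `outputLengthToBytes` and `cshakeDigest` are hypothetical names, and Node's `crypto.createHash` SHAKE support stands in for the native implementation. It covers only cSHAKE with empty function-name and customization strings, where cSHAKE is defined as plain SHAKE.

```javascript
// Added illustration; not RNQC or Node source. Function names are hypothetical.
const { createHash } = require('node:crypto');

// Convert a WebCrypto-style outputLength (bits) to bytes, using the error
// mapping the PR describes for KMAC: missing -> OperationError,
// not a multiple of 8 -> NotSupportedError. No silent default is applied.
function outputLengthToBytes(algorithm) {
  const bits = algorithm.outputLength;
  // Assumption of this example: non-integer or non-positive values are
  // treated like a missing value.
  if (!Number.isInteger(bits) || bits <= 0) {
    throw new DOMException(
      `${algorithm.name}: outputLength (bits) is required`, 'OperationError');
  }
  if (bits % 8 !== 0) {
    throw new DOMException(
      `${algorithm.name}: outputLength must be a multiple of 8`, 'NotSupportedError');
  }
  return bits / 8;
}

// Mapping from the WebCrypto algorithm name to the OpenSSL XOF name.
const XOF = { cSHAKE128: 'shake128', cSHAKE256: 'shake256' };

function cshakeDigest(algorithm, data) {
  const xof = XOF[algorithm.name];
  if (!xof) {
    throw new DOMException(`Unsupported: ${algorithm.name}`, 'NotSupportedError');
  }
  // Node's createHash takes the XOF output length in bytes, hence bits / 8.
  const bytes = outputLengthToBytes(algorithm);
  return createHash(xof, { outputLength: bytes }).update(data).digest();
}

// Constructed sample input.
const msg = Buffer.from('constructed sample message');
console.log(cshakeDigest({ name: 'cSHAKE128', outputLength: 256 }, msg).length);

// A caller still passing the pre-rename `length` member fails loudly
// instead of receiving a default-sized output.
try {
  cshakeDigest({ name: 'cSHAKE128', length: 256 }, msg);
} catch (e) {
  console.log(e.name);
}
```
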