fixup! crypto: add raw key formats support to the KeyObject APIs

panva · panva · commit 6b1fa5833f55 · 2026-03-13T18:14:21.000+01:00
diff --git a/lib/internal/crypto/keys.js b/lib/internal/crypto/keys.js
@@ -395,6 +395,10 @@ const {
           return this[kHandle].rawPrivateKey();
         }
         case 'raw-seed':
+          if (!hasPqcSupport) {
+            throw new ERR_CRYPTO_INCOMPATIBLE_KEY_OPTIONS(
+              'raw-seed', 'is not supported');
+          }
           return this[kHandle].rawSeed();
         default: {
           const {
diff --git a/src/crypto/crypto_keys.cc b/src/crypto/crypto_keys.cc
@@ -279,57 +279,39 @@ bool ExportJWKInner(Environment* env,
 }
 
 int GetNidFromName(const char* name) {
-  int nid;
-  if (OPENSSL_strcasecmp(name, "Ed25519") == 0) {
-    nid = EVP_PKEY_ED25519;
-  } else if (OPENSSL_strcasecmp(name, "Ed448") == 0) {
-    nid = EVP_PKEY_ED448;
-  } else if (OPENSSL_strcasecmp(name, "X25519") == 0) {
-    nid = EVP_PKEY_X25519;
-  } else if (OPENSSL_strcasecmp(name, "X448") == 0) {
-    nid = EVP_PKEY_X448;
+  static constexpr struct {
+    const char* name;
+    int nid;
+  } kNameToNid[] = {
+    {"Ed25519", EVP_PKEY_ED25519},
+    {"Ed448", EVP_PKEY_ED448},
+    {"X25519", EVP_PKEY_X25519},
+    {"X448", EVP_PKEY_X448},
 #if OPENSSL_WITH_PQC
-  } else if (OPENSSL_strcasecmp(name, "ML-DSA-44") == 0) {
-    nid = EVP_PKEY_ML_DSA_44;
-  } else if (OPENSSL_strcasecmp(name, "ML-DSA-65") == 0) {
-    nid = EVP_PKEY_ML_DSA_65;
-  } else if (OPENSSL_strcasecmp(name, "ML-DSA-87") == 0) {
-    nid = EVP_PKEY_ML_DSA_87;
-  } else if (OPENSSL_strcasecmp(name, "ML-KEM-512") == 0) {
-    nid = EVP_PKEY_ML_KEM_512;
-  } else if (OPENSSL_strcasecmp(name, "ML-KEM-768") == 0) {
-    nid = EVP_PKEY_ML_KEM_768;
-  } else if (OPENSSL_strcasecmp(name, "ML-KEM-1024") == 0) {
-    nid = EVP_PKEY_ML_KEM_1024;
-  } else if (OPENSSL_strcasecmp(name, "SLH-DSA-SHA2-128f") == 0) {
-    nid = EVP_PKEY_SLH_DSA_SHA2_128F;
-  } else if (OPENSSL_strcasecmp(name, "SLH-DSA-SHA2-128s") == 0) {
-    nid = EVP_PKEY_SLH_DSA_SHA2_128S;
-  } else if (OPENSSL_strcasecmp(name, "SLH-DSA-SHA2-192f") == 0) {
-    nid = EVP_PKEY_SLH_DSA_SHA2_192F;
-  } else if (OPENSSL_strcasecmp(name, "SLH-DSA-SHA2-192s") == 0) {
-    nid = EVP_PKEY_SLH_DSA_SHA2_192S;
-  } else if (OPENSSL_strcasecmp(name, "SLH-DSA-SHA2-256f") == 0) {
-    nid = EVP_PKEY_SLH_DSA_SHA2_256F;
-  } else if (OPENSSL_strcasecmp(name, "SLH-DSA-SHA2-256s") == 0) {
-    nid = EVP_PKEY_SLH_DSA_SHA2_256S;
-  } else if (OPENSSL_strcasecmp(name, "SLH-DSA-SHAKE-128f") == 0) {
-    nid = EVP_PKEY_SLH_DSA_SHAKE_128F;
-  } else if (OPENSSL_strcasecmp(name, "SLH-DSA-SHAKE-128s") == 0) {
-    nid = EVP_PKEY_SLH_DSA_SHAKE_128S;
-  } else if (OPENSSL_strcasecmp(name, "SLH-DSA-SHAKE-192f") == 0) {
-    nid = EVP_PKEY_SLH_DSA_SHAKE_192F;
-  } else if (OPENSSL_strcasecmp(name, "SLH-DSA-SHAKE-192s") == 0) {
-    nid = EVP_PKEY_SLH_DSA_SHAKE_192S;
-  } else if (OPENSSL_strcasecmp(name, "SLH-DSA-SHAKE-256f") == 0) {
-    nid = EVP_PKEY_SLH_DSA_SHAKE_256F;
-  } else if (OPENSSL_strcasecmp(name, "SLH-DSA-SHAKE-256s") == 0) {
-    nid = EVP_PKEY_SLH_DSA_SHAKE_256S;
+    {"ML-DSA-44", EVP_PKEY_ML_DSA_44},
+    {"ML-DSA-65", EVP_PKEY_ML_DSA_65},
+    {"ML-DSA-87", EVP_PKEY_ML_DSA_87},
+    {"ML-KEM-512", EVP_PKEY_ML_KEM_512},
+    {"ML-KEM-768", EVP_PKEY_ML_KEM_768},
+    {"ML-KEM-1024", EVP_PKEY_ML_KEM_1024},
+    {"SLH-DSA-SHA2-128f", EVP_PKEY_SLH_DSA_SHA2_128F},
+    {"SLH-DSA-SHA2-128s", EVP_PKEY_SLH_DSA_SHA2_128S},
+    {"SLH-DSA-SHA2-192f", EVP_PKEY_SLH_DSA_SHA2_192F},
+    {"SLH-DSA-SHA2-192s", EVP_PKEY_SLH_DSA_SHA2_192S},
+    {"SLH-DSA-SHA2-256f", EVP_PKEY_SLH_DSA_SHA2_256F},
+    {"SLH-DSA-SHA2-256s", EVP_PKEY_SLH_DSA_SHA2_256S},
+    {"SLH-DSA-SHAKE-128f", EVP_PKEY_SLH_DSA_SHAKE_128F},
+    {"SLH-DSA-SHAKE-128s", EVP_PKEY_SLH_DSA_SHAKE_128S},
+    {"SLH-DSA-SHAKE-192f", EVP_PKEY_SLH_DSA_SHAKE_192F},
+    {"SLH-DSA-SHAKE-192s", EVP_PKEY_SLH_DSA_SHAKE_192S},
+    {"SLH-DSA-SHAKE-256f", EVP_PKEY_SLH_DSA_SHAKE_256F},
+    {"SLH-DSA-SHAKE-256s", EVP_PKEY_SLH_DSA_SHAKE_256S},
 #endif
-  } else {
-    nid = NID_undef;
+  };
+  for (const auto& entry : kNameToNid) {
+    if (StringEqualNoCase(name, entry.name)) return entry.nid;
   }
-  return nid;
+  return NID_undef;
 }
 }  // namespace
 
@@ -885,7 +867,7 @@ void KeyObjectHandle::InitEDRaw(const FunctionCallbackInfo<Value>& args) {
       break;
     }
     default:
-      UNREACHABLE();
+      return args.GetReturnValue().Set(false);
   }
 
   args.GetReturnValue().Set(true);
@@ -936,7 +918,7 @@ void KeyObjectHandle::InitPqcRaw(const FunctionCallbackInfo<Value>& args) {
                                    : EVPKeyPointer::NewRawPublic;
       break;
     default:
-      UNREACHABLE();
+      return args.GetReturnValue().Set(false);
   }
 
   auto pkey = fn(id,
diff --git a/test/parallel/test-crypto-key-objects-raw.js b/test/parallel/test-crypto-key-objects-raw.js
@@ -217,7 +217,7 @@ if (hasOpenSSL(3, 5)) {
   }), { code: 'ERR_CRYPTO_INCOMPATIBLE_KEY_OPTIONS' });
 }
 
-// raw-seed cannot be used for slh-dsa, ec, and the montgomery curves
+// raw-seed export is rejected for key types that do not support seeds
 {
   const ecPriv = crypto.createPrivateKey(
     fixtures.readKey('ec_p256_private.pem', 'ascii'));

Original file line number	Diff line number	Diff line change
`@@ -217,7 +217,7 @@ if (hasOpenSSL(3, 5)) {`
`217`	`217`	`}), { code: 'ERR_CRYPTO_INCOMPATIBLE_KEY_OPTIONS' });`
`218`	`218`	`}`
`219`	`219`
`220`		`-// raw-seed cannot be used for slh-dsa, ec, and the montgomery curves`
	`220`	`+// raw-seed export is rejected for key types that do not support seeds`
`221`	`221`	`{`
`222`	`222`	`const ecPriv = crypto.createPrivateKey(`
`223`	`223`	`fixtures.readKey('ec_p256_private.pem', 'ascii'));`