lib: improve Web Cryptography key validation ordering

Signed-off-by: Filip Skokan <panva.ip@gmail.com>

Author: panva

lib/internal/crypto/webcrypto.js

@@ -919,6 +919,14 @@ async function wrapKey(format, key, wrappingKey, algorithm) {
   } catch {
     algorithm = normalizeAlgorithm(algorithm, 'encrypt');
   }
+
+  if (algorithm.name !== wrappingKey[kAlgorithm].name ||
+      !ArrayPrototypeIncludes(wrappingKey[kKeyUsages], 'wrapKey')) {
+    throw lazyDOMException(
+      'The requested operation is not valid for the provided key',
+      'InvalidAccessError');
+  }
+
   let keyData = await FunctionPrototypeCall(exportKey, this, format, key);
 
   if (format === 'jwk') {
@@ -997,6 +1005,13 @@ async function unwrapKey(
 
   unwrappedKeyAlgo = normalizeAlgorithm(unwrappedKeyAlgo, 'importKey');
 
+  if (unwrapAlgo.name !== unwrappingKey[kAlgorithm].name ||
+      !ArrayPrototypeIncludes(unwrappingKey[kKeyUsages], 'unwrapKey')) {
+    throw lazyDOMException(
+      'The requested operation is not valid for the provided key',
+      'InvalidAccessError');
+  }
+
   let keyData = await cipherOrWrap(
     kWebCryptoCipherDecrypt,
     unwrapAlgo,
@@ -1030,12 +1045,12 @@ async function signVerify(algorithm, key, data, signature) {
   }
   algorithm = normalizeAlgorithm(algorithm, usage);
 
-  if (!ArrayPrototypeIncludes(key[kKeyUsages], usage) ||
-      algorithm.name !== key[kAlgorithm].name) {
+  if (algorithm.name !== key[kAlgorithm].name)
+    throw lazyDOMException('Key algorithm mismatch', 'InvalidAccessError');
+
+  if (!ArrayPrototypeIncludes(key[kKeyUsages], usage))
     throw lazyDOMException(
-      `Unable to use this key to ${usage}`,
-      'InvalidAccessError');
-  }
+      `Unable to use this key to ${usage}`, 'InvalidAccessError');
 
   switch (algorithm.name) {
     case 'RSA-PSS':
@@ -1120,18 +1135,6 @@ async function verify(algorithm, key, signature, data) {
 }
 
 async function cipherOrWrap(mode, algorithm, key, data, op) {
-  // We use a Node.js style error here instead of a DOMException because
-  // the WebCrypto spec is not specific what kind of error is to be thrown
-  // in this case. Both Firefox and Chrome throw simple TypeErrors here.
-  // The key algorithm and cipher algorithm must match, and the
-  // key must have the proper usage.
-  if (key[kAlgorithm].name !== algorithm.name ||
-      !ArrayPrototypeIncludes(key[kKeyUsages], op)) {
-    throw lazyDOMException(
-      'The requested operation is not valid for the provided key',
-      'InvalidAccessError');
-  }
-
   // While WebCrypto allows for larger input buffer sizes, we limit
   // those to sizes that can fit within uint32_t because of limitations
   // in the OpenSSL API.
@@ -1182,6 +1185,14 @@ async function encrypt(algorithm, key, data) {
   });
 
   algorithm = normalizeAlgorithm(algorithm, 'encrypt');
+
+  if (algorithm.name !== key[kAlgorithm].name ||
+      !ArrayPrototypeIncludes(key[kKeyUsages], 'encrypt')) {
+    throw lazyDOMException(
+      'The requested operation is not valid for the provided key',
+      'InvalidAccessError');
+  }
+
   return await cipherOrWrap(
     kWebCryptoCipherEncrypt,
     algorithm,
@@ -1211,6 +1222,14 @@ async function decrypt(algorithm, key, data) {
   });
 
   algorithm = normalizeAlgorithm(algorithm, 'decrypt');
+
+  if (algorithm.name !== key[kAlgorithm].name ||
+      !ArrayPrototypeIncludes(key[kKeyUsages], 'decrypt')) {
+    throw lazyDOMException(
+      'The requested operation is not valid for the provided key',
+      'InvalidAccessError');
+  }
+
   return await cipherOrWrap(
     kWebCryptoCipherDecrypt,
     algorithm,

test/parallel/test-webcrypto-sign-verify-ecdsa.js

@@ -88,17 +88,17 @@ async function testVerify({ name,
   // Test failure when using the wrong algorithms
   await assert.rejects(
     subtle.verify({ name, hash }, hmacKey, signature, plaintext), {
-      message: /Unable to use this key to verify/
+      message: /Key algorithm mismatch/
     });
 
   await assert.rejects(
     subtle.verify({ name, hash }, rsaKeys.publicKey, signature, plaintext), {
-      message: /Unable to use this key to verify/
+      message: /Key algorithm mismatch/
     });
 
   await assert.rejects(
     subtle.verify({ name, hash }, okpKeys.publicKey, signature, plaintext), {
-      message: /Unable to use this key to verify/
+      message: /Key algorithm mismatch/
     });
 
   // Test failure when signature is altered
@@ -210,17 +210,17 @@ async function testSign({ name,
   // Test failure when using the wrong algorithms
   await assert.rejects(
     subtle.sign({ name, hash }, hmacKey, plaintext), {
-      message: /Unable to use this key to sign/
+      message: /Key algorithm mismatch/
     });
 
   await assert.rejects(
     subtle.sign({ name, hash }, rsaKeys.privateKey, plaintext), {
-      message: /Unable to use this key to sign/
+      message: /Key algorithm mismatch/
     });
 
   await assert.rejects(
     subtle.sign({ name, hash }, okpKeys.privateKey, plaintext), {
-      message: /Unable to use this key to sign/
+      message: /Key algorithm mismatch/
     });
 }
 

test/parallel/test-webcrypto-sign-verify-eddsa.js

@@ -101,17 +101,17 @@ async function testVerify({ name,
   // Test failure when using the wrong algorithms
   await assert.rejects(
     subtle.verify({ name, context }, hmacKey, signature, data), {
-      message: /Unable to use this key to verify/
+      message: /Key algorithm mismatch/
     });
 
   await assert.rejects(
     subtle.verify({ name, context }, rsaKeys.publicKey, signature, data), {
-      message: /Unable to use this key to verify/
+      message: /Key algorithm mismatch/
     });
 
   await assert.rejects(
     subtle.verify({ name, context }, ecKeys.publicKey, signature, data), {
-      message: /Unable to use this key to verify/
+      message: /Key algorithm mismatch/
     });
 
   if (name === 'Ed448' && supportsContext) {
@@ -227,17 +227,17 @@ async function testSign({ name,
   // Test failure when using the wrong algorithms
   await assert.rejects(
     subtle.sign({ name, context }, hmacKey, data), {
-      message: /Unable to use this key to sign/
+      message: /Key algorithm mismatch/
     });
 
   await assert.rejects(
     subtle.sign({ name, context }, rsaKeys.privateKey, data), {
-      message: /Unable to use this key to sign/
+      message: /Key algorithm mismatch/
     });
 
   await assert.rejects(
     subtle.sign({ name, context }, ecKeys.privateKey, data), {
-      message: /Unable to use this key to sign/
+      message: /Key algorithm mismatch/
     });
 
   if (name === 'Ed448' && supportsContext) {

test/parallel/test-webcrypto-sign-verify-hmac.js

@@ -62,7 +62,7 @@ async function testVerify({ hash,
   // Test failure when using the wrong algorithms
   await assert.rejects(
     subtle.verify({ name, hash }, rsaKeys.publicKey, signature, plaintext), {
-      message: /Unable to use this key to verify/
+      message: /Key algorithm mismatch/
     });
 
   // Test failure when signature is altered
@@ -165,7 +165,7 @@ async function testSign({ hash,
   // Test failure when using the wrong algorithms
   await assert.rejects(
     subtle.sign({ name, hash }, rsaKeys.privateKey, plaintext), {
-      message: /Unable to use this key to sign/
+      message: /Key algorithm mismatch/
     });
 }
 

test/parallel/test-webcrypto-sign-verify-kmac.js

@@ -69,7 +69,7 @@ async function testVerify({ algorithm,
   // Test failure when using the wrong algorithms
   await assert.rejects(
     subtle.verify(signParams, keyPair.publicKey, expected, data), {
-      message: /Unable to use this key to verify/
+      message: /Key algorithm mismatch/
     });
 
   // Test failure when signature is altered
@@ -177,7 +177,7 @@ async function testSign({ algorithm,
   // Test failure when using the wrong algorithms
   await assert.rejects(
     subtle.sign(signParams, keyPair.privateKey, data), {
-      message: /Unable to use this key to sign/
+      message: /Key algorithm mismatch/
     });
 }
 

test/parallel/test-webcrypto-sign-verify-ml-dsa.js

@@ -86,17 +86,17 @@ async function testVerify({ name,
   // Test failure when using the wrong algorithms
   await assert.rejects(
     subtle.verify({ name, context }, hmacKey, signature, data), {
-      message: /Unable to use this key to verify/
+      message: /Key algorithm mismatch/
     });
 
   await assert.rejects(
     subtle.verify({ name, context }, rsaKeys.publicKey, signature, data), {
-      message: /Unable to use this key to verify/
+      message: /Key algorithm mismatch/
     });
 
   await assert.rejects(
     subtle.verify({ name, context }, ecKeys.publicKey, signature, data), {
-      message: /Unable to use this key to verify/
+      message: /Key algorithm mismatch/
     });
 
   // Test failure when too long context
@@ -194,17 +194,17 @@ async function testSign({ name,
   // Test failure when using the wrong algorithms
   await assert.rejects(
     subtle.sign({ name, context }, hmacKey, data), {
-      message: /Unable to use this key to sign/
+      message: /Key algorithm mismatch/
     });
 
   await assert.rejects(
     subtle.sign({ name, context }, rsaKeys.privateKey, data), {
-      message: /Unable to use this key to sign/
+      message: /Key algorithm mismatch/
     });
 
   await assert.rejects(
     subtle.sign({ name, context }, ecKeys.privateKey, data), {
-      message: /Unable to use this key to sign/
+      message: /Key algorithm mismatch/
     });
 
   // Test failure when too long context

test/parallel/test-webcrypto-sign-verify-rsa.js

@@ -82,12 +82,12 @@ async function testVerify({
   // Test failure when using the wrong algorithms
   await assert.rejects(
     subtle.verify(algorithm, hmacKey, signature, plaintext), {
-      message: /Unable to use this key to verify/
+      message: /Key algorithm mismatch/
     });
 
   await assert.rejects(
     subtle.verify(algorithm, ecdsaKeys.publicKey, signature, plaintext), {
-      message: /Unable to use this key to verify/
+      message: /Key algorithm mismatch/
     });
 
   // Test failure when signature is altered
@@ -185,12 +185,12 @@ async function testSign({
   // Test failure when using the wrong algorithms
   await assert.rejects(
     subtle.sign(algorithm, hmacKey, plaintext), {
-      message: /Unable to use this key to sign/
+      message: /Key algorithm mismatch/
     });
 
   await assert.rejects(
     subtle.sign(algorithm, ecdsaKeys.privateKey, plaintext), {
-      message: /Unable to use this key to sign/
+      message: /Key algorithm mismatch/
     });
 }
 

test/parallel/test-webcrypto-wrap-unwrap.js

@@ -378,3 +378,68 @@ function testWrapping(name, keys) {
   });
   await Promise.all(variations);
 })().then(common.mustCall());
+
+// Test that wrapKey validates the wrapping key's algorithm and usage
+// before attempting to export the key to be wrapped.
+// Spec: https://w3c.github.io/webcrypto/#SubtleCrypto-method-wrapKey
+// Steps 9-10 (wrapping key checks) must precede step 12 (exportKey).
+(async function() {
+  const hmacKey = await subtle.generateKey(
+    { name: 'HMAC', hash: 'SHA-256' },
+    true,
+    ['sign', 'verify'],
+  );
+
+  const ecKey = await subtle.generateKey(
+    { name: 'ECDSA', namedCurve: 'P-256' },
+    true,
+    ['sign', 'verify'],
+  );
+
+  // Wrong algorithm: wrapping key is HMAC but algorithm says AES-GCM.
+  // Even though exporting ecKey.privateKey as 'spki' would also fail
+  // (wrong key type for spki), the wrapping key check must come first.
+  await assert.rejects(
+    subtle.wrapKey('spki', ecKey.privateKey, hmacKey, {
+      name: 'AES-GCM',
+      iv: new Uint8Array(12),
+    }), {
+      name: 'InvalidAccessError',
+      message: 'The requested operation is not valid for the provided key',
+    });
+
+  // Missing wrapKey usage: aesKey only has encrypt/decrypt, not wrapKey.
+  // Even though exporting ecKey.privateKey as 'spki' would also fail,
+  // the usage check must come first.
+  const aesKey = await subtle.generateKey(
+    { name: 'AES-GCM', length: 128 },
+    true,
+    ['encrypt', 'decrypt'],
+  );
+
+  await assert.rejects(
+    subtle.wrapKey('spki', ecKey.privateKey, aesKey, {
+      name: 'AES-GCM',
+      iv: new Uint8Array(12),
+    }), {
+      name: 'InvalidAccessError',
+      message: 'The requested operation is not valid for the provided key',
+    });
+
+  // Correct wrapping key algorithm and usage results in the expected
+  // exportKey error (not the wrapping key validation error).
+  const wrapKey = await subtle.generateKey(
+    { name: 'AES-GCM', length: 128 },
+    true,
+    ['wrapKey'],
+  );
+
+  await assert.rejects(
+    subtle.wrapKey('spki', ecKey.privateKey, wrapKey, {
+      name: 'AES-GCM',
+      iv: new Uint8Array(12),
+    }), {
+      // exportKey('spki', privateKey) throws NotSupportedError
+      name: 'NotSupportedError',
+    });
+})().then(common.mustCall());