
Commit ad8217c

committed
fixup! lib: improve Web Cryptography key validation ordering
1 parent 663a0eb commit ad8217c


6 files changed

+38
-38
lines changed


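--- a/lib/internal/crypto/webcrypto.js
+++ b/lib/internal/crypto/webcrypto.js
@@ -920,12 +920,12 @@ async function wrapKey(format, key, wrappingKey, algorithm) {
 algorithm = normalizeAlgorithm(algorithm, 'encrypt');
 }
 
-if (algorithm.name !== wrappingKey[kAlgorithm].name ||
-!ArrayPrototypeIncludes(wrappingKey[kKeyUsages], 'wrapKey')) {
+if (algorithm.name !== wrappingKey[kAlgorithm].name)
+throw lazyDOMException('Key algorithm mismatch', 'InvalidAccessError');
+
+if (!ArrayPrototypeIncludes(wrappingKey[kKeyUsages], 'wrapKey'))
 throw lazyDOMException(
-'The requested operation is not valid for the provided key',
-'InvalidAccessError');
-}
+'Unable to use this key to wrapKey', 'InvalidAccessError');
 
 let keyData = await FunctionPrototypeCall(exportKey, this, format, key);
 
@@ -1005,12 +1005,12 @@ async function unwrapKey(
 
 unwrappedKeyAlgo = normalizeAlgorithm(unwrappedKeyAlgo, 'importKey');
 
-if (unwrapAlgo.name !== unwrappingKey[kAlgorithm].name ||
-!ArrayPrototypeIncludes(unwrappingKey[kKeyUsages], 'unwrapKey')) {
+if (unwrapAlgo.name !== unwrappingKey[kAlgorithm].name)
+throw lazyDOMException('Key algorithm mismatch', 'InvalidAccessError');
+
+if (!ArrayPrototypeIncludes(unwrappingKey[kKeyUsages], 'unwrapKey'))
 throw lazyDOMException(
-'The requested operation is not valid for the provided key',
-'InvalidAccessError');
-}
+'Unable to use this key to unwrapKey', 'InvalidAccessError');
 
 let keyData = await cipherOrWrap(
 kWebCryptoCipherDecrypt,
@@ -1186,12 +1186,12 @@ async function encrypt(algorithm, key, data) {
 
 algorithm = normalizeAlgorithm(algorithm, 'encrypt');
 
-if (algorithm.name !== key[kAlgorithm].name ||
-!ArrayPrototypeIncludes(key[kKeyUsages], 'encrypt')) {
+if (algorithm.name !== key[kAlgorithm].name)
+throw lazyDOMException('Key algorithm mismatch', 'InvalidAccessError');
+
+if (!ArrayPrototypeIncludes(key[kKeyUsages], 'encrypt'))
 throw lazyDOMException(
-'The requested operation is not valid for the provided key',
-'InvalidAccessError');
-}
+'Unable to use this key to encrypt', 'InvalidAccessError');
 
 return await cipherOrWrap(
 kWebCryptoCipherEncrypt,
@@ -1223,12 +1223,12 @@ async function decrypt(algorithm, key, data) {
 
 algorithm = normalizeAlgorithm(algorithm, 'decrypt');
 
-if (algorithm.name !== key[kAlgorithm].name ||
-!ArrayPrototypeIncludes(key[kKeyUsages], 'decrypt')) {
+if (algorithm.name !== key[kAlgorithm].name)
+throw lazyDOMException('Key algorithm mismatch', 'InvalidAccessError');
+
+if (!ArrayPrototypeIncludes(key[kKeyUsages], 'decrypt'))
 throw lazyDOMException(
-'The requested operation is not valid for the provided key',
-'InvalidAccessError');
-}
+'Unable to use this key to decrypt', 'InvalidAccessError');
 
 return await cipherOrWrap(
 kWebCryptoCipherDecrypt,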
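Review bot: The usage guard in each of the four hunks (wrapKey, unwrapKey, encrypt, decrypt) is a brace-less `if` whose `throw lazyDOMException(` statement continues onto a second line, which is easy to misread and easy to break when a later edit adds a statement under it. This is the check that enforces a key's permitted usages, so I would brace it, e.g. `if (!ArrayPrototypeIncludes(key[kKeyUsages], 'encrypt')) {` … `}`, or keep the whole `throw` on one line as the algorithm-mismatch guard above it does. The same two-step guard now appears four times with only the key variable and the usage string differing, so a shared helper would keep the order and messages from drifting between operations. All four function bodies start and end outside the hunks shown.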

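--- a/test/parallel/test-webcrypto-encrypt-decrypt-aes.js
+++ b/test/parallel/test-webcrypto-encrypt-decrypt-aes.js
@@ -49,7 +49,7 @@ async function testEncryptNoEncrypt({ keyBuffer, algorithm, plaintext }) {
 ['decrypt']);
 
 return assert.rejects(subtle.encrypt(algorithm, key, plaintext), {
-message: /The requested operation is not valid for the provided key/
+message: /Unable to use this key to encrypt/
 });
 }
 
@@ -65,7 +65,7 @@ async function testEncryptNoDecrypt({ keyBuffer, algorithm, plaintext }) {
 const output = await subtle.encrypt(algorithm, key, plaintext);
 
 return assert.rejects(subtle.decrypt(algorithm, key, output), {
-message: /The requested operation is not valid for the provided key/
+message: /Unable to use this key to decrypt/
 });
 }
 
@@ -80,7 +80,7 @@ async function testEncryptWrongAlg({ keyBuffer, algorithm, plaintext }, alg) {
 ['encrypt']);
 
 return assert.rejects(subtle.encrypt(algorithm, key, plaintext), {
-message: /The requested operation is not valid for the provided key/
+message: /Key algorithm mismatch/
 });
 }
 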
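Review bot: The three `assert.rejects` expectations here match only `message`, so they would still pass if the rejection stopped being an `InvalidAccessError`. Adding `name: 'InvalidAccessError',` next to each `message:` regex would pin the DOMException type, as test-webcrypto-encrypt-decrypt.js and test-webcrypto-wrap-unwrap.js in this commit already do. The same applies to the hunks in test-webcrypto-encrypt-decrypt-chacha20-poly1305.js and test-webcrypto-encrypt-decrypt-rsa.js. The test functions start outside the hunks, so this assumes the error name is not asserted elsewhere in them.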

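--- a/test/parallel/test-webcrypto-encrypt-decrypt-chacha20-poly1305.js
+++ b/test/parallel/test-webcrypto-encrypt-decrypt-chacha20-poly1305.js
@@ -48,7 +48,7 @@ async function testEncryptNoEncrypt({ keyBuffer, algorithm, plaintext }) {
 ['decrypt']);
 
 return assert.rejects(subtle.encrypt(algorithm, key, plaintext), {
-message: /The requested operation is not valid for the provided key/
+message: /Unable to use this key to encrypt/
 });
 }
 
@@ -63,7 +63,7 @@ async function testEncryptNoDecrypt({ keyBuffer, algorithm, plaintext }) {
 const output = await subtle.encrypt(algorithm, key, plaintext);
 
 return assert.rejects(subtle.decrypt(algorithm, key, output), {
-message: /The requested operation is not valid for the provided key/
+message: /Unable to use this key to decrypt/
 });
 }
 
@@ -77,7 +77,7 @@ async function testEncryptWrongAlg({ keyBuffer, algorithm, plaintext }, alg) {
 ['encrypt']);
 
 return assert.rejects(subtle.encrypt(algorithm, key, plaintext), {
-message: /The requested operation is not valid for the provided key/
+message: /Key algorithm mismatch/
 });
 }
 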

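--- a/test/parallel/test-webcrypto-encrypt-decrypt-rsa.js
+++ b/test/parallel/test-webcrypto-encrypt-decrypt-rsa.js
@@ -147,7 +147,7 @@ async function testEncryptionWrongKey({ algorithm,
 ['decrypt']);
 return assert.rejects(
 subtle.encrypt(algorithm, privateKey, plaintext), {
-message: /The requested operation is not valid/
+message: /Unable to use this key to encrypt/
 });
 }
 
@@ -167,7 +167,7 @@ async function testEncryptionBadUsage({ algorithm,
 ['decrypt']);
 return assert.rejects(
 subtle.encrypt(algorithm, publicKey, plaintext), {
-message: /The requested operation is not valid/
+message: /Unable to use this key to encrypt/
 });
 }
 
@@ -191,7 +191,7 @@ async function testDecryptionWrongKey({ ciphertext,
 
 return assert.rejects(
 subtle.decrypt(algorithm, publicKey, ciphertext), {
-message: /The requested operation is not valid/
+message: /Unable to use this key to decrypt/
 });
 }
 
@@ -215,7 +215,7 @@ async function testDecryptionBadUsage({ ciphertext,
 
 return assert.rejects(
 subtle.decrypt(algorithm, publicKey, ciphertext), {
-message: /The requested operation is not valid/
+message: /Unable to use this key to decrypt/
 });
 }
 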

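--- a/test/parallel/test-webcrypto-encrypt-decrypt.js
+++ b/test/parallel/test-webcrypto-encrypt-decrypt.js
@@ -43,14 +43,14 @@ const { subtle } = globalThis.crypto;
 name: 'RSA-OAEP',
 }, privateKey, buf), {
 name: 'InvalidAccessError',
-message: 'The requested operation is not valid for the provided key'
+message: 'Unable to use this key to encrypt'
 });
 
 await assert.rejects(() => subtle.decrypt({
 name: 'RSA-OAEP',
 }, publicKey, ciphertext), {
 name: 'InvalidAccessError',
-message: 'The requested operation is not valid for the provided key'
+message: 'Unable to use this key to decrypt'
 });
 }
 
@@ -88,14 +88,14 @@ if (!process.features.openssl_is_boringssl) {
 name: 'RSA-OAEP',
 }, privateKey, buf), {
 name: 'InvalidAccessError',
-message: 'The requested operation is not valid for the provided key'
+message: 'Unable to use this key to encrypt'
 });
 
 await assert.rejects(() => subtle.decrypt({
 name: 'RSA-OAEP',
 }, publicKey, ciphertext), {
 name: 'InvalidAccessError',
-message: 'The requested operation is not valid for the provided key'
+message: 'Unable to use this key to decrypt'
 });
 }
 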

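--- a/test/parallel/test-webcrypto-wrap-unwrap.js
+++ b/test/parallel/test-webcrypto-wrap-unwrap.js
@@ -405,7 +405,7 @@ function testWrapping(name, keys) {
 iv: new Uint8Array(12),
 }), {
 name: 'InvalidAccessError',
-message: 'The requested operation is not valid for the provided key',
+message: 'Key algorithm mismatch',
 });
 
 // Missing wrapKey usage: aesKey only has encrypt/decrypt, not wrapKey.
@@ -423,7 +423,7 @@ function testWrapping(name, keys) {
 iv: new Uint8Array(12),
 }), {
 name: 'InvalidAccessError',
-message: 'The requested operation is not valid for the provided key',
+message: 'Unable to use this key to wrapKey',
 });
 
 // Correct wrapping key algorithm and usage results in the expected
@@ -454,7 +454,7 @@ function testWrapping(name, keys) {
 iv: new Uint8Array(12),
 }, { name: 'AES-GCM', length: 128 }, true, ['encrypt']), {
 name: 'InvalidAccessError',
-message: 'The requested operation is not valid for the provided key',
+message: 'Key algorithm mismatch',
 });
 
 // Missing unwrapKey usage: aesKey only has encrypt/decrypt, not unwrapKey.
@@ -464,6 +464,6 @@ function testWrapping(name, keys) {
 iv: new Uint8Array(12),
 }, { name: 'AES-GCM', length: 128 }, true, ['encrypt']), {
 name: 'InvalidAccessError',
-message: 'The requested operation is not valid for the provided key',
+message: 'Unable to use this key to unwrapKey',
 });
 })().then(common.mustCall());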
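Review bot: No visible case pins the order of the two checks: each expectation here is either `'Key algorithm mismatch'` or a usage message, and the hunks do not show whether any wrapping key fails both conditions at once. Since the parent change is about validation ordering, a case whose key has a different algorithm and also lacks the `wrapKey` (or `unwrapKey`) usage, expecting `message: 'Key algorithm mismatch',`, would lock the order in. `testWrapping` starts outside these hunks, so such a case may already exist in the lines not shown.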
