crypto: unify asymmetric key import through KeyObjectHandle::Init

Consolidate all asymmetric key import paths (DER/PEM, JWK, raw) into
a single KeyObjectHandle::Init() entry point with a uniform signature.

Remove the per-type C++ init methods (InitECRaw, InitEDRaw, InitPqcRaw,
InitJwk, InitECPrivateRaw) and their JS-side callers, replacing them
with shared C++ and JS helpers.

createPublicKey, createPrivateKey, sign, verify, and other operations
that accept key material now handle JWK and raw formats directly in
C++, removing redundant JS-to-C++ key handle round-trips.

Signed-off-by: Filip Skokan <panva.ip@gmail.com>
PR-URL: nodejs#62499
Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
Reviewed-By: James M Snell <jasnell@gmail.com>

Author: panva

lib/internal/crypto/aes.js

@@ -9,6 +9,8 @@ const {
   AESCipherJob,
   KeyObjectHandle,
   kCryptoJobAsync,
+  kKeyFormatJWK,
+  kKeyTypeSecret,
   kKeyVariantAES_CTR_128,
   kKeyVariantAES_CBC_128,
   kKeyVariantAES_GCM_128,
@@ -29,7 +31,6 @@ const {
 const {
   hasAnyNotIn,
   jobPromise,
-  validateKeyOps,
   kHandle,
   kKeyObject,
 } = require('internal/crypto/util');
@@ -46,6 +47,10 @@ const {
   kAlgorithm,
 } = require('internal/crypto/keys');
 
+const {
+  validateJwk,
+} = require('internal/crypto/webcrypto_util');
+
 const {
   generateKey: _generateKey,
 } = require('internal/crypto/keygen');
@@ -244,31 +249,11 @@ function aesImportKey(
       break;
     }
     case 'jwk': {
-      if (!keyData.kty)
-        throw lazyDOMException('Invalid keyData', 'DataError');
-
-      if (keyData.kty !== 'oct')
-        throw lazyDOMException('Invalid JWK "kty" Parameter', 'DataError');
-
-      if (usagesSet.size > 0 &&
-          keyData.use !== undefined &&
-          keyData.use !== 'enc') {
-        throw lazyDOMException('Invalid JWK "use" Parameter', 'DataError');
-      }
-
-      validateKeyOps(keyData.key_ops, usagesSet);
-
-      if (keyData.ext !== undefined &&
-          keyData.ext === false &&
-          extractable === true) {
-        throw lazyDOMException(
-          'JWK "ext" Parameter and extractable mismatch',
-          'DataError');
-      }
+      validateJwk(keyData, 'oct', extractable, usagesSet, 'enc');
 
       const handle = new KeyObjectHandle();
       try {
-        handle.initJwk(keyData);
+        handle.init(kKeyTypeSecret, keyData, kKeyFormatJWK, null, null);
       } catch (err) {
         throw lazyDOMException(
           'Invalid keyData', { name: 'DataError', cause: err });

lib/internal/crypto/cfrg.js

@@ -3,32 +3,27 @@
 const {
   SafeSet,
   StringPrototypeToLowerCase,
+  TypedArrayPrototypeGetBuffer,
 } = primordials;
 
 const { Buffer } = require('buffer');
 
 const {
-  ECKeyExportJob,
-  KeyObjectHandle,
   SignJob,
   kCryptoJobAsync,
-  kKeyTypePrivate,
-  kKeyTypePublic,
+  kKeyFormatDER,
+  kKeyFormatRawPublic,
   kSignJobModeSign,
   kSignJobModeVerify,
+  kWebCryptoKeyFormatPKCS8,
+  kWebCryptoKeyFormatRaw,
+  kWebCryptoKeyFormatSPKI,
 } = internalBinding('crypto');
 
-const {
-  codes: {
-    ERR_CRYPTO_INVALID_JWK,
-  },
-} = require('internal/errors');
-
 const {
   getUsagesUnion,
   hasAnyNotIn,
   jobPromise,
-  validateKeyOps,
   kHandle,
   kKeyObject,
 } = require('internal/crypto/util');
@@ -44,13 +39,16 @@ const {
 
 const {
   InternalCryptoKey,
-  PrivateKeyObject,
-  PublicKeyObject,
-  createPrivateKey,
-  createPublicKey,
   kKeyType,
 } = require('internal/crypto/keys');
 
+const {
+  importDerKey,
+  importJwkKey,
+  importRawKey,
+  validateJwk,
+} = require('internal/crypto/webcrypto_util');
+
 const generateKeyPair = promisify(_generateKeyPair);
 
 function verifyAcceptableCfrgKeyUse(name, isPublic, usages) {
@@ -77,39 +75,6 @@ function verifyAcceptableCfrgKeyUse(name, isPublic, usages) {
   }
 }
 
-function createCFRGRawKey(name, keyData, isPublic) {
-  const handle = new KeyObjectHandle();
-
-  switch (name) {
-    case 'Ed25519':
-    case 'X25519':
-      if (keyData.byteLength !== 32) {
-        throw lazyDOMException(
-          `${name} raw keys must be exactly 32-bytes`, 'DataError');
-      }
-      break;
-    case 'Ed448':
-      if (keyData.byteLength !== 57) {
-        throw lazyDOMException(
-          `${name} raw keys must be exactly 57-bytes`, 'DataError');
-      }
-      break;
-    case 'X448':
-      if (keyData.byteLength !== 56) {
-        throw lazyDOMException(
-          `${name} raw keys must be exactly 56-bytes`, 'DataError');
-      }
-      break;
-  }
-
-  const keyType = isPublic ? kKeyTypePublic : kKeyTypePrivate;
-  if (!handle.initEDRaw(name, keyData, keyType)) {
-    throw lazyDOMException('Invalid keyData', 'DataError');
-  }
-
-  return isPublic ? new PublicKeyObject(handle) : new PrivateKeyObject(handle);
-}
-
 async function cfrgGenerateKey(algorithm, extractable, keyUsages) {
   const { name } = algorithm;
 
@@ -171,7 +136,7 @@ async function cfrgGenerateKey(algorithm, extractable, keyUsages) {
     case 'X25519':
       // Fall through
     case 'X448':
-      publicUsages = new SafeSet();
+      publicUsages = [];
       privateUsages = getUsagesUnion(usageSet, 'deriveKey', 'deriveBits');
       break;
   }
@@ -196,10 +161,29 @@ async function cfrgGenerateKey(algorithm, extractable, keyUsages) {
 }
 
 function cfrgExportKey(key, format) {
-  return jobPromise(() => new ECKeyExportJob(
-    kCryptoJobAsync,
-    format,
-    key[kKeyObject][kHandle]));
+  try {
+    switch (format) {
+      case kWebCryptoKeyFormatRaw: {
+        const handle = key[kKeyObject][kHandle];
+        return TypedArrayPrototypeGetBuffer(
+          key[kKeyType] === 'private' ? handle.rawPrivateKey() : handle.rawPublicKey());
+      }
+      case kWebCryptoKeyFormatSPKI: {
+        return TypedArrayPrototypeGetBuffer(
+          key[kKeyObject][kHandle].export(kKeyFormatDER, kWebCryptoKeyFormatSPKI));
+      }
+      case kWebCryptoKeyFormatPKCS8: {
+        return TypedArrayPrototypeGetBuffer(
+          key[kKeyObject][kHandle].export(kKeyFormatDER, kWebCryptoKeyFormatPKCS8, null, null));
+      }
+      default:
+        return undefined;
+    }
+  } catch (err) {
+    throw lazyDOMException(
+      'The operation failed for an operation-specific reason',
+      { name: 'OperationError', cause: err });
+  }
 }
 
 function cfrgImportKey(
@@ -220,113 +204,42 @@ function cfrgImportKey(
     }
     case 'spki': {
       verifyAcceptableCfrgKeyUse(name, true, usagesSet);
-      try {
-        keyObject = createPublicKey({
-          key: keyData,
-          format: 'der',
-          type: 'spki',
-        });
-      } catch (err) {
-        throw lazyDOMException(
-          'Invalid keyData', { name: 'DataError', cause: err });
-      }
+      keyObject = importDerKey(keyData, true);
       break;
     }
     case 'pkcs8': {
       verifyAcceptableCfrgKeyUse(name, false, usagesSet);
-      try {
-        keyObject = createPrivateKey({
-          key: keyData,
-          format: 'der',
-          type: 'pkcs8',
-        });
-      } catch (err) {
-        throw lazyDOMException(
-          'Invalid keyData', { name: 'DataError', cause: err });
-      }
+      keyObject = importDerKey(keyData, false);
       break;
     }
     case 'jwk': {
-      if (!keyData.kty)
-        throw lazyDOMException('Invalid keyData', 'DataError');
-      if (keyData.kty !== 'OKP')
-        throw lazyDOMException('Invalid JWK "kty" Parameter', 'DataError');
+      const expectedUse = (name === 'X25519' || name === 'X448') ? 'enc' : 'sig';
+      validateJwk(keyData, 'OKP', extractable, usagesSet, expectedUse);
+
       if (keyData.crv !== name)
         throw lazyDOMException(
           'JWK "crv" Parameter and algorithm name mismatch', 'DataError');
-      const isPublic = keyData.d === undefined;
-
-      if (usagesSet.size > 0 && keyData.use !== undefined) {
-        let checkUse;
-        switch (name) {
-          case 'Ed25519':
-            // Fall through
-          case 'Ed448':
-            checkUse = 'sig';
-            break;
-          case 'X25519':
-            // Fall through
-          case 'X448':
-            checkUse = 'enc';
-            break;
-        }
-        if (keyData.use !== checkUse)
-          throw lazyDOMException('Invalid JWK "use" Parameter', 'DataError');
-      }
-
-      validateKeyOps(keyData.key_ops, usagesSet);
-
-      if (keyData.ext !== undefined &&
-          keyData.ext === false &&
-          extractable === true) {
-        throw lazyDOMException(
-          'JWK "ext" Parameter and extractable mismatch',
-          'DataError');
-      }
 
       if (keyData.alg !== undefined && (name === 'Ed25519' || name === 'Ed448')) {
-        if (keyData.alg !== name && keyData.alg !== 'EdDSA') {
+        if (keyData.alg !== name && keyData.alg !== 'EdDSA')
           throw lazyDOMException(
-            'JWK "alg" does not match the requested algorithm',
-            'DataError');
-        }
+            'JWK "alg" does not match the requested algorithm', 'DataError');
       }
 
-      if (!isPublic && typeof keyData.x !== 'string') {
-        throw lazyDOMException('Invalid JWK', 'DataError');
-      }
-
-      verifyAcceptableCfrgKeyUse(
-        name,
-        isPublic,
-        usagesSet);
-
-      try {
-        const publicKeyObject = createCFRGRawKey(
-          name,
-          Buffer.from(keyData.x, 'base64'),
-          true);
-
-        if (isPublic) {
-          keyObject = publicKeyObject;
-        } else {
-          keyObject = createCFRGRawKey(
-            name,
-            Buffer.from(keyData.d, 'base64'),
-            false);
+      const isPublic = keyData.d === undefined;
+      verifyAcceptableCfrgKeyUse(name, isPublic, usagesSet);
+      keyObject = importJwkKey(isPublic, keyData);
 
-          if (!createPublicKey(keyObject).equals(publicKeyObject)) {
-            throw new ERR_CRYPTO_INVALID_JWK();
-          }
-        }
-      } catch (err) {
-        throw lazyDOMException('Invalid keyData', { name: 'DataError', cause: err });
+      if (!isPublic) {
+        const publicKey = Buffer.from(keyData.x, 'base64url');
+        if (!Buffer.from(keyObject[kHandle].rawPublicKey()).equals(publicKey))
+          throw lazyDOMException('Invalid keyData', 'DataError');
       }
       break;
     }
     case 'raw': {
       verifyAcceptableCfrgKeyUse(name, true, usagesSet);
-      keyObject = createCFRGRawKey(name, keyData, true);
+      keyObject = importRawKey(true, keyData, kKeyFormatRawPublic, name);
       break;
     }
     default:
@@ -340,7 +253,7 @@ function cfrgImportKey(
   return new InternalCryptoKey(
     keyObject,
     { name },
-    usagesSet,
+    keyUsages,
     extractable);
 }
 
@@ -358,6 +271,7 @@ async function eddsaSignVerify(key, data, algorithm, signature) {
     undefined,
     undefined,
     undefined,
+    undefined,
     data,
     undefined,
     undefined,