fix(ext/crypto): fix JWK import of Ed25519 (#19279)

Fixes: #18049 --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com>
2024-11-24 15:19:26 -05:00 · 2023-06-05 14:52:02 +02:00 · 2023-06-05 14:52:02 +02:00 · 11dd5a0ae7
commit 11dd5a0ae7
parent d2047f1337
3 changed files with 93 additions and 10 deletions
--- a/ext/crypto/00_crypto.js
+++ b/ext/crypto/00_crypto.js
@ -2319,7 +2319,12 @@ function importKeyEd25519(
      // 9.
      if (jwk.d !== undefined) {
        // https://www.rfc-editor.org/rfc/rfc8037#section-2
-        const privateKeyData = ops.op_crypto_base64url_decode(jwk.d);
+        let privateKeyData;
+        try {
+          privateKeyData = ops.op_crypto_base64url_decode(jwk.d);
+        } catch (_) {
+          throw new DOMException("invalid private key data", "DataError");
+        }

        const handle = {};
        WeakMapPrototypeSet(KEY_STORE, handle, privateKeyData);
@ -2337,7 +2342,12 @@ function importKeyEd25519(
        );
      } else {
        // https://www.rfc-editor.org/rfc/rfc8037#section-2
-        const publicKeyData = ops.op_crypto_base64url_decode(jwk.x);
+        let publicKeyData;
+        try {
+          publicKeyData = ops.op_crypto_base64url_decode(jwk.x);
+        } catch (_) {
+          throw new DOMException("invalid public key data", "DataError");
+        }

        const handle = {};
        WeakMapPrototypeSet(KEY_STORE, handle, publicKeyData);
--- a/ext/crypto/lib.rs
+++ b/ext/crypto/lib.rs
@ -116,10 +116,11 @@ deno_core::extension!(deno_crypto,
 );

 #[op]
-pub fn op_crypto_base64url_decode(data: String) -> ZeroCopyBuf {
-  let data: Vec<u8> =
-    base64::decode_config(data, base64::URL_SAFE_NO_PAD).unwrap();
-  data.into()
+pub fn op_crypto_base64url_decode(
+  data: String,
+) -> Result<ZeroCopyBuf, AnyError> {
+  let data: Vec<u8> = base64::decode_config(data, base64::URL_SAFE_NO_PAD)?;
+  Ok(data.into())
 }

 #[op]
--- a/tools/wpt/expectation.json
+++ b/tools/wpt/expectation.json
@ -1159,12 +1159,84 @@
        "Good parameters: X448 bits (pkcs8, buffer(72), {name: X448}, false, [deriveBits])",
        "Good parameters: X448 bits (jwk, object(crv, d, x, kty), {name: X448}, false, [deriveBits])"
      ],
-      "okp_importKey_failures_Ed25519.https.any.html": false,
-      "okp_importKey_failures_Ed25519.https.any.worker.html": false,
+      "okp_importKey_failures_Ed25519.https.any.html": [
+        "Bad key length: importKey(raw, {name: Ed25519}, true, [verify])",
+        "Bad key length: importKey(raw, {name: Ed25519}, false, [verify])",
+        "Bad key length: importKey(raw, {name: Ed25519}, true, [verify, verify])",
+        "Bad key length: importKey(raw, {name: Ed25519}, false, [verify, verify])",
+        "Missing JWK 'x' parameter: importKey(jwk(private), {name: Ed25519}, true, [sign])",
+        "Missing JWK 'x' parameter: importKey(jwk(private), {name: Ed25519}, false, [sign])",
+        "Missing JWK 'x' parameter: importKey(jwk(private), {name: Ed25519}, true, [sign, sign])",
+        "Missing JWK 'x' parameter: importKey(jwk(private), {name: Ed25519}, false, [sign, sign])",
+        "Invalid key pair: importKey(jwk(private), {name: Ed25519}, true, [sign])",
+        "Invalid key pair: importKey(jwk(private), {name: Ed25519}, true, [sign, sign])"
+      ],
+      "okp_importKey_failures_Ed25519.https.any.worker.html": [
+        "Bad key length: importKey(raw, {name: Ed25519}, true, [verify])",
+        "Bad key length: importKey(raw, {name: Ed25519}, false, [verify])",
+        "Bad key length: importKey(raw, {name: Ed25519}, true, [verify, verify])",
+        "Bad key length: importKey(raw, {name: Ed25519}, false, [verify, verify])",
+        "Missing JWK 'x' parameter: importKey(jwk(private), {name: Ed25519}, true, [sign])",
+        "Missing JWK 'x' parameter: importKey(jwk(private), {name: Ed25519}, false, [sign])",
+        "Missing JWK 'x' parameter: importKey(jwk(private), {name: Ed25519}, true, [sign, sign])",
+        "Missing JWK 'x' parameter: importKey(jwk(private), {name: Ed25519}, false, [sign, sign])",
+        "Invalid key pair: importKey(jwk(private), {name: Ed25519}, true, [sign])",
+        "Invalid key pair: importKey(jwk(private), {name: Ed25519}, true, [sign, sign])"
+      ],
      "okp_importKey_failures_Ed448.https.any.html": false,
      "okp_importKey_failures_Ed448.https.any.worker.html": false,
-      "okp_importKey_failures_X25519.https.any.html": false,
-      "okp_importKey_failures_X25519.https.any.worker.html": false,
+      "okp_importKey_failures_X25519.https.any.html": [
+        "Bad key length: importKey(raw, {name: X25519}, true, [])",
+        "Bad key length: importKey(raw, {name: X25519}, false, [])",
+        "Bad key length: importKey(jwk (public) , {name: X25519}, true, [])",
+        "Bad key length: importKey(jwk (public) , {name: X25519}, false, [])",
+        "Bad key length: importKey(jwk(private), {name: X25519}, true, [deriveKey])",
+        "Bad key length: importKey(jwk(private), {name: X25519}, false, [deriveKey])",
+        "Bad key length: importKey(jwk(private), {name: X25519}, true, [deriveBits, deriveKey])",
+        "Bad key length: importKey(jwk(private), {name: X25519}, false, [deriveBits, deriveKey])",
+        "Bad key length: importKey(jwk(private), {name: X25519}, true, [deriveBits])",
+        "Bad key length: importKey(jwk(private), {name: X25519}, false, [deriveBits])",
+        "Bad key length: importKey(jwk(private), {name: X25519}, true, [deriveKey, deriveBits, deriveKey, deriveBits])",
+        "Bad key length: importKey(jwk(private), {name: X25519}, false, [deriveKey, deriveBits, deriveKey, deriveBits])",
+        "Missing JWK 'x' parameter: importKey(jwk(private), {name: X25519}, true, [deriveKey])",
+        "Missing JWK 'x' parameter: importKey(jwk(private), {name: X25519}, false, [deriveKey])",
+        "Missing JWK 'x' parameter: importKey(jwk(private), {name: X25519}, true, [deriveBits, deriveKey])",
+        "Missing JWK 'x' parameter: importKey(jwk(private), {name: X25519}, false, [deriveBits, deriveKey])",
+        "Missing JWK 'x' parameter: importKey(jwk(private), {name: X25519}, true, [deriveBits])",
+        "Missing JWK 'x' parameter: importKey(jwk(private), {name: X25519}, false, [deriveBits])",
+        "Missing JWK 'x' parameter: importKey(jwk(private), {name: X25519}, true, [deriveKey, deriveBits, deriveKey, deriveBits])",
+        "Missing JWK 'x' parameter: importKey(jwk(private), {name: X25519}, false, [deriveKey, deriveBits, deriveKey, deriveBits])",
+        "Invalid key pair: importKey(jwk(private), {name: X25519}, true, [deriveKey])",
+        "Invalid key pair: importKey(jwk(private), {name: X25519}, true, [deriveBits, deriveKey])",
+        "Invalid key pair: importKey(jwk(private), {name: X25519}, true, [deriveBits])",
+        "Invalid key pair: importKey(jwk(private), {name: X25519}, true, [deriveKey, deriveBits, deriveKey, deriveBits])"
+      ],
+      "okp_importKey_failures_X25519.https.any.worker.html": [
+        "Bad key length: importKey(raw, {name: X25519}, true, [])",
+        "Bad key length: importKey(raw, {name: X25519}, false, [])",
+        "Bad key length: importKey(jwk (public) , {name: X25519}, true, [])",
+        "Bad key length: importKey(jwk (public) , {name: X25519}, false, [])",
+        "Bad key length: importKey(jwk(private), {name: X25519}, true, [deriveKey])",
+        "Bad key length: importKey(jwk(private), {name: X25519}, false, [deriveKey])",
+        "Bad key length: importKey(jwk(private), {name: X25519}, true, [deriveBits, deriveKey])",
+        "Bad key length: importKey(jwk(private), {name: X25519}, false, [deriveBits, deriveKey])",
+        "Bad key length: importKey(jwk(private), {name: X25519}, true, [deriveBits])",
+        "Bad key length: importKey(jwk(private), {name: X25519}, false, [deriveBits])",
+        "Bad key length: importKey(jwk(private), {name: X25519}, true, [deriveKey, deriveBits, deriveKey, deriveBits])",
+        "Bad key length: importKey(jwk(private), {name: X25519}, false, [deriveKey, deriveBits, deriveKey, deriveBits])",
+        "Missing JWK 'x' parameter: importKey(jwk(private), {name: X25519}, true, [deriveKey])",
+        "Missing JWK 'x' parameter: importKey(jwk(private), {name: X25519}, false, [deriveKey])",
+        "Missing JWK 'x' parameter: importKey(jwk(private), {name: X25519}, true, [deriveBits, deriveKey])",
+        "Missing JWK 'x' parameter: importKey(jwk(private), {name: X25519}, false, [deriveBits, deriveKey])",
+        "Missing JWK 'x' parameter: importKey(jwk(private), {name: X25519}, true, [deriveBits])",
+        "Missing JWK 'x' parameter: importKey(jwk(private), {name: X25519}, false, [deriveBits])",
+        "Missing JWK 'x' parameter: importKey(jwk(private), {name: X25519}, true, [deriveKey, deriveBits, deriveKey, deriveBits])",
+        "Missing JWK 'x' parameter: importKey(jwk(private), {name: X25519}, false, [deriveKey, deriveBits, deriveKey, deriveBits])",
+        "Invalid key pair: importKey(jwk(private), {name: X25519}, true, [deriveKey])",
+        "Invalid key pair: importKey(jwk(private), {name: X25519}, true, [deriveBits, deriveKey])",
+        "Invalid key pair: importKey(jwk(private), {name: X25519}, true, [deriveBits])",
+        "Invalid key pair: importKey(jwk(private), {name: X25519}, true, [deriveKey, deriveBits, deriveKey, deriveBits])"
+      ],
      "okp_importKey_failures_X448.https.any.html": false,
      "okp_importKey_failures_X448.https.any.worker.html": false
    },