fix(ext/crypto): check extractable in exportKey (#14222)

cli/tests/unit/webcrypto_test.ts

@@ -1750,3 +1750,23 @@ Deno.test(async function importJwkWithUse() {
 
   assert(key instanceof CryptoKey);
 });
+
+// https://github.com/denoland/deno/issues/14215
+Deno.test(async function exportKeyNotExtractable() {
+  const key = await crypto.subtle.generateKey(
+    {
+      name: "HMAC",
+      hash: "SHA-512",
+    },
+    false,
+    ["sign", "verify"],
+  );
+
+  assert(key);
+  assertEquals(key.extractable, false);
+
+  await assertRejects(async () => {
+    // Should fail
+    await crypto.subtle.exportKey("raw", key);
+  }, DOMException);
+});

ext/crypto/00_crypto.js

@@ -984,28 +984,43 @@
 
       const algorithmName = key[_algorithm].name;
 
+      let result;
+
       switch (algorithmName) {
         case "HMAC": {
-          return exportKeyHMAC(format, key, innerKey);
+          result = exportKeyHMAC(format, key, innerKey);
+          break;
         }
         case "RSASSA-PKCS1-v1_5":
         case "RSA-PSS":
         case "RSA-OAEP": {
-          return exportKeyRSA(format, key, innerKey);
+          result = exportKeyRSA(format, key, innerKey);
+          break;
         }
         case "ECDH":
         case "ECDSA": {
-          return exportKeyEC(format, key, innerKey);
+          result = exportKeyEC(format, key, innerKey);
+          break;
         }
         case "AES-CTR":
         case "AES-CBC":
         case "AES-GCM":
         case "AES-KW": {
-          return exportKeyAES(format, key, innerKey);
+          result = exportKeyAES(format, key, innerKey);
+          break;
         }
         default:
           throw new DOMException("Not implemented", "NotSupportedError");
       }
+
+      if (key.extractable === false) {
+        throw new DOMException(
+          "Key is not extractable",
+          "InvalidAccessError",
+        );
+      }
+
+      return result;
     }
 
     /**