diff --git a/cli/tests/unit/webcrypto_test.ts b/cli/tests/unit/webcrypto_test.ts index 0828f07162..b1d4e96376 100644 --- a/cli/tests/unit/webcrypto_test.ts +++ b/cli/tests/unit/webcrypto_test.ts @@ -690,3 +690,26 @@ unitTest(async function testAesKeyGen() { assertEquals(algorithm.name, "AES-GCM"); assertEquals(algorithm.length, 256); }); + +unitTest(async function testDecryptWithInvalidIntializationVector() { + const data = new Uint8Array([42, 42, 42, 42]); + const key = await crypto.subtle.generateKey( + { name: "AES-CBC", length: 256 }, + true, + ["encrypt", "decrypt"], + ); + const initVector = crypto.getRandomValues(new Uint8Array(16)); + const encrypted = await crypto.subtle.encrypt( + { name: "AES-CBC", iv: initVector }, + key, + data, + ); + const initVector2 = crypto.getRandomValues(new Uint8Array(16)); + assertRejects(async () => { + await crypto.subtle.decrypt( + { name: "AES-CBC", iv: initVector2 }, + key, + encrypted, + ); + }, DOMException); +}); diff --git a/ext/crypto/lib.rs b/ext/crypto/lib.rs index b0cd7ef061..dcf03d64cc 100644 --- a/ext/crypto/lib.rs +++ b/ext/crypto/lib.rs @@ -1603,7 +1603,12 @@ pub async fn op_crypto_decrypt_key( block_modes::Cbc; let cipher = Aes128Cbc::new_from_slices(key, &iv)?; - cipher.decrypt_vec(data)? + cipher.decrypt_vec(data).map_err(|_| { + custom_error( + "DOMExceptionOperationError", + "Decryption failed".to_string(), + ) + })? } 192 => { // Section 10.3 Step 2 of RFC 2315 https://www.rfc-editor.org/rfc/rfc2315 @@ -1611,7 +1616,12 @@ pub async fn op_crypto_decrypt_key( block_modes::Cbc; let cipher = Aes192Cbc::new_from_slices(key, &iv)?; - cipher.decrypt_vec(data)? + cipher.decrypt_vec(data).map_err(|_| { + custom_error( + "DOMExceptionOperationError", + "Decryption failed".to_string(), + ) + })? } 256 => { // Section 10.3 Step 2 of RFC 2315 https://www.rfc-editor.org/rfc/rfc2315 @@ -1619,7 +1629,12 @@ pub async fn op_crypto_decrypt_key( block_modes::Cbc; let cipher = Aes256Cbc::new_from_slices(key, &iv)?; - cipher.decrypt_vec(data)? + cipher.decrypt_vec(data).map_err(|_| { + custom_error( + "DOMExceptionOperationError", + "Decryption failed".to_string(), + ) + })? } _ => unreachable!(), }; diff --git a/tools/wpt/expectation.json b/tools/wpt/expectation.json index cd3af186cf..a3c4e15cc6 100644 --- a/tools/wpt/expectation.json +++ b/tools/wpt/expectation.json @@ -3098,16 +3098,7 @@ "AES-CBC 256-bit key with mismatched key and algorithm", "AES-CBC 128-bit key without decrypt usage", "AES-CBC 192-bit key without decrypt usage", - "AES-CBC 256-bit key without decrypt usage", - "AES-CBC 128-bit key, zeroPadChar", - "AES-CBC 128-bit key, bigPadChar", - "AES-CBC 128-bit key, inconsistentPadChars", - "AES-CBC 192-bit key, zeroPadChar", - "AES-CBC 192-bit key, bigPadChar", - "AES-CBC 192-bit key, inconsistentPadChars", - "AES-CBC 256-bit key, zeroPadChar", - "AES-CBC 256-bit key, bigPadChar", - "AES-CBC 256-bit key, inconsistentPadChars" + "AES-CBC 256-bit key without decrypt usage" ], "aes_cbc.https.any.worker.html": [ "AES-CBC 128-bit key without encrypt usage", @@ -3118,16 +3109,7 @@ "AES-CBC 256-bit key with mismatched key and algorithm", "AES-CBC 128-bit key without decrypt usage", "AES-CBC 192-bit key without decrypt usage", - "AES-CBC 256-bit key without decrypt usage", - "AES-CBC 128-bit key, zeroPadChar", - "AES-CBC 128-bit key, bigPadChar", - "AES-CBC 128-bit key, inconsistentPadChars", - "AES-CBC 192-bit key, zeroPadChar", - "AES-CBC 192-bit key, bigPadChar", - "AES-CBC 192-bit key, inconsistentPadChars", - "AES-CBC 256-bit key, zeroPadChar", - "AES-CBC 256-bit key, bigPadChar", - "AES-CBC 256-bit key, inconsistentPadChars" + "AES-CBC 256-bit key without decrypt usage" ], "aes_ctr.https.any.html": [ "AES-CTR 128-bit key",