crypto: fix webcrypto AES-KW keys accepting encrypt/decrypt usages

panva · panva · commit d51d18a6206d · 2022-06-14T17:37:22.000+02:00
diff --git a/lib/internal/crypto/aes.js b/lib/internal/crypto/aes.js
@@ -230,13 +230,17 @@ async function aesGenerateKey(algorithm, extractable, keyUsages) {
   validateInteger(length, 'algorithm.length');
   validateOneOf(length, 'algorithm.length', kAesKeyLengths);
 
-  const usageSet = new SafeSet(keyUsages);
+  const checkUsages = ['wrapKey', 'unwrapKey'];
+  if (name !== 'AES-KW')
+    ArrayPrototypePush(checkUsages, 'encrypt', 'decrypt');
 
-  if (hasAnyNotIn(usageSet, ['encrypt', 'decrypt', 'wrapKey', 'unwrapKey'])) {
+  const usagesSet = new SafeSet(keyUsages);
+  if (hasAnyNotIn(usagesSet, checkUsages)) {
     throw lazyDOMException(
       'Unsupported key usage for an AES key',
       'SyntaxError');
   }
+
   return new Promise((resolve, reject) => {
     generateKey('aes', { length }, (err, key) => {
       if (err) {
@@ -249,7 +253,7 @@ async function aesGenerateKey(algorithm, extractable, keyUsages) {
       resolve(new InternalCryptoKey(
         key,
         { name, length },
-        ArrayFrom(usageSet),
+        ArrayFrom(usagesSet),
         extractable));
     });
   });
diff --git a/test/parallel/test-webcrypto-keygen.js b/test/parallel/test-webcrypto-keygen.js
@@ -206,11 +206,6 @@ const vectors = {
 // Test bad usages
 {
   async function test(name) {
-    const invalidUsages = [];
-    allUsages.forEach((usage) => {
-      if (!vectors[name].usages.includes(usage))
-        invalidUsages.push(usage);
-    });
     await assert.rejects(
       subtle.generateKey(
         {
@@ -219,14 +214,22 @@ const vectors = {
         true,
         []),
       { message: /Usages cannot be empty/ });
-    return assert.rejects(
-      subtle.generateKey(
-        {
-          name, ...vectors[name].algorithm
-        },
-        true,
-        invalidUsages),
-      { message: /Unsupported key usage/ });
+
+    const invalidUsages = [];
+    allUsages.forEach((usage) => {
+      if (!vectors[name].usages.includes(usage))
+        invalidUsages.push(usage);
+    });
+    for (const invalidUsage of invalidUsages) {
+      await assert.rejects(
+        subtle.generateKey(
+          {
+            name, ...vectors[name].algorithm
+          },
+          true,
+          [...vectors[name].usages, invalidUsage]),
+        { message: /Unsupported key usage/ });
+    }
   }
 
   const tests = Object.keys(vectors).map(test);
diff --git a/test/wpt/status/WebCryptoAPI.json b/test/wpt/status/WebCryptoAPI.json
@@ -48,7 +48,6 @@
   "generateKey/failures_AES-KW.https.any.js": {
     "fail": {
       "unexpected": [
-        "assert_unreached: Operation succeeded, but should not have Reached unreachable code",
         "assert_equals: Bad algorithm property not supported expected \"OperationError\" but got \"TypeError\"",
         "assert_equals: Bad algorithm property not supported expected \"OperationError\" but got \"SyntaxError\""
       ]

Original file line number	Diff line number	Diff line change
`@@ -48,7 +48,6 @@`
`48`	`48`	`"generateKey/failures_AES-KW.https.any.js": {`
`49`	`49`	`"fail": {`
`50`	`50`	`"unexpected": [`
`51`		`- "assert_unreached: Operation succeeded, but should not have Reached unreachable code",`
`52`	`51`	`"assert_equals: Bad algorithm property not supported expected \"OperationError\" but got \"TypeError\"",`
`53`	`52`	`"assert_equals: Bad algorithm property not supported expected \"OperationError\" but got \"SyntaxError\""`
`54`	`53`	`]`