1berry/nodejs
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

crypto: refactor verify acceptable key usage functions

Browse Source 
PR-URL: https://github.com/nodejs/node/pull/45569
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
This commit is contained in:
Filip Skokan 2022-11-22 12:46:05 +01:00 committed by Node.js GitHub Bot
parent 8fef4746fc
commit a6dd939ce8
3 changed files with 37 additions and 66 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
lib/internal/crypto/cfrg.js
View File

@ -47,32 +47,22 @@ const {
const generateKeyPair = promisify(_generateKeyPair); const generateKeyPair = promisify(_generateKeyPair);
function verifyAcceptableCfrgKeyUse(name, type, usages) { function verifyAcceptableCfrgKeyUse(name, isPublic, usages) {
let checkSet; let checkSet;
switch (name) { switch (name) {
case 'X25519': case 'X25519':
// Fall through // Fall through
case 'X448': case 'X448':
switch (type) { checkSet = isPublic ? [] : ['deriveKey', 'deriveBits'];
case 'private':
checkSet = ['deriveKey', 'deriveBits'];
break;
case 'public':
checkSet = [];
break;
}
break; break;
case 'Ed25519': case 'Ed25519':
// Fall through // Fall through
case 'Ed448': case 'Ed448':
switch (type) { checkSet = isPublic ? ['verify'] : ['sign'];
case 'private': break;
checkSet = ['sign']; default:
break; throw lazyDOMException(
case 'public': 'The algorithm is not supported', 'NotSupportedError');
checkSet = ['verify'];
break;
}
} }
if (hasAnyNotIn(usages, checkSet)) { if (hasAnyNotIn(usages, checkSet)) {
throw lazyDOMException( throw lazyDOMException(
@ -219,7 +209,7 @@ async function cfrgImportKey(
const usagesSet = new SafeSet(keyUsages); const usagesSet = new SafeSet(keyUsages);
switch (format) { switch (format) {
case 'spki': { case 'spki': {
verifyAcceptableCfrgKeyUse(name, 'public', usagesSet); verifyAcceptableCfrgKeyUse(name, true, usagesSet);
try { try {
keyObject = createPublicKey({ keyObject = createPublicKey({
key: keyData, key: keyData,
@ -233,7 +223,7 @@ async function cfrgImportKey(
break; break;
} }
case 'pkcs8': { case 'pkcs8': {
verifyAcceptableCfrgKeyUse(name, 'private', usagesSet); verifyAcceptableCfrgKeyUse(name, false, usagesSet);
try { try {
keyObject = createPrivateKey({ keyObject = createPrivateKey({
key: keyData, key: keyData,
@ -298,7 +288,7 @@ async function cfrgImportKey(
verifyAcceptableCfrgKeyUse( verifyAcceptableCfrgKeyUse(
name, name,
isPublic ? 'public' : 'private', isPublic,
usagesSet); usagesSet);
const publicKeyObject = createCFRGRawKey( const publicKeyObject = createCFRGRawKey(
@ -321,7 +311,7 @@ async function cfrgImportKey(
break; break;
} }
case 'raw': { case 'raw': {
verifyAcceptableCfrgKeyUse(name, 'public', usagesSet); verifyAcceptableCfrgKeyUse(name, true, usagesSet);
keyObject = createCFRGRawKey(name, keyData, true); keyObject = createCFRGRawKey(name, keyData, true);
break; break;
} }

39
lib/internal/crypto/ec.js
View File

@ -54,28 +54,18 @@ const {
const generateKeyPair = promisify(_generateKeyPair); const generateKeyPair = promisify(_generateKeyPair);
function verifyAcceptableEcKeyUse(name, type, usages) { function verifyAcceptableEcKeyUse(name, isPublic, usages) {
let checkSet; let checkSet;
switch (name) { switch (name) {
case 'ECDH': case 'ECDH':
switch (type) { checkSet = isPublic ? [] : ['deriveKey', 'deriveBits'];
case 'private':
checkSet = ['deriveKey', 'deriveBits'];
break;
case 'public':
checkSet = [];
break;
}
break; break;
case 'ECDSA': case 'ECDSA':
switch (type) { checkSet = isPublic ? ['verify'] : ['sign'];
case 'private': break;
checkSet = ['sign']; default:
break; throw lazyDOMException(
case 'public': 'The algorithm is not supported', 'NotSupportedError');
checkSet = ['verify'];
break;
}
} }
if (hasAnyNotIn(usages, checkSet)) { if (hasAnyNotIn(usages, checkSet)) {
throw lazyDOMException( throw lazyDOMException(
@ -186,7 +176,7 @@ async function ecImportKey(
const usagesSet = new SafeSet(keyUsages); const usagesSet = new SafeSet(keyUsages);
switch (format) { switch (format) {
case 'spki': { case 'spki': {
verifyAcceptableEcKeyUse(name, 'public', usagesSet); verifyAcceptableEcKeyUse(name, true, usagesSet);
try { try {
keyObject = createPublicKey({ keyObject = createPublicKey({
key: keyData, key: keyData,
@ -200,7 +190,7 @@ async function ecImportKey(
break; break;
} }
case 'pkcs8': { case 'pkcs8': {
verifyAcceptableEcKeyUse(name, 'private', usagesSet); verifyAcceptableEcKeyUse(name, false, usagesSet);
try { try {
keyObject = createPrivateKey({ keyObject = createPrivateKey({
key: keyData, key: keyData,
@ -221,11 +211,10 @@ async function ecImportKey(
if (keyData.crv !== namedCurve) if (keyData.crv !== namedCurve)
throw lazyDOMException('Named curve mismatch', 'DataError'); throw lazyDOMException('Named curve mismatch', 'DataError');
if (keyData.d !== undefined) { verifyAcceptableEcKeyUse(
verifyAcceptableEcKeyUse(name, 'private', usagesSet); name,
} else { keyData.d === undefined,
verifyAcceptableEcKeyUse(name, 'public', usagesSet); usagesSet);
}
if (usagesSet.size > 0 && keyData.use !== undefined) { if (usagesSet.size > 0 && keyData.use !== undefined) {
if (algorithm.name === 'ECDSA' && keyData.use !== 'sig') if (algorithm.name === 'ECDSA' && keyData.use !== 'sig')
@ -265,7 +254,7 @@ async function ecImportKey(
break; break;
} }
case 'raw': { case 'raw': {
verifyAcceptableEcKeyUse(name, 'public', usagesSet); verifyAcceptableEcKeyUse(name, true, usagesSet);
keyObject = createECPublicKeyRaw(namedCurve, keyData); keyObject = createECPublicKeyRaw(namedCurve, keyData);
break; break;
} }

32
lib/internal/crypto/rsa.js
View File

@ -74,28 +74,20 @@ const kRsaVariants = {
}; };
const generateKeyPair = promisify(_generateKeyPair); const generateKeyPair = promisify(_generateKeyPair);
function verifyAcceptableRsaKeyUse(name, type, usages) { function verifyAcceptableRsaKeyUse(name, isPublic, usages) {
let checkSet; let checkSet;
switch (name) { switch (name) {
case 'RSA-OAEP': case 'RSA-OAEP':
switch (type) { checkSet = isPublic ? ['encrypt', 'wrapKey'] : ['decrypt', 'unwrapKey'];
case 'private': break;
checkSet = ['decrypt', 'unwrapKey']; case 'RSA-PSS':
break; // Fall through
case 'public': case 'RSASSA-PKCS1-v1_5':
checkSet = ['encrypt', 'wrapKey']; checkSet = isPublic ? ['verify'] : ['sign'];
break;
}
break; break;
default: default:
switch (type) { throw lazyDOMException(
case 'private': 'The algorithm is not supported', 'NotSupportedError');
checkSet = ['sign'];
break;
case 'public':
checkSet = ['verify'];
break;
}
} }
if (hasAnyNotIn(usages, checkSet)) { if (hasAnyNotIn(usages, checkSet)) {
throw lazyDOMException( throw lazyDOMException(
@ -244,7 +236,7 @@ async function rsaImportKey(
let keyObject; let keyObject;
switch (format) { switch (format) {
case 'spki': { case 'spki': {
verifyAcceptableRsaKeyUse(algorithm.name, 'public', usagesSet); verifyAcceptableRsaKeyUse(algorithm.name, true, usagesSet);
try { try {
keyObject = createPublicKey({ keyObject = createPublicKey({
key: keyData, key: keyData,
@ -258,7 +250,7 @@ async function rsaImportKey(
break; break;
} }
case 'pkcs8': { case 'pkcs8': {
verifyAcceptableRsaKeyUse(algorithm.name, 'private', usagesSet); verifyAcceptableRsaKeyUse(algorithm.name, false, usagesSet);
try { try {
keyObject = createPrivateKey({ keyObject = createPrivateKey({
key: keyData, key: keyData,
@ -277,7 +269,7 @@ async function rsaImportKey(
verifyAcceptableRsaKeyUse( verifyAcceptableRsaKeyUse(
algorithm.name, algorithm.name,
keyData.d !== undefined ? 'private' : 'public', keyData.d === undefined,
usagesSet); usagesSet);
if (keyData.kty !== 'RSA') if (keyData.kty !== 'RSA')