fix(ext/crypto): fix jwk key_ops validation (#27827)

2025-02-07 23:06:50 -05:00 · 2025-01-28 18:13:17 +05:30 · 2025-01-28 18:13:17 +05:30 · ce31688225
commit ce31688225
parent 094e268002
2 changed files with 44 additions and 8 deletions
--- a/ext/crypto/00_crypto.js
+++ b/ext/crypto/00_crypto.js
@ -2988,8 +2988,8 @@ function importKeyAES(

        if (
          !ArrayPrototypeEvery(
-            jwk.key_ops,
-            (u) => ArrayPrototypeIncludes(keyUsages, u),
+            keyUsages,
+            (u) => ArrayPrototypeIncludes(jwk.key_ops, u),
          )
        ) {
          throw new DOMException(
@ -3163,8 +3163,8 @@ function importKeyHMAC(

        if (
          !ArrayPrototypeEvery(
-            jwk.key_ops,
-            (u) => ArrayPrototypeIncludes(keyUsages, u),
+            keyUsages,
+            (u) => ArrayPrototypeIncludes(jwk.key_ops, u),
          )
        ) {
          throw new DOMException(
@ -3429,8 +3429,8 @@ function importKeyEC(

        if (
          !ArrayPrototypeEvery(
-            jwk.key_ops,
-            (u) => ArrayPrototypeIncludes(keyUsages, u),
+            keyUsages,
+            (u) => ArrayPrototypeIncludes(jwk.key_ops, u),
          )
        ) {
          throw new DOMException(
@ -3843,8 +3843,8 @@ function importKeyRSA(

        if (
          !ArrayPrototypeEvery(
-            jwk.key_ops,
-            (u) => ArrayPrototypeIncludes(keyUsages, u),
+            keyUsages,
+            (u) => ArrayPrototypeIncludes(jwk.key_ops, u),
          )
        ) {
          throw new DOMException(
--- a/tests/unit/webcrypto_test.ts
+++ b/tests/unit/webcrypto_test.ts
@ -2086,6 +2086,42 @@ Deno.test(async function x25519SharedSecret() {
  assertEquals(new Uint8Array(sharedSecret1), new Uint8Array(sharedSecret2));
 });

+// https://github.com/denoland/deno/issues/26870
+Deno.test(async function jwkKeyOpsValidation() {
+  const { privateKey } = await crypto.subtle.generateKey(
+    {
+      name: "RSASSA-PKCS1-v1_5",
+      hash: { name: "SHA-256" },
+      publicExponent: new Uint8Array([1, 0, 1]),
+      modulusLength: 2048,
+    },
+    true,
+    ["sign", "verify"],
+  );
+
+  // https://github.com/node-opcua/node-opcua-crypto/blob/a2a1b8a4d416fe176cd1a38796c4b13f938cd01c/packages/node-opcua-crypto/source/x509/_build_public_key.ts#L30-L49
+  const jwk = await crypto.subtle.exportKey("jwk", privateKey);
+  delete jwk.d;
+  delete jwk.dp;
+  delete jwk.dq;
+  delete jwk.q;
+  delete jwk.qi;
+  jwk.key_ops = [
+    "encrypt",
+    "sign",
+  ];
+
+  const publicKey = await crypto.subtle.importKey(
+    "jwk",
+    jwk,
+    { name: "RSASSA-PKCS1-v1_5", hash: { name: "SHA-256" } },
+    true,
+    [],
+  );
+
+  assert(publicKey);
+});
+
 Deno.test(async function x25519ExportJwk() {
  const keyPair = await crypto.subtle.generateKey(
    {