fix(ext/crypto): reject empty usages in SubtleCrypto#importKey (#25759)

Fixes #19051
denoland · Sep 20, 2024 · a92ebd9 · a92ebd9
1 parent cbdeb35
commit a92ebd9
Show file tree

Hide file tree

Showing 2 changed files with 115 additions and 580 deletions.
diff --git a/ext/crypto/00_crypto.js b/ext/crypto/00_crypto.js
@@ -939,7 +939,6 @@ class SubtleCrypto {
    * @param {KeyUsages[]} keyUsages
    * @returns {Promise<any>}
    */
-  // deno-lint-ignore require-await
   async importKey(format, keyData, algorithm, extractable, keyUsages) {
     webidl.assertBranded(this, SubtleCryptoPrototype);
     const prefix = "Failed to execute 'importKey' on 'SubtleCrypto'";
@@ -977,86 +976,24 @@ class SubtleCrypto {
 
     const normalizedAlgorithm = normalizeAlgorithm(algorithm, "importKey");
 
-    const algorithmName = normalizedAlgorithm.name;
+    // 8.
+    const result = await importKeyInner(
+      format,
+      normalizedAlgorithm,
+      keyData,
+      extractable,
+      keyUsages,
+    );
 
-    switch (algorithmName) {
-      case "HMAC": {
-        return importKeyHMAC(
-          format,
-          normalizedAlgorithm,
-          keyData,
-          extractable,
-          keyUsages,
-        );
-      }
-      case "ECDH":
-      case "ECDSA": {
-        return importKeyEC(
-          format,
-          normalizedAlgorithm,
-          keyData,
-          extractable,
-          keyUsages,
-        );
-      }
-      case "RSASSA-PKCS1-v1_5":
-      case "RSA-PSS":
-      case "RSA-OAEP": {
-        return importKeyRSA(
-          format,
-          normalizedAlgorithm,
-          keyData,
-          extractable,
-          keyUsages,
-        );
-      }
-      case "HKDF": {
-        return importKeyHKDF(format, keyData, extractable, keyUsages);
-      }
-      case "PBKDF2": {
-        return importKeyPBKDF2(format, keyData, extractable, keyUsages);
-      }
-      case "AES-CTR":
-      case "AES-CBC":
-      case "AES-GCM": {
-        return importKeyAES(
-          format,
-          normalizedAlgorithm,
-          keyData,
-          extractable,
-          keyUsages,
-          ["encrypt", "decrypt", "wrapKey", "unwrapKey"],
-        );
-      }
-      case "AES-KW": {
-        return importKeyAES(
-          format,
-          normalizedAlgorithm,
-          keyData,
-          extractable,
-          keyUsages,
-          ["wrapKey", "unwrapKey"],
-        );
-      }
-      case "X25519": {
-        return importKeyX25519(
-          format,
-          keyData,
-          extractable,
-          keyUsages,
-        );
-      }
-      case "Ed25519": {
-        return importKeyEd25519(
-          format,
-          keyData,
-          extractable,
-          keyUsages,
-        );
-      }
-      default:
-        throw new DOMException("Not implemented", "NotSupportedError");
+    // 9.
+    if (
+      ArrayPrototypeIncludes(["private", "secret"], result[_type]) &&
+      keyUsages.length == 0
+    ) {
+      throw new SyntaxError("Invalid key usage");
     }
+
+    return result;
   }
 
   /**
@@ -3352,6 +3289,96 @@ function importKeyEC(
   }
 }
 
+// deno-lint-ignore require-await
+async function importKeyInner(
+  format,
+  normalizedAlgorithm,
+  keyData,
+  extractable,
+  keyUsages,
+) {
+  const algorithmName = normalizedAlgorithm.name;
+
+  switch (algorithmName) {
+    case "HMAC": {
+      return importKeyHMAC(
+        format,
+        normalizedAlgorithm,
+        keyData,
+        extractable,
+        keyUsages,
+      );
+    }
+    case "ECDH":
+    case "ECDSA": {
+      return importKeyEC(
+        format,
+        normalizedAlgorithm,
+        keyData,
+        extractable,
+        keyUsages,
+      );
+    }
+    case "RSASSA-PKCS1-v1_5":
+    case "RSA-PSS":
+    case "RSA-OAEP": {
+      return importKeyRSA(
+        format,
+        normalizedAlgorithm,
+        keyData,
+        extractable,
+        keyUsages,
+      );
+    }
+    case "HKDF": {
+      return importKeyHKDF(format, keyData, extractable, keyUsages);
+    }
+    case "PBKDF2": {
+      return importKeyPBKDF2(format, keyData, extractable, keyUsages);
+    }
+    case "AES-CTR":
+    case "AES-CBC":
+    case "AES-GCM": {
+      return importKeyAES(
+        format,
+        normalizedAlgorithm,
+        keyData,
+        extractable,
+        keyUsages,
+        ["encrypt", "decrypt", "wrapKey", "unwrapKey"],
+      );
+    }
+    case "AES-KW": {
+      return importKeyAES(
+        format,
+        normalizedAlgorithm,
+        keyData,
+        extractable,
+        keyUsages,
+        ["wrapKey", "unwrapKey"],
+      );
+    }
+    case "X25519": {
+      return importKeyX25519(
+        format,
+        keyData,
+        extractable,
+        keyUsages,
+      );
+    }
+    case "Ed25519": {
+      return importKeyEd25519(
+        format,
+        keyData,
+        extractable,
+        keyUsages,
+      );
+    }
+    default:
+      throw new DOMException("Not implemented", "NotSupportedError");
+  }
+}
+
 const SUPPORTED_KEY_USAGES = {
   "RSASSA-PKCS1-v1_5": {
     public: ["verify"],