fix(ext/crypto): fix jwk key_ops validation (#27827)

denoland · Jan 28, 2025 · ce31688 · ce31688
1 parent 094e268
commit ce31688
Show file tree

Hide file tree

Showing 2 changed files with 44 additions and 8 deletions.
diff --git a/ext/crypto/00_crypto.js b/ext/crypto/00_crypto.js
@@ -2988,8 +2988,8 @@ function importKeyAES(
 
         if (
           !ArrayPrototypeEvery(
-            jwk.key_ops,
-            (u) => ArrayPrototypeIncludes(keyUsages, u),
+            keyUsages,
+            (u) => ArrayPrototypeIncludes(jwk.key_ops, u),
           )
         ) {
           throw new DOMException(
@@ -3163,8 +3163,8 @@ function importKeyHMAC(
 
         if (
           !ArrayPrototypeEvery(
-            jwk.key_ops,
-            (u) => ArrayPrototypeIncludes(keyUsages, u),
+            keyUsages,
+            (u) => ArrayPrototypeIncludes(jwk.key_ops, u),
           )
         ) {
           throw new DOMException(
@@ -3429,8 +3429,8 @@ function importKeyEC(
 
         if (
           !ArrayPrototypeEvery(
-            jwk.key_ops,
-            (u) => ArrayPrototypeIncludes(keyUsages, u),
+            keyUsages,
+            (u) => ArrayPrototypeIncludes(jwk.key_ops, u),
           )
         ) {
           throw new DOMException(
@@ -3843,8 +3843,8 @@ function importKeyRSA(
 
         if (
           !ArrayPrototypeEvery(
-            jwk.key_ops,
-            (u) => ArrayPrototypeIncludes(keyUsages, u),
+            keyUsages,
+            (u) => ArrayPrototypeIncludes(jwk.key_ops, u),
           )
         ) {
           throw new DOMException(

diff --git a/tests/unit/webcrypto_test.ts b/tests/unit/webcrypto_test.ts
@@ -2086,6 +2086,42 @@ Deno.test(async function x25519SharedSecret() {
   assertEquals(new Uint8Array(sharedSecret1), new Uint8Array(sharedSecret2));
 });
 
+// https://github.com/denoland/deno/issues/26870
+Deno.test(async function jwkKeyOpsValidation() {
+  const { privateKey } = await crypto.subtle.generateKey(
+    {
+      name: "RSASSA-PKCS1-v1_5",
+      hash: { name: "SHA-256" },
+      publicExponent: new Uint8Array([1, 0, 1]),
+      modulusLength: 2048,
+    },
+    true,
+    ["sign", "verify"],
+  );
+
+  // https://github.com/node-opcua/node-opcua-crypto/blob/a2a1b8a4d416fe176cd1a38796c4b13f938cd01c/packages/node-opcua-crypto/source/x509/_build_public_key.ts#L30-L49
+  const jwk = await crypto.subtle.exportKey("jwk", privateKey);
+  delete jwk.d;
+  delete jwk.dp;
+  delete jwk.dq;
+  delete jwk.q;
+  delete jwk.qi;
+  jwk.key_ops = [
+    "encrypt",
+    "sign",
+  ];
+
+  const publicKey = await crypto.subtle.importKey(
+    "jwk",
+    jwk,
+    { name: "RSASSA-PKCS1-v1_5", hash: { name: "SHA-256" } },
+    true,
+    [],
+  );
+
+  assert(publicKey);
+});
+
 Deno.test(async function x25519ExportJwk() {
   const keyPair = await crypto.subtle.generateKey(
     {