lib: improve Web Cryptography key validation ordering #62749

Open: panva wants to merge 4 commits into nodejs:main from panva:webcrypto-key-check-order

@panva (Member) commented Apr 15, 2026

Fixes key validation to match the Web Cryptography specification step ordering.

wrapKey / unwrapKey: Move the wrapping key algorithm name and usage checks from the shared cipherOrWrap() helper into each individual caller (encrypt, decrypt, wrapKey, unwrapKey). This ensures wrapKey validates the wrapping key (steps 9–10 of https://w3c.github.io/webcrypto/#SubtleCrypto-method-wrapKey) before attempting exportKey (step 12), producing the correct InvalidAccessError instead of a confusing NotSupportedError from the export step.

Split the previously combined algorithm + usage check across all operations (encrypt, decrypt, wrapKey, unwrapKey, sign, verify) into two distinct checks with separate error messages: "Key algorithm mismatch" when the key's algorithm does not match the requested operation, and "Unable to use this key to <op>" when the key lacks the required usage. Previously, both conditions produced the same generic message.

Signed-off-by: Filip Skokan <panva.ip@gmail.com>
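
The ordering change described above, as an added example that is not part of the pull request and is not Node.js source code. It is a simplified model: keys are plain objects standing in for CryptoKey, and `exportModel`, `checkWrappingKey`, `wrapKeyExportFirst`, `wrapKeySpecOrder` and `outcome` are hypothetical names; only the two error messages are taken from the description.

```javascript
// Simplified model of wrapKey step ordering; an illustration, not Node.js code.

// Hypothetical stand-in for exportKey (spec step 12): in this model a secret
// key can only be exported as 'raw' or 'jwk'.
function exportModel(format, key) {
  if (key.type === 'secret' && format !== 'raw' && format !== 'jwk') {
    throw new DOMException(`Unable to export key as ${format}`, 'NotSupportedError');
  }
  return `${format}:${key.algorithm.name}`; // placeholder for exported key data
}

// Spec steps 9-10 as two separate checks, with the two messages from the PR text.
function checkWrappingKey(algorithm, wrappingKey, op) {
  if (wrappingKey.algorithm.name !== algorithm.name) {
    throw new DOMException('Key algorithm mismatch', 'InvalidAccessError');
  }
  if (!wrappingKey.usages.includes(op)) {
    throw new DOMException(`Unable to use this key to ${op}`, 'InvalidAccessError');
  }
}

// Export-first ordering: the wrapping key is only validated after the export.
function wrapKeyExportFirst(format, key, wrappingKey, algorithm) {
  const data = exportModel(format, key);
  checkWrappingKey(algorithm, wrappingKey, 'wrapKey');
  return { wrappedWith: algorithm.name, data };
}

// Spec ordering: validate the wrapping key (steps 9-10), then export (step 12).
function wrapKeySpecOrder(format, key, wrappingKey, algorithm) {
  checkWrappingKey(algorithm, wrappingKey, 'wrapKey');
  const data = exportModel(format, key);
  return { wrappedWith: algorithm.name, data };
}

// Run fn and report what the caller observes: 'ok' or 'ErrorName: message'.
function outcome(fn, ...args) {
  try { fn(...args); return 'ok'; } catch (e) { return `${e.name}: ${e.message}`; }
}

// Constructed sample keys (not real CryptoKey objects).
const secret = (name, usages) => ({ type: 'secret', algorithm: { name }, usages });
const aesKey = secret('AES-GCM', ['encrypt']);
const hmacKey = secret('HMAC', ['sign']); // wrong algorithm for AES-KW wrapping
const kwUnwrapOnly = secret('AES-KW', ['unwrapKey']); // right algorithm, no wrapKey usage
const kw = { name: 'AES-KW' };
console.log(outcome(wrapKeyExportFirst, 'spki', aesKey, hmacKey, kw));
console.log(outcome(wrapKeySpecOrder, 'spki', aesKey, hmacKey, kw));
console.log(outcome(wrapKeySpecOrder, 'raw', aesKey, kwUnwrapOnly, kw));
```

With the same inputs, the export-first model reports the export failure and hides the wrapping key problem, while the spec-order model reports the wrapping key problem first.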
@panva panva added the crypto (Issues and PRs related to the crypto subsystem) and webcrypto labels Apr 15, 2026
@nodejs-github-bot (Collaborator)

Review requested:

  • @nodejs/crypto

@nodejs-github-bot nodejs-github-bot added the needs-ci PRs that need a full CI run. label Apr 15, 2026
@panva panva added the request-ci Add this label to start a Jenkins CI on a PR. label Apr 15, 2026
codecov bot commented Apr 15, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 89.69%. Comparing base (ed05549) to head (a2f2c8e).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main   #62749      +/-   ##
==========================================
- Coverage   89.69%   89.69%   -0.01%     
==========================================
  Files         706      706              
  Lines      218127   218146      +19     
  Branches    41734    41760      +26     
==========================================
+ Hits       195651   195662      +11     
- Misses      14400    14413      +13     
+ Partials     8076     8071       -5     
Files with missing lines Coverage Δ
lib/internal/crypto/webcrypto.js 96.60% <100.00%> (+0.03%) ⬆️

... and 45 files with indirect coverage changes

@aduh95 aduh95 added the author ready PRs that have at least one approval, no pending requests for changes, and a CI started. label Apr 15, 2026
@tniessen (Member) left a comment

Good catch.

@github-actions github-actions bot removed the request-ci Add this label to start a Jenkins CI on a PR. label Apr 15, 2026
@panva panva added the commit-queue Add this label to land a pull request using GitHub Actions. label Apr 15, 2026