crypto: support non-byte WebCrypto lengths #63988
Open
panva wants to merge 1 commit into
Add shared bit-length helpers for WebCrypto operations that accept bit sequences whose length is not byte-aligned. Use the helpers for cSHAKE output, ECDH-derived bits, HMAC/KMAC key generation/import/derivation, and KMAC sign/verify output. Preserve the requested bit length in CryptoKey algorithm metadata while storing and exporting rounded-up byte material with unused low bits cleared. Keep byte-multiple validation for algorithms whose specs require it.
Signed-off-by: Filip Skokan <panva.ip@gmail.com>
Align Node.js WebCrypto bit-length handling with the specs by accepting non-byte lengths where the algorithms operate on bit sequences, while preserving byte-multiple rejection where the specs require it.
The WebCrypto spec defines a byte sequence containing a bit sequence by zero-padding to the minimal whole-byte length. HMAC key generation/import/export are specified in bits: `HmacKeyGenParams.length`, `HmacImportParams.length`, and `HmacKeyAlgorithm.length` are key lengths in bits, generated keys use that bit length, imports use the first requested bits, and export returns a byte sequence containing the raw key bits:
The same bit-sequence conversion applies to non-byte `deriveBits()` output for ECDH and X25519, and to X448 in Secure Curves:
Modern Algorithms specifies cSHAKE and KMAC output lengths in bits. cSHAKE passes `outputLength` as the NIST SP 800-185 `L` parameter and returns a byte sequence containing the result. KMAC similarly uses bit-based key lengths and bit-based MAC output lengths:
This adds shared JS and C++ helpers for rounding bit lengths up to bytes and clearing unused low bits in the final byte. It uses them for cSHAKE output, ECDH/X25519/X448 derived bits, HMAC/KMAC key generation/import/derivation, and KMAC sign/verify.
`CryptoKey.algorithm.length` now preserves the requested non-byte bit length for generated, imported, and derived HMAC/KMAC keys. Raw/JWK export still serializes whole bytes with unused low bits cleared; raw/JWK round-trips preserve non-byte precision only when the unwrap/import algorithm supplies the explicit bit length.
Byte-multiple validation is intentionally kept for algorithms whose specs require it, including HKDF, PBKDF2, Argon2, TurboSHAKE, and KangarooTwelve:
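The rounding and masking described above, as an added example that is not code from this pull request or from Node.js: a plain-JavaScript model in which `bytesForBits`, `truncateToBits`, `importRaw` and `exportRaw` are hypothetical names, bits are assumed to be counted most significant first, and the sample keys are constructed. It shows that raw keys differing only in the cleared bits store identical material, and that a raw round-trip keeps a 12-bit length only when the length is supplied again.

```javascript
// Number of whole bytes needed to hold `bitLength` bits (rounded up).
function bytesForBits(bitLength) {
  if (!Number.isInteger(bitLength) || bitLength < 0) {
    throw new RangeError('bitLength must be a non-negative integer');
  }
  return Math.ceil(bitLength / 8);
}

// Keep the first `bitLength` bits of a Uint8Array (assumption: MSB first) and
// return a copy rounded up to whole bytes, with the unused low bits of the
// final byte cleared.
function truncateToBits(bytes, bitLength) {
  const byteLength = bytesForBits(bitLength);
  if (byteLength > bytes.length) {
    throw new RangeError('not enough input for the requested bit length');
  }
  const out = Uint8Array.from(bytes.subarray(0, byteLength));
  const used = bitLength % 8; // bits occupied in the final byte, 0 = all 8
  if (used !== 0) {
    out[byteLength - 1] &= (0xff << (8 - used)) & 0xff;
  }
  return out;
}

// Hypothetical key model: bit-length metadata plus the stored byte material.
// Without an explicit bit length, the length defaults to the whole input.
function importRaw(bytes, bitLength = bytes.length * 8) {
  return { length: bitLength, material: truncateToBits(bytes, bitLength) };
}

// Export always yields whole bytes; the bit length itself is not serialized.
function exportRaw(key) {
  return Uint8Array.from(key.material);
}

const toHex = (u8) =>
  Array.from(u8, (b) => b.toString(16).padStart(2, '0')).join('');

// Constructed sample input: two raw keys that differ only below bit 12.
const keyA = importRaw(Uint8Array.of(0xab, 0xcd), 12);
const keyB = importRaw(Uint8Array.of(0xab, 0xc2), 12);
console.log(toHex(keyA.material), toHex(keyB.material)); // same material
console.log(importRaw(exportRaw(keyA)).length);          // length not preserved
console.log(importRaw(exportRaw(keyA), 12).length);      // length preserved
```
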