fix(ext/crypto) - exportKey JWK for AES/HMAC must use base64url (#13264)

Co-authored-by: Divy Srivastava <dj.srivastava23@gmail.com>
author: Sean Michael Wykes <8363933+SeanWykes@users.noreply.github.com> 2022-01-04 21:00:37 -0300
committer: GitHub <noreply@github.com> 2022-01-05 01:00:37 +0100
commit: c4a0a43ce832c85de6bb97a4afc9ecf915e63e5a (patch)
tree: c078f2dd3b0721b4ecedf63622015a189361d01c /ext/crypto
parent: 80bf2828c6398d000968d61f56f2f808a569adc2 (diff)
2 files changed, 55 insertions, 20 deletions
diff --git a/ext/crypto/00_crypto.js b/ext/crypto/00_crypto.js
index 5d216dbf4..95eb18daa 100644
--- a/ext/crypto/00_crypto.js
+++ b/ext/crypto/00_crypto.js
@@ -12,7 +12,6 @@
   const core = window.Deno.core;
   const webidl = window.__bootstrap.webidl;
   const { DOMException } = window.__bootstrap.domException;
-  const { btoa } = window.__bootstrap.base64;
 
   const {
     ArrayBuffer,
@@ -25,8 +24,6 @@
     Int32Array,
     Int8Array,
     ObjectAssign,
-    StringFromCharCode,
-    StringPrototypeReplace,
     StringPrototypeToLowerCase,
     StringPrototypeToUpperCase,
     Symbol,
@@ -175,15 +172,6 @@
     },
   };
 
-  function unpaddedBase64(bytes) {
-    let binaryString = "";
-    for (let i = 0; i < bytes.length; i++) {
-      binaryString += StringFromCharCode(bytes[i]);
-    }
-    const base64String = btoa(binaryString);
-    return StringPrototypeReplace(base64String, /=/g, "");
-  }
-
   // See https://www.w3.org/TR/WebCryptoAPI/#dfn-normalize-an-algorithm
   // 18.4.4
   function normalizeAlgorithm(algorithm, op) {
@@ -1836,16 +1824,18 @@
         return data.buffer;
       }
       case "jwk": {
-        // 1-3.
+        // 1-2.
         const jwk = {
           kty: "oct",
-          // 5.
-          ext: key[_extractable],
-          // 6.
-          "key_ops": key.usages,
-          k: unpaddedBase64(innerKey.data),
         };
 
+        // 3.
+        const data = core.opSync("op_crypto_export_key", {
+          format: "jwksecret",
+          algorithm: "AES",
+        }, innerKey);
+        ObjectAssign(jwk, data);
+
         // 4.
         const algorithm = key[_algorithm];
         switch (algorithm.length) {
@@ -1865,6 +1855,12 @@
             );
         }
 
+        // 5.
+        jwk.key_ops = key.usages;
+
+        // 6.
+        jwk.ext = key[_extractable];
+
         // 7.
         return jwk;
       }
@@ -3092,11 +3088,18 @@
         return bits.buffer;
       }
       case "jwk": {
-        // 1-3.
+        // 1-2.
         const jwk = {
           kty: "oct",
-          k: unpaddedBase64(innerKey.data),
         };
+
+        // 3.
+        const data = core.opSync("op_crypto_export_key", {
+          format: "jwksecret",
+          algorithm: key[_algorithm].name,
+        }, innerKey);
+        jwk.k = data.k;
+
         // 4.
         const algorithm = key[_algorithm];
         // 5.
diff --git a/ext/crypto/export_key.rs b/ext/crypto/export_key.rs
index 2e74d61f2..25faf1791 100644
--- a/ext/crypto/export_key.rs
+++ b/ext/crypto/export_key.rs
@@ -26,6 +26,7 @@ pub enum ExportKeyFormat {
   Spki,
   JwkPublic,
   JwkPrivate,
+  JwkSecret,
 }
 
 #[derive(Deserialize)]
@@ -37,6 +38,10 @@ pub enum ExportKeyAlgorithm {
   RsaPss {},
   #[serde(rename = "RSA-OAEP")]
   RsaOaep {},
+  #[serde(rename = "AES")]
+  Aes {},
+  #[serde(rename = "HMAC")]
+  Hmac {},
 }
 
 #[derive(Serialize)]
@@ -44,6 +49,9 @@ pub enum ExportKeyAlgorithm {
 pub enum ExportKeyResult {
   Pkcs8(ZeroCopyBuf),
   Spki(ZeroCopyBuf),
+  JwkSecret {
+    k: String,
+  },
   JwkPublicRsa {
     n: String,
     e: String,
@@ -69,6 +77,9 @@ pub fn op_crypto_export_key(
     ExportKeyAlgorithm::RsassaPkcs1v15 {}
     | ExportKeyAlgorithm::RsaPss {}
     | ExportKeyAlgorithm::RsaOaep {} => export_key_rsa(opts.format, key_data),
+    ExportKeyAlgorithm::Aes {} | ExportKeyAlgorithm::Hmac {} => {
+      export_key_symmetric(opts.format, key_data)
+    }
   }
 }
 
@@ -76,6 +87,10 @@ fn uint_to_b64(bytes: UIntBytes) -> String {
   base64::encode_config(bytes.as_bytes(), base64::URL_SAFE_NO_PAD)
 }
 
+fn bytes_to_b64(bytes: &[u8]) -> String {
+  base64::encode_config(bytes, base64::URL_SAFE_NO_PAD)
+}
+
 fn export_key_rsa(
   format: ExportKeyFormat,
   key_data: RawKeyData,
@@ -166,5 +181,22 @@ fn export_key_rsa(
         qi: uint_to_b64(private_key.coefficient),
       })
     }
+    _ => Err(unsupported_format()),
+  }
+}
+
+fn export_key_symmetric(
+  format: ExportKeyFormat,
+  key_data: RawKeyData,
+) -> Result<ExportKeyResult, deno_core::anyhow::Error> {
+  match format {
+    ExportKeyFormat::JwkSecret => {
+      let bytes = key_data.as_secret_key()?;
+
+      Ok(ExportKeyResult::JwkSecret {
+        k: bytes_to_b64(bytes),
+      })
+    }
+    _ => Err(unsupported_format()),
   }
 }
author	Sean Michael Wykes <8363933+SeanWykes@users.noreply.github.com>	2022-01-04 21:00:37 -0300
committer	GitHub <noreply@github.com>	2022-01-05 01:00:37 +0100
commit	c4a0a43ce832c85de6bb97a4afc9ecf915e63e5a (patch)
tree	c078f2dd3b0721b4ecedf63622015a189361d01c /ext/crypto
parent	80bf2828c6398d000968d61f56f2f808a569adc2 (diff)