crypto: reject inherited key type names

JonathanLopes404 · web-flow · commit 800f5828dce6 · 2026-04-23T17:20:28.000Z
Use an own-property check when dispatching generateKeyPair's NID-only algorithm table Fixes: #62874 Signed-off-by: Jonathan Lopes <jonathan15989@protonmail.com> PR-URL: #62875 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Filip Skokan <panva.ip@gmail.com>
diff --git a/lib/internal/crypto/keygen.js b/lib/internal/crypto/keygen.js
@@ -181,6 +181,7 @@ function parseKeyEncoding(keyType, options = kEmptyObject) {
 }
 
 const nidOnlyKeyPairs = {
+  '__proto__': null,
   'ed25519': EVP_PKEY_ED25519,
   'ed448': EVP_PKEY_ED448,
   'x25519': EVP_PKEY_X25519,
diff --git a/test/parallel/test-crypto-keygen.js b/test/parallel/test-crypto-keygen.js
@@ -55,6 +55,20 @@ const { hasOpenSSL3 } = require('../common/crypto');
     code: 'ERR_INVALID_ARG_VALUE',
     message: "The argument 'type' must be a supported key type. Received 'rsa2'"
   });
+
+  for (const type of ['toString', 'constructor']) {
+    assert.throws(() => generateKeyPairSync(type, {}), {
+      name: 'TypeError',
+      code: 'ERR_INVALID_ARG_VALUE',
+      message: `The argument 'type' must be a supported key type. Received '${type}'`
+    });
+
+    assert.throws(() => generateKeyPair(type, {}, common.mustNotCall()), {
+      name: 'TypeError',
+      code: 'ERR_INVALID_ARG_VALUE',
+      message: `The argument 'type' must be a supported key type. Received '${type}'`
+    });
+  }
 }
 
 {

Original file line number	Diff line number	Diff line change
`@@ -181,6 +181,7 @@ function parseKeyEncoding(keyType, options = kEmptyObject) {`
`181`	`181`	`}`
`182`	`182`
`183`	`183`	`const nidOnlyKeyPairs = {`
	`184`	`+ '__proto__': null,`
`184`	`185`	`'ed25519': EVP_PKEY_ED25519,`
`185`	`186`	`'ed448': EVP_PKEY_ED448,`
`186`	`187`	`'x25519': EVP_PKEY_X25519,`