
Commit 8f348bc

authored
crypto: reject duplicate ML-KEM JWK key_ops
Signed-off-by: Filip Skokan <[email protected]> PR-URL: #62905 Reviewed-By: Yagiz Nizipli <[email protected]> Reviewed-By: Сковорода Никита Андреевич <[email protected]>
1 parent fe7ebcc commit 8f348bc

2 files changed

Lines changed: 17 additions & 0 deletions


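--- a/lib/internal/crypto/util.js
+++ b/lib/internal/crypto/util.js
@@ -801,6 +801,10 @@ const kKeyOps = {
 unwrapKey: 6,
 deriveKey: 7,
 deriveBits: 8,
+encapsulateKey: 9,
+encapsulateBits: 10,
+decapsulateKey: 11,
+decapsulateBits: 12,
 };
 
 function validateKeyOps(keyOps, usagesSet) {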
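Review bot: `kKeyOps` carries no comment saying that a usage missing from this table is not covered by the duplicate check, which appears to be the gap this commit closes for the four ML-KEM operations. A short comment above the table, such as `// Every supported key usage needs an entry here; key_ops values without one are not checked for duplicates.`, would make that requirement visible the next time a usage is added. The body of `validateKeyOps` lies outside the hunk, so how the numeric values are consumed cannot be confirmed from here; if they are used as bit positions, the comment should also state the upper bound they must stay under.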

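--- a/test/parallel/test-webcrypto-export-import-ml-kem.js
+++ b/test/parallel/test-webcrypto-export-import-ml-kem.js
@@ -491,3 +491,16 @@ async function testImportJwk({ name, publicUsages, privateUsages }, extractable)
 });
 }
 })().then(common.mustCall());
+
+// Regression test: JWK `key_ops` validation must recognize ML-KEM operations
+// (encapsulateKey, encapsulateBits, decapsulateKey, decapsulateBits) so that
+// duplicate entries are rejected
+(async function() {
+for (const op of ['encapsulateKey', 'encapsulateBits',
+'decapsulateKey', 'decapsulateBits']) {
+const jwk = { ...keyData['ML-KEM-768'].jwk, key_ops: [op, op] };
+await assert.rejects(
+subtle.importKey('jwk', jwk, { name: 'ML-KEM-768' }, true, [op]),
+{ name: 'DataError', message: /Duplicate key operation/ });
+}
+})().then(common.mustCall());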
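Review bot: The loop reuses one fixture, `keyData['ML-KEM-768'].jwk`, for all four operations, so whichever form that JWK has (public or private, not visible here), two of the iterations probably request a usage that the key type would not otherwise accept. Those iterations then pass only if the duplicate `key_ops` check runs before usage validation, and the test does not say so. I would add a comment inside the loop, for example `// Same JWK for every op: the duplicate key_ops check is expected to fire before usage/key-type validation.`, or pick the matching public or private JWK per operation. A control case with `key_ops: [op]` that imports successfully would also show that the rejection comes from the duplicate and not from the operation name itself.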
