nodejs
diff --git a/‎test/parallel/test-webcrypto-cryptokey-brand-check.js‎
Lines changed: 120 additions & 0 deletions b/‎test/parallel/test-webcrypto-cryptokey-brand-check.js‎
Lines changed: 120 additions & 0 deletions
diff --git a/‎test/parallel/test-webcrypto-cryptokey-clone-transfer.js‎
Lines changed: 251 additions & 0 deletions b/‎test/parallel/test-webcrypto-cryptokey-clone-transfer.js‎
Lines changed: 251 additions & 0 deletions
@@ -0,0 +1,120 @@
+'use strict';
+
+// The four CryptoKey prototype getters (`type`, `extractable`,
+// `algorithm`, `usages`) are user-configurable per Web IDL, so they
+// can be invoked with an arbitrary `this`. The native callbacks that
+// implement them must brand-check their receiver and throw cleanly
+// (ERR_INVALID_THIS) rather than crashing the process or returning
+// garbage. This test exercises four progressively more hostile
+// receiver shapes, including subverting `instanceof` via
+// `Symbol.hasInstance`, to make sure the C++ brand check holds.
+//
+// It also verifies that `util.types.isCryptoKey()` cannot be fooled
+// by prototype spoofing.
+
+const common = require('../common');
+if (!common.hasCrypto)
+  common.skip('missing crypto');
+
+const assert = require('node:assert');
+const { types: { isCryptoKey } } = require('node:util');
+const { subtle } = globalThis.crypto;
+
+(async () => {
+  const key = await subtle.generateKey(
+    { name: 'HMAC', hash: 'SHA-256' },
+    true,
+    ['sign'],
+  );
+
+  const CryptoKey = key.constructor;
+
+  // Capture the underlying prototype getters once, so that subsequent
+  // tampering with `CryptoKey.prototype` cannot affect what we call.
+  const getters = {
+    type: Object.getOwnPropertyDescriptor(CryptoKey.prototype, 'type').get,
+    extractable:
+      Object.getOwnPropertyDescriptor(CryptoKey.prototype, 'extractable').get,
+    algorithm:
+      Object.getOwnPropertyDescriptor(CryptoKey.prototype, 'algorithm').get,
+    usages:
+      Object.getOwnPropertyDescriptor(CryptoKey.prototype, 'usages').get,
+  };
+
+  // Sanity: each getter works on a real CryptoKey.
+  Object.entries(getters).forEach(([name, getter]) => {
+    assert.notStrictEqual(getter.call(key), undefined, `baseline ${name}`);
+  });
+  assert.strictEqual(isCryptoKey(key), true);
+
+  const invalidThis = { code: 'ERR_INVALID_THIS', name: 'TypeError' };
+
+  // Plain object receiver.
+  Object.entries(getters).forEach(([, getter]) => {
+    assert.throws(() => getter.call({}), invalidThis);
+  });
+
+  // Null-prototype object receiver.
+  Object.entries(getters).forEach(([, getter]) => {
+    assert.throws(() => getter.call({ __proto__: null }), invalidThis);
+  });
+
+  // Primitive receiver.
+  Object.entries(getters).forEach(([, getter]) => {
+    assert.throws(() => getter.call(1), invalidThis);
+  });
+
+  // Null.
+  Object.entries(getters).forEach(([, getter]) => {
+    // eslint-disable-next-line no-useless-call
+    assert.throws(() => getter.call(null), invalidThis);
+  });
+
+  // Undefined.
+  Object.entries(getters).forEach(([, getter]) => {
+    assert.throws(() => getter.call(), invalidThis);
+  });
+
+  // Function
+  Object.entries(getters).forEach(([, getter]) => {
+    assert.throws(() => getter.call(function() {}), invalidThis);
+  });
+
+  // Prototype spoofing with InternalCryptoKey.prototype must not pass
+  // util.types.isCryptoKey().
+  const spoofed = {};
+  Object.setPrototypeOf(spoofed, Object.getPrototypeOf(key));
+  assert.strictEqual(spoofed instanceof CryptoKey, true);
+  assert.strictEqual(isCryptoKey(spoofed), false);
+
+  // Subvert `instanceof CryptoKey` via Symbol.hasInstance, then
+  // invoke the native getters on a forged object. The C++ tag
+  // check must reject the receiver even though `instanceof`
+  // reports true.
+  Object.defineProperty(CryptoKey, Symbol.hasInstance, {
+    configurable: true,
+    value: () => true,
+  });
+  const fake = { foo: 'bar' };
+  assert.strictEqual(fake instanceof CryptoKey, true);
+  assert.strictEqual(isCryptoKey(fake), false);
+  Object.entries(getters).forEach(([, getter]) => {
+    assert.throws(() => getter.call(fake), invalidThis);
+  });
+
+  // Subverted `instanceof` plus a real BaseObject of a different
+  // kind (a Buffer) as the receiver. Without the C++ tag check
+  // this would type-confuse `Unwrap<NativeCryptoKey>`.
+  const buf = Buffer.alloc(16);
+  assert.strictEqual(buf instanceof CryptoKey, true);
+  assert.strictEqual(isCryptoKey(buf), false);
+  Object.entries(getters).forEach(([, getter]) => {
+    assert.throws(() => getter.call(buf), invalidThis);
+  });
+
+  // The real CryptoKey continues to work after all of the above.
+  assert.strictEqual(getters.type.call(key), 'secret');
+  assert.strictEqual(getters.extractable.call(key), true);
+  assert.strictEqual(getters.algorithm.call(key).name, 'HMAC');
+  assert.deepStrictEqual(getters.usages.call(key), ['sign']);
+})().then(common.mustCall());
@@ -0,0 +1,251 @@
+'use strict';
+
+// Tests that CryptoKey instances can be structured-cloned (same-realm
+// via `structuredClone`, cross-realm via `MessagePort.postMessage` and
+// `Worker.postMessage`) and that the clones:
+//   1. preserve all of [[type]], [[extractable]], [[algorithm]],
+//      [[usages]] internal slots (as observed through both the public
+//      accessors and the custom util.inspect output),
+//   2. are usable in cryptographic operations (sign/verify/encrypt/
+//      decrypt/exportKey) and produce the same output as the original,
+//   3. can themselves be cloned again (round-trip), and
+//   4. work for secret, public, and private keys and for both
+//      extractable and non-extractable keys.
+
+const common = require('../common');
+if (!common.hasCrypto)
+  common.skip('missing crypto');
+
+const assert = require('node:assert');
+const { inspect } = require('node:util');
+const { once } = require('node:events');
+const { Worker, MessageChannel } = require('node:worker_threads');
+const { subtle } = globalThis.crypto;
+
+function assertSameCryptoKey(a, b) {
+  assert.notStrictEqual(a, b);
+  assert.strictEqual(a.type, b.type);
+  assert.strictEqual(a.extractable, b.extractable);
+  assert.deepStrictEqual(a.algorithm, b.algorithm);
+  assert.deepStrictEqual([...a.usages].sort(), [...b.usages].sort());
+  // util.inspect reads native internal slots directly, so a clone's
+  // rendered form must match the original's.
+  assert.strictEqual(inspect(a, { depth: 4 }), inspect(b, { depth: 4 }));
+  // assert.deepStrictEqual on CryptoKey objects goes through the
+  // dedicated isCryptoKey branch in comparisons.js; a clone must be
+  // deep-equal to its source.
+  assert.deepStrictEqual(a, b);
+}
+
+async function roundTripViaMessageChannel(key) {
+  const { port1, port2 } = new MessageChannel();
+  port1.postMessage(key);
+  const [received] = await once(port2, 'message');
+  port1.close();
+  port2.close();
+  return received;
+}
+
+async function checkHmacKey(original) {
+  const data = Buffer.from('some data to sign');
+
+  const cloned = structuredClone(original);
+  assertSameCryptoKey(original, cloned);
+
+  const viaPort = await roundTripViaMessageChannel(original);
+  assertSameCryptoKey(original, viaPort);
+
+  // Round-trip: clone a clone.
+  const clonedAgain = structuredClone(viaPort);
+  assertSameCryptoKey(original, clonedAgain);
+  const viaPortAgain = await roundTripViaMessageChannel(cloned);
+  assertSameCryptoKey(original, viaPortAgain);
+
+  // Signatures produced by every copy must match.
+  const sigs = await Promise.all(
+    [original, cloned, viaPort, clonedAgain, viaPortAgain].map(
+      (k) => subtle.sign('HMAC', k, data),
+    ),
+  );
+  for (let i = 1; i < sigs.length; i++) {
+    assert.deepStrictEqual(Buffer.from(sigs[0]), Buffer.from(sigs[i]));
+  }
+
+  // Each copy must verify a signature produced by any other copy.
+  for (const verifier of [original, cloned, viaPort, clonedAgain]) {
+    for (const sig of sigs) {
+      assert.strictEqual(
+        await subtle.verify('HMAC', verifier, sig, data), true);
+    }
+  }
+
+  // Exported JWK must match byte-for-byte when extractable.
+  if (original.extractable) {
+    const jwks = await Promise.all(
+      [original, cloned, viaPort, clonedAgain].map(
+        (k) => subtle.exportKey('jwk', k),
+      ),
+    );
+    for (let i = 1; i < jwks.length; i++) {
+      assert.deepStrictEqual(jwks[0], jwks[i]);
+    }
+  } else {
+    // Non-extractable keys must refuse export on every copy.
+    for (const k of [cloned, viaPort, clonedAgain]) {
+      await assert.rejects(subtle.exportKey('jwk', k),
+                           { name: 'InvalidAccessError' });
+    }
+  }
+}
+
+async function checkAsymmetricKeyPair({ publicKey, privateKey }) {
+  const data = Buffer.from('payload');
+
+  for (const original of [publicKey, privateKey]) {
+    const cloned = structuredClone(original);
+    assertSameCryptoKey(original, cloned);
+    const viaPort = await roundTripViaMessageChannel(original);
+    assertSameCryptoKey(original, viaPort);
+    const clonedAgain = structuredClone(viaPort);
+    assertSameCryptoKey(original, clonedAgain);
+  }
+
+  // Sign with the original private key, verify with every cloned public key.
+  const signature = await subtle.sign(
+    { name: 'ECDSA', hash: 'SHA-256' }, privateKey, data);
+  const publicClones = [
+    publicKey,
+    structuredClone(publicKey),
+    await roundTripViaMessageChannel(publicKey),
+    structuredClone(await roundTripViaMessageChannel(publicKey)),
+  ];
+  for (const pub of publicClones) {
+    assert.strictEqual(
+      await subtle.verify({ name: 'ECDSA', hash: 'SHA-256' },
+                          pub, signature, data),
+      true);
+  }
+
+  // Sign with every cloned private key, verify with the original public key.
+  const privateClones = [
+    structuredClone(privateKey),
+    await roundTripViaMessageChannel(privateKey),
+    structuredClone(await roundTripViaMessageChannel(privateKey)),
+  ];
+  for (const priv of privateClones) {
+    const sig = await subtle.sign(
+      { name: 'ECDSA', hash: 'SHA-256' }, priv, data);
+    assert.strictEqual(
+      await subtle.verify({ name: 'ECDSA', hash: 'SHA-256' },
+                          publicKey, sig, data),
+      true);
+  }
+}
+
+async function checkTransferToWorker(key) {
+  // A one-shot worker that receives a key, asserts its properties,
+  // signs with it, and echoes the key back together with the signature.
+  const worker = new Worker(`
+    'use strict';
+    const { parentPort } = require('node:worker_threads');
+    const { subtle } = globalThis.crypto;
+    parentPort.once('message', async ({ key, expected }) => {
+      try {
+        if (key.type !== expected.type ||
+            key.extractable !== expected.extractable ||
+            key.algorithm.name !== expected.algorithm.name ||
+            key.algorithm.hash?.name !== expected.algorithm.hash?.name) {
+          throw new Error('slot mismatch in worker');
+        }
+        const sig = await subtle.sign('HMAC', key, Buffer.from('wdata'));
+        // Echo the key back so the parent can verify round-trip.
+        parentPort.postMessage({ key, sig: Buffer.from(sig) });
+      } catch (err) {
+        parentPort.postMessage({ error: err.message });
+      }
+    });
+  `, { eval: true });
+
+  worker.postMessage({
+    key,
+    expected: {
+      type: key.type,
+      extractable: key.extractable,
+      algorithm: {
+        name: key.algorithm.name,
+        hash: key.algorithm.hash ? { name: key.algorithm.hash.name } : undefined,
+      },
+    },
+  });
+  const [msg] = await once(worker, 'message');
+  await worker.terminate();
+
+  assert.strictEqual(msg.error, undefined, msg.error);
+  // The key echoed back from the worker must itself be a fully-formed
+  // CryptoKey with all slots preserved.
+  assertSameCryptoKey(key, msg.key);
+  // The signature produced inside the worker must verify against the
+  // parent-side key.
+  assert.strictEqual(
+    await subtle.verify('HMAC', key, msg.sig, Buffer.from('wdata')),
+    true);
+}
+
+(async () => {
+  // Extractable HMAC (secret)
+  const hmacExtractable = await subtle.importKey(
+    'raw',
+    Buffer.from(
+      '000102030405060708090a0b0c0d0e0f' +
+      '101112131415161718191a1b1c1d1e1f', 'hex'),
+    { name: 'HMAC', hash: 'SHA-256' },
+    true,
+    ['sign', 'verify']);
+  await checkHmacKey(hmacExtractable);
+  await checkTransferToWorker(hmacExtractable);
+
+  // Non-extractable HMAC (secret)
+  const hmacNonExtractable = await subtle.generateKey(
+    { name: 'HMAC', hash: 'SHA-384' },
+    false,
+    ['sign', 'verify']);
+  await checkHmacKey(hmacNonExtractable);
+  await checkTransferToWorker(hmacNonExtractable);
+
+  // AES-GCM secret key
+  {
+    const key = await subtle.generateKey(
+      { name: 'AES-GCM', length: 256 }, true, ['encrypt', 'decrypt']);
+    const cloned = structuredClone(key);
+    assertSameCryptoKey(key, cloned);
+    const viaPort = await roundTripViaMessageChannel(key);
+    assertSameCryptoKey(key, viaPort);
+    const clonedAgain = structuredClone(viaPort);
+    assertSameCryptoKey(key, clonedAgain);
+
+    const iv = globalThis.crypto.getRandomValues(new Uint8Array(12));
+    const plaintext = Buffer.from('secret payload');
+    const ciphertext = await subtle.encrypt(
+      { name: 'AES-GCM', iv }, key, plaintext);
+    // Decrypt with every clone.
+    for (const k of [cloned, viaPort, clonedAgain]) {
+      const decrypted = await subtle.decrypt(
+        { name: 'AES-GCM', iv }, k, ciphertext);
+      assert.deepStrictEqual(Buffer.from(decrypted), plaintext);
+    }
+  }
+
+  // ECDSA keypair (public extractable, private non-extractable)
+  const ecKeypair = await subtle.generateKey(
+    { name: 'ECDSA', namedCurve: 'P-256' },
+    false,
+    ['sign', 'verify']);
+  await checkAsymmetricKeyPair(ecKeypair);
+
+  // ECDSA with extractable private key (covers the extractable-private path)
+  const ecKeypairExtractable = await subtle.generateKey(
+    { name: 'ECDSA', namedCurve: 'P-384' },
+    true,
+    ['sign', 'verify']);
+  await checkAsymmetricKeyPair(ecKeypairExtractable);
+})().then(common.mustCall());