From 018f61cb4f6e2145d3d6ba072b652334ad93c128 Mon Sep 17 00:00:00 2001
From: Filip Skokan
Date: Tue, 14 Jun 2022 16:26:28 +0200
Subject: [PATCH] crypto: fix webcrypto AES-KW keys accepting encrypt/decrypt usages
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
PR-URL: https://github.com/nodejs/node/pull/43431
Reviewed-By: Tobias Nießen
Reviewed-By: James M Snell
Reviewed-By: Antoine du Hamel
---
lib/internal/crypto/aes.js | 10 +++++++---
test/parallel/test-webcrypto-keygen.js | 18 ++++++++++--------
2 files changed, 17 insertions(+), 11 deletions(-)
diff --git a/lib/internal/crypto/aes.js b/lib/internal/crypto/aes.js
index 2c74a49139a70a..324662e1f8b1b4 100644
--- a/lib/internal/crypto/aes.js
+++ b/lib/internal/crypto/aes.js
@@ -230,13 +230,17 @@ async function aesGenerateKey(algorithm, extractable, keyUsages) {
  validateInteger(length, 'algorithm.length');
  validateOneOf(length, 'algorithm.length', kAesKeyLengths);
 
- const usageSet = new SafeSet(keyUsages);
+ const checkUsages = ['wrapKey', 'unwrapKey'];
+ if (name !== 'AES-KW')
+ ArrayPrototypePush(checkUsages, 'encrypt', 'decrypt');
 
- if (hasAnyNotIn(usageSet, ['encrypt', 'decrypt', 'wrapKey', 'unwrapKey'])) {
+ const usagesSet = new SafeSet(keyUsages);
+ if (hasAnyNotIn(usagesSet, checkUsages)) {
  throw lazyDOMException(
  'Unsupported key usage for an AES key',
  'SyntaxError');
  }
+
  return new Promise((resolve, reject) => {
  generateKey('aes', { length }, (err, key) => {
  if (err) {
@@ -249,7 +253,7 @@ async function aesGenerateKey(algorithm, extractable, keyUsages) {
  resolve(new InternalCryptoKey(
  key,
  { name, length },
- ArrayFrom(usageSet),
+ ArrayFrom(usagesSet),
  extractable));
  });
  });
diff --git a/test/parallel/test-webcrypto-keygen.js b/test/parallel/test-webcrypto-keygen.js
index 948c755a9114bc..c3429af99e66a7 100644
--- a/test/parallel/test-webcrypto-keygen.js
+++ b/test/parallel/test-webcrypto-keygen.js
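Review bot: In the first hunk of lib/internal/crypto/aes.js, the new guard `if (name !== 'AES-KW')` is an exact, case-sensitive comparison on a `name` that is bound above the hunk, so the usage restriction holds only if the algorithm name has been normalized before aesGenerateKey runs; that normalization is not visible here and should be confirmed. A one-line comment above `checkUsages` would record the intent, e.g. `// AES-KW is key-wrapping only: allow wrapKey/unwrapKey, never encrypt/decrypt.` The hunk covers key generation only, so if the import path in this file builds its own usage allow-list, it is worth checking that it applies the same restriction. aesGenerateKey's body starts and ends outside the hunk.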
@@ -211,14 +211,16 @@ const vectors = {
  if (!vectors[name].usages.includes(usage))
  invalidUsages.push(usage);
  });
- return assert.rejects(
- subtle.generateKey(
- {
- name, ...vectors[name].algorithm
- },
- true,
- invalidUsages),
- { message: /Unsupported key usage/ });
+ for (const invalidUsage of invalidUsages) {
+ await assert.rejects(
+ subtle.generateKey(
+ {
+ name, ...vectors[name].algorithm
+ },
+ true,
+ [...vectors[name].usages, invalidUsage]),
+ { message: /Unsupported key usage/ });
+ }
  }
 
  const tests = Object.keys(vectors).map(test);
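Review bot: The rejection check in the new loop matches only on `message`, so a different error type carrying similar text would still satisfy it. Pinning the error name as well, `{ name: 'SyntaxError', message: /Unsupported key usage/ }`, would tie the test to the DOMException that aes.js raises, assuming the other key types in `vectors` reject with the same name. The loop also relies on `await`, so the enclosing test function, which begins outside this hunk, has to be declared `async`.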