grafana · catdevman · Jul 10, 2024 · Jul 10, 2024 · Jul 10, 2024 · Jul 10, 2024
@@ -181,7 +181,7 @@ func (aip *AESImportParams) ImportKey(
 ) (*CryptoKey, error) {
 	for _, usage := range keyUsages {
 		switch usage {
-		case EncryptCryptoKeyUsage, DecryptCryptoKeyUsage, WrapKeyCryptoKeyUsage, UnwrapKeyCryptoKeyUsage:
+		case EncryptCryptoKeyUsage, DecryptCryptoKeyUsage, WrapKeyCryptoKeyUsage, UnwrapKeyCryptoKeyUsage, DeriveKeyCryptoKeyUsage, DeriveBitsCryptoKeyUsage:
 			continue
 		default:
 			return nil, NewError(SyntaxError, "invalid key usage: "+usage)

@@ -51,6 +51,15 @@ const (
 
 	// ECDH represents the ECDH algorithm.
 	ECDH = "ECDH"
+
+	// HKDF represents the HKDF algoithm.
+	HKDF = "HKDF"
+
+	// PBKDF2 represents the PBKDF2 algoithm.
+	PBKDF2 = "PBKDF2"
+
+	// X25519 represents the X25519 algoithm.
+	X25519 = "X25519"
 )
 
 // HashAlgorithmIdentifier represents the name of a hash algorithm.
@@ -115,6 +124,9 @@ const (
 
 	// OperationIdentifierDigest represents the digest operation.
 	OperationIdentifierDigest OperationIdentifier = "digest"
+
+	// OperationGetKeyLength represents the get key length operation.
+	OperationGetKeyLength OperationIdentifier = "get key length"
 )
 
 // normalizeAlgorithm normalizes the given algorithm following the
@@ -151,7 +163,7 @@ func normalizeAlgorithm(rt *sobek.Runtime, v sobek.Value, op AlgorithmIdentifier
 	algorithm.Name = strings.ToUpper(algorithm.Name)
 
 	if !isRegisteredAlgorithm(algorithm.Name, op) {
-		return Algorithm{}, NewError(NotSupportedError, "unsupported algorithm: "+algorithm.Name)
+		return Algorithm{}, NewError(NotSupportedError, "unsupported algorithm: "+algorithm.Name+" for operation: "+op)
 	}
 
 	return algorithm, nil
@@ -173,11 +185,17 @@ func isRegisteredAlgorithm(algorithmName string, forOperation string) bool {
 			algorithmName == HMAC ||
 			isEllipticCurve(algorithmName)
 	case OperationIdentifierExportKey, OperationIdentifierImportKey:
-		return isAesAlgorithm(algorithmName) || algorithmName == HMAC || isEllipticCurve(algorithmName)
+		return isRSAAlgorithm(algorithmName) || isAesAlgorithm(algorithmName) || algorithmName == HMAC || isEllipticCurve(algorithmName) || algorithmName == PBKDF2 || algorithmName == HKDF
 	case OperationIdentifierEncrypt, OperationIdentifierDecrypt:
 		return isAesAlgorithm(algorithmName)
 	case OperationIdentifierSign, OperationIdentifierVerify:
 		return algorithmName == HMAC || algorithmName == ECDSA
+	case OperationIdentifierDeriveKey:
+		return algorithmName == ECDH || algorithmName == HKDF || algorithmName == PBKDF2
+	case OperationGetKeyLength:
+		return isAesAlgorithm(algorithmName)
+	case OperationIdentifierDeriveBits:
+		return algorithmName == ECDH || algorithmName == HKDF || algorithmName == PBKDF2 || algorithmName == X25519
 	default:
 		return false
 	}
@@ -191,6 +209,11 @@ func isHashAlgorithm(algorithmName string) bool {
 	return algorithmName == SHA1 || algorithmName == SHA256 || algorithmName == SHA384 || algorithmName == SHA512
 }
 
+func isRSAAlgorithm(algorithmName string) bool {
+	//TODO: make constants for these
+	return algorithmName == "RSASSA-PKCS1-v1_5" || algorithmName == "RSA-PSS" || algorithmName == "RSA-OAEP"
+}
+
 // hasAlg an internal interface that helps us to identify
 // if a given object has an algorithm method.
 type hasAlg interface {

@@ -3,8 +3,11 @@ package webcrypto
 type bitsDeriver func(CryptoKey, CryptoKey) ([]byte, error)
 
 func newBitsDeriver(algName string) (bitsDeriver, error) {
-	if algName == ECDH {
+	switch algName {
+	case ECDH:
 		return deriveBitsECDH, nil
+	case PBKDF2:
+		return deriveBitsPBKDF2, nil
 	}
 
 	return nil, NewError(NotSupportedError, "unsupported algorithm for derive bits: "+algName)

@@ -0,0 +1,12 @@
+package webcrypto
+
+import "github.com/grafana/sobek"
+
+func newECDHDeriveParams(rt *sobek.Runtime, normalized Algorithm, params sobek.Value) (*ECDHKeyDeriveParams, error) {
+	//TODO: add implmentation
+	return nil, nil
+}
+
+func (e *ECDHKeyDeriveParams) DeriveKey() (CryptoKeyGenerationResult, error){
+	return nil, nil
+}
@@ -495,6 +495,14 @@ func deriveBitsECDH(privateKey CryptoKey, publicKey CryptoKey) ([]byte, error) {
 	return pk.ECDH(pc)
 }
 
+func deriveBitsHKDF() ([]byte, error) {
+	return nil, nil
+}
+
+func deriveBitsPBKDF2(privateKey, publicKey CryptoKey) ([]byte, error) {
+	return nil, nil
+}
+
 // The ECDSAParams represents the object that should be passed as the algorithm
 // parameter into `SubtleCrypto.Sign` or `SubtleCrypto.Verify“ when using the
 // ECDSA algorithm.

@@ -0,0 +1,12 @@
+package webcrypto
+
+import "github.com/grafana/sobek"
+
+func newHKDFKeyDeriveParams(rt *sobek.Runtime, normalized Algorithm, params sobek.Value) (*HKDFParams, error) {
+	//TODO: add implmentation
+	return nil, nil
+}
+
+func (h HKDFParams) DeriveKey() (CryptoKeyGenerationResult, error){
+	return nil, nil
+}
@@ -216,6 +216,8 @@ func newKeyImporter(rt *sobek.Runtime, normalized Algorithm, params sobek.Value)
 		ki, err = newHMACImportParams(rt, normalized, params)
 	case ECDH, ECDSA:
 		ki, err = newEcKeyImportParams(rt, normalized, params)
+	case PBKDF2:
+		ki, err = newPBKDF2KeyImportParams(rt, normalized, params)
 	default:
 		return nil, errors.New("key import not implemented for algorithm " + normalized.Name)
 	}

@@ -56,12 +56,23 @@ type HMACSignatureParams struct {
 	Name AlgorithmIdentifier
 }
 
+// ECDHKeyDeriveParams represents the object that should be passed as the algorithm
+// parameter into `SubtleCrypto.DeriveKey`, when using the ECDHKeyDerive algorithm.
+type ECDHKeyDeriveParams struct {
+	// Name should be set to AlgorithmKindECDH
+	Name AlgorithmIdentifier
+
+	// Public shoudl set the PublicKey part of a CryptoKeyPair
+	Public *CryptoKey
+}
+
 // PBKDF2Params represents the object that should be passed as the algorithm
 // parameter into `SubtleCrypto.DeriveKey`, when using the PBKDF2 algorithm.
 type PBKDF2Params struct {
 	// Name should be set to AlgorithmKindPbkdf2.
 	Name AlgorithmIdentifier
 
+	//TODO: This really needs fixed before I can call deriveKey DONE
 	// FIXME: should also include SHA-1, unfortunately
 	// Hash identifies the name of the digest algorithm to use.
 	// You can use any of the following:

@@ -0,0 +1,74 @@
+package webcrypto
+
+import "github.com/grafana/sobek"
+
+func newPBKDF2KeyDeriveParams(rt *sobek.Runtime, normalized Algorithm, params sobek.Value) (*PBKDF2Params, error) {
+	//TODO: add implmentation
+	hashValue, err := traverseObject(rt, params, "hash")
+	if err != nil {
+		return nil, NewError(SyntaxError, "could not get hash from algorithm parameter")
+	}
+
+	normalizedHash, err := normalizeAlgorithm(rt, hashValue, OperationIdentifierDeriveKey)
+	if err != nil {
+
+		return nil, err
+	}
+	return &PBKDF2Params{
+		Name: normalized.Name,
+		Hash: normalizedHash.Name,
+		Salt: []byte{},
+	}, nil
+}
+
+func (p PBKDF2Params) DeriveKey() (CryptoKeyGenerationResult, error) {
+	return nil, nil
+}
+
+// EcKeyImportParams represents the object that should be passed as the algorithm parameter
+// into `SubtleCrypto.ImportKey` or `SubtleCrypto.UnwrapKey`, when generating any elliptic-curve-based
+// key pair: that is, when the algorithm is identified as either of ECDSA or ECDH.
+type PBKDF2KeyImportParams struct {
+	Algorithm
+}
+
+func newPBKDF2KeyImportParams(rt *sobek.Runtime, normalized Algorithm, params sobek.Value) (*PBKDF2KeyImportParams, error) {
+
+	return &PBKDF2KeyImportParams{
+		Algorithm: normalized,
+	}, nil
+}
+
+func (keyParams PBKDF2KeyImportParams) ImportKey(format KeyFormat, keyData []byte, keyUsages []CryptoKeyUsage) (*CryptoKey, error) {
+	for _, usage := range keyUsages {
+		switch usage {
+		case EncryptCryptoKeyUsage, DecryptCryptoKeyUsage, WrapKeyCryptoKeyUsage, UnwrapKeyCryptoKeyUsage, DeriveBitsCryptoKeyUsage, DeriveKeyCryptoKeyUsage:
+			continue
+		default:
+			return nil, NewError(SyntaxError, "invalid key usage: "+usage)
+		}
+	}
+	return &CryptoKey{
+		Algorithm: PBKDF2KeyAlgorithm{
+			Algorithm: keyParams.Algorithm,
+		},
+		Type:   SecretCryptoKeyType,
+		handle: keyData,
+	}, nil
+}
+
+// Ensure that EcKeyImportParams implements the KeyImporter interface.
+var _ KeyImporter = &PBKDF2KeyImportParams{}
+
+// PBKDF2KeyAlgorithm is the algorithm for PBKDF2 keys as defined in the [specification].
+//
+// [specification]: https://www.w3.org/TR/WebCryptoAPI/#dfn-PBKDF2KeyAlgorithm //TODO: update this to something real
+type PBKDF2KeyAlgorithm struct {
+	Algorithm
+}
+
+var _ hasAlg = (*PBKDF2KeyAlgorithm)(nil)
+
+func (aka PBKDF2KeyAlgorithm) alg() string {
+	return aka.Name
+}
@@ -564,6 +564,24 @@ func (sc *SubtleCrypto) GenerateKey(
 	return promise
 }
 
+// [x] Let algorithm, baseKey, derivedKeyType, extractable and usages be the algorithm, baseKey, derivedKeyType, extractable and keyUsages parameters passed to the deriveKey method, respectively.
+// [x] Let normalizedAlgorithm be the result of normalizing an algorithm, with alg set to algorithm and op set to "deriveBits".
+// [x] If an error occurred, return a Promise rejected with normalizedAlgorithm.
+// [x] Let normalizedDerivedKeyAlgorithmImport be the result of normalizing an algorithm, with alg set to derivedKeyType and op set to "importKey".
+// [x] If an error occurred, return a Promise rejected with normalizedDerivedKeyAlgorithmImport.
+// [x] Let normalizedDerivedKeyAlgorithmLength be the result of normalizing an algorithm, with alg set to derivedKeyType and op set to "get key length".
+// [x] If an error occurred, return a Promise rejected with normalizedDerivedKeyAlgorithmLength.
+// [x] Let promise be a new Promise.
+// [x] Return promise and asynchronously perform the remaining steps.
+// [x] If the following steps or referenced procedures say to throw an error, reject promise with the returned error and then terminate the algorithm.
+// [ ] If the name member of normalizedAlgorithm is not equal to the name attribute of the [[algorithm]] internal slot of baseKey then throw an InvalidAccessError.
+// [ ] If the [[usages]] internal slot of baseKey does not contain an entry that is "deriveKey", then throw an InvalidAccessError.
+// [ ] Let length be the result of performing the get key length algorithm specified by normalizedDerivedKeyAlgorithmLength using derivedKeyType.
+// [ ] Let secret be the result of performing the derive bits operation specified by normalizedAlgorithm using key, algorithm and length.
+// [ ] Let result be the result of performing the import key operation specified by normalizedDerivedKeyAlgorithmImport using "raw" as format, secret as keyData, derivedKeyType as algorithm and using extractable and usages.
+// [ ] If the [[type]] internal slot of result is "secret" or "private" and usages is empty, then throw a SyntaxError.
+// [ ] Resolve promise with result.
+
 // DeriveKey can be used to derive a secret key from a master key.
 //
 // It takes as arguments some initial key material, the derivation
@@ -587,25 +605,84 @@ func (sc *SubtleCrypto) GenerateKey(
 // function: for example, for PBKDF2 it might be a password, imported as a `SubtleCrypto.CryptoKey`
 // using `SubtleCrypto.ImportKey`.
 //
-// The `derivedKeyAlgorithm` parameter should be one of:
+// The `derivedKeyType` parameter should be one of:
 //   - an `SubtleCrypto.HMACKeyGenParams` object
 //   - For AES-CTR, AES-CBC, AES-GCM, AES-KW: pass an `SubtleCrypto.AESKeyGenParams`
 //
 // The `extractable` parameter indicates whether it will be possible to export the key
 // using `SubtleCrypto.ExportKey` or `SubtleCrypto.WrapKey`.
 //
 // The `keyUsages` parameter is an array of strings indicating what the key can be used for.
-//
-//nolint:revive // remove the nolint directive when the method is implemented
 func (sc *SubtleCrypto) DeriveKey(
 	algorithm sobek.Value,
 	baseKey sobek.Value,
-	derivedKeyAlgorithm sobek.Value,
+	derivedKeyType sobek.Value,
 	extractable bool,
 	keyUsages []CryptoKeyUsage,
 ) *sobek.Promise {
-	// TODO: implementation
-	return nil
+	rt := sc.vu.Runtime()
+	var normalizedAlgorithm, normalizedDerivedKeyAlgorithmImport, normalizedDerivedKeyAlgorithmLength Algorithm
+	var err error
+	var bk CryptoKey
+	err = func() error {
+		normalizedAlgorithm, err = normalizeAlgorithm(rt, algorithm, OperationIdentifierDeriveBits)
+		if err != nil {
+			return err
+		}
+		normalizedDerivedKeyAlgorithmImport, err = normalizeAlgorithm(rt, derivedKeyType, OperationIdentifierImportKey)
+		if err != nil {
+			return err
+		}
+		normalizedDerivedKeyAlgorithmLength, err = normalizeAlgorithm(rt, derivedKeyType, OperationGetKeyLength)
+		if err != nil {
+			return err
+		}
+		return nil
+	}()
+
+	promise, resolve, reject := rt.NewPromise()
+	if err != nil {
+		reject(err)
+		return promise
+	}
+
+	callback := sc.vu.RegisterCallback()
+	go func() {
+		result, err := func() (CryptoKeyGenerationResult, error) {
+			//TODO: remove this when checks are all in, here to elminiate no use check
+			if normalizedAlgorithm.Name == "WHAT" && normalizedDerivedKeyAlgorithmImport.Name == "IS" && normalizedDerivedKeyAlgorithmLength.Name == "THIS" {
+			}
+			if err = rt.ExportTo(baseKey, &bk); err != nil {
+				return nil, NewError(TypeError, "baseKey is not good")
+			}
+			baseKeyAlgorithmNameValue, err := traverseObject(rt, baseKey.ToObject(rt), "algorithm", "name")
+			if err != nil {
+				return nil, err
+			}
+
+			if normalizedAlgorithm.Name != baseKeyAlgorithmNameValue.String() {
+				return nil, NewError(InvalidAccessError, "Key algorithm mismatch")
+			}
+
+			if !bk.ContainsUsage(DeriveKeyCryptoKeyUsage) {
+				return nil, NewError(InvalidAccessError, "baseKey does not have deriveKey usage")
+			}
+
+			return nil, nil
+		}()
+
+		callback(func() error {
+			if err != nil {
+				reject(err)
+				return nil //nolint:nilerr // we return nil to indicate that the error was handled
+			}
+
+			resolve(result)
+			return nil
+		})
+	}()
+
+	return promise
 }
 
 // DeriveBits derives an array of bits from a base key.

@@ -212,6 +212,20 @@ func TestSubtleCryptoDeriveBitsKeys(t *testing.T) {
 
 		assert.NoError(t, gotErr)
 	})
+	t.Run("pbkdf2", func(t *testing.T) {
+		t.Parallel()
+
+		ts := newConfiguredRuntime(t)
+
+		gotErr := ts.EventLoop.Start(func() error {
+			err := executeTestScripts(ts.VU.Runtime(), "./tests/derive_bits_keys", "pbkdf2_vectors.js", "pbkdf2.js")
+
+			return err
+		})
+
+		assert.NoError(t, gotErr)
+	})
+
 }
 
 func executeTestScripts(rt *sobek.Runtime, base string, scripts ...string) error {