Derive Key

examples/derive_key/derive-key-pbkdf2.js

@@ -0,0 +1,7 @@
+import { crypto } from "k6/x/webcrypto";
+
+export default async function () {
+  const key = await crypto.subtle.deriveKey();
+
+  console.log(JSON.stringify(key));
+}

webcrypto/algorithm.go

@@ -51,6 +51,12 @@ const (
 
 	// ECDH represents the ECDH algorithm.
 	ECDH = "ECDH"
+
+	// HKDF represents the HKDF algoithm.
+	HKDF = "HKDF"
+
+	// PBKDF2 represents the PBKDF2 algoithm.
+	PBKDF2 = "PBKDF2"
 )
 
 // HashAlgorithmIdentifier represents the name of a hash algorithm.
@@ -115,6 +121,9 @@ const (
 
 	// OperationIdentifierDigest represents the digest operation.
 	OperationIdentifierDigest OperationIdentifier = "digest"
+
+	// OperationGetKeyLength represents the get key length operation.
+	OperationGetKeyLength OperationIdentifier = "getKeyLength"
 )
 
 // normalizeAlgorithm normalizes the given algorithm following the
@@ -178,6 +187,8 @@ func isRegisteredAlgorithm(algorithmName string, forOperation string) bool {
 		return isAesAlgorithm(algorithmName)
 	case OperationIdentifierSign, OperationIdentifierVerify:
 		return algorithmName == HMAC || algorithmName == ECDSA
+	case OperationIdentifierDeriveBits, OperationGetKeyLength:
+		return algorithmName == ECDH || algorithmName == HKDF || algorithmName == PBKDF2
 	default:
 		return false
 	}

webcrypto/ecdh.go

@@ -0,0 +1,12 @@
+package webcrypto
+
+import "github.com/grafana/sobek"
+
+func newECDHDeriveParams(rt *sobek.Runtime, normalized Algorithm, params sobek.Value) (*ECDHKeyDeriveParams, error) {
+	//TODO: add implmentation
+	return nil, nil
+}
+
+func (e *ECDHKeyDeriveParams) DeriveKey() (CryptoKeyGenerationResult, error){
+	return nil, nil
+}

webcrypto/elliptic_curve.go

@@ -495,6 +495,14 @@ func deriveBitsECDH(privateKey CryptoKey, publicKey CryptoKey) ([]byte, error) {
 	return pk.ECDH(pc)
 }
 
+func deriveBitsHKDF() ([]byte, error) {
+	return nil, nil
+}
+
+func deriveBitsPBKDF2() ([]byte, error) {
+	return nil, nil
+}
+
 // The ECDSAParams represents the object that should be passed as the algorithm
 // parameter into `SubtleCrypto.Sign` or `SubtleCrypto.Verify“ when using the
 // ECDSA algorithm.

webcrypto/hkdf.go

@@ -0,0 +1,12 @@
+package webcrypto
+
+import "github.com/grafana/sobek"
+
+func newHKDFKeyDeriveParams(rt *sobek.Runtime, normalized Algorithm, params sobek.Value) (*HKDFParams, error) {
+	//TODO: add implmentation
+	return nil, nil
+}
+
+func (h HKDFParams) DeriveKey() (CryptoKeyGenerationResult, error){
+	return nil, nil
+}

webcrypto/params.go

@@ -56,12 +56,23 @@ type HMACSignatureParams struct {
 	Name AlgorithmIdentifier
 }
 
+// ECDHKeyDeriveParams represents the object that should be passed as the algorithm
+// parameter into `SubtleCrypto.DeriveKey`, when using the ECDHKeyDerive algorithm.
+type ECDHKeyDeriveParams struct {
+	// Name should be set to AlgorithmKindECDH
+	Name AlgorithmIdentifier
+
+	// Public shoudl set the PublicKey part of a CryptoKeyPair
+	Public *CryptoKey
+}
+
 // PBKDF2Params represents the object that should be passed as the algorithm
 // parameter into `SubtleCrypto.DeriveKey`, when using the PBKDF2 algorithm.
 type PBKDF2Params struct {
 	// Name should be set to AlgorithmKindPbkdf2.
 	Name AlgorithmIdentifier
 
+	//TODO: This really needs fixed before I can call deriveKey DONE
 	// FIXME: should also include SHA-1, unfortunately
 	// Hash identifies the name of the digest algorithm to use.
 	// You can use any of the following:

webcrypto/pbkdf2.go

@@ -0,0 +1,26 @@
+package webcrypto
+
+import "github.com/grafana/sobek"
+
+func newPBKDF2KeyDeriveParams(rt *sobek.Runtime, normalized Algorithm, params sobek.Value) (*PBKDF2Params, error) {
+	//TODO: add implmentation
+	hashValue, err := traverseObject(rt, params, "hash")
+	if err != nil {
+		return nil, NewError(SyntaxError, "could not get hash from algorithm parameter")
+	}
+
+	normalizedHash, err := normalizeAlgorithm(rt, hashValue, OperationIdentifierDeriveKey)
+	if err != nil {
+
+		return nil, err
+	}
+	return &PBKDF2Params{
+		Name: normalized.Name,
+		Hash: normalizedHash.Name,
+		Salt: []byte{},
+	}, nil
+}
+
+func (p PBKDF2Params) DeriveKey() (CryptoKeyGenerationResult, error){
+	return nil, nil
+}

webcrypto/subtle_crypto.go

@@ -564,6 +564,24 @@
 	return promise
 }
 
+// [x] Let algorithm, baseKey, derivedKeyType, extractable and usages be the algorithm, baseKey, derivedKeyType, extractable and keyUsages parameters passed to the deriveKey method, respectively.
+// [x] Let normalizedAlgorithm be the result of normalizing an algorithm, with alg set to algorithm and op set to "deriveBits".
+// [x] If an error occurred, return a Promise rejected with normalizedAlgorithm.
+// [x] Let normalizedDerivedKeyAlgorithmImport be the result of normalizing an algorithm, with alg set to derivedKeyType and op set to "importKey".
+// [x] If an error occurred, return a Promise rejected with normalizedDerivedKeyAlgorithmImport.
+// [x] Let normalizedDerivedKeyAlgorithmLength be the result of normalizing an algorithm, with alg set to derivedKeyType and op set to "get key length".
+// [x] If an error occurred, return a Promise rejected with normalizedDerivedKeyAlgorithmLength.
+// [x] Let promise be a new Promise.
+// [x] Return promise and asynchronously perform the remaining steps.
+// [x] If the following steps or referenced procedures say to throw an error, reject promise with the returned error and then terminate the algorithm.
+// [ ] If the name member of normalizedAlgorithm is not equal to the name attribute of the [[algorithm]] internal slot of baseKey then throw an InvalidAccessError.
+// [ ] If the [[usages]] internal slot of baseKey does not contain an entry that is "deriveKey", then throw an InvalidAccessError.
+// [ ] Let length be the result of performing the get key length algorithm specified by normalizedDerivedKeyAlgorithmLength using derivedKeyType.
+// [ ] Let secret be the result of performing the derive bits operation specified by normalizedAlgorithm using key, algorithm and length.
+// [ ] Let result be the result of performing the import key operation specified by normalizedDerivedKeyAlgorithmImport using "raw" as format, secret as keyData, derivedKeyType as algorithm and using extractable and usages.
+// [ ] If the [[type]] internal slot of result is "secret" or "private" and usages is empty, then throw a SyntaxError.
+// [ ] Resolve promise with result.
+
 // DeriveKey can be used to derive a secret key from a master key.
 //
 // It takes as arguments some initial key material, the derivation
@@ -587,25 +605,80 @@
 // function: for example, for PBKDF2 it might be a password, imported as a `SubtleCrypto.CryptoKey`
 // using `SubtleCrypto.ImportKey`.
 //
-// The `derivedKeyAlgorithm` parameter should be one of:
+// The `derivedKeyType` parameter should be one of:
 //   - an `SubtleCrypto.HMACKeyGenParams` object
 //   - For AES-CTR, AES-CBC, AES-GCM, AES-KW: pass an `SubtleCrypto.AESKeyGenParams`
 //
 // The `extractable` parameter indicates whether it will be possible to export the key
 // using `SubtleCrypto.ExportKey` or `SubtleCrypto.WrapKey`.
 //
 // The `keyUsages` parameter is an array of strings indicating what the key can be used for.
-//
-//nolint:revive // remove the nolint directive when the method is implemented
 func (sc *SubtleCrypto) DeriveKey(
 	algorithm sobek.Value,
 	baseKey sobek.Value,
-	derivedKeyAlgorithm sobek.Value,
+	derivedKeyType sobek.Value,
 	extractable bool,
 	keyUsages []CryptoKeyUsage,
 ) *sobek.Promise {
-	// TODO: implementation
-	return nil
+	rt := sc.vu.Runtime()
+	var normalizedAlgorithm, normalizedDerivedKeyAlgorithmImport, normalizedDerivedKeyAlgorithmLength Algorithm
+	var bk CryptoKey
+	err := func() error {
+		normalizedAlgorithm, err := normalizeAlgorithm(rt, algorithm, OperationIdentifierDeriveBits)
+		if err != nil {
+			return err
+		}
+		normalizedDerivedKeyAlgorithmImport, err := normalizeAlgorithm(rt, derivedKeyType, OperationIdentifierImportKey)
+		if err != nil {
+			return err
+		}
+		normalizedDerivedKeyAlgorithmLength, err := normalizeAlgorithm(rt, derivedKeyType, OperationGetKeyLength)
+		if err != nil {
+			return err
+		}
+		return nil
+	}()
+
+	promise, resolve, reject := rt.NewPromise()
+	if err != nil {
+		reject(err)
+		return promise
+	}
+
+	callback := sc.vu.RegisterCallback()
+	go func() {
+		result, err := func() (CryptoKeyGenerationResult, error) {
+			if err = rt.ExportTo(baseKey, &bk); err != nil {
+				return nil, NewError(TypeError, "baseKey is not good")
+			}
+			baseKeyAlgorithmNameValue, err := traverseObject(rt, baseKey.ToObject(rt), "algorithm", "name")
+			if err != nil {
+				return nil, err
+			}
+
+			if normalizedAlgorithm.Name != baseKeyAlgorithmNameValue.String() {
+				return nil, NewError(InvalidAccessError, "Key algorithm mismatch")
+			}
+
+			if !bk.ContainsUsage(DeriveKeyCryptoKeyUsage) {
+				return nil, NewError(InvalidAccessError, "baseKey does not have deriveKey usage")
+			}
+
+			return nil, nil
+		}()
+
+		callback(func() error {
+			if err != nil {
+				reject(err)
+				return nil //nolint:nilerr // we return nil to indicate that the error was handled
+			}
+
+			resolve(result)
+			return nil
+		})
+	}()
+
+	return promise
 }
 
 // DeriveBits derives an array of bits from a base key.

webcrypto/tests/cmd_run_test.go

@@ -62,6 +62,7 @@ func TestExamplesInputOutput(t *testing.T) {
 		"../../examples/randomUUID.js",
 		"../../examples/generateKey",
 		"../../examples/derive_bits",
+		"../../examples/derive_key",
 		"../../examples/encrypt_decrypt",
 		"../../examples/sign_verify",
 		"../../examples/import_export",