diff --git a/lib/internal/crypto/keys.js b/lib/internal/crypto/keys.js index 1eb4a6f7be7006..93d350e4e74320 100644 --- a/lib/internal/crypto/keys.js +++ b/lib/internal/crypto/keys.js @@ -186,14 +186,18 @@ function parseKeyEncoding(enc, keyType, isPublic, objName) { if (isPublic !== true) { ({ cipher, passphrase } = enc); - if (!isInput && cipher != null) { - if (typeof cipher !== 'string') + if (!isInput) { + if (cipher != null) { + if (typeof cipher !== 'string') + throw new ERR_INVALID_OPT_VALUE(option('cipher', objName), cipher); + if (format === kKeyFormatDER && + (type === kKeyEncodingPKCS1 || + type === kKeyEncodingSEC1)) { + throw new ERR_CRYPTO_INCOMPATIBLE_KEY_OPTIONS( + encodingNames[type], 'does not support encryption'); + } + } else if (passphrase !== undefined) { throw new ERR_INVALID_OPT_VALUE(option('cipher', objName), cipher); - if (format === kKeyFormatDER && - (type === kKeyEncodingPKCS1 || - type === kKeyEncodingSEC1)) { - throw new ERR_CRYPTO_INCOMPATIBLE_KEY_OPTIONS( - encodingNames[type], 'does not support encryption'); } } diff --git a/test/parallel/test-crypto-key-objects.js b/test/parallel/test-crypto-key-objects.js index 66ba19101aa6a8..fb35b9ae924e5a 100644 --- a/test/parallel/test-crypto-key-objects.js +++ b/test/parallel/test-crypto-key-objects.js @@ -244,3 +244,17 @@ const privateDsa = fixtures.readKey('dsa_private_encrypted_1025.pem', assert.strictEqual(privateKey.asymmetricKeyType, 'dsa'); assert.strictEqual(privateKey.symmetricKeySize, undefined); } + +{ + // Exporting an encrypted private key requires a cipher + const privateKey = createPrivateKey(privatePem); + common.expectsError(() => { + privateKey.export({ + format: 'pem', type: 'pkcs8', passphrase: 'super-secret' + }); + }, { + type: TypeError, + code: 'ERR_INVALID_OPT_VALUE', + message: 'The value "undefined" is invalid for option "cipher"' + }); +}