crypto: pass all WebCryptoAPI WPTs

[panva]

I'm not expecting to land this PR as-is but i'm seeking feedback from @nodejs/crypto namely @tniessen and @jasnell on the end state which this currently reflects.

Overall the question is - is passing all relevant WebCryptoAPI WPT worth the ❗ items?

• update WebCryptoAPI WPT
• OperationError for generateKey() AES key length validation
• NotSupportedError for generateKey() and importKey() EC key namedCurve validation
• OperationError for HKDF deriveBits() length being null
• ❗ support for zero-length secret KeyObject
• OperationError for PBKDF2 deriveBits() iterations being 0
• OperationError for PBKDF2 deriveBits() length being null
• OperationError for when async crypto jobs fail for operation specific reasons
• ❗ workaround for openssl EVP_PKEY_derive HKDF not playing nice with zero-length IKM
• WPT global.location polyfill so that wpt/common/subset-tests.js execute

The C++ linter fails due to variable-length array use and I'd like suggestions for the C++ changes anyway.

I would still break this down into more individual commits. Or PRs if that's what the ask will be.

[nodejs-github-bot]

Review requested:

• @nodejs/crypto

[bnoordhuis]

Some drive-by comments. I'm surprised WPT expects zero-sized keys to do something meaningful.

[panva]

@nodejs/testing how can I increase the test timeout for test.wpt/test-webcrypto? The new vectors and the fact we execute them all seems to have pushed it over the 2m edge on some configurations as well as github CI.

[panva]

@nodejs/testing please take a look at my previous question #43656 (comment)

[Trott]

@panva Is the issue with the timeout set in tools/test.py or is this some other timeout?

node/tools/test.py

Lines 945 to 949 in 3aec7da

	def GetTimeout(self, mode, section=''):
	timeout = self.timeout * TIMEOUT_SCALEFACTOR[ARCH_GUESS or 'ia32'][mode]
	if section == 'pummel' or section == 'benchmark':
	timeout = timeout * 6
	return timeout

If that's the timeout you are referring to, you can perhaps do something similar to what was done for pummel and benchmark tests.

[panva]

@panva Is the issue with the timeout set in tools/test.py or is this some other timeout?

node/tools/test.py

Lines 945 to 949 in 3aec7da

	def GetTimeout(self, mode, section=''):
	timeout = self.timeout * TIMEOUT_SCALEFACTOR[ARCH_GUESS or 'ia32'][mode]
	if section == 'pummel' or section == 'benchmark':
	timeout = timeout * 6
	return timeout

If that's the timeout you are referring to, you can perhaps do something similar to what was done for pummel and benchmark tests.

Thank you @Trott, I've just pushed an inclusion of wpt in the same condition to see if it'll help or if it times out for some other reason.

[panva]

@Trott the timeout change has definitely helped on most configurations, and github CI, but node-test-commit-freebsd failed the same way two times in a row, the webcrypto job is not even logged

[panva]

@Trott Similar to FreeBSD before, the node-test-commit-arm-debug build times out after 5 minutes.

[nodejs-github-bot]

CI: https://ci.nodejs.org/job/node-test-pull-request/45600/

[Trott]

@Trott Similar to FreeBSD before, the node-test-commit-arm-debug build times out after 5 minutes.

@panva I've increased the timeout to 12 minutes. nodejs/build#3001

I didn't do it before resuming the build 5 minutes ago, though, so if that build fails, use Resume Build on it and it should run again with the 12-minute limit instead.

[nodejs-github-bot]

CI: https://ci.nodejs.org/job/node-test-pull-request/45601/

[tniessen]

This is really great work.

[tniessen]

❗ support for zero-length secret KeyObject

I am not happy about this, but I also don't see a way around it.

❗ workaround for openssl EVP_PKEY_derive HKDF not playing nice with zero-length IKM

It might be worth considering allowing this only through Web Crypto, not through node crypto. On the other hand, it seems to go through createSecretKey in both cases, so that might not be pretty.

I really don't like supporting things that OpenSSL does not support, but at least it's somewhat simple here.

[tniessen]

We might need to verify that no other uses of KeyObjectData (and related structures) assume that the stored pointer is not nullptr. Otherwise, we might end up with aborts/crashes if someone constructs 0-length keys and uses them with other APIs.

[panva]

Why is a zero length buffer key data treated as a nullptr? I would like to keep the check here but I don't understand the C++ keyobject implementation enough.

[tniessen]

It might be because malloc(len) for len = 0 is allowed to return a nullptr. The standard only requires the returned pointer to be valid for len bytes, which nullptr fulfills when len = 0.

[panva]

Do you have a suggestion that would allow us to keep this check?

[tniessen]

Does a non-zero-length key work with a 0-length salt?

[panva]

Yes.

[panva]

https://datatracker.ietf.org/doc/html/rfc5869#section-2.2

[tniessen]

I know it's allowed, I am just wondering if OpenSSL implements it that way. The RFC's statement if not provided could be interpreted as "if the user does not call EVP_PKEY_CTX_set1_hkdf_salt".

Now I am confused as to whether an empty salt is the same as passing no salt in our current implementation.

[panva]

Our implementation does not allow to omit passing salt, we require the argument, albeit we allow it to be zero-length.

[panva]

Does a non-zero-length key work with a 0-length salt?

that's also covered by a passing wpt btw

[panva]

❗ support for zero-length secret KeyObject

I am not happy about this, but I also don't see a way around it.

❗ workaround for openssl EVP_PKEY_derive HKDF not playing nice with zero-length IKM

It might be worth considering allowing this only through Web Crypto, not through node crypto. On the other hand, it seems to go through createSecretKey in both cases, so that might not be pretty.

My thought process was exactly the same. I know we're missing 0-length tests for every single operation we accept a SecretKeyObject in.

I really don't like supporting things that OpenSSL does not support, but at least it's somewhat simple here.

OpenSSL does support it, but this fix did not get extended to the particular API we use. I would happily use the new API but it's only available in 3 and we still have to support 1.

[nodejs-github-bot]

CI: https://ci.nodejs.org/job/node-test-pull-request/45620/

[tniessen]

Could you add a brief comment to the beginning of the else branch to explain why it exists for future readers?

If we accept that this branch must exist (until we fully drop OpenSSL 1.1.1), then we should probably either

• remove the other branch that uses EVP_PKEY_HKDEF_MODE_EXTRACT_AND_EXPAND and pass the key to HMAC in this new branch (that should be equivalent as far as I can tell), or
• add a TODO comment saying to remove this branch once we have dropped OpenSSL 1.1.1.

The first option would give us improved coverage because all HMAC operations would go through it.

[panva]

Could you add a brief comment to the beginning of the else branch to explain why it exists for future readers?

Sure.

If we accept that this branch must exist (until we fully drop OpenSSL 1.1.1), then we should probably either

• remove the other branch that uses EVP_PKEY_HKDEF_MODE_EXTRACT_AND_EXPAND and pass the key to HMAC in this new branch (that should be equivalent as far as I can tell)

I think that can be done as a follow-up, I am not up for such challenge myself.

• add a TODO comment saying to remove this branch once we have dropped OpenSSL 1.1.1.

You mean to change the implementation to use EVP_KDF-HKDF when 1.1.1 is dropped?

[tniessen]

If you want to reject when the worker emits an error event, you could also use
await events.once(worker, 'exit').

That being said, it looks like the caller never awaits the returned Promise (e.g., in test-webcrypto.js). What is the point in creating the Promise here if the caller does not await it?

[panva]

The point is to process the queue one by one. This has helped stabilize CI, especially the keygen tests that easily bogged the hosts down minutes at a time.

[panva]

If you want to reject when the worker emits an error event, you could also use await events.once(worker, 'exit').

Rejecting would skip running the rest of the queue. So maybe this?

await Promise.allSettled([events.once(worker, 'exit')])

or

await events.once(worker, 'exit').catch(() => {})

[panva]

Now on the matter of eventually landing this. I propose to commit-queue-rebase Add this label to allow the Commit Queue to land a PR in several commits. to land the PR in several commits. Also semver-minor PRs that contain new features and should be released in the next minor version. and leave a note to releasers that only some of the commits are minor, the rest are patch.

• crypto: fix webcrypto generateKey() AES key length validation error - crypto: fix webcrypto generateKey() AES key length validation error #44170
• crypto: fix webcrypto generateKey() and importKey() EC key namedCurve validation error - crypto: fix webcrypto EC key namedCurve validation errors #44172
• crypto: fix webcrypto HKDF deriveBits() null length validation error - crypto: fix webcrypto deriveBits validations #44173
• crypto: fix webcrypto PBKDF2 deriveBits() null length validation error - crypto: fix webcrypto deriveBits validations #44173
• crypto: fix webcrypto PBKDF2 deriveBits() 0 iterations validation error - crypto: fix webcrypto deriveBits validations #44173
• crypto: fix webcrypto operation errors to be OperationError - crypto: fix webcrypto operation errors to be OperationError #44171
• semver-minor PRs that contain new features and should be released in the next minor version. crypto: allow zero-length secret KeyObject - crypto: allow zero-length secrets and IKM in HKDF (and in webcrypto PBKDF2) #44201
• semver-minor PRs that contain new features and should be released in the next minor version. crypto: allow zero-length IKM in HKDF - crypto: allow zero-length secrets and IKM in HKDF (and in webcrypto PBKDF2) #44201
• test,crypto: update WebCryptoAPI WPT - TBD

WDYT?

[panva]

I will pick this up again and break down to individual PRs after #43455 when every new WPT fixing PR will visibly show how many tests it fixes.

[panva]

Split up into #44170, #44171, #44172, #44173, and #44201. Pulling updated WPT will be done after they land to avoid unnecessary conflicts.