Implement crypto.subtle.deriveKey()

[oleiade]

Implement and test the SubtleCrypto.deriveKey() function. As described in MDN, and specified in the specification

[catdevman]

@oleiade I am going to take a crack at this... I need this functionality for work so figured why not. I have never done this type of crypto work before so please be extra careful with anything that I do that might not be the for best security. I specifically need the PBKDF2 bit of this but I will do my best to write it in a way that will handle the three current algorithms.

[oleiade]

Hey @catdevman 👋🏻

I'm super happy to read you're going for it. We'd very much appreciate your (future) contribution 🎉 🙇🏻

In general, there are a couple of things to be aware of when approaching the development of this extension specifically, and maybe I can provide small tips to make your experience more enjoyable. I don't know how familiar you are with implementing specifications, so I'll assume no knowledge here.

Webcrypto Cryptography API

We base this set of implementations on the official specification of the Webcrypto Cryptography API. In your case, you will want to implement the algorithm described in the deriveKey method as described here.

Specification

The end implementation should make sure to stick to the algorithm as close as possible to the algorithm description. Sometimes, some steps might either not be possible or not relevant in the context of k6. When that is the case, I'd recommend adding a comment with the step number indicating why we don't do it so that the next person looking at it doesn't need to lose time figuring out why the code they are looking at is different from the steps.

Web Platform Tests

The whole implementation aims to pass as many Web Platform Tests (note that 👈🏻 points to a specific version of the test suite) as possible for the web crypto module implementation.

As you can see in the webcrypto/tests folder, we currently approach it by copying the files from the Web Platform Tests webcrypto set of test files, adapting them, and making as much of the existing (relevant) tests pass. In my experience, you'll be much faster in this specific context if you approach the development in a test-driven approach. We have been generally porting the algorithm to code without spending too much time on making it perfect and then actively working towards making the tests for it pass. As you will likely notice, the tests contain much more details on the expected behavior of the implementation than the specification.

In general, I would recommend to mimic what is already there, and ask away whenever something is missing, unclear or confusing (lots of complexity in this project, it's expected to be confused).

Libraries

We aim to stick to the golang standard library as much as possible, but wherever that's not possible we find it acceptable (on a case by case basis) to resort to the most maintained and mainstream library implementing a feature we need.

---

We'll happily support you through the implementation, just feel free to ask us anything here, or in a dedicated PR. We've been actively working on this module and passing Web Platform tests in general, and we'll be happy to help 🙇🏻