Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

crypto: fix webcrypto derive(Bits|Key) resolve values and docs #38148

Closed
wants to merge 1 commit into from
Closed

crypto: fix webcrypto derive(Bits|Key) resolve values and docs #38148

wants to merge 1 commit into from

Conversation

panva
Copy link
Member

@panva panva commented Apr 8, 2021
edited
Loading

Couple of issues discovered in #38115 addressed by this PR

  • PBKDF2 deriveBits resolve value type
  • NODE-SCRYPT deriveBits resolve value type
  • docs: subtle.deriveKey resolve value type
  • docs: ### Deriving bits and keys example does not work with deriveBits
  • test: assert deriveBits resolve with ArrayBuffer

ad resolve value types see SubtleCrypto interface definition.

@nodejs-github-bot nodejs-github-bot added crypto Issues and PRs related to the crypto subsystem. needs-ci PRs that need a full CI run. labels Apr 8, 2021
@panva panva mentioned this pull request Apr 8, 2021
Closed
@panva panva requested review from jasnell and tniessen April 8, 2021 08:48
@nodejs-github-bot

This comment has been minimized.

Sign in to view
@panva panva added doc Issues and PRs related to the documentations. webcrypto and removed needs-ci PRs that need a full CI run. labels Apr 8, 2021
@nodejs-github-bot
Copy link
Collaborator

CI: https://ci.nodejs.org/job/node-test-pull-request/37286/

tniessen
tniessen approved these changes Apr 8, 2021
View reviewed changes
lib/internal/crypto/pbkdf2.js
@@ -122,7 +122,7 @@ async function pbkdf2DeriveBits(algorithm, baseKey, length) {
return new Promise((resolve, reject) => {
pbkdf2(raw, salt, iterations, byteLength, hash, (err, result) => {
if (err) return reject(err);
resolve(result);
resolve(result.buffer);
Copy link
Member

@tniessen tniessen Apr 8, 2021
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Technically, pbkdf2 is only required to give us a Buffer, which does not necessarily have the same byte length as the backing ArrayBuffer:

> Buffer.from([1, 2, 3]).buffer.byteLength
8192
> crypto.randomFillSync(Buffer.allocUnsafe(1024)).buffer.byteLength
8192

That's one of many reasons why WebCrypto doesn't align well with Node.js. However, we know that the implementation of PBKDF2 always returns a Buffer that has the same byteLength as the backing ArrayBuffer. And, hopefully, tests will catch it if that ever changes.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, i've checked that they do. Alternatively we can do new Uint8Array(result).buffer

> const foo = Buffer.from('foo')
> foo.buffer.byteLength
8192
> new Uint8Array(foo).buffer
ArrayBuffer { [Uint8Contents]: <66 6f 6f>, byteLength: 3 }

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think these would be places where adding assertions about matching lengths and byteOffsets might make sense :)

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Alternatively we can do new Uint8Array(result).buffer

That would create an unnecessary copy of sensitive data (the result of PBKDF2 is considered secret). And yes, I realize that arguing about memory safety is moot in JavaScript :)

@panva panva added the author ready PRs that have at least one approval, no pending requests for changes, and a CI started. label Apr 8, 2021
panva added a commit that referenced this pull request Apr 12, 2021
@panva
crypto: fix webcrypto derive(Bits|Key) resolve values and docs
896dc39 
fixes #38115

PR-URL: #38148
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: James M Snell <jasnell@gmail.com>
@panva
Copy link
Member Author

panva commented Apr 12, 2021

Landed in 896dc39

@panva panva closed this Apr 12, 2021
@panva panva deleted the fix-38115 branch April 12, 2021 21:28
BethGriggs pushed a commit that referenced this pull request Apr 15, 2021
@panva @BethGriggs
crypto: fix webcrypto derive(Bits|Key) resolve values and docs
4323865 
fixes #38115

PR-URL: #38148
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: James M Snell <jasnell@gmail.com>
@BethGriggs BethGriggs mentioned this pull request Apr 16, 2021
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tniessen tniessen tniessen approved these changes

@addaleax addaleax addaleax left review comments

@jasnell jasnell jasnell approved these changes

Assignees
No one assigned
Labels
author ready PRs that have at least one approval, no pending requests for changes, and a CI started. crypto Issues and PRs related to the crypto subsystem. doc Issues and PRs related to the documentations. webcrypto
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@panva @nodejs-github-bot @jasnell @addaleax @tniessen @targos