From 48b594986dad173926c7ea6a23bb52854eb5129d Mon Sep 17 00:00:00 2001
From: hotpineapple
Date: Sun, 12 Oct 2025 11:25:17 +0900
Subject: [PATCH] crypto: implement rfc7517 recommendation print warning with unrelated key combination
---
 lib/internal/crypto/util.js | 22 ++++++++++++++++++----
 1 file changed, 18 insertions(+), 4 deletions(-)

diff --git a/lib/internal/crypto/util.js b/lib/internal/crypto/util.js
index a91a60e09c04dd..aa8ff5f809e041 100644
--- a/lib/internal/crypto/util.js
+++ b/lib/internal/crypto/util.js
@@ -16,6 +16,7 @@ const {
 ObjectKeys,
 ObjectPrototypeHasOwnProperty,
 Promise,
+ SafeSet,
 StringPrototypeToUpperCase,
 Symbol,
 TypedArrayPrototypeGetBuffer,
@@ -757,9 +758,26 @@ const kKeyOps = {
 deriveBits: 8,
 };
 
+const allowedGroups = [
+ new SafeSet(['sign', 'verify']),
+ new SafeSet(['encrypt', 'decrypt']),
+ new SafeSet(['wrapKey', 'unwrapKey']),
+];
+
 function validateKeyOps(keyOps, usagesSet) {
 if (keyOps === undefined) return;
 validateArray(keyOps, 'keyData.key_ops');
+ const keyOpsSet = new SafeSet(keyOps);
+ const isValidCombo = allowedGroups.some((group) => {
+ return [...keyOpsSet].every((op) => group.has(op));
+ });
+ if (!isValidCombo && keyOpsSet.size > 1) {
+ process.emitWarning(
+ 'Using unrelated key_ops combinations (RFC7517 section 4.3) is deprecated and will throw in a future version.',
+ 'DeprecationWarning',
+ );
+ }
+
 let flags = 0;
 for (let n = 0; n < keyOps.length; n++) {
 const op = keyOps[n];
@@ -771,10 +789,6 @@ function validateKeyOps(keyOps, usagesSet) {
 if (flags & (1 << op_flag))
 throw lazyDOMException('Duplicate key operation', 'DataError');
 flags |= (1 << op_flag);
-
- // TODO(@jasnell): RFC7517 section 4.3 strong recommends validating
- // key usage combinations. Specifically, it says that unrelated key
- // ops SHOULD NOT be used together. We're not yet validating that here.
 }
 
 if (usagesSet !== undefined) {
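Review bot: The combination check in `validateKeyOps` is computed from the raw `key_ops` array before the loop below has looked each entry up, so entries that are not known operations count toward the "unrelated" decision and the warning can be emitted for input that the `Duplicate key operation` check then rejects. Deriving the decision from `flags` once the loop has finished, as sketched below, limits it to recognised, de-duplicated operations and also removes `allowedGroups.some(...)` and `[...keyOpsSet].every(...)`, which go through patchable `Array.prototype` methods in a file that otherwise appears to take built-ins from the primordials destructure; the loop's end lies outside this hunk, and the sketch assumes `kKeyOps` has an entry for each of the six names. `allowedGroups` has no group for the derive operations that `kKeyOps` defines (`deriveBits: 8` is visible at the top of the hunk), so a key listing both derive operations would presumably warn; RFC 7517 section 4.3 names only the three pairs, so this may be intended, but it deserves a test and a line in the docs. Since `key_ops` comes from caller-supplied key data and `process.emitWarning` is called on every invocation without a deprecation code, a service importing third-party JWKs can be made to log the warning repeatedly, and with `--throw-deprecation` it probably surfaces as a thrown error; a `DEPXXXX` code (placeholder) and once-only emission would help.

```javascript
// Bit masks of the pairs RFC 7517 section 4.3 permits, built from kKeyOps.
const kRelatedKeyOpsMasks = [
  (1 << kKeyOps.sign) | (1 << kKeyOps.verify),
  (1 << kKeyOps.encrypt) | (1 << kKeyOps.decrypt),
  (1 << kKeyOps.wrapKey) | (1 << kKeyOps.unwrapKey),
];

function validateKeyOps(keyOps, usagesSet) {
  // … unchanged: undefined check, validateArray, flags loop with duplicate check …

  // `flags` now holds only recognised, de-duplicated operations.
  let isRelated = (flags & (flags - 1)) === 0;  // zero or one operation
  for (let i = 0; !isRelated && i < kRelatedKeyOpsMasks.length; i++) {
    isRelated = (flags & ~kRelatedKeyOpsMasks[i]) === 0;
  }
  if (!isRelated) {
    // … unchanged: process.emitWarning(...) call …
  }
  // … unchanged: usagesSet comparison …
```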