[njs] WebCrypto: fixed extractable handling for crypto.subtle.deriveKey().

noreply at nginx.com noreply at nginx.com
Thu May 8 16:31:02 UTC 2025


details:   https://github.com/nginx/njs/commit/37b4c07719e12363f33de8a591a7a61815122c91
branches:  master
commit:    37b4c07719e12363f33de8a591a7a61815122c91
user:      Dmitry Volyntsev <xeioex at nginx.com>
date:      Wed, 7 May 2025 20:49:21 -0700
description:
WebCrypto: fixed extractable handling for crypto.subtle.deriveKey().


---
 external/njs_webcrypto_module.c | 1 +
 external/qjs_webcrypto_module.c | 1 +
 test/webcrypto/derive.t.mjs     | 8 +++++++-
 3 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/external/njs_webcrypto_module.c b/external/njs_webcrypto_module.c
index 6f4b49e1..dcca91ce 100644
--- a/external/njs_webcrypto_module.c
+++ b/external/njs_webcrypto_module.c
@@ -1722,6 +1722,7 @@ free:
             }
         }
 
+        dkey->extractable = njs_value_bool(njs_arg(args, nargs, 4));
         dkey->u.s.raw.start = k;
         dkey->u.s.raw.length = length;
 
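Review bot: The added `dkey->extractable = njs_value_bool(njs_arg(args, nargs, 4));` sits inside a nested block after the `free:` label, so the hunk does not show whether every path that produces a derived key reaches it; the enclosing function starts and ends outside the hunk. If `dkey` is allocated before that branch, assigning the flag next to the allocation would keep any path from returning a key whose `extractable` field still holds its initial value. The index is 4 here and 3 in the qjs port, presumably because `args[0]` holds `this`; a one-line comment such as `/* args[4]: the "extractable" argument of deriveKey() */` would make that explicit. The same placement question applies to the matching hunk in external/qjs_webcrypto_module.c.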
diff --git a/external/qjs_webcrypto_module.c b/external/qjs_webcrypto_module.c
index 29aea329..937f96c3 100644
--- a/external/qjs_webcrypto_module.c
+++ b/external/qjs_webcrypto_module.c
@@ -1948,6 +1948,7 @@ free:
             }
         }
 
+        dkey->extractable = JS_ToBool(cx, argv[3]);
         dkey->u.s.raw.start = k;
         dkey->u.s.raw.length = length;
 
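Review bot: `argv[3]` is read without a visible argument-count check, whereas the njs port goes through `njs_arg(args, nargs, 4)`, which yields undefined when the argument is missing. The direct index is only safe if the function is registered with a declared length of at least 4, so that QuickJS pads `argv` with undefined; that registration is outside the hunk, so it should be confirmed or the read guarded by the function's argument count. `JS_ToBool()` also returns -1 for an exception value; that should not occur for a plain argument, but a short comment saying so would help, since the result is stored directly in the flag that decides whether key material may leave the module.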
diff --git a/test/webcrypto/derive.t.mjs b/test/webcrypto/derive.t.mjs
index 4d865da3..e9a2aac1 100644
--- a/test/webcrypto/derive.t.mjs
+++ b/test/webcrypto/derive.t.mjs
@@ -22,7 +22,11 @@ async function test(params) {
     if (params.derive === "key") {
         let key = await crypto.subtle.deriveKey(params.algorithm, keyMaterial,
                                                 params.derivedAlgorithm,
-                                                true, params.usage);
+                                                params.extractable, params.usage);
+
+        if (key.extractable !== params.extractable) {
+            throw Error(`${params.algorithm.name} failed extractable ${params.extractable} vs ${key.extractable}`);
+        }
 
         if (has_usage(params.usage, "encrypt")) {
             r = await crypto.subtle.encrypt(params.derivedAlgorithm, key,
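Review bot: The new check after `deriveKey()` only compares the `key.extractable` property with the requested value; it does not assert that exporting a key derived with `extractable: false` is rejected. That rejection is the property the flag exists to enforce, and a regression where the flag reads correctly but export still succeeds would pass this test. A second check that attempts `crypto.subtle.exportKey()` on the non-extractable key and fails the test if it resolves would cover it. The body of `test()` continues outside the hunk.

```javascript
        if (key.extractable !== params.extractable) {
            // … unchanged: throw on extractable mismatch …
        }

        if (!params.extractable) {
            let exported = false;

            try {
                await crypto.subtle.exportKey("raw", key);
                exported = true;
            } catch (e) {
                // rejection is the expected outcome for a non-extractable key
            }

            if (exported) {
                throw Error(`${params.algorithm.name} exported a non-extractable key`);
            }
        }
```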
@@ -81,11 +85,13 @@ let derive_tsuite = {
           length: 256,
           iv: "55667788556677885566778855667788"
         },
+        extractable: true,
         usage: [ "encrypt", "decrypt" ]
     },
 
     tests: [
         { expected: "e7b55c9f9fda69b87648585f76c58109174aaa400cfa" },
+        { extractable: false, expected: "e7b55c9f9fda69b87648585f76c58109174aaa400cfa" },
         { pass: "pass2", expected: "e87d1787f2807ea0e1f7e1cb265b23004c575cf2ad7e" },
         { algorithm: { iterations: 10000 }, expected: "5add0059931ed1db1ca24c26dbe4de5719c43ed18a54" },
         { algorithm: { hash: "SHA-512" }, expected: "544d64e5e246fdd2ba290ea932b2d80ef411c76139f4" },

