crypto: fix JWK RSA-PSS SubtleCrypto.exportKey

[panva]

Allows JWK export from WebCryptoAPI whilst keeping the restriction on KeyObject.prototype.export()

Refs #39805

[panva]

cc @nodejs/crypto

[nodejs-github-bot]

CI: https://ci.nodejs.org/job/node-test-pull-request/39612/

[nodejs-github-bot]

CI: https://ci.nodejs.org/job/node-test-pull-request/39616/

[tniessen]

Does this intentionally drop RSA-PSS parameters? That seems to be in violation of the Web Crypto API spec (RSA-PSS "Export Key" operation), and it also seems wrong to remove parameters from a key. If crypto does that (#39805 (comment)), then that's probably a bug in crypto.

[tniessen]

Making my concerns explicit.

[panva]

Does this intentionally drop RSA-PSS parameters? That seems to be in violation of the Web Crypto API spec (RSA-PSS "Export Key" operation), and it also seems wrong to remove parameters from a key. If crypto does that (#39805 (comment)), then that's probably a bug in crypto.

@tniessen You've got it backwards - this explicitly allows the JWK export only in Web Crypto API because the CryptoKey instance is already tied to a single Algorithm that represents the digest and use/value of RSA-PSS parameters. WebCryptoAPI exports the "alg" in addition to the key material here in accordance with the Web Cryptography API specification RSA-PSS > Export Key > JWK. The WebCrypto API does not drop anything.

However, because KeyObject does not have that strong tie between its instance and digest and RSA-PSS parameters (and it therefore does not export any "alg" value) we continue to not allow rsa-pss key export as JWK from KeyObject.prototype.export(). This was not allowed ever since its first added in #37081 and it is why this fix is only applied to WebCrypto where it is as per its spec accompanied by an "alg".

[panva]

This is actually fixing a regression introduced in #39319

[tniessen]

You've got it backwards - this explicitly allows the JWK export only in Web Crypto API because the CryptoKey instance is already tied to a single Algorithm that represents the digest and use/value of RSA-PSS parameters.

Ah, so the import function ensures that the alg matches the PSS params when importing non-JWK / node.KeyObject? So a PKCS#8 → JWK conversion through Web Crypto always preserves the correct params that were included with the PKCS#8 structure?

[tniessen]

Could you add assertions about the returned JWK then? In particular, that it preserves the hash function?

[panva]

done.

[panva]

Ah, so the import function ensures that the alg matches the PSS params when importing non-JWK / node.KeyObject? So a PKCS#8 → JWK conversion through Web Crypto always preserves the correct params that were included with the PKCS#8 structure?

Since we have no way of checking the PSS Params (as you know) it does not. You can end up with CryptoKey that does have a different algorithm than the underlying key material. Such key will however fail to be used with both sign and verify. I would say that is a different bug in the Web Crypto API implementation that we should think about how to fix - i.e. how to add RSA-PSS params to keyObject.asymmetricKeyDetails() so that these import checks can be performed.

[tniessen]

I trust your judgement on this, @panva. If this is a regression fix and only affects WebCrypto, not Node.js crypto, and is spec compliant, it should be fine.

[nodejs-github-bot]

CI: https://ci.nodejs.org/job/node-test-pull-request/39622/ 💚

[jasnell]

Landed in 4441c3e