Add jwk.crv validation

src/error.ts

@@ -44,6 +44,7 @@ export enum ErrorCode {
     INVALID_KEY_WRONG_ALG,
     INVALID_KEY_WRONG_USE,
     INVALID_KEY_WRONG_KID,
+    INVALID_KEY_WRONG_CRV,
     INVALID_KEY_SCHEMA,
     INVALID_KEY_PRIVATE,
     INVALID_KEY_X5C,
@@ -74,6 +75,7 @@ export const ExcludableErrors: ExcludableError[] = [
     new ExcludableError('invalid-key-wrong-alg', [ErrorCode.INVALID_KEY_WRONG_ALG]),
     new ExcludableError('invalid-key-wrong-use', [ErrorCode.INVALID_KEY_WRONG_USE]),
     new ExcludableError('invalid-key-wrong-kid', [ErrorCode.INVALID_KEY_WRONG_KID]),
+    new ExcludableError('invalid-key-wrong-crv', [ErrorCode.INVALID_KEY_WRONG_CRV]),
     new ExcludableError('invalid-key-schema', [ErrorCode.INVALID_KEY_SCHEMA]),
     new ExcludableError('not-yet-valid', [ErrorCode.NOT_YET_VALID]),
     new ExcludableError('fhir-schema-error', [ErrorCode.FHIR_SCHEMA_ERROR]),

src/generate-test-data.ts

@@ -36,7 +36,7 @@ void generateAndStoreKey('valid_key.json', { kty: 'EC', size: 'P-256', props: {
 void generateAndStoreKey('private_key.json', { kty: 'EC', size: 'P-256', props: { alg: 'ES256', crv: 'P-256', use: 'sig' }}, 1, true);
 void generateAndStoreKey('valid_keys.json', { kty: 'EC', size: 'P-256', props: { alg: 'ES256', crv: 'P-256', use: 'sig' } }, 3);
 void generateAndStoreKey('wrong_kid_key.json', { kty: 'EC', size: 'P-256', props: { alg: 'ES256', crv: 'P-256', use: 'sig', kid: 'ThisIsNotTheThumbprintOfTheKey' } });
-void generateAndStoreKey('wrong_curve_key.json', { kty: 'EC', size: 'P-384', props: { alg: 'ES384', crv: 'P-384', use: 'sig' } });
+void generateAndStoreKey('wrong_curve_key.json', { kty: 'EC', size: 'P-384', props: { alg: 'ES256', crv: 'P-384', use: 'sig' } });
 void generateAndStoreKey('wrong_use_key.json', { kty: 'EC', size: 'P-256', props: { alg: 'ES256', crv: 'P-256', use: 'enc' } });
 void generateAndStoreKey('wrong_alg_key.json', { kty: 'EC', size: 'P-256', props: { alg: 'ES256K', crv: 'P-256', use: 'sig' } });
 void generateAndStoreKey('wrong_kty_key.json', { kty: 'RSA', size: 2048 });

src/shcKeyValidator.ts

@@ -237,8 +237,11 @@ export async function verifyAndImportHealthCardIssuerKey(keySet: KeySet, log = n
             }
         }
 
+        let addKey : JWK.Key;
         try {
-            key = await keys.add(key, issuerURL);
+            // Note: keys.add() returns a key that no longer has a .crv property - so the .crv test below was failing
+            // We assign this key to its own variable and do the key property checks on the original key variable below
+            addKey = await keys.add(key, issuerURL);
         } catch (error) {
             return log.error('Error adding key to keyStore : ' + (error as Error).message, ErrorCode.INVALID_KEY_UNKNOWN);
         }
@@ -248,12 +251,12 @@ export async function verifyAndImportHealthCardIssuerKey(keySet: KeySet, log = n
             log.error(keyName + ': ' + "'kid' missing in issuer key", ErrorCode.INVALID_KEY_SCHEMA);
         } else {
 
-            await key.thumbprint('SHA-256')
+            await addKey.thumbprint('SHA-256')
                 .then(tpDigest => {
                     const thumbprint = jose.util.base64url.encode(tpDigest);
-                    if (key.kid !== thumbprint) {
+                    if (addKey.kid !== thumbprint) {
                         log.error(keyName + ': ' + "'kid' does not match thumbprint in issuer key. expected: "
-                            + thumbprint + ", actual: " + key.kid, ErrorCode.INVALID_KEY_WRONG_KID);
+                            + thumbprint + ", actual: " + addKey.kid, ErrorCode.INVALID_KEY_WRONG_KID);
                     }
                 })
                 .catch(err => {
@@ -281,6 +284,13 @@ export async function verifyAndImportHealthCardIssuerKey(keySet: KeySet, log = n
         } else if (key.use !== 'sig') {
             log.warn(keyName + ': ' + "wrong usage in issuer key. expected: 'sig', actual: " + key.use, ErrorCode.INVALID_KEY_WRONG_USE);
         }
+
+        // check that curve is 'P-256'
+        if (!key.crv) {
+            log.error(keyName + ': ' + "'crv' missing in issuer key", ErrorCode.INVALID_KEY_SCHEMA);
+        } else if (key.crv !== 'P-256') {
+            log.warn(keyName + ': ' + "wrong curve in issuer key. expected: 'P-256', actual: " + key.crv, ErrorCode.INVALID_KEY_WRONG_CRV);
+        }
     }
 
     return log;

tests/keys.test.ts

@@ -41,7 +41,7 @@ test("Keys: wrong key identifier (kid)", async () => {
 });
 
 test("Keys: wrong elliptic curve", async () => {
-    expect(await testKey('wrong_curve_key.json')).toContain(ErrorCode.INVALID_KEY_WRONG_ALG);
+    expect(await testKey('wrong_curve_key.json')).toContain(ErrorCode.INVALID_KEY_WRONG_CRV);
 });
 
 test("Keys: wrong key use (use)", async () => {