Bug 1822947 [wpt PR 37063] - Initial implementation of the X25519 algorithm, a=testonly

Automatic update from web-platform-tests Initial implementation of the X25519 algorithm This CL implements the DeriveBits and import/export operations for the X25519 algorithms (spki, pkcs, raw and jwk). Additionally, it adds the new algorithm in the registry and implements its normalization, which is quite simple due to the lack of parameters. The feature is implemented behind the WebCryptoCurve25519 runtime flag for now. See the intent-to-prototype request [1] for details. [1] https://groups.google.com/a/chromium.org/g/blink-dev/c/n0uKIqfypW0/m/xu5UBbaBAwAJ Bug: 1370697 Change-Id: Ibad2a728a5b25b40c130e4da270747104ae056ab Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4016576 Reviewed-by: Jeremy Roman <jbroman@chromium.org> Reviewed-by: Daniel Cheng <dcheng@chromium.org> Reviewed-by: David Benjamin <davidben@chromium.org> Commit-Queue: Javier Fernandez <jfernandez@igalia.com> Cr-Commit-Position: refs/heads/main@{#1118402} -- wpt-commits: 1406b5c0d07b5e8dd08e328c451e42c23f3b96c8 wpt-pr: 37063
2023-03-20 20:15:27 +00:00 · 2023-03-20 20:15:27 +00:00 · f0d04fa0fa
--- a/testing/web-platform/tests/WebCryptoAPI/derive_bits_keys/cfrg_curves_bits.js
+++ b/testing/web-platform/tests/WebCryptoAPI/derive_bits_keys/cfrg_curves_bits.js
@ -23,6 +23,53 @@ function define_tests() {
      "X448": new Uint8Array([240, 246, 197, 241, 127, 148, 244, 41, 30, 171, 113, 120, 134, 109, 55, 236, 137, 6, 221, 108, 81, 65, 67, 220, 133, 190, 124, 242, 141, 239, 243, 155, 114, 110, 15, 109, 207, 129, 14, 181, 148, 220, 169, 123, 72, 130, 189, 68, 196, 62, 167, 220, 103, 244, 154, 78])
  };

+  var kSmallOrderPoint = {
+      "X25519": [
+          { order: "0",                vector : new Uint8Array([48, 42, 48, 5, 6, 3, 43, 101, 110, 3, 33, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]) },
+          { order: "1",                vector : new Uint8Array([48, 42, 48, 5, 6, 3, 43, 101, 110, 3, 33, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]) },
+          { order: "8",                vector : new Uint8Array([48, 42, 48, 5, 6, 3, 43, 101, 110, 3, 33, 0, 224, 235, 122, 124, 59, 65, 184, 174, 22, 86, 227, 250, 241, 159, 196, 106, 218, 9, 141, 235, 156, 50, 177, 253, 134, 98, 5, 22, 95, 73, 184, 0]) },
+          { order: "p-1 (order 2)",    vector : new Uint8Array([48, 42, 48, 5, 6, 3, 43, 101, 110, 3, 33, 0, 236, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 127]) },
+          { order: "p (=0, order 4)",  vector : new Uint8Array([48, 42, 48, 5, 6, 3, 43, 101, 110, 3, 33, 0, 237, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 127]) },
+          { order: "p+1 (=1, order 1)", vector : new Uint8Array([48, 42, 48, 5, 6, 3, 43, 101, 110, 3, 33, 0, 238, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 127]) },
+      ],
+      "X448": [
+          { order: "0",                 vector : new Uint8Array([48, 66, 48, 5, 6, 3, 43, 101, 111, 3, 57, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]) },
+          { order: "1",                 vector : new Uint8Array([48, 66, 48, 5, 6, 3, 43, 101, 111, 3, 57, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]) },
+          { order: "p-1 (order 2)",     vector : new Uint8Array([48, 66, 48, 5, 6, 3, 43, 101, 111, 3, 57, 0, 254, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 254, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255]) },
+          { order: "p (=0, order 4)",   vector : new Uint8Array([48, 66, 48, 5, 6, 3, 43, 101, 111, 3, 57, 0, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 254, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255]) },
+          { order: "p+1 (=1, order 1)", vector : new Uint8Array([48, 66, 48, 5, 6, 3, 43, 101, 111, 3, 57, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255]) },
+      ]
+  };
+
+  // Verify the derive functions perform checks against the all-zero value results,
+  // ensuring small-order points are rejected.
+  // https://www.rfc-editor.org/rfc/rfc7748#section-6.1
+  // TODO: The spec states that the check must be done on use, but there is discussion about doing it on import.
+  // https://github.com/WICG/webcrypto-secure-curves/pull/13
+  Object.keys(kSmallOrderPoint).forEach(function(algorithmName) {
+      kSmallOrderPoint[algorithmName].forEach(function(test) {
+          promise_test(async() => {
+              let derived;
+              let privateKey = await subtle.importKey("pkcs8", pkcs8[algorithmName],
+                                                  {name: algorithmName},
+                                                  false, ["deriveBits", "deriveKey"]);
+              let publicKey = await subtle.importKey("spki", test.vector,
+                                                 {name: algorithmName},
+                                                 false, [])
+              try {
+                  derived = await subtle.deriveKey({name: algorithmName, public: publicKey}, privateKey,
+                                                   {name: "HMAC", hash: "SHA-256", length: 256}, true,
+                                                   ["sign", "verify"]);
+              } catch (err) {
+                  assert_false(privateKey === undefined, "Private key should be valid.");
+                  assert_false(publicKey === undefined, "Public key should be valid.");
+                  assert_equals(err.name, "OperationError", "Should throw correct error, not " + err.name + ": " + err.message + ".");
+              }
+              assert_equals(derived, undefined, "Operation succeeded, but should not have.");
+          }, algorithmName + " key derivation checks for all-zero value result with a key of order " + test.order);
+      });
+  });
+
  return importKeys(pkcs8, spki, sizes)
  .then(function(results) {
      publicKeys = results.publicKeys;
--- a/testing/web-platform/tests/WebCryptoAPI/derive_bits_keys/cfrg_curves_keys.js
+++ b/testing/web-platform/tests/WebCryptoAPI/derive_bits_keys/cfrg_curves_keys.js
@ -23,6 +23,20 @@ function define_tests() {
      "X448": new Uint8Array([240, 246, 197, 241, 127, 148, 244, 41, 30, 171, 113, 120, 134, 109, 55, 236, 137, 6, 221, 108, 81, 65, 67, 220, 133, 190, 124, 242, 141, 239, 243, 155, 114, 110, 15, 109, 207, 129, 14, 181, 148, 220, 169, 123, 72, 130, 189, 68, 196, 62, 167, 220, 103, 244, 154, 78])
  };

+  // Ensure the keys generated by each algorithm are valid for key derivation.
+  Object.keys(sizes).forEach(function(algorithmName) {
+      promise_test(async() => {
+          let derived;
+          try {
+              let key = await subtle.generateKey({name: algorithmName}, true, ["deriveKey", "deriveBits"]);
+              derived = await subtle.deriveKey({name: algorithmName, public: key.publicKey}, key.privateKey, {name: "HMAC", hash: "SHA-256", length: 256}, true, ["sign", "verify"]);
+          } catch (err) {
+              assert_unreached("Threw an unexpected error: " + err.toString() + " -");
+          }
+          assert_false (derived === undefined, "Key derivation failed.");
+      }, "Key derivation using a " + algorithmName + " generated keys.");
+  });
+
  return importKeys(pkcs8, spki, sizes)
  .then(function(results) {
      publicKeys = results.publicKeys;
--- a/testing/web-platform/tests/WebCryptoAPI/import_export/okp_importKey_failures.js
+++ b/testing/web-platform/tests/WebCryptoAPI/import_export/okp_importKey_failures.js
@ -99,7 +99,7 @@ function run_test(algorithmNames) {
    }

    function validUsages(usages, format, data) {
-        if (format === 'spki') return usages.publicUsages
+        if (format === 'spki' || format === 'raw') return usages.publicUsages
        if (format === 'pkcs8') return usages.privateUsages
        if (format === 'jwk') {
            if (data === undefined)
--- a/testing/web-platform/tests/WebCryptoAPI/import_export/okp_importKey_failures_Ed25519.https.any.js
+++ b/testing/web-platform/tests/WebCryptoAPI/import_export/okp_importKey_failures_Ed25519.https.any.js
@ -15,6 +15,10 @@ var validKeyData = [
      format: "pkcs8",
      data: new Uint8Array([48, 46, 2, 1, 0, 48, 5, 6, 3, 43, 101, 112, 4, 34, 4, 32, 243, 200, 244, 196, 141, 248, 120, 20, 110, 140, 211, 191, 109, 244, 229, 14, 56, 155, 167, 7, 78, 21, 194, 53, 45, 205, 93, 48, 141, 76, 168, 31])
    },
+    {
+      format: "raw",
+      data: new Uint8Array([216, 225, 137, 99, 216, 9, 212, 135, 217, 84, 154, 204, 174, 198, 116, 46, 126, 235, 162, 77, 138, 13, 59, 20, 183, 227, 202, 234, 6, 137, 61, 204])
+    },
    {
      format: "jwk",
      data: {
@ -44,6 +48,10 @@ var badKeyLengthData = [
        format: "pkcs8",
        data: new Uint8Array([48, 46, 2, 1, 0, 48, 5, 6, 3, 43, 101, 112, 4, 34, 4, 32, 243, 200, 244, 196, 141, 248, 120, 20, 110, 140, 211, 191, 109, 244, 229, 14, 56, 155, 167, 7, 78, 21, 194, 53, 45, 205, 93, 48, 141, 76, 168])
    },
+    {
+        format: "raw",
+        data: new Uint8Array([216, 225, 137, 99, 216, 9, 212, 135, 217, 84, 154, 204, 174, 198, 116, 46, 126, 235, 162, 77, 138, 13, 59, 20, 183, 227, 202, 234, 6, 137, 61])
+    },
    {
        format: "jwk",
        data: {
--- a/testing/web-platform/tests/WebCryptoAPI/import_export/okp_importKey_failures_Ed448.https.any.js
+++ b/testing/web-platform/tests/WebCryptoAPI/import_export/okp_importKey_failures_Ed448.https.any.js
@ -15,6 +15,10 @@ var validKeyData = [
        format: "pkcs8",
        data: new Uint8Array([48, 71, 2, 1, 0, 48, 5, 6, 3, 43, 101, 113, 4, 59, 4, 57, 14, 255, 3, 69, 140, 40, 224, 23, 156, 82, 29, 227, 18, 201, 105, 183, 131, 67, 72, 236, 171, 153, 26, 96, 227, 178, 233, 167, 158, 76, 217, 228, 128, 239, 41, 23, 18, 210, 200, 61, 4, 114, 114, 213, 201, 244, 40, 102, 79, 105, 109, 38, 112, 69, 143, 29, 46]),
    },
+    {
+        format: "raw",
+        data: new Uint8Array([171, 75, 184, 133, 253, 125, 44, 90, 242, 78, 131, 113, 12, 255, 160, 199, 74, 87, 226, 116, 128, 29, 178, 5, 123, 11, 220, 94, 160, 50, 182, 254, 107, 199, 139, 128, 69, 54, 90, 235, 38, 232, 110, 31, 20, 253, 52, 157, 7, 196, 132, 149, 245, 164, 106, 90, 128]),
+    },
    {
        format: "jwk",
        data: {
@ -44,6 +48,10 @@ var badKeyLengthData = [
        format: "pkcs8",
        data: new Uint8Array([48, 71, 2, 1, 0, 48, 5, 6, 3, 43, 101, 113, 4, 59, 4, 57, 14, 255, 3, 69, 140, 40, 224, 23, 156, 82, 29, 227, 18, 201, 105, 183, 131, 67, 72, 236, 171, 153, 26, 96, 227, 178, 233, 167, 158, 76, 217, 228, 128, 239, 41, 23, 18, 210, 200, 61, 4, 114, 114, 213, 201, 244, 40, 102, 79, 105, 109, 38, 112, 69, 143, 29]),
    },
+    {
+        format: "raw",
+        data: new Uint8Array([171, 75, 184, 133, 253, 125, 44, 90, 242, 78, 131, 113, 12, 255, 160, 199, 74, 87, 226, 116, 128, 29, 178, 5, 123, 11, 220, 94, 160, 50, 182, 254, 107, 199, 139, 128, 69, 54, 90, 235, 38, 232, 110, 31, 20, 253, 52, 157, 7, 196, 132, 149, 245, 164, 106, 90]),
+    },
    {
        format: "jwk",
        data: {
--- a/testing/web-platform/tests/WebCryptoAPI/import_export/okp_importKey_failures_X25519.https.any.js
+++ b/testing/web-platform/tests/WebCryptoAPI/import_export/okp_importKey_failures_X25519.https.any.js
@ -15,6 +15,10 @@ var validKeyData = [
      format: "pkcs8",
      data: new Uint8Array([48, 46, 2, 1, 0, 48, 5, 6, 3, 43, 101, 110, 4, 34, 4, 32, 200, 131, 142, 118, 208, 87, 223, 183, 216, 201, 90, 105, 225, 56, 22, 10, 221, 99, 115, 253, 113, 164, 210, 118, 187, 86, 227, 168, 27, 100, 255, 97]),
    },
+    {
+      format: "raw",
+      data: new Uint8Array([28, 242, 177, 230, 2, 46, 197, 55, 55, 30, 215, 245, 62, 84, 250, 17, 84, 216, 62, 152, 235, 100, 234, 81, 250, 229, 179, 48, 124, 254, 151, 6]),
+    },
    {
      format: "jwk",
      data: {
@ -44,6 +48,10 @@ var badKeyLengthData = [
        format: "pkcs8",
        data: new Uint8Array([48, 46, 2, 1, 0, 48, 5, 6, 3, 43, 101, 110, 4, 34, 4, 32, 200, 131, 142, 118, 208, 87, 223, 183, 216, 201, 90, 105, 225, 56, 22, 10, 221, 99, 115, 253, 113, 164, 210, 118, 187, 86, 227, 168, 27, 100, 255]),
    },
+    {
+        format: "raw",
+        data: new Uint8Array([28, 242, 177, 230, 2, 46, 197, 55, 55, 30, 215, 245, 62, 84, 250, 17, 84, 216, 62, 152, 235, 100, 234, 81, 250, 229, 179, 48, 124, 254, 151]),
+    },
    {
        format: "jwk",
        data: {
--- a/testing/web-platform/tests/WebCryptoAPI/import_export/okp_importKey_failures_X448.https.any.js
+++ b/testing/web-platform/tests/WebCryptoAPI/import_export/okp_importKey_failures_X448.https.any.js
@ -15,6 +15,10 @@ var validKeyData = [
        format: "pkcs8",
        data: new Uint8Array([48, 70, 2, 1, 0, 48, 5, 6, 3, 43, 101, 111, 4, 58, 4, 56, 88, 199, 210, 154, 62, 181, 25, 178, 157, 0, 207, 177, 145, 187, 100, 252, 109, 138, 66, 216, 241, 113, 118, 39, 43, 137, 242, 39, 45, 24, 25, 41, 92, 101, 37, 192, 130, 150, 113, 176, 82, 239, 7, 39, 83, 15, 24, 142, 49, 208, 204, 83, 191, 38, 146, 158]),
    },
+    {
+        format: "raw",
+        data: new Uint8Array([182, 4, 161, 209, 165, 205, 29, 148, 38, 213, 97, 239, 99, 10, 158, 177, 108, 190, 105, 213, 185, 202, 97, 94, 220, 83, 99, 62, 251, 82, 234, 49, 230, 230, 160, 161, 219, 172, 198, 231, 108, 188, 230, 72, 45, 126, 75, 163, 213, 93, 158, 128, 39, 101, 206, 111]),
+    },
    {
        format: "jwk",
        data: {
@ -44,6 +48,10 @@ var badKeyLengthData = [
        format: "pkcs8",
        data: new Uint8Array([48, 70, 2, 1, 0, 48, 5, 6, 3, 43, 101, 111, 4, 58, 4, 56, 88, 199, 210, 154, 62, 181, 25, 178, 157, 0, 207, 177, 145, 187, 100, 252, 109, 138, 66, 216, 241, 113, 118, 39, 43, 137, 242, 39, 45, 24, 25, 41, 92, 101, 37, 192, 130, 150, 113, 176, 82, 239, 7, 39, 83, 15, 24, 142, 49, 208, 204, 83, 191, 38, 146]),
    },
+    {
+        format: "raw",
+        data: new Uint8Array([182, 4, 161, 209, 165, 205, 29, 148, 38, 213, 97, 239, 99, 10, 158, 177, 108, 190, 105, 213, 185, 202, 97, 94, 220, 83, 99, 62, 251, 82, 234, 49, 230, 230, 160, 161, 219, 172, 198, 231, 108, 188, 230, 72, 45, 126, 75, 163, 213, 93, 158, 128, 39, 101, 206]),
+    },
    {
        format: "jwk",
        data: {