fix: only use secp256k1 keys for signing/verification

panva · Oct 29, 2019 · 9588223 · 9588223
1 parent 3cf22e2
commit 9588223
Show file tree

Hide file tree

Showing 4 changed files with 59 additions and 29 deletions.
diff --git a/lib/jwk/key/ec.js b/lib/jwk/key/ec.js
@@ -98,7 +98,7 @@ class ECKey extends Key {
 
         return new Set([crvToDSA(this.crv)])
       case 'deriveKey':
-        if (use === 'sig') {
+        if (use === 'sig' || this.crv === secp256k1) {
           return new Set()
         }
 

diff --git a/test/jwk/P-256K.import.test.js b/test/jwk/P-256K.import.test.js
@@ -37,7 +37,7 @@ Object.entries({
     test(`${crv} EC Private key algorithms (no operation)`, t => {
       const result = key.algorithms()
       t.is(result.constructor, Set)
-      t.deepEqual([...result], [alg, 'ECDH-ES', 'ECDH-ES+A128KW', 'ECDH-ES+A192KW', 'ECDH-ES+A256KW'])
+      t.deepEqual([...result], [alg])
     })
 
     test(`${crv} EC Private key algorithms (no operation, w/ alg)`, t => {
@@ -122,7 +122,7 @@ Object.entries({
     test(`${crv} EC Private key .algorithms("deriveKey")`, t => {
       const result = key.algorithms('deriveKey')
       t.is(result.constructor, Set)
-      t.deepEqual([...result], ['ECDH-ES', 'ECDH-ES+A128KW', 'ECDH-ES+A192KW', 'ECDH-ES+A256KW'])
+      t.deepEqual([...result], [])
     })
 
     test(`${crv} EC Private key .algorithms("wrapKey") when use is sig`, t => {
@@ -169,7 +169,7 @@ Object.entries({
     test(`${crv} EC Public key algorithms (no operation)`, t => {
       const result = key.algorithms()
       t.is(result.constructor, Set)
-      t.deepEqual([...result], [alg, 'ECDH-ES', 'ECDH-ES+A128KW', 'ECDH-ES+A192KW', 'ECDH-ES+A256KW'])
+      t.deepEqual([...result], [alg])
     })
 
     test(`${crv} EC Public key algorithms (no operation, w/ alg)`, t => {
@@ -254,7 +254,7 @@ Object.entries({
     test(`${crv} EC Public key .algorithms("deriveKey")`, t => {
       const result = key.algorithms('deriveKey')
       t.is(result.constructor, Set)
-      t.deepEqual([...result], ['ECDH-ES', 'ECDH-ES+A128KW', 'ECDH-ES+A192KW', 'ECDH-ES+A256KW'])
+      t.deepEqual([...result], [])
     })
 
     test(`${crv} EC Public key .algorithms("wrapKey") when use is sig`, t => {

diff --git a/test/jwk/ec.test.js b/test/jwk/ec.test.js
@@ -32,10 +32,10 @@ Object.entries({
   'P-384': ['ES384', '5gebayAhpztJCs4Pxo-z1hhsN0upoyG2NAoKpiiH2b0'],
   'P-521': ['ES512', 'BQtkbSY3xgN4M2ZP3IHMLG7-Rp1L29teCMfNqgJHtTY']
 }).forEach(([crv, [alg, kid]]) => {
-  const ECDH = ['ECDH-ES', 'ECDH-ES+A128KW', 'ECDH-ES+A192KW', 'ECDH-ES+A256KW']
+  let ECDH = ['ECDH-ES', 'ECDH-ES+A128KW', 'ECDH-ES+A192KW', 'ECDH-ES+A256KW']
   if ('electron' in process.versions) {
     if (crv === 'secp256k1') return
-    ECDH.splice(1, ECDH.length - 1)
+    ECDH = []
   }
   if (crv === 'secp256k1' && 'electron' in process.versions) return
   // private
@@ -58,11 +58,19 @@ Object.entries({
     test(`${crv} EC Private key`, hasProperty, key, 'type', 'private')
     test(`${crv} EC Private key`, hasProperty, key, 'use', undefined)
 
-    test(`${crv} EC Private key algorithms (no operation)`, t => {
-      const result = key.algorithms()
-      t.is(result.constructor, Set)
-      t.deepEqual([...result], [alg, ...ECDH])
-    })
+    if (crv === 'secp256k1') {
+      test(`${crv} EC Private key algorithms (no operation)`, t => {
+        const result = key.algorithms()
+        t.is(result.constructor, Set)
+        t.deepEqual([...result], [alg])
+      })
+    } else {
+      test(`${crv} EC Private key algorithms (no operation)`, t => {
+        const result = key.algorithms()
+        t.is(result.constructor, Set)
+        t.deepEqual([...result], [alg, ...ECDH])
+      })
+    }
 
     test(`${crv} EC Private key algorithms (no operation, w/ alg)`, t => {
       const key = new ECKey(keyObject, { alg })
@@ -143,11 +151,19 @@ Object.entries({
       t.deepEqual([...result], [])
     })
 
-    test(`${crv} EC Private key .algorithms("deriveKey")`, t => {
-      const result = key.algorithms('deriveKey')
-      t.is(result.constructor, Set)
-      t.deepEqual([...result], ECDH)
-    })
+    if (crv === 'secp256k1') {
+      test(`${crv} EC Private key .algorithms("deriveKey")`, t => {
+        const result = key.algorithms('deriveKey')
+        t.is(result.constructor, Set)
+        t.deepEqual([...result], [])
+      })
+    } else {
+      test(`${crv} EC Private key .algorithms("deriveKey")`, t => {
+        const result = key.algorithms('deriveKey')
+        t.is(result.constructor, Set)
+        t.deepEqual([...result], ECDH)
+      })
+    }
 
     test(`${crv} EC Private key .algorithms("wrapKey") when use is sig`, t => {
       const sigKey = new ECKey(keyObject, { use: 'sig' })
@@ -190,11 +206,19 @@ Object.entries({
     test(`${crv} EC Public key`, hasProperty, key, 'type', 'public')
     test(`${crv} EC Public key`, hasProperty, key, 'use', undefined)
 
-    test(`${crv} EC Public key algorithms (no operation)`, t => {
-      const result = key.algorithms()
-      t.is(result.constructor, Set)
-      t.deepEqual([...result], [alg, ...ECDH])
-    })
+    if (crv === 'secp256k1') {
+      test(`${crv} EC Public key algorithms (no operation)`, t => {
+        const result = key.algorithms()
+        t.is(result.constructor, Set)
+        t.deepEqual([...result], [alg])
+      })
+    } else {
+      test(`${crv} EC Public key algorithms (no operation)`, t => {
+        const result = key.algorithms()
+        t.is(result.constructor, Set)
+        t.deepEqual([...result], [alg, ...ECDH])
+      })
+    }
 
     test(`${crv} EC Public key algorithms (no operation, w/ alg)`, t => {
       const key = new ECKey(keyObject, { alg })
@@ -275,11 +299,19 @@ Object.entries({
       t.deepEqual([...result], [])
     })
 
-    test(`${crv} EC Public key .algorithms("deriveKey")`, t => {
-      const result = key.algorithms('deriveKey')
-      t.is(result.constructor, Set)
-      t.deepEqual([...result], ECDH)
-    })
+    if (crv === 'secp256k1') {
+      test(`${crv} EC Public key .algorithms("deriveKey")`, t => {
+        const result = key.algorithms('deriveKey')
+        t.is(result.constructor, Set)
+        t.deepEqual([...result], [])
+      })
+    } else {
+      test(`${crv} EC Public key .algorithms("deriveKey")`, t => {
+        const result = key.algorithms('deriveKey')
+        t.is(result.constructor, Set)
+        t.deepEqual([...result], ECDH)
+      })
+    }
 
     test(`${crv} EC Public key .algorithms("wrapKey") when use is sig`, t => {
       const sigKey = new ECKey(keyObject, { use: 'sig' })

diff --git a/test/jwk/generate.test.js b/test/jwk/generate.test.js
@@ -48,9 +48,7 @@ const { JWK: { generate, generateSync }, errors } = require('../..')
   ['EC', 'secp256k1', { use: 'sig' }],
   ['EC', 'secp256k1', { use: 'enc' }],
   ['EC', 'secp256k1', { use: 'sig', alg: 'ES256K' }],
-  ['EC', 'secp256k1', { use: 'enc', alg: 'ECDH-ES' }],
   ['EC', 'secp256k1', { alg: 'ES256K' }],
-  ['EC', 'secp256k1', { alg: 'ECDH-ES' }],
   ['EC', 'P-384'],
   ['EC', 'P-384', { use: 'sig' }],
   ['EC', 'P-384', { use: 'enc' }],