refactor!: drop support for JWK key_ops and CryptoKey usages "(un)wrapKey" and "deriveKey"

panva · panva · commit ef918be8bab1 · 2025-02-22T15:13:58.000+01:00
diff --git a/src/lib/crypto_key.ts b/src/lib/crypto_key.ts
@@ -26,23 +26,15 @@ function getNamedCurve(alg: string) {
   }
 }
 
-function checkUsage(key: CryptoKey, usages: KeyUsage[]) {
-  if (usages.length && !usages.some((expected) => key.usages.includes(expected))) {
-    let msg = 'CryptoKey does not support this operation, its usages must include '
-    if (usages.length > 2) {
-      const last = usages.pop()
-      msg += `one of ${usages.join(', ')}, or ${last}.`
-    } else if (usages.length === 2) {
-      msg += `one of ${usages[0]} or ${usages[1]}.`
-    } else {
-      msg += `${usages[0]}.`
-    }
-
-    throw new TypeError(msg)
+function checkUsage(key: CryptoKey, usage?: KeyUsage) {
+  if (usage && !key.usages.includes(usage)) {
+    throw new TypeError(
+      `CryptoKey does not support this operation, its usages must include ${usage}.`,
+    )
   }
 }
 
-export function checkSigCryptoKey(key: CryptoKey, alg: string, ...usages: KeyUsage[]) {
+export function checkSigCryptoKey(key: CryptoKey, alg: string, usage: KeyUsage) {
   switch (alg) {
     case 'HS256':
     case 'HS384':
@@ -95,10 +87,10 @@ export function checkSigCryptoKey(key: CryptoKey, alg: string, ...usages: KeyUsa
       throw new TypeError('CryptoKey does not support this operation')
   }
 
-  checkUsage(key, usages)
+  checkUsage(key, usage)
 }
 
-export function checkEncCryptoKey(key: CryptoKey, alg: string, ...usages: KeyUsage[]) {
+export function checkEncCryptoKey(key: CryptoKey, alg: string, usage?: KeyUsage) {
   switch (alg) {
     case 'A128GCM':
     case 'A192GCM':
@@ -148,5 +140,5 @@ export function checkEncCryptoKey(key: CryptoKey, alg: string, ...usages: KeyUsa
       throw new TypeError('CryptoKey does not support this operation')
   }
 
-  checkUsage(key, usages)
+  checkUsage(key, usage)
 }
diff --git a/src/runtime/generate.ts b/src/runtime/generate.ts
@@ -130,7 +130,7 @@ export async function generateKeyPair(alg: string, options?: GenerateKeyPairOpti
     case 'ECDH-ES+A128KW':
     case 'ECDH-ES+A192KW':
     case 'ECDH-ES+A256KW': {
-      keyUsages = ['deriveKey', 'deriveBits']
+      keyUsages = ['deriveBits']
       const crv = options?.crv ?? 'P-256'
       switch (crv) {
         case 'P-256':
diff --git a/src/runtime/normalize_key.ts b/src/runtime/normalize_key.ts
@@ -63,7 +63,7 @@ const handleKeyObject = (key: ConvertableKeyObject, alg: string) => {
     cryptoKey = key.toCryptoKey(
       key.asymmetricKeyType,
       true,
-      key.type === 'private' ? ['deriveBits', 'deriveKey'] : [],
+      key.type === 'private' ? ['deriveBits'] : [],
     )
   }
 
@@ -176,7 +176,7 @@ const handleKeyObject = (key: ConvertableKeyObject, alg: string) => {
           namedCurve,
         },
         true,
-        key.type === 'private' ? ['deriveBits', 'deriveKey'] : [],
+        key.type === 'private' ? ['deriveBits'] : [],
       )
     }
   }

Original file line number	Diff line number	Diff line change
`@@ -26,23 +26,15 @@ function getNamedCurve(alg: string) {`
`26`	`26`	`}`
`27`	`27`	`}`
`28`	`28`
`29`		`-function checkUsage(key: CryptoKey, usages: KeyUsage[]) {`
`30`		`- if (usages.length && !usages.some((expected) => key.usages.includes(expected))) {`
`31`		`- let msg = 'CryptoKey does not support this operation, its usages must include '`
`32`		`- if (usages.length > 2) {`
`33`		`- const last = usages.pop()`
`34`		- msg += `one of ${usages.join(', ')}, or ${last}.`
`35`		`- } else if (usages.length === 2) {`
`36`		- msg += `one of ${usages[0]} or ${usages[1]}.`
`37`		`- } else {`
`38`		- msg += `${usages[0]}.`
`39`		`- }`
`40`		`-`
`41`		`- throw new TypeError(msg)`
	`29`	`+function checkUsage(key: CryptoKey, usage?: KeyUsage) {`
	`30`	`+ if (usage && !key.usages.includes(usage)) {`
	`31`	`+ throw new TypeError(`
	`32`	+ `CryptoKey does not support this operation, its usages must include ${usage}.`,
	`33`	`+ )`
`42`	`34`	`}`
`43`	`35`	`}`
`44`	`36`
`45`		`-export function checkSigCryptoKey(key: CryptoKey, alg: string, ...usages: KeyUsage[]) {`
	`37`	`+export function checkSigCryptoKey(key: CryptoKey, alg: string, usage: KeyUsage) {`
`46`	`38`	`switch (alg) {`
`47`	`39`	`case 'HS256':`
`48`	`40`	`case 'HS384':`
`@@ -95,10 +87,10 @@ export function checkSigCryptoKey(key: CryptoKey, alg: string, ...usages: KeyUsa`
`95`	`87`	`throw new TypeError('CryptoKey does not support this operation')`
`96`	`88`	`}`
`97`	`89`
`98`		`- checkUsage(key, usages)`
	`90`	`+ checkUsage(key, usage)`
`99`	`91`	`}`
`100`	`92`
`101`		`-export function checkEncCryptoKey(key: CryptoKey, alg: string, ...usages: KeyUsage[]) {`
	`93`	`+export function checkEncCryptoKey(key: CryptoKey, alg: string, usage?: KeyUsage) {`
`102`	`94`	`switch (alg) {`
`103`	`95`	`case 'A128GCM':`
`104`	`96`	`case 'A192GCM':`
`@@ -148,5 +140,5 @@ export function checkEncCryptoKey(key: CryptoKey, alg: string, ...usages: KeyUsa`
`148`	`140`	`throw new TypeError('CryptoKey does not support this operation')`
`149`	`141`	`}`
`150`	`142`
`151`		`- checkUsage(key, usages)`
	`143`	`+ checkUsage(key, usage)`
`152`	`144`	`}`
Original file line number	Diff line number	Diff line change
`@@ -63,7 +63,7 @@ const handleKeyObject = (key: ConvertableKeyObject, alg: string) => {`
`63`	`63`	`cryptoKey = key.toCryptoKey(`
`64`	`64`	`key.asymmetricKeyType,`
`65`	`65`	`true,`
`66`		`- key.type === 'private' ? ['deriveBits', 'deriveKey'] : [],`
	`66`	`+ key.type === 'private' ? ['deriveBits'] : [],`
`67`	`67`	`)`
`68`	`68`	`}`
`69`	`69`
`@@ -176,7 +176,7 @@ const handleKeyObject = (key: ConvertableKeyObject, alg: string) => {`
`176`	`176`	`namedCurve,`
`177`	`177`	`},`
`178`	`178`	`true,`
`179`		`- key.type === 'private' ? ['deriveBits', 'deriveKey'] : [],`
	`179`	`+ key.type === 'private' ? ['deriveBits'] : [],`
`180`	`180`	`)`
`181`	`181`	`}`
`182`	`182`	`}`