crypto: add ChaCha20-Poly1305 Web Cryptography algorithm

PR-URL: #59365 Reviewed-By: James M Snell <[email protected]> Reviewed-By: Ethan Arrowood <[email protected]> Reviewed-By: Yagiz Nizipli <[email protected]> Reviewed-By: Joyee Cheung <[email protected]>

Author: panva

deps/ncrypto/ncrypto.cc

@@ -2927,6 +2927,7 @@ const Cipher Cipher::AES_256_GCM = Cipher::FromNid(NID_aes_256_gcm);
 const Cipher Cipher::AES_128_KW = Cipher::FromNid(NID_id_aes128_wrap);
 const Cipher Cipher::AES_192_KW = Cipher::FromNid(NID_id_aes192_wrap);
 const Cipher Cipher::AES_256_KW = Cipher::FromNid(NID_id_aes256_wrap);
+const Cipher Cipher::CHACHA20_POLY1305 = Cipher::FromNid(NID_chacha20_poly1305);
 
 boolCipher::isGcmMode() const{
 if (!cipher_) returnfalse;

deps/ncrypto/ncrypto.h

@@ -373,6 +373,7 @@ class Cipher final{
 staticconst Cipher AES_128_KW;
 staticconst Cipher AES_192_KW;
 staticconst Cipher AES_256_KW;
+staticconst Cipher CHACHA20_POLY1305;
 
 structCipherParams{
 int padding;

doc/api/webcrypto.md

@@ -0,0 +1,191 @@
+'use strict';
+
+const{
+ ArrayBufferIsView,
+ ArrayBufferPrototypeSlice,
+ ArrayFrom,
+ PromiseReject,
+ SafeSet,
+ TypedArrayPrototypeSlice,
+}=primordials;
+
+const{
+ ChaCha20Poly1305CipherJob,
+ KeyObjectHandle,
+ kCryptoJobAsync,
+ kWebCryptoCipherDecrypt,
+ kWebCryptoCipherEncrypt,
+}=internalBinding('crypto');
+
+const{
+ hasAnyNotIn,
+ jobPromise,
+ validateKeyOps,
+ kHandle,
+ kKeyObject,
+}=require('internal/crypto/util');
+
+const{
+ lazyDOMException,
+ promisify,
+}=require('internal/util');
+
+const{
+ InternalCryptoKey,
+ SecretKeyObject,
+ createSecretKey,
+}=require('internal/crypto/keys');
+
+const{
+randomBytes: _randomBytes,
+}=require('internal/crypto/random');
+
+constrandomBytes=promisify(_randomBytes);
+
+functionvalidateKeyLength(length){
+if(length!==256)
+throwlazyDOMException('Invalid key length','DataError');
+}
+
+functionc20pCipher(mode,key,data,algorithm){
+lettag;
+switch(mode){
+casekWebCryptoCipherDecrypt: {
+constslice=ArrayBufferIsView(data) ?
+TypedArrayPrototypeSlice : ArrayBufferPrototypeSlice;
+
+if(data.byteLength<16){
+returnPromiseReject(lazyDOMException(
+'The provided data is too small.',
+'OperationError'));
+}
+
+tag=slice(data,-16);
+data=slice(data,0,-16);
+break;
+}
+casekWebCryptoCipherEncrypt:
+tag=16;
+break;
+}
+
+returnjobPromise(()=>newChaCha20Poly1305CipherJob(
+kCryptoJobAsync,
+mode,
+key[kKeyObject][kHandle],
+data,
+algorithm.iv,
+tag,
+algorithm.additionalData));
+}
+
+asyncfunctionc20pGenerateKey(algorithm,extractable,keyUsages){
+const{ name }=algorithm;
+
+constcheckUsages=['encrypt','decrypt','wrapKey','unwrapKey'];
+
+constusagesSet=newSafeSet(keyUsages);
+if(hasAnyNotIn(usagesSet,checkUsages)){
+throwlazyDOMException(
+`Unsupported key usage for a ${algorithm.name} key`,
+'SyntaxError');
+}
+
+constkeyData=awaitrandomBytes(32).catch((err)=>{
+throwlazyDOMException(
+'The operation failed for an operation-specific reason'+
+`[${err.message}]`,
+{name: 'OperationError',cause: err});
+});
+
+returnnewInternalCryptoKey(
+createSecretKey(keyData),
+{ name },
+ArrayFrom(usagesSet),
+extractable);
+}
+
+functionc20pImportKey(
+algorithm,
+format,
+keyData,
+extractable,
+keyUsages){
+const{ name }=algorithm;
+constcheckUsages=['encrypt','decrypt','wrapKey','unwrapKey'];
+
+constusagesSet=newSafeSet(keyUsages);
+if(hasAnyNotIn(usagesSet,checkUsages)){
+throwlazyDOMException(
+`Unsupported key usage for a ${algorithm.name} key`,
+'SyntaxError');
+}
+
+letkeyObject;
+switch(format){
+case'KeyObject': {
+keyObject=keyData;
+break;
+}
+case'raw-secret': {
+keyObject=createSecretKey(keyData);
+break;
+}
+case'jwk': {
+if(!keyData.kty)
+throwlazyDOMException('Invalid keyData','DataError');
+
+if(keyData.kty!=='oct')
+throwlazyDOMException('Invalid JWK "kty" Parameter','DataError');
+
+if(usagesSet.size>0&&
+keyData.use!==undefined&&
+keyData.use!=='enc'){
+throwlazyDOMException('Invalid JWK "use" Parameter','DataError');
+}
+
+validateKeyOps(keyData.key_ops,usagesSet);
+
+if(keyData.ext!==undefined&&
+keyData.ext===false&&
+extractable===true){
+throwlazyDOMException(
+'JWK "ext" Parameter and extractable mismatch',
+'DataError');
+}
+
+consthandle=newKeyObjectHandle();
+try{
+handle.initJwk(keyData);
+}catch(err){
+throwlazyDOMException(
+'Invalid keyData',{name: 'DataError',cause: err});
+}
+
+if(keyData.alg!==undefined&&keyData.alg!=='C20P'){
+throwlazyDOMException(
+'JWK "alg" does not match the requested algorithm',
+'DataError');
+}
+
+keyObject=newSecretKeyObject(handle);
+break;
+}
+default:
+returnundefined;
+}
+
+validateKeyLength(keyObject.symmetricKeySize*8);
+
+returnnewInternalCryptoKey(
+keyObject,
+{ name },
+keyUsages,
+extractable);
+}
+
+module.exports={
+ c20pCipher,
+ c20pGenerateKey,
+ c20pImportKey,
+};

lib/internal/crypto/chacha20_poly1305.js

@@ -199,6 +199,10 @@ const{
 result=require('internal/crypto/aes')
 .aesImportKey(algorithm,'KeyObject',this,extractable,keyUsages);
 break;
+case'ChaCha20-Poly1305':
+result=require('internal/crypto/chacha20_poly1305')
+.c20pImportKey(algorithm,'KeyObject',this,extractable,keyUsages);
+break;
 case'HKDF':
 // Fall through
 case'PBKDF2':

lib/internal/crypto/keys.js

@@ -245,13 +245,13 @@ const kSupportedAlgorithms ={
 'encrypt': {
 'RSA-OAEP': 'RsaOaepParams',
 'AES-CBC': 'AesCbcParams',
-'AES-GCM': 'AesGcmParams',
+'AES-GCM': 'AeadParams',
 'AES-CTR': 'AesCtrParams',
 },
 'decrypt': {
 'RSA-OAEP': 'RsaOaepParams',
 'AES-CBC': 'AesCbcParams',
-'AES-GCM': 'AesGcmParams',
+'AES-GCM': 'AeadParams',
 'AES-CTR': 'AesCtrParams',
 },
 'get key length': {
@@ -290,6 +290,14 @@ const experimentalAlgorithms = ObjectEntries({
 'SHA3-256': {digest: null},
 'SHA3-384': {digest: null},
 'SHA3-512': {digest: null},
+'ChaCha20-Poly1305': {
+'encrypt': 'AeadParams',
+'decrypt': 'AeadParams',
+'generateKey': null,
+'importKey': null,
+'exportKey': null,
+'get key length': null,
+},
 });
 
 for(const{0: algorithm,1: nid}of[
@@ -325,7 +333,7 @@ for (let i = 0; i < experimentalAlgorithms.length; i++){
 }
 
 constsimpleAlgorithmDictionaries={
-AesGcmParams: {iv: 'BufferSource',additionalData: 'BufferSource'},
+AeadParams: {iv: 'BufferSource',additionalData: 'BufferSource'},
 RsaHashedKeyGenParams: {hash: 'HashAlgorithmIdentifier'},
 EcKeyGenParams: {},
 HmacKeyGenParams: {hash: 'HashAlgorithmIdentifier'},

lib/internal/crypto/util.js

@@ -155,6 +155,11 @@ async function generateKey(
 result=awaitrequire('internal/crypto/aes')
 .aesGenerateKey(algorithm,extractable,keyUsages);
 break;
+case'ChaCha20-Poly1305':
+resultType='CryptoKey';
+result=awaitrequire('internal/crypto/chacha20_poly1305')
+.c20pGenerateKey(algorithm,extractable,keyUsages);
+break;
 case'ML-DSA-44':
 // Fall through
 case'ML-DSA-65':
@@ -252,6 +257,8 @@ function getKeyLength({name, length, hash }){
 case'HKDF':
 case'PBKDF2':
 returnnull;
+case'ChaCha20-Poly1305':
+return256;
 }
 }
 
@@ -431,7 +438,7 @@ async function exportKeyRawSeed(key){
 }
 }
 
-asyncfunctionexportKeyRawSecret(key){
+asyncfunctionexportKeyRawSecret(key,format){
 switch(key.algorithm.name){
 case'AES-CTR':
 // Fall through
@@ -443,6 +450,11 @@ async function exportKeyRawSecret(key){
 // Fall through
 case'HMAC':
 returnkey[kKeyObject][kHandle].export().buffer;
+case'ChaCha20-Poly1305':
+if(format==='raw-secret'){
+returnkey[kKeyObject][kHandle].export().buffer;
+}
+returnundefined;
 default:
 returnundefined;
 }
@@ -504,6 +516,9 @@ async function exportKeyJWK(key){
 parameters.alg=require('internal/crypto/aes')
 .getAlgorithmName(key.algorithm.name,key.algorithm.length);
 break;
+case'ChaCha20-Poly1305':
+parameters.alg='C20P';
+break;
 case'HMAC': {
 constalg=normalizeHashName(
 key.algorithm.hash.name,
@@ -563,7 +578,7 @@ async function exportKey(format, key){
 }
 case'raw-secret': {
 if(key.type==='secret'){
-result=awaitexportKeyRawSecret(key);
+result=awaitexportKeyRawSecret(key,format);
 }
 break;
 }
@@ -581,7 +596,7 @@ async function exportKey(format, key){
 }
 case'raw': {
 if(key.type==='secret'){
-result=awaitexportKeyRawSecret(key);
+result=awaitexportKeyRawSecret(key,format);
 }elseif(key.type==='public'){
 result=awaitexportKeyRawPublic(key,format);
 }
@@ -687,6 +702,10 @@ async function importKey(
 result=require('internal/crypto/aes')
 .aesImportKey(algorithm,format,keyData,extractable,keyUsages);
 break;
+case'ChaCha20-Poly1305':
+result=require('internal/crypto/chacha20_poly1305')
+.c20pImportKey(algorithm,format,keyData,extractable,keyUsages);
+break;
 case'HKDF':
 // Fall through
 case'PBKDF2':
@@ -975,6 +994,9 @@ async function cipherOrWrap(mode, algorithm, key, data, op){
 case'AES-GCM':
 returnrequire('internal/crypto/aes')
 .aesCipher(mode,key,data,algorithm);
+case'ChaCha20-Poly1305':
+returnrequire('internal/crypto/chacha20_poly1305')
+.c20pCipher(mode,key,data,algorithm);
 case'AES-KW':
 if(op==='wrapKey'||op==='unwrapKey'){
 returnrequire('internal/crypto/aes')