Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

secureHeap not used for some key material. #57750

Open
warren-gallagher opened this issue Apr 4, 2025 · 0 comments
Open

secureHeap not used for some key material. #57750

warren-gallagher opened this issue Apr 4, 2025 · 0 comments

Comments

@warren-gallagher
Copy link

Version

v23.11.0

Platform

Darwin Warrens-MacBook-Air.local 24.4.0 Darwin Kernel Version 24.4.0: Wed Mar 19 21:18:03 PDT 2025; root:xnu-11417.101.15~1/RELEASE_ARM64_T8112 arm64

Subsystem

webcryptoAPI

What steps will reproduce the bug?

When running with --secure-heap, a few of the key management APIs do not appear to use the secure heap.

  • Importing an EdDSA private JWK that uses crv: 'ed25519' does not consume any secure heap.
  • Importing a raw symmetric key used to sign/verify using HMAC does not consume any secure heap.

Example EdDSA

# Run 
node --secure-heap=16384 index.js
import { secureHeapUsed, subtle } from 'node:crypto';
console.log(`Initial: ${JSON.stringify(secureHeapUsed(),null,2)}`);
const keyUsages: readonly KeyUsage[] = ['sign'];
const edDSAPrivateJWK = {
  'crv': 'Ed25519',
  'd': '4qj1TfnAkXM_ghBXw1ER-k6rSkkayZzMgz8Kw-rnNak',
  'x': 'v2OsopN2TaOvgNSYq-0RUAlMs2IWZijAv7zaa7uyYRc',
  'kty': 'OKP'
};
const edDSAAlgorithm = {name: edDSAPrivateJWK.crv, namedCurve: edDSAPrivateJWK.crv};
const edDSAPrivate = await crypto.subtle.importKey('jwk', edDSAPrivateJWK, edDSAAlgorithm, true, keyUsages);
console.log(`After import of EdDSA private JWK ${JSON.stringify(secureHeapUsed(),null,2)}`);

Example Raw symmetric key

# Run 
node --secure-heap=16384 index.js
import { secureHeapUsed, subtle } from 'node:crypto';
console.log(`Initial: ${JSON.stringify(secureHeapUsed(),null,2)}`);
const symmetricKey = '58c19f2dae60bd28ba13c704401b8fdc76de9f5359b1ee43443bda4b5406eae3';
let secretAsBuffer = Buffer.from(symmetricKey, 'hex');
let importedSymmetricSigningKey = await subtle.importKey('raw', secretAsBuffer, {name: 'HMAC', hash: 'SHA-256'}, true, ['sign', 'verify']);
console.log(`After importedSymmetricSigningKey: ${JSON.stringify(secureHeapUsed(),null,2)}`);

How often does it reproduce? Is there a required condition?

Every time

What is the expected behavior? Why is that the expected behavior?

The expected behavior is that some secure heap would be consumed to represent the private key.

I expect this because:

  • If I import an EC P256 JWK it does use secure heap
  • If I import an EdDSA ed25519 der formatted key it uses the secure heap

What do you see instead?

  "total": 16384,
  "used": 0,
  "utilization": 0,
  "min": 2
}
After import of EdDSA private JWK {
  "total": 16384,
  "used": 0,
  "utilization": 0,
  "min": 2
}

Additional information

The example keys were randomly generated for the purposes of this example.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@warren-gallagher