tools: prevent lib code from reading KeyObject and CryptoKey accessors

Add ESLint rules that reject public KeyObject and CryptoKey accessor
reads after internal brand checks. Internal code must use the private
key helpers so it reads native-backed slots instead of user-replaceable
properties.

Add a separate rule that rejects instanceof checks against KeyObject
and CryptoKey constructors, including the global CryptoKey constructor.

Signed-off-by: Filip Skokan <panva.ip@gmail.com>
PR-URL: #63111
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>

Author: panva

lib/eslint.config_partial.mjs

@@ -424,6 +424,9 @@ export default [
       'node-core/lowercase-name-for-primitive': 'error',
       'node-core/non-ascii-character': 'error',
       'node-core/no-array-destructuring': 'error',
+      'node-core/no-cryptokey-public-accessors': 'error',
+      'node-core/no-keyobject-cryptokey-instanceof': 'error',
+      'node-core/no-keyobject-public-accessors': 'error',
       'node-core/prefer-primordials': [
         'error',
         { name: 'AggregateError' },

lib/internal/crypto/diffiehellman.js

@@ -55,6 +55,8 @@ const {
   getCryptoKeyAlgorithm,
   getCryptoKeyHandle,
   getCryptoKeyType,
+  getKeyObjectAsymmetricKeyType,
+  getKeyObjectType,
   preparePrivateKey,
   preparePublicOrPrivateKey,
 } = require('internal/crypto/keys');
@@ -296,20 +298,22 @@ function diffieHellman(options, callback) {
     throw new ERR_INVALID_ARG_VALUE('options.publicKey', publicKey);
 
   if (isKeyObject(privateKey)) {
-    if (privateKey.type !== 'private')
-      throw new ERR_CRYPTO_INVALID_KEY_OBJECT_TYPE(privateKey.type, 'private');
+    const type = getKeyObjectType(privateKey);
+    if (type !== 'private')
+      throw new ERR_CRYPTO_INVALID_KEY_OBJECT_TYPE(type, 'private');
   }
 
   if (isKeyObject(publicKey)) {
-    if (publicKey.type !== 'public' && publicKey.type !== 'private') {
-      throw new ERR_CRYPTO_INVALID_KEY_OBJECT_TYPE(publicKey.type,
+    const type = getKeyObjectType(publicKey);
+    if (type !== 'public' && type !== 'private') {
+      throw new ERR_CRYPTO_INVALID_KEY_OBJECT_TYPE(type,
                                                    'private or public');
     }
   }
 
   if (isKeyObject(privateKey) && isKeyObject(publicKey)) {
-    const privateType = privateKey.asymmetricKeyType;
-    const publicType = publicKey.asymmetricKeyType;
+    const privateType = getKeyObjectAsymmetricKeyType(privateKey);
+    const publicType = getKeyObjectAsymmetricKeyType(publicKey);
     if (privateType !== publicType || !dhEnabledKeyTypes.has(privateType)) {
       throw new ERR_CRYPTO_INCOMPATIBLE_KEY('key types for Diffie-Hellman',
                                             `${privateType} and ${publicType}`);

test/parallel/test-eslint-no-cryptokey-public-accessors.js

@@ -0,0 +1,88 @@
+'use strict';
+
+const common = require('../common');
+common.skipIfEslintMissing();
+
+const RuleTester = require('../../tools/eslint/node_modules/eslint').RuleTester;
+const rule = require('../../tools/eslint-rules/no-cryptokey-public-accessors');
+
+new RuleTester().run('no-cryptokey-public-accessors', rule, {
+  valid: [
+    'foo.algorithm;',
+    `
+    const { isCryptoKey, getCryptoKeyAlgorithm } =
+      require('internal/crypto/keys');
+    if (isCryptoKey(key)) {
+      getCryptoKeyAlgorithm(key);
+    }
+    `,
+    `
+    const { CryptoKey } = require('internal/crypto/keys');
+    class Key extends CryptoKey {
+      get type() { return 'secret'; }
+    }
+    `,
+    `
+    key = webidl.converters.KeyFormat(key);
+    key.algorithm;
+    `,
+  ],
+  invalid: [
+    {
+      code: `
+      const { isCryptoKey } = require('internal/crypto/keys');
+      if (isCryptoKey(key)) {
+        key.type;
+      }
+      `,
+      errors: [{ messageId: 'noPublicAccessor' }],
+    },
+    {
+      code: `
+      const { isCryptoKey: check } = require('internal/crypto/keys');
+      if (check(key) && key.extractable) {}
+      `,
+      errors: [{ messageId: 'noPublicAccessor' }],
+    },
+    {
+      code: `
+      const { isCryptoKey } = require('internal/crypto/keys');
+      if (!isCryptoKey(key)) {
+        throw new TypeError();
+      }
+      key.algorithm.name;
+      `,
+      errors: [{ messageId: 'noPublicAccessor' }],
+    },
+    {
+      code: `
+      const keys = require('internal/crypto/keys');
+      if (!keys.isCryptoKey(key)) throw new TypeError();
+      key['usages'];
+      `,
+      errors: [{ messageId: 'noPublicAccessor' }],
+    },
+    {
+      code: `
+      key = webidl.converters.CryptoKey(key);
+      key.algorithm;
+      `,
+      errors: [{ messageId: 'noPublicAccessor' }],
+    },
+    {
+      code: `
+      const key = webidl.converters.CryptoKey(value);
+      key.usages;
+      `,
+      errors: [{ messageId: 'noPublicAccessor' }],
+    },
+    {
+      code: `
+      class CryptoKey {
+        inspect() { return this.algorithm; }
+      }
+      `,
+      errors: [{ messageId: 'noPublicAccessor' }],
+    },
+  ],
+});

test/parallel/test-eslint-no-keyobject-cryptokey-instanceof.js

@@ -0,0 +1,78 @@
+'use strict';
+
+const common = require('../common');
+common.skipIfEslintMissing();
+
+const RuleTester = require('../../tools/eslint/node_modules/eslint').RuleTester;
+const rule = require('../../tools/eslint-rules/no-keyobject-cryptokey-instanceof');
+
+new RuleTester().run('no-keyobject-cryptokey-instanceof', rule, {
+  valid: [
+    'key instanceof Buffer;',
+    'key instanceof KeyObject;',
+    `
+    const { isKeyObject } = require('internal/crypto/keys');
+    isKeyObject(key);
+    `,
+    `
+    const { isCryptoKey } = require('internal/crypto/keys');
+    isCryptoKey(key);
+    `,
+  ],
+  invalid: [
+    {
+      code: `
+      const { KeyObject } = require('internal/crypto/keys');
+      key instanceof KeyObject;
+      `,
+      errors: [{ messageId: 'noKeyObjectInstanceof' }],
+    },
+    {
+      code: `
+      const { KeyObject: KO } = require('internal/crypto/keys');
+      key instanceof KO;
+      `,
+      errors: [{ messageId: 'noKeyObjectInstanceof' }],
+    },
+    {
+      code: `
+      const keys = require('internal/crypto/keys');
+      key instanceof keys.KeyObject;
+      `,
+      errors: [{ messageId: 'noKeyObjectInstanceof' }],
+    },
+    {
+      code: `
+      key instanceof CryptoKey;
+      `,
+      errors: [{ messageId: 'noCryptoKeyInstanceof' }],
+    },
+    {
+      code: `
+      const { CryptoKey } = require('internal/crypto/keys');
+      key instanceof CryptoKey;
+      `,
+      errors: [{ messageId: 'noCryptoKeyInstanceof' }],
+    },
+    {
+      code: `
+      const { CryptoKey: CK } = require('internal/crypto/webcrypto');
+      key instanceof CK;
+      `,
+      errors: [{ messageId: 'noCryptoKeyInstanceof' }],
+    },
+    {
+      code: `
+      const webcrypto = require('internal/crypto/webcrypto');
+      key instanceof webcrypto.CryptoKey;
+      `,
+      errors: [{ messageId: 'noCryptoKeyInstanceof' }],
+    },
+    {
+      code: `
+      key instanceof globalThis.CryptoKey;
+      `,
+      errors: [{ messageId: 'noCryptoKeyInstanceof' }],
+    },
+  ],
+});

test/parallel/test-eslint-no-keyobject-public-accessors.js

@@ -0,0 +1,85 @@
+'use strict';
+
+const common = require('../common');
+common.skipIfEslintMissing();
+
+const RuleTester = require('../../tools/eslint/node_modules/eslint').RuleTester;
+const rule = require('../../tools/eslint-rules/no-keyobject-public-accessors');
+
+new RuleTester().run('no-keyobject-public-accessors', rule, {
+  valid: [
+    'foo.type;',
+    `
+    const { isKeyObject, getKeyObjectType } =
+      require('internal/crypto/keys');
+    if (isKeyObject(key)) {
+      getKeyObjectType(key);
+    }
+    `,
+    `
+    const { isKeyObject } = require('internal/crypto/keys');
+    if (format === 'raw-public') {
+      key.asymmetricKeyType;
+    }
+    `,
+    `
+    const { KeyObject } = require('internal/crypto/keys');
+    class Key extends KeyObject {
+      get type() { return 'secret'; }
+    }
+    `,
+  ],
+  invalid: [
+    {
+      code: `
+      const { isKeyObject } = require('internal/crypto/keys');
+      if (isKeyObject(key)) {
+        key.type;
+      }
+      `,
+      errors: [{ messageId: 'noPublicAccessor' }],
+    },
+    {
+      code: `
+      const { isKeyObject: check } = require('internal/crypto/keys');
+      if (check(key) && key.symmetricKeySize === 32) {}
+      `,
+      errors: [{ messageId: 'noPublicAccessor' }],
+    },
+    {
+      code: `
+      const { isKeyObject } = require('internal/crypto/keys');
+      if (!isKeyObject(otherKeyObject)) {
+        throw new TypeError();
+      }
+      otherKeyObject.asymmetricKeyType;
+      `,
+      errors: [{ messageId: 'noPublicAccessor' }],
+    },
+    {
+      code: `
+      const keys = require('internal/crypto/keys');
+      if (!keys.isKeyObject(otherKeyObject)) throw new TypeError();
+      otherKeyObject.asymmetricKeyDetails;
+      `,
+      errors: [{ messageId: 'noPublicAccessor' }],
+    },
+    {
+      code: `
+      class SecretKeyObject extends KeyObject {
+        export() { return this.symmetricKeySize; }
+      }
+      `,
+      errors: [{ messageId: 'noPublicAccessor' }],
+    },
+    {
+      code: `
+      const { isKeyObject } = require('internal/crypto/keys');
+      if (isKeyObject(key)) {
+        key.equals(otherKey);
+      }
+      `,
+      errors: [{ messageId: 'noPublicAccessor' }],
+    },
+  ],
+});