git.kaiwu.me - njs.git/commit

author	Dmitry Volyntsev <xeioex@nginx.com>
	Mon, 2 Mar 2026 17:35:48 +0000 (09:35 -0800)
committer	Dmitry Volyntsev <xeioexception@gmail.com>
	Tue, 3 Mar 2026 17:03:28 +0000 (09:03 -0800)
commit	8b7036fac15498bc1aae95d5548ef9093e9839e6
tree	86b269c8714a12cfd353e4e9b859d4e2ea4a82ed	tree \| snapshot
parent	d92e1ee74caf1d4815559d31bcb51df20e20d9a3	commit \| diff

WebCrypto: validate JWK key type against algorithm in importKey().

Previously, importKey() did not verify that the JWK "kty" field
matched the requested algorithm.  For example, importing a JWK with
kty "oct" (symmetric) while specifying an asymmetric algorithm like
ECDH caused a SEGV in EVP_PKEY_free() during cleanup.  This happened
because the symmetric key data written into the union's "raw" member
overlapped with the "pkey" pointer, corrupting it.

The fix validates kty before calling any JWK import function:
    - "RSA" is only accepted for RSA-OAEP, RSA-PSS, RSASSA-PKCS1-v1_5
    - "EC" is only accepted for ECDSA, ECDH
    - "oct" is only accepted for HMAC, AES-GCM, AES-CTR, AES-CBC

Found by Akshay Jain (akshaythe@gmail.com).

external/njs_webcrypto_module.c		diff \| blob \| history
external/qjs_webcrypto_module.c		diff \| blob \| history
test/webcrypto/import.t.mjs		diff \| blob \| history