fix(ext/crypto): move getPublicKey to SubtleCrypto and validate usages (#34913)

divybot · littledivy · web-flow · commit 987d01d344ef · 2026-06-05T17:44:47.000Z
## Summary [`getPublicKey`](https://wicg.github.io/webcrypto-modern-algos/#SubtleCrypto-method-getPublicKey) was incorrectly exposed as a method on `CryptoKey.prototype`. Per the WICG WebCrypto Modern Algorithms spec it belongs on `SubtleCrypto.prototype` as `getPublicKey(key, keyUsages)`, and it must validate the requested public-key usages for the key's algorithm. It also previously did no usage validation. Before: ```js const kp = await crypto.subtle.generateKey({ name: "ML-KEM-512" }, true, ["decapsulateBits"]); kp.privateKey.getPublicKey(["sign"]); // returned a CryptoKey (wrong) ``` After: ```js const kp = await crypto.subtle.generateKey({ name: "ML-KEM-512" }, true, ["decapsulateBits"]); kp.privateKey.getPublicKey; // undefined -> TypeError when called await crypto.subtle.getPublicKey(kp.privateKey, ["encapsulateBits"]); // CryptoKey await crypto.subtle.getPublicKey(kp.privateKey, ["sign"]); // DOMException (SyntaxError) ``` ## Changes - Removed `getPublicKey()` from `CryptoKey` (so `key.getPublicKey` is now `undefined`). - Added async `SubtleCrypto.prototype.getPublicKey(key, keyUsages)` following the spec step order: - `NotSupportedError` for algorithms that cannot derive a public key (symmetric/KDF), - `InvalidAccessError` when the input is not a private key, - `SyntaxError` when a requested usage is not valid for a public key of the algorithm, - otherwise derives an extractable public key with the requested usages. - Implemented support for **all** asymmetric algorithms: RSA, EC (ECDSA/ECDH), Ed25519, X25519, X448, ML-KEM and ML-DSA. RSA/EC reuse the existing SPKI export path (which already derives the public key from the private key) and re-import; Ed25519/X25519/X448 derive the raw public key and re-import as a JWK. A new `op_crypto_x448_public_key` op derives the X448 public key from its private key. - Updated the `WebCryptoAPI` WPT expectations: `getPublicKey.tentative` now passes fully, and the `getPublicKey` `idlharness` subtests are no longer expected to fail. ## Tests - Updated the existing ML-KEM/ML-DSA `getPublicKey` unit tests to the new API and added invalid-usage / wrong-key-type rejection assertions. - Added unit tests covering `getPublicKey` for the classical algorithms (ECDSA, Ed25519, X25519, RSA-PSS) and the `NotSupportedError` case. - The `getPublicKey.tentative` WPT test passes for every covered algorithm (verified by replicating each subtest against the build). Closes #34907 Closes denoland/divybot#495 Co-authored-by: divybot <divybot@users.noreply.github.com> Co-authored-by: Divy Srivastava <me@littledivy.com>
diff --git a/ext/crypto/00_crypto.js b/ext/crypto/00_crypto.js
@@ -65,6 +65,7 @@ const {
   op_crypto_verify_mldsa,
   op_crypto_wrap_key,
   op_crypto_x25519_public_key,
+  op_crypto_x448_public_key,
 } = core.ops;
 const {
   ArrayBufferIsView,
@@ -472,79 +473,6 @@ class CryptoKey {
     return this[_algorithm];
   }
 
-  /**
-   * Derive the public key associated with this CryptoKey, when the underlying
-   * algorithm supports it (currently ML-KEM decapsulation keys and ML-DSA
-   * signing keys).
-   *
-   * https://wicg.github.io/webcrypto-modern-algos/#CryptoKey-method-getPublicKey
-   *
-   * @returns {CryptoKey}
-   */
-  getPublicKey() {
-    webidl.assertBranded(this, CryptoKeyPrototype);
-    if (this[_type] !== "private") {
-      throw new DOMException(
-        "getPublicKey() is only valid on private keys",
-        "InvalidAccessError",
-      );
-    }
-
-    const algorithm = this[_algorithm];
-    const algorithmName = algorithm.name;
-    switch (algorithmName) {
-      case "ML-KEM-512":
-      case "ML-KEM-768":
-      case "ML-KEM-1024": {
-        const handle = this[_handle];
-        let publicKeyBytes;
-        try {
-          publicKeyBytes = op_crypto_ml_kem_get_public_key(
-            algorithmName,
-            handle.cppgc,
-          );
-        } catch (_) {
-          throw new DOMException(
-            "Failed to derive public key",
-            "OperationError",
-          );
-        }
-        const pubHandle = {};
-        setKeyData(pubHandle, publicKeyBytes);
-        const filteredUsages = ArrayPrototypeFilter(
-          this[_usages],
-          (u) => u === "encapsulateKey" || u === "encapsulateBits",
-        );
-        return constructKey(
-          "public",
-          true,
-          filteredUsages.length > 0
-            ? filteredUsages
-            : ["encapsulateKey", "encapsulateBits"],
-          { name: algorithmName },
-          pubHandle,
-        );
-      }
-      case "ML-DSA-44":
-      case "ML-DSA-65":
-      case "ML-DSA-87": {
-        const pub = WeakMapPrototypeGet(MLDSA_PUBLIC_FROM_PRIVATE, this);
-        if (pub === undefined) {
-          throw new DOMException(
-            "Public key is not available",
-            "InvalidAccessError",
-          );
-        }
-        return pub;
-      }
-      default:
-        throw new DOMException(
-          `getPublicKey() is not supported for ${algorithmName}`,
-          "NotSupportedError",
-        );
-    }
-  }
-
   [SymbolFor("Deno.privateCustomInspect")](inspect, inspectOptions) {
     return inspect(
       createFilteredInspectProxy({
@@ -623,6 +551,21 @@ function usageIntersection(a, b) {
   );
 }
 
+/**
+ * Throw a SyntaxError if any requested usage is not valid for a public key of
+ * the algorithm (i.e. is not present in `allowed`).
+ *
+ * @param {string[]} requested
+ * @param {string[]} allowed
+ */
+function validatePublicKeyUsages(requested, allowed) {
+  for (let i = 0; i < requested.length; i++) {
+    if (!ArrayPrototypeIncludes(allowed, requested[i])) {
+      throw new DOMException("Invalid key usage", "SyntaxError");
+    }
+  }
+}
+
 // The key material for every CryptoKey lives in Rust, wrapped in a V8
 // garbage-collected (cppgc) object created by `op_crypto_key_store_insert`. A
 // `handle` here is a plain object that holds that cppgc object on its `cppgc`
@@ -2372,6 +2315,183 @@ class SubtleCrypto {
     return TypedArrayPrototypeGetBuffer(sharedSecret);
   }
 
+  /**
+   * Derive the public key associated with a private key, for asymmetric
+   * algorithms (RSA, EC, Ed25519, X25519/X448 and the post-quantum ML-KEM and
+   * ML-DSA families).
+   *
+   * https://wicg.github.io/webcrypto-modern-algos/#SubtleCrypto-method-getPublicKey
+   *
+   * @param {CryptoKey} key
+   * @param {KeyUsage[]} keyUsages
+   * @returns {Promise<CryptoKey>}
+   */
+  async getPublicKey(key, keyUsages) {
+    webidl.assertBranded(this, SubtleCryptoPrototype);
+    const prefix = "Failed to execute 'getPublicKey' on 'SubtleCrypto'";
+    webidl.requiredArguments(arguments.length, 2, prefix);
+    key = webidl.converters.CryptoKey(key, prefix, "Argument 1");
+    keyUsages = webidl.converters["sequence<KeyUsage>"](
+      keyUsages,
+      prefix,
+      "Argument 2",
+    );
+
+    const algorithm = key[_algorithm];
+    const algorithmName = algorithm.name;
+
+    // 1. Algorithms that cannot derive a public key reject with a
+    // NotSupportedError (this also covers symmetric and KDF algorithms).
+    switch (algorithmName) {
+      case "RSASSA-PKCS1-v1_5":
+      case "RSA-PSS":
+      case "RSA-OAEP":
+      case "ECDSA":
+      case "ECDH":
+      case "Ed25519":
+      case "X25519":
+      case "X448":
+      case "ML-DSA-44":
+      case "ML-DSA-65":
+      case "ML-DSA-87":
+      case "ML-KEM-512":
+      case "ML-KEM-768":
+      case "ML-KEM-1024":
+        break;
+      default:
+        throw new DOMException(
+          `getPublicKey() is not supported for ${algorithmName}`,
+          "NotSupportedError",
+        );
+    }
+
+    // 2. The public key can only be derived from a private key.
+    if (key[_type] !== "private") {
+      throw new DOMException(
+        "Public keys can only be derived from private keys",
+        "InvalidAccessError",
+      );
+    }
+
+    // 3. Derive the public key. For ML-KEM/ML-DSA the usages allowed for a
+    // public key are validated here; for the other algorithms the derived
+    // public key material is re-imported, which performs the same per-algorithm
+    // usage validation (rejecting invalid usages with a SyntaxError).
+    switch (algorithmName) {
+      case "ML-KEM-512":
+      case "ML-KEM-768":
+      case "ML-KEM-1024": {
+        validatePublicKeyUsages(keyUsages, ML_KEM_PUBLIC_USAGES);
+        let publicKeyBytes;
+        try {
+          publicKeyBytes = op_crypto_ml_kem_get_public_key(
+            algorithmName,
+            key[_handle].cppgc,
+          );
+        } catch (_) {
+          throw new DOMException(
+            "Failed to derive public key",
+            "OperationError",
+          );
+        }
+        const pubHandle = {};
+        setKeyData(pubHandle, publicKeyBytes);
+        return constructKey(
+          "public",
+          true,
+          keyUsages,
+          { name: algorithmName },
+          pubHandle,
+        );
+      }
+      case "ML-DSA-44":
+      case "ML-DSA-65":
+      case "ML-DSA-87": {
+        validatePublicKeyUsages(keyUsages, ["verify"]);
+        // The matching public key is derived and stored alongside the private
+        // key at generate/import time; reuse its key material.
+        const pub = WeakMapPrototypeGet(MLDSA_PUBLIC_FROM_PRIVATE, key);
+        if (pub === undefined) {
+          throw new DOMException(
+            "Failed to derive public key",
+            "OperationError",
+          );
+        }
+        return constructKey(
+          "public",
+          true,
+          keyUsages,
+          { name: algorithmName },
+          pub[_handle],
+        );
+      }
+      case "RSASSA-PKCS1-v1_5":
+      case "RSA-PSS":
+      case "RSA-OAEP": {
+        let spki;
+        try {
+          spki = op_crypto_export_key({
+            algorithm: algorithmName,
+            format: "spki",
+          }, getKeyData(key[_handle]));
+        } catch (_) {
+          throw new DOMException(
+            "Failed to derive public key",
+            "OperationError",
+          );
+        }
+        return await this.importKey("spki", spki, algorithm, true, keyUsages);
+      }
+      case "ECDSA":
+      case "ECDH": {
+        let spki;
+        try {
+          spki = op_crypto_export_key({
+            algorithm: algorithmName,
+            namedCurve: algorithm.namedCurve,
+            format: "spki",
+          }, getKeyData(key[_handle]));
+        } catch (_) {
+          throw new DOMException(
+            "Failed to derive public key",
+            "OperationError",
+          );
+        }
+        return await this.importKey("spki", spki, algorithm, true, keyUsages);
+      }
+      default: {
+        // Ed25519, X25519 and X448 store raw key material; derive the raw
+        // public key from the private key and re-import it as a JWK.
+        let x;
+        try {
+          switch (algorithmName) {
+            case "Ed25519":
+              x = op_crypto_jwk_x_ed25519(getKeyData(key[_handle]));
+              break;
+            case "X25519":
+              x = op_crypto_x25519_public_key(getKeyData(key[_handle]));
+              break;
+            default: // X448
+              x = op_crypto_x448_public_key(getKeyData(key[_handle]));
+              break;
+          }
+        } catch (_) {
+          throw new DOMException(
+            "Failed to derive public key",
+            "OperationError",
+          );
+        }
+        const jwk = {
+          kty: "OKP",
+          crv: algorithmName,
+          x,
+          ext: true,
+        };
+        return await this.importKey("jwk", jwk, algorithm, true, keyUsages);
+      }
+    }
+  }
+
   [SymbolFor("Deno.privateCustomInspect")](inspect, inspectOptions) {
     return `${this.constructor.name} ${inspect({}, inspectOptions)}`;
   }
diff --git a/ext/crypto/lib.rs b/ext/crypto/lib.rs
@@ -125,6 +125,7 @@ deno_core::extension!(deno_crypto,
     x448::op_crypto_derive_bits_x448,
     x448::op_crypto_import_spki_x448,
     x448::op_crypto_import_pkcs8_x448,
+    x448::op_crypto_x448_public_key,
     x448::op_crypto_export_spki_x448,
     x448::op_crypto_export_pkcs8_x448,
     ed25519::op_crypto_generate_ed25519_keypair,
diff --git a/ext/crypto/x448.rs b/ext/crypto/x448.rs
@@ -1,5 +1,6 @@
 // Copyright 2018-2026 the Deno authors. MIT license.
 
+use base64::prelude::BASE64_URL_SAFE_NO_PAD;
 use deno_core::convert::Uint8Array;
 use deno_core::op2;
 use ed448_goldilocks::EdwardsScalar;
@@ -79,6 +80,24 @@ pub fn op_crypto_derive_bits_x448(
 const X448_OID: const_oid::ObjectIdentifier =
   const_oid::ObjectIdentifier::new_unwrap("1.3.101.111");
 
+#[op2]
+#[string]
+pub fn op_crypto_x448_public_key(
+  #[buffer] private_key: &[u8],
+) -> Result<String, X448Error> {
+  use base64::Engine;
+
+  let private_key: [u8; 56] = private_key
+    .try_into()
+    .map_err(|_| X448Error::InvalidKeyLength)?;
+  // x448(pkey, 5), identical derivation to op_crypto_generate_x448_keypair.
+  let mut scalar_bytes = [0u8; 57];
+  scalar_bytes[..56].copy_from_slice(&private_key);
+  let scalar = EdwardsScalar::from_bytes_mod_order(&scalar_bytes.into());
+  let point = &MontgomeryPoint::GENERATOR * &scalar;
+  Ok(BASE64_URL_SAFE_NO_PAD.encode(point.0))
+}
+
 #[op2]
 pub fn op_crypto_export_spki_x448(
   #[buffer] pubkey: &[u8],
diff --git a/tests/unit/webcrypto_mldsa_test.ts b/tests/unit/webcrypto_mldsa_test.ts
@@ -5,7 +5,6 @@ import {
   assertEquals,
   assertNotEquals,
   assertRejects,
-  assertThrows,
 } from "./test_util.ts";
 
 // deno-lint-ignore no-explicit-any
@@ -354,10 +353,17 @@ for (const [name, pubLen, privLen, sigLen] of variants) {
       ["sign", "verify"],
     ) as CryptoKeyPair;
 
-    const derived = (privateKey as AnyKey).getPublicKey();
+    // getPublicKey lives on SubtleCrypto.prototype, not CryptoKey.prototype.
+    assertEquals(typeof (privateKey as AnyKey).getPublicKey, "undefined");
+
+    const derived = await (crypto.subtle as AnyKey).getPublicKey(
+      privateKey,
+      ["verify"],
+    );
     assert(derived);
     assertEquals(derived.type, "public");
     assertEquals(derived.algorithm.name, name);
+    assertEquals(derived.usages, ["verify"]);
 
     const rawPub = new Uint8Array(await exportKey("raw-public", publicKey));
     const rawDerived = new Uint8Array(await exportKey("raw-public", derived));
@@ -370,14 +376,20 @@ for (const [name, pubLen, privLen, sigLen] of variants) {
     );
   });
 
-  Deno.test(`webcrypto ${name} getPublicKey() throws for public keys`, async () => {
-    const { publicKey } = await crypto.subtle.generateKey(
+  Deno.test(`webcrypto ${name} getPublicKey() rejects invalid input`, async () => {
+    const { publicKey, privateKey } = await crypto.subtle.generateKey(
       { name } as AnyAlg,
       true,
       ["sign", "verify"],
     ) as CryptoKeyPair;
-    assertThrows(
-      () => (publicKey as AnyKey).getPublicKey(),
+    // Public keys are not valid input.
+    await assertRejects(
+      () => (crypto.subtle as AnyKey).getPublicKey(publicKey, ["verify"]),
+      DOMException,
+    );
+    // Invalid public-key usages for the algorithm reject with SyntaxError.
+    await assertRejects(
+      () => (crypto.subtle as AnyKey).getPublicKey(privateKey, ["sign"]),
       DOMException,
     );
   });
diff --git a/tests/unit/webcrypto_test.ts b/tests/unit/webcrypto_test.ts
diff --git a/tests/wpt/runner/expectations/WebCryptoAPI.json b/tests/wpt/runner/expectations/WebCryptoAPI.json
