crypto: add ChaCha20-Poly1305 Web Cryptography algorithm

PR-URL: #59365
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Ethan Arrowood <ethan@arrowood.dev>
Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com>

Author: panva

deps/ncrypto/ncrypto.cc

@@ -2927,6 +2927,7 @@ const Cipher Cipher::AES_256_GCM = Cipher::FromNid(NID_aes_256_gcm);
 const Cipher Cipher::AES_128_KW = Cipher::FromNid(NID_id_aes128_wrap);
 const Cipher Cipher::AES_192_KW = Cipher::FromNid(NID_id_aes192_wrap);
 const Cipher Cipher::AES_256_KW = Cipher::FromNid(NID_id_aes256_wrap);
+const Cipher Cipher::CHACHA20_POLY1305 = Cipher::FromNid(NID_chacha20_poly1305);
 
 bool Cipher::isGcmMode() const {
   if (!cipher_) return false;

deps/ncrypto/ncrypto.h

@@ -373,6 +373,7 @@ class Cipher final {
   static const Cipher AES_128_KW;
   static const Cipher AES_192_KW;
   static const Cipher AES_256_KW;
+  static const Cipher CHACHA20_POLY1305;
 
   struct CipherParams {
     int padding;

doc/api/webcrypto.md

@@ -0,0 +1,191 @@
+'use strict';
+
+const {
+  ArrayBufferIsView,
+  ArrayBufferPrototypeSlice,
+  ArrayFrom,
+  PromiseReject,
+  SafeSet,
+  TypedArrayPrototypeSlice,
+} = primordials;
+
+const {
+  ChaCha20Poly1305CipherJob,
+  KeyObjectHandle,
+  kCryptoJobAsync,
+  kWebCryptoCipherDecrypt,
+  kWebCryptoCipherEncrypt,
+} = internalBinding('crypto');
+
+const {
+  hasAnyNotIn,
+  jobPromise,
+  validateKeyOps,
+  kHandle,
+  kKeyObject,
+} = require('internal/crypto/util');
+
+const {
+  lazyDOMException,
+  promisify,
+} = require('internal/util');
+
+const {
+  InternalCryptoKey,
+  SecretKeyObject,
+  createSecretKey,
+} = require('internal/crypto/keys');
+
+const {
+  randomBytes: _randomBytes,
+} = require('internal/crypto/random');
+
+const randomBytes = promisify(_randomBytes);
+
+function validateKeyLength(length) {
+  if (length !== 256)
+    throw lazyDOMException('Invalid key length', 'DataError');
+}
+
+function c20pCipher(mode, key, data, algorithm) {
+  let tag;
+  switch (mode) {
+    case kWebCryptoCipherDecrypt: {
+      const slice = ArrayBufferIsView(data) ?
+        TypedArrayPrototypeSlice : ArrayBufferPrototypeSlice;
+
+      if (data.byteLength < 16) {
+        return PromiseReject(lazyDOMException(
+          'The provided data is too small.',
+          'OperationError'));
+      }
+
+      tag = slice(data, -16);
+      data = slice(data, 0, -16);
+      break;
+    }
+    case kWebCryptoCipherEncrypt:
+      tag = 16;
+      break;
+  }
+
+  return jobPromise(() => new ChaCha20Poly1305CipherJob(
+    kCryptoJobAsync,
+    mode,
+    key[kKeyObject][kHandle],
+    data,
+    algorithm.iv,
+    tag,
+    algorithm.additionalData));
+}
+
+async function c20pGenerateKey(algorithm, extractable, keyUsages) {
+  const { name } = algorithm;
+
+  const checkUsages = ['encrypt', 'decrypt', 'wrapKey', 'unwrapKey'];
+
+  const usagesSet = new SafeSet(keyUsages);
+  if (hasAnyNotIn(usagesSet, checkUsages)) {
+    throw lazyDOMException(
+      `Unsupported key usage for a ${algorithm.name} key`,
+      'SyntaxError');
+  }
+
+  const keyData = await randomBytes(32).catch((err) => {
+    throw lazyDOMException(
+      'The operation failed for an operation-specific reason' +
+      `[${err.message}]`,
+      { name: 'OperationError', cause: err });
+  });
+
+  return new InternalCryptoKey(
+    createSecretKey(keyData),
+    { name },
+    ArrayFrom(usagesSet),
+    extractable);
+}
+
+function c20pImportKey(
+  algorithm,
+  format,
+  keyData,
+  extractable,
+  keyUsages) {
+  const { name } = algorithm;
+  const checkUsages = ['encrypt', 'decrypt', 'wrapKey', 'unwrapKey'];
+
+  const usagesSet = new SafeSet(keyUsages);
+  if (hasAnyNotIn(usagesSet, checkUsages)) {
+    throw lazyDOMException(
+      `Unsupported key usage for a ${algorithm.name} key`,
+      'SyntaxError');
+  }
+
+  let keyObject;
+  switch (format) {
+    case 'KeyObject': {
+      keyObject = keyData;
+      break;
+    }
+    case 'raw-secret': {
+      keyObject = createSecretKey(keyData);
+      break;
+    }
+    case 'jwk': {
+      if (!keyData.kty)
+        throw lazyDOMException('Invalid keyData', 'DataError');
+
+      if (keyData.kty !== 'oct')
+        throw lazyDOMException('Invalid JWK "kty" Parameter', 'DataError');
+
+      if (usagesSet.size > 0 &&
+          keyData.use !== undefined &&
+          keyData.use !== 'enc') {
+        throw lazyDOMException('Invalid JWK "use" Parameter', 'DataError');
+      }
+
+      validateKeyOps(keyData.key_ops, usagesSet);
+
+      if (keyData.ext !== undefined &&
+          keyData.ext === false &&
+          extractable === true) {
+        throw lazyDOMException(
+          'JWK "ext" Parameter and extractable mismatch',
+          'DataError');
+      }
+
+      const handle = new KeyObjectHandle();
+      try {
+        handle.initJwk(keyData);
+      } catch (err) {
+        throw lazyDOMException(
+          'Invalid keyData', { name: 'DataError', cause: err });
+      }
+
+      if (keyData.alg !== undefined && keyData.alg !== 'C20P') {
+        throw lazyDOMException(
+          'JWK "alg" does not match the requested algorithm',
+          'DataError');
+      }
+
+      keyObject = new SecretKeyObject(handle);
+      break;
+    }
+    default:
+      return undefined;
+  }
+
+  validateKeyLength(keyObject.symmetricKeySize * 8);
+
+  return new InternalCryptoKey(
+    keyObject,
+    { name },
+    keyUsages,
+    extractable);
+}
+
+module.exports = {
+  c20pCipher,
+  c20pGenerateKey,
+  c20pImportKey,
+};

lib/internal/crypto/chacha20_poly1305.js

@@ -199,6 +199,10 @@ const {
           result = require('internal/crypto/aes')
             .aesImportKey(algorithm, 'KeyObject', this, extractable, keyUsages);
           break;
+        case 'ChaCha20-Poly1305':
+          result = require('internal/crypto/chacha20_poly1305')
+            .c20pImportKey(algorithm, 'KeyObject', this, extractable, keyUsages);
+          break;
         case 'HKDF':
           // Fall through
         case 'PBKDF2':

lib/internal/crypto/keys.js

@@ -245,13 +245,13 @@ const kSupportedAlgorithms = {
   'encrypt': {
     'RSA-OAEP': 'RsaOaepParams',
     'AES-CBC': 'AesCbcParams',
-    'AES-GCM': 'AesGcmParams',
+    'AES-GCM': 'AeadParams',
     'AES-CTR': 'AesCtrParams',
   },
   'decrypt': {
     'RSA-OAEP': 'RsaOaepParams',
     'AES-CBC': 'AesCbcParams',
-    'AES-GCM': 'AesGcmParams',
+    'AES-GCM': 'AeadParams',
     'AES-CTR': 'AesCtrParams',
   },
   'get key length': {
@@ -290,6 +290,14 @@ const experimentalAlgorithms = ObjectEntries({
   'SHA3-256': { digest: null },
   'SHA3-384': { digest: null },
   'SHA3-512': { digest: null },
+  'ChaCha20-Poly1305': {
+    'encrypt': 'AeadParams',
+    'decrypt': 'AeadParams',
+    'generateKey': null,
+    'importKey': null,
+    'exportKey': null,
+    'get key length': null,
+  },
 });
 
 for (const { 0: algorithm, 1: nid } of [
@@ -325,7 +333,7 @@ for (let i = 0; i < experimentalAlgorithms.length; i++) {
 }
 
 const simpleAlgorithmDictionaries = {
-  AesGcmParams: { iv: 'BufferSource', additionalData: 'BufferSource' },
+  AeadParams: { iv: 'BufferSource', additionalData: 'BufferSource' },
   RsaHashedKeyGenParams: { hash: 'HashAlgorithmIdentifier' },
   EcKeyGenParams: {},
   HmacKeyGenParams: { hash: 'HashAlgorithmIdentifier' },

lib/internal/crypto/util.js

@@ -155,6 +155,11 @@ async function generateKey(
       result = await require('internal/crypto/aes')
         .aesGenerateKey(algorithm, extractable, keyUsages);
       break;
+    case 'ChaCha20-Poly1305':
+      resultType = 'CryptoKey';
+      result = await require('internal/crypto/chacha20_poly1305')
+        .c20pGenerateKey(algorithm, extractable, keyUsages);
+      break;
     case 'ML-DSA-44':
       // Fall through
     case 'ML-DSA-65':
@@ -252,6 +257,8 @@ function getKeyLength({ name, length, hash }) {
     case 'HKDF':
     case 'PBKDF2':
       return null;
+    case 'ChaCha20-Poly1305':
+      return 256;
   }
 }
 
@@ -431,7 +438,7 @@ async function exportKeyRawSeed(key) {
   }
 }
 
-async function exportKeyRawSecret(key) {
+async function exportKeyRawSecret(key, format) {
   switch (key.algorithm.name) {
     case 'AES-CTR':
       // Fall through
@@ -443,6 +450,11 @@ async function exportKeyRawSecret(key) {
       // Fall through
     case 'HMAC':
       return key[kKeyObject][kHandle].export().buffer;
+    case 'ChaCha20-Poly1305':
+      if (format === 'raw-secret') {
+        return key[kKeyObject][kHandle].export().buffer;
+      }
+      return undefined;
     default:
       return undefined;
   }
@@ -504,6 +516,9 @@ async function exportKeyJWK(key) {
       parameters.alg = require('internal/crypto/aes')
         .getAlgorithmName(key.algorithm.name, key.algorithm.length);
       break;
+    case 'ChaCha20-Poly1305':
+      parameters.alg = 'C20P';
+      break;
     case 'HMAC': {
       const alg = normalizeHashName(
         key.algorithm.hash.name,
@@ -563,7 +578,7 @@ async function exportKey(format, key) {
     }
     case 'raw-secret': {
       if (key.type === 'secret') {
-        result = await exportKeyRawSecret(key);
+        result = await exportKeyRawSecret(key, format);
       }
       break;
     }
@@ -581,7 +596,7 @@ async function exportKey(format, key) {
     }
     case 'raw': {
       if (key.type === 'secret') {
-        result = await exportKeyRawSecret(key);
+        result = await exportKeyRawSecret(key, format);
       } else if (key.type === 'public') {
         result = await exportKeyRawPublic(key, format);
       }
@@ -687,6 +702,10 @@ async function importKey(
       result = require('internal/crypto/aes')
         .aesImportKey(algorithm, format, keyData, extractable, keyUsages);
       break;
+    case 'ChaCha20-Poly1305':
+      result = require('internal/crypto/chacha20_poly1305')
+        .c20pImportKey(algorithm, format, keyData, extractable, keyUsages);
+      break;
     case 'HKDF':
       // Fall through
     case 'PBKDF2':
@@ -975,6 +994,9 @@ async function cipherOrWrap(mode, algorithm, key, data, op) {
     case 'AES-GCM':
       return require('internal/crypto/aes')
         .aesCipher(mode, key, data, algorithm);
+    case 'ChaCha20-Poly1305':
+      return require('internal/crypto/chacha20_poly1305')
+        .c20pCipher(mode, key, data, algorithm);
     case 'AES-KW':
       if (op === 'wrapKey' || op === 'unwrapKey') {
         return require('internal/crypto/aes')