crypto: allow zero-length IKM in HKDF

Author: panva

doc/api/crypto.md

@@ -4209,6 +4209,9 @@ web-compatible code use [`crypto.webcrypto.getRandomValues()`][] instead.
 <!-- YAML
 added: v15.0.0
 changes:
+  - version: REPLACEME
+    pr-url: https://github.com/nodejs/node/pull/44201
+    description: The input keying material can now be zero-length.
   - version: v18.0.0
     pr-url: https://github.com/nodejs/node/pull/41678
     description: Passing an invalid callback to the `callback` argument
@@ -4218,7 +4221,7 @@ changes:
 
 * `digest` {string} The digest algorithm to use.
 * `ikm` {string|ArrayBuffer|Buffer|TypedArray|DataView|KeyObject} The input
-  keying material. It must be at least one byte in length.
+  keying material. Must be provided but can be zero-length.
 * `salt` {string|ArrayBuffer|Buffer|TypedArray|DataView} The salt value. Must
   be provided but can be zero-length.
 * `info` {string|ArrayBuffer|Buffer|TypedArray|DataView} Additional info value.
@@ -4268,11 +4271,15 @@ hkdf('sha512', 'key', 'salt', 'info', 64, (err, derivedKey) => {
 
 <!-- YAML
 added: v15.0.0
+changes:
+  - version: REPLACEME
+    pr-url: https://github.com/nodejs/node/pull/44201
+    description: The input keying material can now be zero-length.
 -->
 
 * `digest` {string} The digest algorithm to use.
 * `ikm` {string|ArrayBuffer|Buffer|TypedArray|DataView|KeyObject} The input
-  keying material. It must be at least one byte in length.
+  keying material. Must be provided but can be zero-length.
 * `salt` {string|ArrayBuffer|Buffer|TypedArray|DataView} The salt value. Must
   be provided but can be zero-length.
 * `info` {string|ArrayBuffer|Buffer|TypedArray|DataView} Additional info value.

lib/internal/crypto/hkdf.js

@@ -80,9 +80,8 @@ function prepareKey(key) {
   if (isKeyObject(key))
     return key;
 
-  // TODO(@jasnell): createSecretKey should allow using an ArrayBuffer
   if (isAnyArrayBuffer(key))
-    return createSecretKey(new Uint8Array(key));
+    return createSecretKey(key);
 
   key = toBuf(key);
 

lib/internal/crypto/webcrypto.js

@@ -494,9 +494,6 @@ async function importGenericSecretKey(
 
       const checkLength = keyData.byteLength * 8;
 
-      if (checkLength === 0 || length === 0)
-        throw lazyDOMException('Zero-length key is not supported', 'DataError');
-
       // The Web Crypto spec allows for key lengths that are not multiples of
       // 8. We don't. Our check here is stricter than that defined by the spec
       // in that we require that algorithm.length match keyData.length * 8 if

src/crypto/crypto_hkdf.cc

@@ -103,20 +103,58 @@ bool HKDFTraits::DeriveBits(
   EVPKeyCtxPointer ctx =
       EVPKeyCtxPointer(EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, nullptr));
   if (!ctx || !EVP_PKEY_derive_init(ctx.get()) ||
-      !EVP_PKEY_CTX_hkdf_mode(ctx.get(),
-                              EVP_PKEY_HKDEF_MODE_EXTRACT_AND_EXPAND) ||
       !EVP_PKEY_CTX_set_hkdf_md(ctx.get(), params.digest) ||
-      !EVP_PKEY_CTX_set1_hkdf_salt(
-          ctx.get(), params.salt.data<unsigned char>(), params.salt.size()) ||
-      !EVP_PKEY_CTX_set1_hkdf_key(
-          ctx.get(),
-          reinterpret_cast<const unsigned char*>(params.key->GetSymmetricKey()),
-          params.key->GetSymmetricKeySize()) ||
       !EVP_PKEY_CTX_add1_hkdf_info(
           ctx.get(), params.info.data<unsigned char>(), params.info.size())) {
     return false;
   }
 
+  // TODO(panva): Once support for OpenSSL 1.1.1 is dropped the whole
+  // of HKDFTraits::DeriveBits can be refactored to use
+  // EVP_KDF which does handle zero length key.
+  if (params.key->GetSymmetricKeySize() != 0) {
+    if (!EVP_PKEY_CTX_hkdf_mode(ctx.get(),
+                                EVP_PKEY_HKDEF_MODE_EXTRACT_AND_EXPAND) ||
+        !EVP_PKEY_CTX_set1_hkdf_salt(
+            ctx.get(), params.salt.data<unsigned char>(), params.salt.size()) ||
+        !EVP_PKEY_CTX_set1_hkdf_key(ctx.get(),
+                                    reinterpret_cast<const unsigned char*>(
+                                        params.key->GetSymmetricKey()),
+                                    params.key->GetSymmetricKeySize())) {
+      return false;
+    }
+  } else {
+    // Workaround for EVP_PKEY_derive HKDF not handling zero length keys.
+    unsigned char temp_key[EVP_MAX_MD_SIZE];
+    unsigned int len = sizeof(temp_key);
+    if (params.salt.size() != 0) {
+      if (HMAC(params.digest,
+               params.salt.data(),
+               params.salt.size(),
+               nullptr,
+               0,
+               temp_key,
+               &len) == nullptr) {
+        return false;
+      }
+    } else {
+      char salt[EVP_MAX_MD_SIZE] = {0};
+      if (HMAC(params.digest,
+               salt,
+               EVP_MD_size(params.digest),
+               nullptr,
+               0,
+               temp_key,
+               &len) == nullptr) {
+        return false;
+      }
+    }
+    if (!EVP_PKEY_CTX_hkdf_mode(ctx.get(), EVP_PKEY_HKDEF_MODE_EXPAND_ONLY) ||
+        !EVP_PKEY_CTX_set1_hkdf_key(ctx.get(), temp_key, len)) {
+      return false;
+    }
+  }
+
   size_t length = params.length;
   ByteSource::Builder buf(length);
   if (EVP_PKEY_derive(ctx.get(), buf.data<unsigned char>(), &length) <= 0)

test/parallel/test-crypto-key-objects.js

@@ -859,6 +859,10 @@ const privateDsa = fixtures.readKey('dsa_private_encrypted_1025.pem',
   assert(!first.privateKey.equals(second.publicKey));
 }
 
+{
+  assert.doesNotThrow(() => createSecretKey(new ArrayBuffer(0)));
+}
+
 {
   const first = createSecretKey(Buffer.alloc(0));
   const second = createSecretKey(Buffer.alloc(0));