fix: properly restrict EC curves in generate(Sync)

lib/help/key_utils.js

@@ -2,12 +2,7 @@ const base64url = require('./base64url')
 const errors = require('../errors')
 const asn1 = require('./asn1')
 
-const EC_CURVES = new Set([
- 'P-256',
- 'P-256K',
- 'P-384',
- 'P-521'
-])
+const EC_CURVES = new Set(['P-256', 'P-256K', 'P-384', 'P-521'])
 
 const oidHexToCurve = new Map([
  ['06082a8648ce3d030107', 'P-256'],

lib/jwk/key/ec.js

@@ -3,6 +3,7 @@ const { promisify } = require('util')
 
 const { THUMBPRINT_MATERIAL, PUBLIC_MEMBERS, PRIVATE_MEMBERS, JWK_MEMBERS } = require('../../help/symbols')
 const errors = require('../../errors')
+const EC_CURVES = new Set(['P-256', 'P-256K', 'P-384', 'P-521'])
 
 const Key = require('./base')
 
@@ -99,6 +100,10 @@ class ECKey extends Key {
  }
 
  static async generate (crv = 'P-256', privat = true) {
+ if (!EC_CURVES.has(crv)) {
+ throw new errors.JOSENotSupported(`unsupported EC key curve: ${crv}`)
+ }
+
  if (crv === 'P-256K') {
  crv = 'secp256k1'
  }
@@ -108,6 +113,10 @@ class ECKey extends Key {
  }
 
  static generateSync (crv = 'P-256', privat = true) {
+ if (!EC_CURVES.has(crv)) {
+ throw new errors.JOSENotSupported(`unsupported EC key curve: ${crv}`)
+ }
+
  if (crv === 'P-256K') {
  crv = 'secp256k1'
  }

test/jwk/generate.test.js

@@ -126,6 +126,18 @@ test('fails to generate unsupported kty', async t => {
  }, { instanceOf: errors.JOSENotSupported, message: 'unsupported key type: OKP' })
 })
 
+test('fails to generateSync unsupported EC crv', t => {
+ t.throws(() => {
+ generateSync('EC', 'foo')
+ }, { instanceOf: errors.JOSENotSupported, message: 'unsupported EC key curve: foo' })
+})
+
+test('fails to generate unsupported EC crv', async t => {
+ await t.throwsAsync(() => {
+ return generate('EC', 'foo')
+ }, { instanceOf: errors.JOSENotSupported, message: 'unsupported EC key curve: foo' })
+})
+
 test('fails to generateSync RSA with invalid bit lengths', t => {
  t.throws(() => {
  generateSync('RSA', 2048 + 1)