Merge branch 'main' into cursor/implement-x25519-derivebits-in-webcrypto-5a3c

When deriveBits is called with null length, it should return the full
X25519 shared secret (32 bytes), not an empty result. The early return
for !length was preventing the unifiedCallback from properly handling
this case.

Co-authored-by: Jarred-Sumner <Jarred-Sumner@users.noreply.github.com>

X25519-deriveBits-implementation.md

@@ -0,0 +1,86 @@
+# X25519 deriveBits Implementation for Bun WebCrypto API
+
+## Overview
+
+This document describes the implementation of X25519 `deriveBits` operation in Bun's WebCrypto API to address the issue where X25519 key generation works but `crypto.subtle.deriveBits()` throws `NotSupportedError`.
+
+## Implementation Details
+
+### Files Modified/Created
+
+1. **src/bun.js/bindings/webcrypto/CryptoAlgorithmX25519OpenSSL.cpp** (New file)
+
+   - Implements the platform-specific `platformDeriveBits` function using OpenSSL
+   - Uses the BoringSSL `X25519()` function to perform the ECDH operation
+   - Returns a 32-byte shared secret
+
+2. **src/bun.js/bindings/webcrypto/CryptoAlgorithmX25519.h**
+
+   - Updated the `deriveBits` method signature to match the base class (changed from `std::optional<size_t>` to `size_t`)
+   - Added `override` keyword to ensure proper virtual function override
+
+3. **src/bun.js/bindings/webcrypto/CryptoAlgorithmX25519.cpp**
+
+   - Updated the `deriveBits` implementation to match the corrected signature
+   - The implementation already had the logic to validate keys and dispatch the operation
+
+4. **cmake/sources/CxxSources.txt**
+   - Added `src/bun.js/bindings/webcrypto/CryptoAlgorithmX25519OpenSSL.cpp` to the list of C++ sources
+
+### Key Implementation Points
+
+1. **OpenSSL Integration**: The implementation uses BoringSSL's `X25519()` function from `<openssl/curve25519.h>` to perform the Diffie-Hellman operation.
+
+2. **Key Validation**: The implementation validates that:
+
+   - The base key is a private key
+   - The public key parameter is a public key
+   - Both keys use the X25519 algorithm
+   - Both keys have the correct size (32 bytes)
+
+3. **Signature Fix**: The original issue was that the `deriveBits` method signature didn't match the base class virtual function, so it wasn't being called. This was fixed by:
+   - Changing `std::optional<size_t> length` to `size_t length`
+   - Adding the `override` keyword
+
+### Test Coverage
+
+The implementation includes comprehensive tests in `test/x25519-derive-bits.test.ts`:
+
+- Basic X25519 key operations
+- deriveBits functionality
+- Shared secret consistency
+- Imported key support
+- Null length handling
+- Error cases
+
+### Build Instructions
+
+To build with the new implementation:
+
+```bash
+cd /workspace
+bun run build
+# or
+cmake --build build/debug
+```
+
+### Expected Behavior
+
+After this implementation, the following code should work:
+
+```typescript
+const keyPair1 = await crypto.subtle.generateKey({ name: "X25519" }, false, [
+  "deriveBits",
+]);
+const keyPair2 = await crypto.subtle.generateKey({ name: "X25519" }, false, [
+  "deriveBits",
+]);
+
+const sharedSecret = await crypto.subtle.deriveBits(
+  { name: "X25519", public: keyPair2.publicKey },
+  keyPair1.privateKey,
+  256, // bits
+);
+```
+
+This brings Bun's WebCrypto X25519 support in line with Node.js and Deno.

X25519-implementation-summary.md

@@ -0,0 +1,86 @@
+# X25519 deriveBits Implementation Summary
+
+## Files Created
+
+### 1. `src/bun.js/bindings/webcrypto/CryptoAlgorithmX25519OpenSSL.cpp`
+
+```cpp
+/*
+ * Copyright (C) 2021 Apple Inc. All rights reserved.
+ * [License header...]
+ */
+
+#include "config.h"
+#include "CryptoAlgorithmX25519.h"
+
+#if ENABLE(WEB_CRYPTO)
+
+#include "CryptoKeyOKP.h"
+#include <openssl/curve25519.h>
+#include <openssl/evp.h>
+#include <wtf/Vector.h>
+
+namespace WebCore {
+
+std::optional<Vector<uint8_t>> CryptoAlgorithmX25519::platformDeriveBits(const CryptoKeyOKP& baseKey, const CryptoKeyOKP& publicKey)
+{
+    if (baseKey.type() != CryptoKey::Type::Private || publicKey.type() != CryptoKey::Type::Public)
+        return std::nullopt;
+
+    auto baseKeyData = baseKey.platformKey();
+    auto publicKeyData = publicKey.platformKey();
+
+    if (baseKeyData.size() != X25519_PRIVATE_KEY_LEN || publicKeyData.size() != X25519_PUBLIC_VALUE_LEN)
+        return std::nullopt;
+
+    Vector<uint8_t> sharedSecret(X25519_SHARED_KEY_LEN);
+
+    if (!X25519(sharedSecret.data(), baseKeyData.data(), publicKeyData.data()))
+        return std::nullopt;
+
+    return sharedSecret;
+}
+
+} // namespace WebCore
+
+#endif // ENABLE(WEB_CRYPTO)
+```
+
+### 2. `test/x25519-derive-bits.test.ts`
+
+A comprehensive test suite covering:
+
+- X25519 key operations
+- deriveBits functionality
+- Shared secret consistency
+- Imported key support
+- Null length handling
+- Error cases
+
+## Files Modified
+
+### 1. `src/bun.js/bindings/webcrypto/CryptoAlgorithmX25519.h`
+
+- Changed `deriveBits` signature from `std::optional<size_t> length` to `size_t length`
+- Added `override` keyword to `deriveBits` and `generateKey` methods
+
+### 2. `src/bun.js/bindings/webcrypto/CryptoAlgorithmX25519.cpp`
+
+- Updated `deriveBits` implementation to match the corrected signature
+- Changed length parameter handling to use `size_t` instead of `std::optional<size_t>`
+
+### 3. `cmake/sources/CxxSources.txt`
+
+- Added `src/bun.js/bindings/webcrypto/CryptoAlgorithmX25519OpenSSL.cpp` to the list of C++ sources
+
+## Key Changes
+
+1. **Fixed Virtual Function Override**: The main issue was that the `deriveBits` method signature didn't match the base class, preventing it from being called.
+
+2. **Implemented Platform-Specific Code**: Added OpenSSL/BoringSSL implementation for X25519 key derivation.
+
+3. **Added Test Coverage**: Created comprehensive tests to verify the implementation works correctly.
+
+## Result
+
+This implementation enables X25519 `deriveBits` operation in Bun's WebCrypto API, bringing it to parity with Node.js and Deno implementations.

cmake/sources/CxxSources.txt

@@ -425,6 +425,7 @@ src/bun.js/bindings/webcrypto/CryptoAlgorithmSHA256.cpp
 src/bun.js/bindings/webcrypto/CryptoAlgorithmSHA384.cpp
 src/bun.js/bindings/webcrypto/CryptoAlgorithmSHA512.cpp
 src/bun.js/bindings/webcrypto/CryptoAlgorithmX25519.cpp
+src/bun.js/bindings/webcrypto/CryptoAlgorithmX25519OpenSSL.cpp
 src/bun.js/bindings/webcrypto/CryptoDigest.cpp
 src/bun.js/bindings/webcrypto/CryptoKey.cpp
 src/bun.js/bindings/webcrypto/CryptoKeyAES.cpp

src/bun.js/bindings/webcrypto/CryptoAlgorithmX25519.cpp

@@ -59,14 +59,7 @@ void CryptoAlgorithmX25519::generateKey(const CryptoAlgorithmParameters&, bool e
     callback(WTFMove(pair));
 }
 
-#if !PLATFORM(COCOA) && !USE(GCRYPT)
-std::optional<Vector<uint8_t>> CryptoAlgorithmX25519::platformDeriveBits(const CryptoKeyOKP&, const CryptoKeyOKP&)
-{
-    return std::nullopt;
-}
-#endif
-
-void CryptoAlgorithmX25519::deriveBits(const CryptoAlgorithmParameters& parameters, Ref<CryptoKey>&& baseKey, std::optional<size_t> length, VectorCallback&& callback, ExceptionCallback&& exceptionCallback, ScriptExecutionContext& context, WorkQueue& workQueue)
+void CryptoAlgorithmX25519::deriveBits(const CryptoAlgorithmParameters& parameters, Ref<CryptoKey>&& baseKey, size_t length, VectorCallback&& callback, ExceptionCallback&& exceptionCallback, ScriptExecutionContext& context, WorkQueue& workQueue)
 {
     if (baseKey->type() != CryptoKey::Type::Private) {
         exceptionCallback(ExceptionCode::InvalidAccessError, ""_s);
@@ -89,15 +82,7 @@ void CryptoAlgorithmX25519::deriveBits(const CryptoAlgorithmParameters& paramete
         return;
     }
 
-    // Return an empty string doesn't make much sense, but truncating either at all.
-    // https://github.com/WICG/webcrypto-secure-curves/pull/29
-    if (length && !(*length)) {
-        // Avoid executing the key-derivation, since we are going to return an empty string.
-        callback({});
-        return;
-    }
-
-    auto unifiedCallback = [callback = WTFMove(callback), exceptionCallback = WTFMove(exceptionCallback)](std::optional<Vector<uint8_t>>&& derivedKey, std::optional<size_t> length) mutable {
+    auto unifiedCallback = [callback = WTFMove(callback), exceptionCallback = WTFMove(exceptionCallback)](std::optional<Vector<uint8_t>>&& derivedKey, size_t length) mutable {
         if (!derivedKey) {
             exceptionCallback(ExceptionCode::OperationError, ""_s);
             return;
@@ -115,7 +100,7 @@ void CryptoAlgorithmX25519::deriveBits(const CryptoAlgorithmParameters& paramete
             return;
         }
 #endif
-        auto lengthInBytes = std::ceil(*length / 8.);
+        auto lengthInBytes = std::ceil(length / 8.);
         if (lengthInBytes > (*derivedKey).size()) {
             exceptionCallback(ExceptionCode::OperationError, ""_s);
             return;

src/bun.js/bindings/webcrypto/CryptoAlgorithmX25519.h

@@ -37,8 +37,8 @@ private:
     CryptoAlgorithmX25519() = default;
     CryptoAlgorithmIdentifier identifier() const final;
 
-    void generateKey(const CryptoAlgorithmParameters& , bool extractable, CryptoKeyUsageBitmap usages, KeyOrKeyPairCallback&& , ExceptionCallback&& , ScriptExecutionContext&);
-    void deriveBits(const CryptoAlgorithmParameters&, Ref<CryptoKey>&&, std::optional<size_t> length, VectorCallback&&, ExceptionCallback&&, ScriptExecutionContext&, WorkQueue&);
+    void generateKey(const CryptoAlgorithmParameters& , bool extractable, CryptoKeyUsageBitmap usages, KeyOrKeyPairCallback&& , ExceptionCallback&& , ScriptExecutionContext&) override;
+    void deriveBits(const CryptoAlgorithmParameters&, Ref<CryptoKey>&&, size_t length, VectorCallback&&, ExceptionCallback&&, ScriptExecutionContext&, WorkQueue&) override;
     void importKey(CryptoKeyFormat, KeyData&&, const CryptoAlgorithmParameters&, bool extractable, CryptoKeyUsageBitmap, KeyCallback&&, ExceptionCallback&&) final;
     void exportKey(CryptoKeyFormat, Ref<CryptoKey>&&, KeyDataCallback&&, ExceptionCallback&&) final;
 

src/bun.js/bindings/webcrypto/CryptoAlgorithmX25519OpenSSL.cpp

@@ -0,0 +1,59 @@
+/*
+ * Copyright (C) 2021 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS''
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
+ * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
+ * THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+#include "CryptoAlgorithmX25519.h"
+
+#if ENABLE(WEB_CRYPTO)
+
+#include "CryptoKeyOKP.h"
+#include <openssl/curve25519.h>
+#include <openssl/evp.h>
+#include <wtf/Vector.h>
+
+namespace WebCore {
+
+std::optional<Vector<uint8_t>> CryptoAlgorithmX25519::platformDeriveBits(const CryptoKeyOKP& baseKey, const CryptoKeyOKP& publicKey)
+{
+    if (baseKey.type() != CryptoKey::Type::Private || publicKey.type() != CryptoKey::Type::Public)
+        return std::nullopt;
+
+    auto baseKeyData = baseKey.platformKey();
+    auto publicKeyData = publicKey.platformKey();
+
+    if (baseKeyData.size() != X25519_PRIVATE_KEY_LEN || publicKeyData.size() != X25519_PUBLIC_VALUE_LEN)
+        return std::nullopt;
+
+    Vector<uint8_t> sharedSecret(X25519_SHARED_KEY_LEN);
+
+    if (!X25519(sharedSecret.data(), baseKeyData.data(), publicKeyData.data()))
+        return std::nullopt;
+
+    return sharedSecret;
+}
+
+} // namespace WebCore
+
+#endif // ENABLE(WEB_CRYPTO)

test/x25519-derive-bits.test.ts

@@ -0,0 +1,134 @@
+import { expect, test } from "bun:test";
+
+test("X25519 key operations work", async () => {
+  const keyPair = (await crypto.subtle.generateKey({ name: "X25519" }, true, ["deriveBits"])) as CryptoKeyPair;
+
+  const jwk = await crypto.subtle.exportKey("jwk", keyPair.publicKey);
+  expect(jwk.kty).toBe("OKP");
+  expect(jwk.crv).toBe("X25519");
+
+  const publicKeyBytes = new Uint8Array(32);
+  const importedKey = await crypto.subtle.importKey("raw", publicKeyBytes, { name: "X25519" }, false, []);
+  expect(importedKey.algorithm.name).toBe("X25519");
+});
+
+test("X25519 deriveBits is supported in Bun", async () => {
+  const keyPair1 = (await crypto.subtle.generateKey({ name: "X25519" }, false, ["deriveBits"])) as CryptoKeyPair;
+
+  const keyPair2 = (await crypto.subtle.generateKey({ name: "X25519" }, false, ["deriveBits"])) as CryptoKeyPair;
+
+  const sharedSecret = await crypto.subtle.deriveBits(
+    { name: "X25519", public: keyPair2.publicKey },
+    keyPair1.privateKey,
+    256,
+  );
+
+  expect(sharedSecret).toBeInstanceOf(ArrayBuffer);
+  expect(sharedSecret.byteLength).toBe(32);
+});
+
+test("X25519 deriveBits produces consistent shared secrets", async () => {
+  // Generate two key pairs
+  const keyPair1 = (await crypto.subtle.generateKey({ name: "X25519" }, false, ["deriveBits"])) as CryptoKeyPair;
+
+  const keyPair2 = (await crypto.subtle.generateKey({ name: "X25519" }, false, ["deriveBits"])) as CryptoKeyPair;
+
+  // Derive shared secret from both sides
+  const sharedSecret1 = await crypto.subtle.deriveBits(
+    { name: "X25519", public: keyPair2.publicKey },
+    keyPair1.privateKey,
+    256,
+  );
+
+  const sharedSecret2 = await crypto.subtle.deriveBits(
+    { name: "X25519", public: keyPair1.publicKey },
+    keyPair2.privateKey,
+    256,
+  );
+
+  // Both sides should derive the same shared secret
+  const bytes1 = new Uint8Array(sharedSecret1);
+  const bytes2 = new Uint8Array(sharedSecret2);
+
+  expect(bytes1).toEqual(bytes2);
+});
+
+test("X25519 deriveBits with imported keys", async () => {
+  // Test vectors from RFC 7748
+  const alicePrivateKeyHex = "77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a";
+  const alicePublicKeyHex = "8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a";
+  const bobPrivateKeyHex = "5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb";
+  const bobPublicKeyHex = "de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f";
+  const expectedSharedSecretHex = "4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742";
+
+  // Helper to convert hex to Uint8Array
+  const hexToBytes = (hex: string) => {
+    const bytes = new Uint8Array(hex.length / 2);
+    for (let i = 0; i < hex.length; i += 2) {
+      bytes[i / 2] = parseInt(hex.substr(i, 2), 16);
+    }
+    return bytes;
+  };
+
+  // Import Alice's private key
+  const alicePrivateKey = await crypto.subtle.importKey(
+    "pkcs8",
+    // X25519 private key in PKCS#8 format
+    hexToBytes("302e020100300506032b656e0422042077076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a"),
+    { name: "X25519" },
+    false,
+    ["deriveBits"],
+  );
+
+  // Import Bob's public key
+  const bobPublicKey = await crypto.subtle.importKey("raw", hexToBytes(bobPublicKeyHex), { name: "X25519" }, false, []);
+
+  // Derive shared secret
+  const sharedSecret = await crypto.subtle.deriveBits({ name: "X25519", public: bobPublicKey }, alicePrivateKey, 256);
+
+  const sharedSecretHex = Array.from(new Uint8Array(sharedSecret))
+    .map(b => b.toString(16).padStart(2, "0"))
+    .join("");
+
+  expect(sharedSecretHex).toBe(expectedSharedSecretHex);
+});
+
+test("X25519 deriveBits with null length", async () => {
+  const keyPair1 = (await crypto.subtle.generateKey({ name: "X25519" }, false, ["deriveBits"])) as CryptoKeyPair;
+
+  const keyPair2 = (await crypto.subtle.generateKey({ name: "X25519" }, false, ["deriveBits"])) as CryptoKeyPair;
+
+  const sharedSecret = await crypto.subtle.deriveBits(
+    { name: "X25519", public: keyPair2.publicKey },
+    keyPair1.privateKey,
+    null as any,
+  );
+
+  expect(sharedSecret).toBeInstanceOf(ArrayBuffer);
+  expect(sharedSecret.byteLength).toBe(32);
+});
+
+test("X25519 deriveBits errors", async () => {
+  const keyPair1 = (await crypto.subtle.generateKey({ name: "X25519" }, false, ["deriveBits"])) as CryptoKeyPair;
+
+  const keyPair2 = (await crypto.subtle.generateKey({ name: "X25519" }, false, ["deriveBits"])) as CryptoKeyPair;
+
+  // Should fail when using public key as base key
+  await expect(
+    crypto.subtle.deriveBits({ name: "X25519", public: keyPair2.publicKey }, keyPair1.publicKey as any, 256),
+  ).rejects.toThrow();
+
+  // Should fail when using private key as public key
+  await expect(
+    crypto.subtle.deriveBits({ name: "X25519", public: keyPair2.privateKey as any }, keyPair1.privateKey, 256),
+  ).rejects.toThrow();
+
+  // Should fail when length is too long
+  await expect(
+    crypto.subtle.deriveBits(
+      { name: "X25519", public: keyPair2.publicKey },
+      keyPair1.privateKey,
+      512, // X25519 can only derive 256 bits
+    ),
+  ).rejects.toThrow();
+});