crypto: reject raw-public private imports

Reject raw-public object input in createPrivateKey() before it
reaches native raw key import. Cover matching-length raw public
keys across the supported raw-public key types.

Signed-off-by: Filip Skokan <panva.ip@gmail.com>

Author: panva

lib/internal/crypto/keys.js

@@ -666,6 +666,10 @@ function prepareAsymmetricKey(key, ctx, name = 'key') {
       return { data, format: kKeyFormatJWK };
     } else if (format === 'raw-public' || format === 'raw-private' ||
                format === 'raw-seed') {
+      if ((ctx === kConsumePrivate || ctx === kCreatePrivate) &&
+          format === 'raw-public') {
+        throw new ERR_INVALID_ARG_VALUE(`${name}.format`, format);
+      }
       if (!isArrayBufferView(data) && !isAnyArrayBuffer(data)) {
         throw new ERR_INVALID_ARG_TYPE(
           `${name}.key`,

test/parallel/test-crypto-key-objects-raw.js

@@ -59,6 +59,47 @@ const { hasOpenSSL } = require('../common/crypto');
   }
 }
 
+// Raw public keys cannot be imported as private keys.
+{
+  const rawPublicKeys = [
+    ['ec', 'ec_p256_public.pem', { namedCurve: 'P-256' }],
+    ['ed25519', 'ed25519_public.pem'],
+    ['x25519', 'x25519_public.pem'],
+  ];
+
+  if (!process.features.openssl_is_boringssl) {
+    rawPublicKeys.push(
+      ['ed448', 'ed448_public.pem'],
+      ['x448', 'x448_public.pem'],
+    );
+  } else {
+    common.printSkipMessage('Skipping unsupported ed448/x448 test cases');
+  }
+
+  if (hasOpenSSL(3, 5) || process.features.openssl_is_boringssl) {
+    rawPublicKeys.push(
+      ['ml-dsa-44', 'ml_dsa_44_public.pem'],
+      ['ml-kem-768', 'ml_kem_768_public.pem'],
+    );
+  }
+
+  if (hasOpenSSL(3, 5)) {
+    rawPublicKeys.push(
+      ['slh-dsa-sha2-128f', 'slh_dsa_sha2_128f_public.pem'],
+    );
+  }
+
+  for (const [asymmetricKeyType, fixture, options = {}] of rawPublicKeys) {
+    const publicKey = crypto.createPublicKey(fixtures.readKey(fixture, 'ascii'));
+    assert.throws(() => crypto.createPrivateKey({
+      key: publicKey.export({ format: 'raw-public' }),
+      format: 'raw-public',
+      asymmetricKeyType,
+      ...options,
+    }), { code: 'ERR_INVALID_ARG_VALUE' });
+  }
+}
+
 // Raw seed imports do not support strings.
 if (hasOpenSSL(3, 5)) {
   const privKeyObj = crypto.createPrivateKey(
@@ -113,7 +154,11 @@ if (hasOpenSSL(3, 5)) {
     assert.throws(() => privKeyObj.export({ format: 'raw-private' }),
                   { code: 'ERR_CRYPTO_INCOMPATIBLE_KEY_OPTIONS' });
 
-    for (const format of ['raw-public', 'raw-private', 'raw-seed']) {
+    assert.throws(() => crypto.createPrivateKey({
+      key: Buffer.alloc(32), format: 'raw-public', asymmetricKeyType: 'dh',
+    }), { code: 'ERR_INVALID_ARG_VALUE' });
+
+    for (const format of ['raw-private', 'raw-seed']) {
       assert.throws(() => crypto.createPrivateKey({
         key: Buffer.alloc(32), format, asymmetricKeyType: 'dh',
       }), { code: 'ERR_CRYPTO_INCOMPATIBLE_KEY_OPTIONS' });