crypto: support loading private keys through STORE loaders#63949
Open
panva wants to merge 1 commit into
Open
Conversation
Collaborator
|
Review requested:
|
43f0d74 to
96c5081
Compare
ddd7eaf to
35bb771
Compare
jasnell
previously approved these changes
Jun 19, 2026
I changed the feature shape quite a bit. Dismissing a stale review.
jasnell
approved these changes
Jul 4, 2026
This comment was marked as resolved.
This comment was marked as resolved.
Codecov Report❌ Patch coverage is Additional details and impacted files@@ Coverage Diff @@
## main #63949 +/- ##
==========================================
- Coverage 90.25% 90.22% -0.04%
==========================================
Files 741 743 +2
Lines 241192 241603 +411
Branches 45421 45537 +116
==========================================
+ Hits 217691 217975 +284
- Misses 15085 15154 +69
- Partials 8416 8474 +58
🚀 New features to boost your workflow:
|
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as resolved.
This comment was marked as resolved.
Accept WHATWG URL objects in private-key inputs and load referenced keys through OpenSSL STORE loaders. Pass optional property queries and passphrases while preserving provider-owned EVP_PKEY objects for ordinary KeyObject and CryptoKey operations. Signed-off-by: Filip Skokan <panva.ip@gmail.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Allow
crypto.createPrivateKey()and APIs that consume private keys, such ascrypto.sign(),crypto.privateDecrypt(),crypto.diffieHellman(), andcrypto.decapsulate(), to load private keys through configured OpenSSL STORE loaders using WHATWGURLobjects.This supports direct URL input:
It also supports object input with an optional passphrase or PIN and OpenSSL property query:
The provider implementing the STORE loader must already be loaded in Node.js' default OpenSSL library context, for example through OpenSSL configuration. This API does not load providers.
passphraseis forwarded to the loader as its passphrase or PIN.propertiesis an OpenSSL property query used to select the STORE loader; it is not appended to the URL and is distinct from provider-specific URI parameters.Why URL?
A
URLdistinguishes an external key reference from existing key material. Strings, buffers, typed arrays, and formatted objects retain their existing PEM, DER, JWK, and raw-key semantics. This avoids adding STORE loading to the key import/exportformatnamespace.URL input is accepted only in private-key contexts. A public key can be derived by first loading the private key and passing the resulting
KeyObjecttocrypto.createPublicKey().The resulting provider-backed key is an ordinary
KeyObjectand interoperates with existing private-key operations, key metadata, public-key derivation, andtoCryptoKey()where supported by the key algorithm and provider. Provider policy continues to control permitted operations and private-key exportability.The native STORE-loading path is available with OpenSSL >= 3.
Permission model
STORE loading adds the global
crypto.storepermission, enabled with--allow-crypto-storeand exposed through the runtime permission APIs:This permission grants broad authority to configured STORE loaders. Loaders may access files, devices, tokens, or the network, and that access is not constrained by the
fs.read,fs.write, ornetpermission scopes.This broad capability matches OpenSSL's behavior: STORE loaders perform their own I/O, and OpenSSL may try its file loader before another loader for opaque URIs.
When STORE access is denied, Node.js redacts the URI from the permission error resource and permission diagnostics.
Passphrases and errors
Credentials should be supplied through
passphraserather than embedded in the URI.If OpenSSL requests a passphrase and none was provided, Node.js throws
ERR_MISSING_PASSPHRASE, matching existing encrypted private-key import behavior. Incorrect passphrases and provider failures continue to surface as OpenSSL errors.Node.js redacts URIs from its own permission-denial errors. Errors reported by OpenSSL or a provider after loading begins may still include the URI.