crypto: reject unintended raw key format string input

panva · panva · commit 256619602f85 · 2026-05-07T16:38:23.000+02:00
Signed-off-by: Filip Skokan <panva.ip@gmail.com> PR-URL: #62974 Reviewed-By: Сковорода Никита Андреевич <chalkerx@gmail.com> Reviewed-By: Tobias Nießen <tniessen@tnie.de> Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
diff --git a/lib/internal/crypto/keys.js b/lib/internal/crypto/keys.js
@@ -765,7 +765,7 @@ function getKeyObjectHandleFromJwk(key, ctx) {
 
 
 function getKeyObjectHandleFromRaw(options, data, format) {
-  if (!isStringOrBuffer(data)) {
+  if (!isArrayBufferView(data) && !isAnyArrayBuffer(data)) {
     throw new ERR_INVALID_ARG_TYPE(
       'key.key',
       ['ArrayBuffer', 'Buffer', 'TypedArray', 'DataView'],
diff --git a/test/parallel/test-crypto-key-objects-raw.js b/test/parallel/test-crypto-key-objects-raw.js
@@ -32,6 +32,50 @@ const { hasOpenSSL } = require('../common/crypto');
   }
 }
 
+// Raw key imports do not support strings.
+{
+  const pubKeyObj = crypto.createPublicKey(
+    fixtures.readKey('ed25519_public.pem', 'ascii'));
+  const privKeyObj = crypto.createPrivateKey(
+    fixtures.readKey('ed25519_private.pem', 'ascii'));
+
+  const rawPub = pubKeyObj.export({ format: 'raw-public' });
+  const rawPriv = privKeyObj.export({ format: 'raw-private' });
+
+  for (const encoding of ['hex', 'base64', 'utf8', 'latin1', 'ascii']) {
+    assert.throws(() => crypto.createPublicKey({
+      key: rawPub.toString(encoding),
+      encoding,
+      format: 'raw-public',
+      asymmetricKeyType: 'ed25519',
+    }), { code: 'ERR_INVALID_ARG_TYPE' });
+
+    assert.throws(() => crypto.createPrivateKey({
+      key: rawPriv.toString(encoding),
+      encoding,
+      format: 'raw-private',
+      asymmetricKeyType: 'ed25519',
+    }), { code: 'ERR_INVALID_ARG_TYPE' });
+  }
+}
+
+// Raw seed imports do not support strings.
+if (hasOpenSSL(3, 5)) {
+  const privKeyObj = crypto.createPrivateKey(
+    fixtures.readKey('ml_dsa_44_private.pem', 'ascii'));
+
+  const rawSeed = privKeyObj.export({ format: 'raw-seed' });
+
+  for (const encoding of ['hex', 'base64']) {
+    assert.throws(() => crypto.createPrivateKey({
+      key: rawSeed.toString(encoding),
+      encoding,
+      format: 'raw-seed',
+      asymmetricKeyType: 'ml-dsa-44',
+    }), { code: 'ERR_INVALID_ARG_TYPE' });
+  }
+}
+
 // Key types that don't support raw-* formats
 {
   for (const [type, pub, priv] of [
