fix: implement AES-KW (RFC 3394) for wrapKey/unwrapKey operations

Fixes wrapKey/unwrapKey operations with AES-KW algorithm that were failing
in e2e tests on both iOS and Android.

C++ changes (HybridCipher.cpp):
- Add EVP_CIPHER_CTX_FLAG_WRAP_ALLOW flag for wrap ciphers (required in OpenSSL 3.x)
- Disable padding for AES-KW ciphers
- Add error checking to EVP_CipherUpdate to catch OpenSSL failures

TypeScript changes (subtle.ts):
- Use RFC 3394 default IV (0xa6a6a6a6a6a6a6a6) instead of empty IV
- Fix JWK format padding calculation to account for null terminator
- Add input validation for AES-KW (8-byte alignment, minimum 16 bytes)
- Fix cipher type naming to match Node.js (aes*-wrap)
- Handle null terminator when unwrapping JWK format

All wrapKey/unwrapKey tests now passing.

Author: boorad

example/src/hooks/useTestsList.ts

@@ -19,6 +19,7 @@ import '../tests/keys/public_cipher';
 import '../tests/keys/sign_verify_streaming';
 import '../tests/pbkdf2/pbkdf2_tests';
 import '../tests/random/random_tests';
+import '../tests/subtle/x25519_x448';
 import '../tests/subtle/deriveBits';
 import '../tests/subtle/derive_key';
 import '../tests/subtle/digest';
@@ -28,7 +29,6 @@ import '../tests/subtle/import_export';
 import '../tests/subtle/jwk_rfc7517_tests';
 import '../tests/subtle/sign_verify';
 import '../tests/subtle/wrap_unwrap';
-import '../tests/subtle/x25519_x448';
 
 export const useTestsList = (): [
   TestSuites,

example/src/tests/subtle/import_export.ts

@@ -1483,11 +1483,6 @@ async function testImportSpki(
   expect(key.extractable).to.equal(extractable);
   expect(key.usages).to.deep.equal(publicUsages);
   expect(key.algorithm.name).to.equal(name);
-  console.log('[RSA TEST DEBUG]', {
-    modulusLength: key.algorithm.modulusLength,
-    expected: parseInt(size, 10),
-    algorithm: JSON.stringify(key.algorithm),
-  });
   expect(key.algorithm.modulusLength).to.equal(parseInt(size, 10));
   expect(key.algorithm.publicExponent).to.deep.equal(new Uint8Array([1, 0, 1]));
   expect((key.algorithm.hash as { name: string }).name).to.equal(hash);

packages/react-native-quick-crypto/cpp/cipher/HybridCipher.cpp

@@ -86,6 +86,14 @@ void HybridCipher::init(const std::shared_ptr<ArrayBuffer> cipher_key, const std
     ctx = nullptr;
     throw std::runtime_error("HybridCipher: Failed to set key/IV: " + std::string(err_buf));
   }
+
+  // For AES-KW (wrap ciphers), set the WRAP_ALLOW flag and disable padding
+  std::string cipher_name(cipher_type);
+  if (cipher_name.find("-wrap") != std::string::npos) {
+    // This flag is required for AES-KW in OpenSSL 3.x
+    EVP_CIPHER_CTX_set_flags(ctx, EVP_CIPHER_CTX_FLAG_WRAP_ALLOW);
+    EVP_CIPHER_CTX_set_padding(ctx, 0);
+  }
 }
 
 std::shared_ptr<ArrayBuffer> HybridCipher::update(const std::shared_ptr<ArrayBuffer>& data) {
@@ -100,7 +108,15 @@ std::shared_ptr<ArrayBuffer> HybridCipher::update(const std::shared_ptr<ArrayBuf
   uint8_t* out = new uint8_t[out_len];
   // Perform the cipher update operation. The real size of the output is
   // returned in out_len
-  EVP_CipherUpdate(ctx, out, &out_len, native_data->data(), in_len);
+  int ret = EVP_CipherUpdate(ctx, out, &out_len, native_data->data(), in_len);
+
+  if (!ret) {
+    unsigned long err = ERR_get_error();
+    char err_buf[256];
+    ERR_error_string_n(err, err_buf, sizeof(err_buf));
+    delete[] out;
+    throw std::runtime_error("Cipher update failed: " + std::string(err_buf));
+  }
 
   // Create and return a new buffer of exact size needed
   return std::make_shared<NativeArrayBuffer>(out, out_len, [=]() { delete[] out; });

packages/react-native-quick-crypto/src/subtle.ts

@@ -380,23 +380,46 @@ async function aesKwCipher(
   key: CryptoKey,
   data: ArrayBuffer,
 ): Promise<ArrayBuffer> {
+  const isWrap = mode === CipherOrWrapMode.kWebCryptoCipherEncrypt;
+
+  // AES-KW requires input to be a multiple of 8 bytes (64 bits)
+  if (data.byteLength % 8 !== 0) {
+    throw lazyDOMException(
+      `AES-KW input length must be a multiple of 8 bytes, got ${data.byteLength}`,
+      'OperationError',
+    );
+  }
+
+  // AES-KW requires at least 16 bytes of input (128 bits)
+  if (isWrap && data.byteLength < 16) {
+    throw lazyDOMException(
+      `AES-KW input must be at least 16 bytes, got ${data.byteLength}`,
+      'OperationError',
+    );
+  }
+
   // Get cipher type based on key length
   const keyLength = (key.algorithm as { length: number }).length;
-  const isWrap = mode === CipherOrWrapMode.kWebCryptoCipherEncrypt;
-  const cipherType = isWrap
-    ? `id-aes${keyLength}-wrap`
-    : `id-aes${keyLength}-wrap`;
+  // Use aes*-wrap for both operations (matching Node.js)
+  const cipherType = `aes${keyLength}-wrap`;
+
+  // Export key material
+  const exportedKey = key.keyObject.export();
+  const cipherKey = bufferLikeToArrayBuffer(exportedKey);
+
+  // AES-KW uses a default IV as specified in RFC 3394
+  const defaultWrapIV = new Uint8Array([
+    0xa6, 0xa6, 0xa6, 0xa6, 0xa6, 0xa6, 0xa6, 0xa6,
+  ]);
 
-  // AES-KW uses the same cipher for both wrap and unwrap,
-  // but Node.js distinguishes with different cipher names
   const factory =
     NitroModules.createHybridObject<CipherFactory>('CipherFactory');
 
   const cipher = factory.createCipher({
     isCipher: isWrap,
     cipherType,
-    cipherKey: bufferLikeToArrayBuffer(key.keyObject.export()),
-    iv: new ArrayBuffer(0), // AES-KW doesn't use IV
+    cipherKey,
+    iv: defaultWrapIV.buffer, // RFC 3394 default IV for AES-KW
   });
 
   // Process data
@@ -1625,7 +1648,20 @@ export class Subtle {
     if (format === 'jwk') {
       const jwkString = JSON.stringify(exported);
       const buffer = SBuffer.from(jwkString, 'utf8');
-      keyData = bufferLikeToArrayBuffer(buffer);
+
+      // For AES-KW, pad to multiple of 8 bytes (accounting for null terminator)
+      if (wrapAlgorithm.name === 'AES-KW') {
+        const length = buffer.length;
+        // Add 1 for null terminator, then pad to multiple of 8
+        const paddedLength = Math.ceil((length + 1) / 8) * 8;
+        const paddedBuffer = SBuffer.alloc(paddedLength);
+        buffer.copy(paddedBuffer);
+        // Null terminator for JSON string (remaining bytes are already zeros from alloc)
+        paddedBuffer.writeUInt8(0, length);
+        keyData = bufferLikeToArrayBuffer(paddedBuffer);
+      } else {
+        keyData = bufferLikeToArrayBuffer(buffer);
+      }
     } else {
       keyData = exported as ArrayBuffer;
     }
@@ -1670,7 +1706,20 @@ export class Subtle {
     let keyData: BufferLike | JWK;
     if (format === 'jwk') {
       const buffer = SBuffer.from(decrypted);
-      const jwkString = buffer.toString('utf8');
+      // For AES-KW, the data may be padded - find the null terminator
+      let jwkString: string;
+      if (unwrapAlgorithm.name === 'AES-KW') {
+        // Find the null terminator (if present) to get the original string
+        const nullIndex = buffer.indexOf(0);
+        if (nullIndex !== -1) {
+          jwkString = buffer.toString('utf8', 0, nullIndex);
+        } else {
+          // No null terminator, try to parse the whole buffer
+          jwkString = buffer.toString('utf8').trim();
+        }
+      } else {
+        jwkString = buffer.toString('utf8');
+      }
       keyData = JSON.parse(jwkString) as JWK;
     } else {
       keyData = decrypted;