Fix logic issues

Author: eacet

packages/pq-key-encoder/ts/README.md

@@ -148,8 +148,13 @@ interface PQJwk {
 ## Notes
 
 - Inputs are validated for correct key size and encoding structure
-- DER encoding uses AlgorithmIdentifier with explicit NULL parameters
+- DER encoding uses AlgorithmIdentifier with absent parameters (per NIST PQ specs); decoder accepts both absent and NULL for interoperability
 - JWK uses non-standard `kty: 'PQC'` for post-quantum keys
+- `fromJWK` returns only private key bytes when both `x` and `d` are present (public key is validated but not returned). To get both keys, parse separately:
+  ```typescript
+  const privateKey = fromJWK(jwk);
+  const publicKey = fromJWK({ kty: jwk.kty, alg: jwk.alg, x: jwk.x });
+  ```
 
 ## License
 

packages/pq-key-encoder/ts/src/asn1/parse.ts

@@ -128,18 +128,39 @@ function parseAlgorithmIdentifier(
   return { oid, bytesRead: algorithm.bytesRead };
 }
 
+// Context-specific tags for optional PKCS#8 fields (RFC 5958 OneAsymmetricKey)
+const TAG_CONTEXT_0 = 0xa0; // [0] Attributes OPTIONAL
+const TAG_CONTEXT_1 = 0xa1; // [1] PublicKey OPTIONAL
+
+/** Skip optional trailing context-specific fields in PKCS#8/OneAsymmetricKey. */
+function scanOptionalTrailingFields(
+  sequence: Uint8Array,
+  offset: number,
+): { hasPublicKey: boolean } {
+  let currentOffset = offset;
+  let hasPublicKey = false;
+  while (currentOffset < sequence.length) {
+    const tlv = readTLV(sequence, currentOffset);
+    if (tlv.tag !== TAG_CONTEXT_0 && tlv.tag !== TAG_CONTEXT_1) {
+      throw new InvalidEncodingError('Unexpected trailing data in key sequence.');
+    }
+    if (tlv.tag === TAG_CONTEXT_1) {
+      hasPublicKey = true;
+    }
+    currentOffset += tlv.bytesRead;
+  }
+  return { hasPublicKey };
+}
+
 /** Parse the key TLV and infer key type from its tag. */
 function parseKeyTlv(
   sequence: Uint8Array,
   offset: number,
-): { keyBytes: Uint8Array; keyType: 'public' | 'private' } {
+): { keyBytes: Uint8Array; keyType: 'public' | 'private'; bytesRead: number } {
   if (offset >= sequence.length) {
     throw new InvalidEncodingError('Missing key data.');
   }
   const keyTlv = readTLV(sequence, offset);
-  if (offset + keyTlv.bytesRead !== sequence.length) {
-    throw new InvalidEncodingError('Unexpected trailing data in key sequence.');
-  }
 
   if (keyTlv.tag === TAG_BIT_STRING) {
     if (keyTlv.value.length === 0) {
@@ -149,10 +170,10 @@ function parseKeyTlv(
     if (unusedBits !== 0) {
       throw new InvalidEncodingError('BIT STRING unused bits must be 0 for key data.');
     }
-    return { keyBytes: keyTlv.value.slice(1), keyType: 'public' };
+    return { keyBytes: keyTlv.value.slice(1), keyType: 'public', bytesRead: keyTlv.bytesRead };
   }
   if (keyTlv.tag === TAG_OCTET_STRING) {
-    return { keyBytes: keyTlv.value, keyType: 'private' };
+    return { keyBytes: keyTlv.value, keyType: 'private', bytesRead: keyTlv.bytesRead };
   }
   throw new InvalidEncodingError('Expected BIT STRING or OCTET STRING for key data.');
 }
@@ -174,22 +195,43 @@ export function parseAlgorithmAndKeyWithType(input: Uint8Array): {
   const sequence = outer.value;
   const first = readTLV(sequence, 0);
   let algorithmOffset = 0;
-  let expectedKeyType: 'public' | 'private' | undefined;
+  let version: number | null = null;
 
   if (first.tag === TAG_INTEGER) {
-    if (first.value.length !== 1 || first.value[0] !== 0x00) {
+    // RFC 5958: version 0 = PKCS#8, version 1 = OneAsymmetricKey with optional publicKey
+    const versionValue = first.value.length === 1 ? first.value[0] : -1;
+    if (versionValue !== 0 && versionValue !== 1) {
       throw new InvalidEncodingError('Unsupported PrivateKeyInfo version.');
     }
     algorithmOffset = first.bytesRead;
-    expectedKeyType = 'private';
+    version = versionValue;
   }
 
   const { oid, bytesRead } = parseAlgorithmIdentifier(sequence, algorithmOffset);
   const keyOffset = algorithmOffset + bytesRead;
-  const { keyBytes, keyType } = parseKeyTlv(sequence, keyOffset);
+  const { keyBytes, keyType, bytesRead: keyBytesRead } = parseKeyTlv(sequence, keyOffset);
+
+  // PKCS#8 private keys must have version INTEGER
+  if (keyType === 'private' && version === null) {
+    throw new InvalidEncodingError('PKCS#8 private key missing version INTEGER.');
+  }
 
-  if (expectedKeyType && keyType !== expectedKeyType) {
-    throw new InvalidEncodingError('Unexpected key type for PrivateKeyInfo.');
+  // SPKI public keys must not have version INTEGER
+  if (keyType === 'public' && version !== null) {
+    throw new InvalidEncodingError('SPKI public key has unexpected version INTEGER.');
+  }
+
+  // Allow optional trailing fields for PKCS#8 (attributes, publicKey)
+  const trailingOffset = keyOffset + keyBytesRead;
+  if (trailingOffset < sequence.length) {
+    if (keyType === 'private') {
+      const { hasPublicKey } = scanOptionalTrailingFields(sequence, trailingOffset);
+      if (hasPublicKey && version !== 1) {
+        throw new InvalidEncodingError('PKCS#8 publicKey requires version 1.');
+      }
+    } else {
+      throw new InvalidEncodingError('Unexpected trailing data in SPKI.');
+    }
   }
 
   return { oid, keyBytes, keyType };

packages/pq-key-encoder/ts/src/pem.ts

@@ -57,7 +57,12 @@ export function fromPEM(pem: string): KeyData {
   const decoded = decodeBase64(body);
 
   if (label === 'PUBLIC KEY' || label === 'PRIVATE KEY') {
-    return fromDER(decoded);
+    const key = fromDER(decoded);
+    const expectedType = label === 'PUBLIC KEY' ? 'public' : 'private';
+    if (key.type !== expectedType) {
+      throw new InvalidEncodingError(`PEM label "${label}" does not match key type "${key.type}".`);
+    }
+    return key;
   }
 
   throw new InvalidEncodingError(`Unsupported PEM label: ${label}.`);

packages/pq-key-encoder/ts/src/pkcs8.ts

@@ -48,6 +48,17 @@ export function normalizePrivateKeyBytes(alg: KeyData['alg'], keyBytes: Uint8Arr
   }
 
   const outer = readTLV(keyBytes);
+
+  // RFC 8410-style: single inner OCTET STRING containing raw key
+  if (
+    outer.tag === TAG_OCTET_STRING &&
+    outer.bytesRead === keyBytes.length &&
+    outer.value.length === expected
+  ) {
+    return outer.value;
+  }
+
+  // OpenSSL-style: SEQUENCE containing seed + expanded key as OCTET STRINGs
   if (outer.tag !== TAG_SEQUENCE || outer.bytesRead !== keyBytes.length) {
     return keyBytes;
   }

packages/pq-key-encoder/ts/tests/asn1/parse.test.ts

@@ -3,13 +3,19 @@ import { encodeLength } from '../../src/asn1/length';
 import { parseAlgorithmAndKey, readTLV } from '../../src/asn1/parse';
 import {
   encodeBitString,
+  encodeInteger,
   encodeNull,
   encodeObjectIdentifier,
   encodeOctetString,
   encodeSequence,
 } from '../../src/asn1/primitives';
 import { InvalidEncodingError } from '../../src/errors';
 
+function encodeContextSpecific(tag: number, value: Uint8Array): Uint8Array {
+  const length = encodeLength(value.length);
+  return Uint8Array.from([tag, ...length, ...value]);
+}
+
 describe('asn1 parse', () => {
   it('reads TLV with short-form length', () => {
     const tlv = new Uint8Array([0x04, 0x03, 0x01, 0x02, 0x03]);
@@ -48,15 +54,96 @@ describe('asn1 parse', () => {
     expect(Array.from(parsed.keyBytes)).toEqual([0xde, 0xad, 0xbe, 0xef]);
   });
 
-  it('extracts OID + key bytes from OCTET STRING', () => {
+  it('extracts OID + key bytes from OCTET STRING (PKCS8)', () => {
     const oid = '1.3.6.1.4.1.2.267.7.6.5';
+    const version = encodeInteger(0);
     const algorithm = encodeSequence([encodeObjectIdentifier(oid), encodeNull()]);
     const keyBytes = new Uint8Array([0x00, 0x11, 0x22, 0x33]);
     const key = encodeOctetString(keyBytes);
-    const pkcs8 = encodeSequence([algorithm, key]);
+    const pkcs8 = encodeSequence([version, algorithm, key]);
 
     const parsed = parseAlgorithmAndKey(pkcs8);
     expect(parsed.oid).toBe(oid);
     expect(Array.from(parsed.keyBytes)).toEqual([0x00, 0x11, 0x22, 0x33]);
   });
+
+  it('accepts OneAsymmetricKey with publicKey when version is 1', () => {
+    const oid = '1.3.6.1.4.1.2.267.7.6.5';
+    const version = encodeInteger(1);
+    const algorithm = encodeSequence([encodeObjectIdentifier(oid), encodeNull()]);
+    const keyBytes = new Uint8Array([0xaa, 0xbb, 0xcc, 0xdd]);
+    const privateKey = encodeOctetString(keyBytes);
+    const publicKey = encodeBitString(new Uint8Array([0x01, 0x02, 0x03]));
+    const publicKeyField = encodeContextSpecific(0xa1, publicKey);
+    const pkcs8 = encodeSequence([version, algorithm, privateKey, publicKeyField]);
+
+    const parsed = parseAlgorithmAndKey(pkcs8);
+    expect(parsed.oid).toBe(oid);
+    expect(Array.from(parsed.keyBytes)).toEqual([0xaa, 0xbb, 0xcc, 0xdd]);
+  });
+
+  it('rejects publicKey field when version is 0', () => {
+    const oid = '1.3.6.1.4.1.2.267.7.6.5';
+    const version = encodeInteger(0);
+    const algorithm = encodeSequence([encodeObjectIdentifier(oid), encodeNull()]);
+    const keyBytes = new Uint8Array([0x10, 0x20, 0x30, 0x40]);
+    const privateKey = encodeOctetString(keyBytes);
+    const publicKey = encodeBitString(new Uint8Array([0x09, 0x08, 0x07]));
+    const publicKeyField = encodeContextSpecific(0xa1, publicKey);
+    const pkcs8 = encodeSequence([version, algorithm, privateKey, publicKeyField]);
+
+    expect(() => parseAlgorithmAndKey(pkcs8)).toThrow(InvalidEncodingError);
+  });
+
+  it('accepts AlgorithmIdentifier with absent parameters', () => {
+    const oid = '1.3.6.1.4.1.2.267.7.4.4';
+    const algorithm = encodeSequence([encodeObjectIdentifier(oid)]); // No NULL
+    const keyBytes = new Uint8Array([0x11, 0x22, 0x33, 0x44]);
+    const key = encodeBitString(keyBytes);
+    const spki = encodeSequence([algorithm, key]);
+
+    const parsed = parseAlgorithmAndKey(spki);
+    expect(parsed.oid).toBe(oid);
+    expect(Array.from(parsed.keyBytes)).toEqual([0x11, 0x22, 0x33, 0x44]);
+  });
+
+  it('accepts AlgorithmIdentifier with explicit NULL parameters', () => {
+    const oid = '1.3.6.1.4.1.2.267.7.4.4';
+    const algorithm = encodeSequence([encodeObjectIdentifier(oid), encodeNull()]);
+    const keyBytes = new Uint8Array([0x55, 0x66, 0x77, 0x88]);
+    const key = encodeBitString(keyBytes);
+    const spki = encodeSequence([algorithm, key]);
+
+    const parsed = parseAlgorithmAndKey(spki);
+    expect(parsed.oid).toBe(oid);
+    expect(Array.from(parsed.keyBytes)).toEqual([0x55, 0x66, 0x77, 0x88]);
+  });
+
+  it('rejects AlgorithmIdentifier with non-NULL parameters', () => {
+    const oid = '1.3.6.1.4.1.2.267.7.4.4';
+    // Use OCTET STRING as unsupported parameter type
+    const badParams = encodeOctetString(new Uint8Array([0x01, 0x02]));
+    const algorithm = encodeSequence([encodeObjectIdentifier(oid), badParams]);
+    const keyBytes = new Uint8Array([0xaa, 0xbb, 0xcc, 0xdd]);
+    const key = encodeBitString(keyBytes);
+    const spki = encodeSequence([algorithm, key]);
+
+    expect(() => parseAlgorithmAndKey(spki)).toThrow(InvalidEncodingError);
+    expect(() => parseAlgorithmAndKey(spki)).toThrow('Unsupported AlgorithmIdentifier parameters');
+  });
+
+  it('rejects AlgorithmIdentifier with trailing data after NULL', () => {
+    const oid = '1.3.6.1.4.1.2.267.7.4.4';
+    // Manually construct AlgorithmIdentifier with NULL + extra bytes
+    const oidEncoded = encodeObjectIdentifier(oid);
+    const nullEncoded = encodeNull();
+    const extraBytes = new Uint8Array([0x00, 0x00]);
+    const algorithmValue = new Uint8Array([...oidEncoded, ...nullEncoded, ...extraBytes]);
+    const algorithm = encodeSequence([algorithmValue]);
+    const keyBytes = new Uint8Array([0x12, 0x34, 0x56, 0x78]);
+    const key = encodeBitString(keyBytes);
+    const spki = encodeSequence([algorithm, key]);
+
+    expect(() => parseAlgorithmAndKey(spki)).toThrow(InvalidEncodingError);
+  });
 });

packages/pq-key-encoder/ts/tests/pem.test.ts

@@ -1,4 +1,5 @@
 import { describe, expect, it } from 'bun:test';
+import { InvalidEncodingError } from '../src/errors';
 import * as api from '../src/index';
 import { toPKCS8 } from '../src/pkcs8';
 import { toSPKI } from '../src/spki';
@@ -94,4 +95,14 @@ describe('pem', () => {
       bytes: key,
     });
   });
+
+  it('rejects PEM when label does not match key type', () => {
+    const key = makeKey(1632, 5);
+    const pkcs8 = toPKCS8({ alg: 'ML-KEM-512', type: 'private', bytes: key });
+    const encoded = encodeBase64(pkcs8);
+    const pem = ['-----BEGIN PUBLIC KEY-----', encoded, '-----END PUBLIC KEY-----'].join('\n');
+
+    const { fromPEM } = api as unknown as PemApi;
+    expect(() => fromPEM(pem)).toThrow(InvalidEncodingError);
+  });
 });

packages/pq-key-encoder/ts/tests/pkcs8.test.ts

@@ -86,4 +86,23 @@ describe('pkcs8', () => {
       bytes: rawKey,
     });
   });
+
+  it('extracts raw key from RFC 8410-style inner OCTET STRING', () => {
+    // RFC 8410 style: privateKey = OCTET STRING { OCTET STRING { raw_bytes } }
+    const rawKey = makeKey(1632, 9);
+    const algorithm = encodeAlgorithmIdentifier('ML-KEM-512');
+    // Double-wrapped: outer OCTET STRING contains DER of inner OCTET STRING
+    const innerOctetString = encodeOctetString(rawKey);
+    const pkcs8 = encodeSequence([
+      encodeInteger(0),
+      algorithm,
+      encodeOctetString(innerOctetString),
+    ]);
+
+    expect(fromPKCS8(pkcs8)).toEqual({
+      alg: 'ML-KEM-512',
+      type: 'private',
+      bytes: rawKey,
+    });
+  });
 });

packages/pq-key-encoder/ts/tests/validation.test.ts

@@ -1,6 +1,7 @@
 import { describe, expect, it } from 'bun:test';
 import {
   encodeBitString,
+  encodeInteger,
   encodeNull,
   encodeObjectIdentifier,
   encodeOctetString,
@@ -56,9 +57,10 @@ function makeSpki(oid: string, keyBytes: Uint8Array): Uint8Array {
 }
 
 function makePkcs8(oid: string, keyBytes: Uint8Array): Uint8Array {
+  const version = encodeInteger(0);
   const algorithm = encodeSequence([encodeObjectIdentifier(oid), encodeNull()]);
   const privateKey = encodeOctetString(keyBytes);
-  return encodeSequence([algorithm, privateKey]);
+  return encodeSequence([version, algorithm, privateKey]);
 }
 
 describe('validation', () => {