crypto: fix crash of encrypted private key export without cipher

PR-URL: #27041
Reviewed-By: Ben Noordhuis <[email protected]>
Reviewed-By: Ruben Bridgewater <[email protected]>

Author: panva

lib/internal/crypto/keys.js

@@ -186,14 +186,18 @@ function parseKeyEncoding(enc, keyType, isPublic, objName) {
   if (isPublic !== true) {
     ({ cipher, passphrase } = enc);
 
-    if (!isInput && cipher != null) {
-      if (typeof cipher !== 'string')
+    if (!isInput) {
+      if (cipher != null) {
+        if (typeof cipher !== 'string')
+          throw new ERR_INVALID_OPT_VALUE(option('cipher', objName), cipher);
+        if (format === kKeyFormatDER &&
+            (type === kKeyEncodingPKCS1 ||
+             type === kKeyEncodingSEC1)) {
+          throw new ERR_CRYPTO_INCOMPATIBLE_KEY_OPTIONS(
+            encodingNames[type], 'does not support encryption');
+        }
+      } else if (passphrase !== undefined) {
         throw new ERR_INVALID_OPT_VALUE(option('cipher', objName), cipher);
-      if (format === kKeyFormatDER &&
-          (type === kKeyEncodingPKCS1 ||
-           type === kKeyEncodingSEC1)) {
-        throw new ERR_CRYPTO_INCOMPATIBLE_KEY_OPTIONS(
-          encodingNames[type], 'does not support encryption');
       }
     }
 

test/parallel/test-crypto-key-objects.js

@@ -244,3 +244,17 @@ const privateDsa = fixtures.readKey('dsa_private_encrypted_1025.pem',
   assert.strictEqual(privateKey.asymmetricKeyType, 'dsa');
   assert.strictEqual(privateKey.symmetricKeySize, undefined);
 }
+
+{
+  // Exporting an encrypted private key requires a cipher
+  const privateKey = createPrivateKey(privatePem);
+  common.expectsError(() => {
+    privateKey.export({
+      format: 'pem', type: 'pkcs8', passphrase: 'super-secret'
+    });
+  }, {
+    type: TypeError,
+    code: 'ERR_INVALID_OPT_VALUE',
+    message: 'The value "undefined" is invalid for option "cipher"'
+  });
+}