Reject imported EC and RSA keys with trailing bytes

lib/src/impl_ffi/impl_ffi.ec_common.dart

@@ -89,8 +89,14 @@ void _validateEllipticCurveKey(_EvpPKey key, EllipticCurve curve) {
 
 _EvpPKey _importPkcs8EcPrivateKey(List<int> keyData, EllipticCurve curve) {
   return _Scope.sync((scope) {
-    final k = ssl.EVP_parse_private_key(scope.createCBS(keyData));
-    _checkData(k.address != 0, fallback: 'unable to parse key');
+    final cbs = scope.createCBS(keyData);
+    final k = ssl.EVP_parse_private_key(cbs);
+
+    _checkData(
+      k.address != 0 && cbs.ref.len == 0,
+      fallback: 'unable to parse key',
+    );
+
     final key = _EvpPKey.wrap(k);
     _validateEllipticCurveKey(key, curve);
     return key;
@@ -99,13 +105,15 @@ _EvpPKey _importPkcs8EcPrivateKey(List<int> keyData, EllipticCurve curve) {
 
 _EvpPKey _importSpkiEcPublicKey(List<int> keyData, EllipticCurve curve) {
   return _Scope.sync((scope) {
-    // TODO: When calling EVP_parse_public_key it might wise to check that CBS_len(cbs) == 0 is true afterwards
-    // otherwise it might be that all of the contents of the key was not consumed and we should throw
-    // a FormatException. Notice that this the case for private/public keys, and RSA keys.
-    final k = ssl.EVP_parse_public_key(scope.createCBS(keyData));
-    _checkData(k.address != 0, fallback: 'unable to parse key');
-    final key = _EvpPKey.wrap(k);
+    final cbs = scope.createCBS(keyData);
+    final k = ssl.EVP_parse_public_key(cbs);
 
+    _checkData(
+      k.address != 0 && cbs.ref.len == 0,
+      fallback: 'unable to parse key',
+    );
+
+    final key = _EvpPKey.wrap(k);
     _validateEllipticCurveKey(key, curve);
 
     return key;

lib/src/impl_ffi/impl_ffi.rsa_common.dart

@@ -16,8 +16,14 @@ part of 'impl_ffi.dart';
 
 _EvpPKey _importPkcs8RsaPrivateKey(List<int> keyData) {
   return _Scope.sync((scope) {
-    final k = ssl.EVP_parse_private_key(scope.createCBS(keyData));
-    _checkData(k.address != 0, fallback: 'unable to parse key');
+    final cbs = scope.createCBS(keyData);
+    final k = ssl.EVP_parse_private_key(cbs);
+
+    _checkData(
+      k.address != 0 && cbs.ref.len == 0,
+      fallback: 'unable to parse key',
+    );
+
     final key = _EvpPKey.wrap(k);
 
     _checkData(
@@ -37,8 +43,14 @@ _EvpPKey _importPkcs8RsaPrivateKey(List<int> keyData) {
 
 _EvpPKey _importSpkiRsaPublicKey(List<int> keyData) {
   return _Scope.sync((scope) {
-    final k = ssl.EVP_parse_public_key(scope.createCBS(keyData));
-    _checkData(k.address != 0, fallback: 'unable to parse key');
+    final cbs = scope.createCBS(keyData);
+    final k = ssl.EVP_parse_public_key(cbs);
+
+    _checkData(
+      k.address != 0 && cbs.ref.len == 0,
+      fallback: 'unable to parse key',
+    );
+
     final key = _EvpPKey.wrap(k);
 
     _checkData(

lib/src/testing/regression/issue_60_trailing_bytes.dart

@@ -0,0 +1,84 @@
+// Copyright 2026 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+import 'dart:typed_data';
+import 'package:webcrypto/webcrypto.dart';
+import '../utils/utils.dart';
+
+void main() => tests().runTests();
+
+/// Tests for issue #60, exported for use in `../testing.dart`.
+List<({String name, Future<void> Function() test})> tests() {
+  final tests = <({String name, Future<void> Function() test})>[];
+  void test(String name, Future<void> Function() testFn) =>
+      tests.add((name: name, test: testFn));
+
+  test('Ecdsa: importPkcs8Key with trailing bytes throws FormatException', () async {
+    final kp = await EcdsaPrivateKey.generateKey(EllipticCurve.p256);
+    final validKey = await kp.privateKey.exportPkcs8Key();
+    final invalidKey = Uint8List.fromList([...validKey, 0]);
+
+    bool threw = false;
+    try {
+      await EcdsaPrivateKey.importPkcs8Key(invalidKey, EllipticCurve.p256);
+    } on FormatException {
+      threw = true;
+    }
+    check(threw, 'Expected FormatException when importing EC private key with trailing bytes');
+  });
+
+  test('Ecdsa: importSpkiKey with trailing bytes throws FormatException', () async {
+    final kp = await EcdsaPrivateKey.generateKey(EllipticCurve.p256);
+    final validKey = await kp.publicKey.exportSpkiKey();
+    final invalidKey = Uint8List.fromList([...validKey, 0]);
+
+    bool threw = false;
+    try {
+      await EcdsaPublicKey.importSpkiKey(invalidKey, EllipticCurve.p256);
+    } on FormatException {
+      threw = true;
+    }
+    check(threw, 'Expected FormatException when importing EC public key with trailing bytes');
+  });
+
+  test('RsaPss: importPkcs8Key with trailing bytes throws FormatException', () async {
+    final kp = await RsaPssPrivateKey.generateKey(2048, BigInt.from(65537), Hash.sha256);
+    final validKey = await kp.privateKey.exportPkcs8Key();
+    final invalidKey = Uint8List.fromList([...validKey, 0]);
+
+    bool threw = false;
+    try {
+      await RsaPssPrivateKey.importPkcs8Key(invalidKey, Hash.sha256);
+    } on FormatException {
+      threw = true;
+    }
+    check(threw, 'Expected FormatException when importing RSA private key with trailing bytes');
+  });
+
+  test('RsaPss: importSpkiKey with trailing bytes throws FormatException', () async {
+    final kp = await RsaPssPrivateKey.generateKey(2048, BigInt.from(65537), Hash.sha256);
+    final validKey = await kp.publicKey.exportSpkiKey();
+    final invalidKey = Uint8List.fromList([...validKey, 0]);
+
+    bool threw = false;
+    try {
+      await RsaPssPublicKey.importSpkiKey(invalidKey, Hash.sha256);
+    } on FormatException {
+      threw = true;
+    }
+    check(threw, 'Expected FormatException when importing RSA public key with trailing bytes');
+  });
+
+  return tests;
+}

lib/src/testing/testing.dart

@@ -30,6 +30,7 @@ import 'webcrypto/rsassapkcs1v15.dart' as rsassapkcs1v15;
 // Other test files, that don't use TestRunner
 import 'webcrypto/random.dart' as random;
 import 'webcrypto/digest.dart' as digest;
+import 'regression/issue_60_trailing_bytes.dart' as issue_60_trailing_bytes;
 
 /// Test runners from all test files except `digest.dart` and
 /// `random.dart`, which do not use [TestRunner].
@@ -58,6 +59,7 @@ void runAllTests(
     for (final r in _testRunners) ...r.tests(),
     ...random.tests(),
     ...digest.tests(),
+    ...issue_60_trailing_bytes.tests(),
   ];
 
   for (final (:name, :test) in allTests) {