crypto: fix webcrypto AES-KW keys accepting encrypt/decrypt usages

lib/internal/crypto/aes.js

@@ -230,13 +230,17 @@ async function aesGenerateKey(algorithm, extractable, keyUsages) {
   validateInteger(length, 'algorithm.length');
   validateOneOf(length, 'algorithm.length', kAesKeyLengths);
 
-  const usageSet = new SafeSet(keyUsages);
+  const checkUsages = ['wrapKey', 'unwrapKey'];
+  if (name !== 'AES-KW')
+    ArrayPrototypePush(checkUsages, 'encrypt', 'decrypt');
 
-  if (hasAnyNotIn(usageSet, ['encrypt', 'decrypt', 'wrapKey', 'unwrapKey'])) {
+  const usagesSet = new SafeSet(keyUsages);
+  if (hasAnyNotIn(usagesSet, checkUsages)) {
     throw lazyDOMException(
       'Unsupported key usage for an AES key',
       'SyntaxError');
   }
+
   return new Promise((resolve, reject) => {
     generateKey('aes', { length }, (err, key) => {
       if (err) {
@@ -249,7 +253,7 @@ async function aesGenerateKey(algorithm, extractable, keyUsages) {
       resolve(new InternalCryptoKey(
         key,
         { name, length },
-        ArrayFrom(usageSet),
+        ArrayFrom(usagesSet),
         extractable));
     });
   });

test/parallel/test-webcrypto-keygen.js

@@ -646,3 +646,14 @@ assert.throws(() => new CryptoKey(), { code: 'ERR_ILLEGAL_CONSTRUCTOR' });
 
   Promise.all(tests).then(common.mustCall());
 }
+
+{
+  assert.rejects(
+    subtle.generateKey(
+      { length: 128, name: 'AES-KW' },
+      true,
+      ['unwrapKey', 'wrapKey', 'encrypt']
+    ), {
+      message: 'Unsupported key usage for an AES key'
+    });
+}

test/wpt/status/WebCryptoAPI.json

@@ -48,7 +48,6 @@
   "generateKey/failures_AES-KW.https.any.js": {
     "fail": {
       "unexpected": [
-        "assert_unreached: Operation succeeded, but should not have Reached unreachable code",
         "assert_equals: Bad algorithm property not supported expected \"OperationError\" but got \"TypeError\"",
         "assert_equals: Bad algorithm property not supported expected \"OperationError\" but got \"SyntaxError\""
       ]