- From: <bugzilla@jessica.w3.org>
- Date: Fri, 16 May 2014 18:45:23 +0000
- To: public-webcrypto@w3.org
https://www.w3.org/Bugs/Public/show_bug.cgi?id=25741
Bug ID: 25741
Summary: RSA-OAEP is under-specified when the parameters define
an operation not supported by the key size
Product: Web Cryptography
Version: unspecified
Hardware: PC
OS: Windows NT
Status: NEW
Severity: normal
Priority: P2
Component: Web Cryptography API Document
Assignee: sleevi@google.com
Reporter: sleevi@google.com
CC: public-webcrypto@w3.org

With RSA-OAEP, the maximum message size is equivalent to:

modulus length - 1 (leading 0x00 octet) - hash size (masked seed) - hash size
(lHash portion of the maskedDB) - 1 (at least one octet for the padding string,
equal to 0x01)

The result of this is that it's possible to specify a set of parameters during
an operation that are not supportable by the key.

For example, using a 1024-bit key with SHA-512 as the hash algorithm is not
possible, because the minimum size of an OAEP encoded message is 1040 bits.

The question is whether this should be presented as a DataError (implying
implementations may need to do validation prior to the underlying
implementation) or left as an OperationError.

The spec is unclear on this. In the case of AES-KW, for example, a DataError is
raised if plaintext is not a multiple of 64 bits. With RSA-ES, however, which
also has a maximum message size (modulus length - 11), no spec-specific
behaviour is defined, therefore an OperationError is expected.

At least one user agent (Chrome) implemented behaviour that treated RSA-ES
message failures as a DataError, assuming the AES-KW behaviour, so the spec
should be explicit either way for interoperability.

Received on Friday, 16 May 2014 18:45:26 UTC
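
An added example, not part of the bug report or of any user agent's code: a pre-flight check that applies the size formulas from the report and separates parameter sets the key can never support from plaintexts that are merely too long. The function names and category strings are this example's own; how either category should map to DataError or OperationError is the question the bug leaves open.

```javascript
// Added example: pre-flight size check for RSA encryption parameters.
// Digest output sizes in octets.
const HASH_LEN = { "SHA-1": 20, "SHA-256": 32, "SHA-384": 48, "SHA-512": 64 };

// Octets consumed by padding, using the formulas quoted in the report.
function paddingOverhead(scheme, hashName) {
  if (scheme === "RSA-ES") return 11; // limit is modulus length - 11
  if (scheme !== "RSA-OAEP") throw new RangeError("unknown scheme: " + scheme);
  const hLen = HASH_LEN[hashName];
  if (hLen === undefined) throw new RangeError("unknown hash: " + hashName);
  // 1 (leading 0x00) + hLen (masked seed) + hLen (lHash) + 1 (0x01 separator)
  return 1 + hLen + hLen + 1;
}

// Largest plaintext in octets; negative means nothing fits, not even "".
function maxPlaintextLength(scheme, modulusBits, hashName) {
  if (!Number.isInteger(modulusBits) || modulusBits <= 0) {
    throw new RangeError("modulusBits must be a positive integer");
  }
  const k = Math.ceil(modulusBits / 8); // modulus length in octets
  return k - paddingOverhead(scheme, hashName);
}

// Classify a request before it reaches the underlying implementation.
// Category strings are this example's own labels, not spec terms.
function checkEncryptRequest(scheme, modulusBits, hashName, messageLength) {
  const max = maxPlaintextLength(scheme, modulusBits, hashName);
  const minEncodedBits = 8 * paddingOverhead(scheme, hashName);
  if (max < 0) {
    // Fails for every input: the key and parameters are incompatible.
    return { ok: false, category: "parameters-unsupported-by-key", max, minEncodedBits };
  }
  if (messageLength > max) {
    // Fails only because of this particular plaintext.
    return { ok: false, category: "message-too-long", max, minEncodedBits };
  }
  return { ok: true, category: "fits", max, minEncodedBits };
}

// Constructed sample requests: [scheme, modulus bits, hash, plaintext octets]
const samples = [
  ["RSA-OAEP", 1024, "SHA-512", 16],
  ["RSA-OAEP", 2048, "SHA-256", 191],
  ["RSA-OAEP", 2048, "SHA-256", 190],
  ["RSA-ES", 1024, undefined, 118],
];
for (const s of samples) {
  console.log(s.join(" / "), "->", JSON.stringify(checkEncryptRequest(...s)));
}
```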