Re: How to handle invalid EC public keys

On Sep 4, 2014 7:11 AM, "Richard Barnes" <rlb@ipv.sx> wrote:
>
> In implementing ECDH and ECDSA, we've come across an issue that is
unclear in the spec.  It's also unclear how to resolve it, so I thought I
would bring it up on the list before filing a bug.
>
> In cases where an EC public key is being imported ("spki", "raw", "jwk"),
it is possible for the importer to provide an elliptic curve point that is
not on the curve.  It seems like there are two options for how WebCrypto
should behave in such a case:
>
> 1. Reject at import, presumably with DataError.
>
> 2. Reject at sign() / deriveBits() time (since these operations cannot be
completed with points not on the curve)
>
> In an ideal world, I would prefer (1), in the spirit of failing fast.
 (Apparently, X9.62 also requires this, at least according to a comment in
the OpenSSL source code.)  However, at least in Firefox/NSS, it is much
simpler to implement (2).
>
> Either way, the spec should say something about what to do in this case.
 Thoughts?
>
> Thanks,
> --Richard
>

All in favor of 1. Fail early, fail often.

Received on Thursday, 4 September 2014 14:32:48 UTC