
Re: Testing encrypt with RSA-OAEP

From: Eric Roman <ericroman@google.com>
Date: Thu, 2 Jun 2016 11:47:23 -0700
Message-ID: <CAFswn4=JXayYN4oTjZvc5FY2SMkY0Z2+Qe7QL1=8xjcCHocN6g@mail.gmail.com>
To: Charles Engelke <w3c@engelke.com>
Cc: "public-webcrypto@w3.org" <public-webcrypto@w3.org>

On Thu, Jun 2, 2016 at 10:44 AM, Charles Engelke <w3c@engelke.com> wrote:

> I think I'm done testing encrypt for the various AES modes, and just
> have RSA-OAEP to go. But I'm running into a problem: RSA-OAEP injects
> randomness when encrypting, so the only way to check that encryption
> worked is to see if the result can be decrypted.
> I see three options:
> - assume that if encrypt doesn't throw an exception, it passes
> - check the result of encrypt by using subtleCrypto decrypt to see if
> you get the same plaintext back (note that decrypt can be tested with
> sample ciphertext so we can tell if it's working separately)

I think this second option of round-tripping through decrypt is reasonable.

We should also do some basic checks on the "shape" of the ciphertext --
namely verify its length, and that repeated encryptions yield randomized

> - check the result of encrypt by using an external program to decrypt its
> result
> The third option seems to be the best in a perfect world. But it would
> require the test framework to have an external program that can do

If you choose to go this route, you can compile a C implementation used for
verification (say OpenSSL) down to JavaScript using Emscripten, and then
call into that as part of the JavaScript test.

That said, I think the simplicity of roundtrip testing above is a good
place to start.

The interesting compatibility cases are surely going to lie in failure
cases, not success cases, hence focusing attention there will yield more
fruit IMO, and keep the framework simpler.

For instance with OAEP encryption there is interesting interaction between
the key size, message size, and hash size to test.

> RSA-OAEP decryption with all the options subtleCrypto is supposed
> to have: any of the four supported hash functions, and with and
> without the optional label. OpenSSL, for example, seems to only
> support SHA-1 and no label.

> I'd appreciate any suggestions on how to proceed (and would also
> appreciate pointers on how to extend the framework to use an external
> program if that's the needed solution).
> Thanks,
> Charlie
Received on Thursday, 2 June 2016 18:47:53 UTC
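
The round-trip and "shape" checks discussed in this thread, written out as an added example (not code from the thread or from the W3C test suite). The function name `checkOaepEncrypt` and the sample plaintext are constructed for illustration; the size limit used is the RFC 8017 bound `k - 2*hLen - 2`, and a runtime with WebCrypto is assumed.

```javascript
// Added example: checking RSA-OAEP encrypt() without known-answer vectors.
// Assumes WebCrypto is available (browser, or Node.js with a global `crypto`).
const subtle = (globalThis.crypto ?? require('node:crypto').webcrypto).subtle;

// Digest output sizes in bytes (hLen in RFC 8017).
const HASH_LEN = { 'SHA-1': 20, 'SHA-256': 32, 'SHA-384': 48, 'SHA-512': 64 };

const sameBytes = (a, b) => {
  const x = new Uint8Array(a), y = new Uint8Array(b);
  return x.length === y.length && x.every((v, i) => v === y[i]);
};

// Resolves true if the operation rejects, false if it succeeds.
const rejects = (p) => p.then(() => false, () => true);

async function checkOaepEncrypt(modulusLength, hash, label) {
  const { publicKey, privateKey } = await subtle.generateKey(
    { name: 'RSA-OAEP', modulusLength, hash,
      publicExponent: new Uint8Array([1, 0, 1]) },
    false, ['encrypt', 'decrypt']);
  const params = label ? { name: 'RSA-OAEP', label } : { name: 'RSA-OAEP' };

  const k = modulusLength / 8;                // modulus size in bytes
  const maxLen = k - 2 * HASH_LEN[hash] - 2;  // largest plaintext OAEP accepts
  const result = { k, maxLen };

  if (maxLen < 0) {
    // Key too small for this hash: even an empty message must be rejected.
    result.emptyRejected = await rejects(
      subtle.encrypt(params, publicKey, new Uint8Array(0)));
    return result;
  }

  const plaintext = new Uint8Array(maxLen).fill(0x41);  // constructed input
  const c1 = await subtle.encrypt(params, publicKey, plaintext);
  const c2 = await subtle.encrypt(params, publicKey, plaintext);

  // Shape: ciphertext is exactly k bytes, and two runs must not match.
  result.lengthOk = c1.byteLength === k && c2.byteLength === k;
  result.randomized = !sameBytes(c1, c2);
  // Round trip through decrypt, which can be tested separately with vectors.
  result.roundTrip = sameBytes(
    await subtle.decrypt(params, privateKey, c1), plaintext);
  // Failure case: one byte over the limit must be rejected.
  result.oversizeRejected = await rejects(
    subtle.encrypt(params, publicKey, new Uint8Array(maxLen + 1)));
  return result;
}
```

Running it for each supported hash, with and without a label, covers the option matrix raised in the quoted message; a 1024-bit key with SHA-512 exercises the case where no plaintext fits at all.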
