Re: WebCrypto AlgorithmIdentifier for ECDSA signing w/SECP256R1 & SHA-256 ?

On Thu, Dec 17, 2015 at 7:43 AM, Hodges, Jeff <jeff.hodges@paypal.com>
wrote:

> On 12/16/15, 5:17 PM, "Ryan Sleevi" <sleevi@google.com> wrote:
>
>
>
> On Wed, Dec 16, 2015 at 5:02 PM, Hodges, Jeff <jeff.hodges@paypal.com>
> wrote:
>
>> Hi,
>>
>> how does one specify a WebCrypto AlgorithmIdentifier such that it
>> represents "sign operation using ECDSA key on SECP256R1 curve with SHA-256
>> hash" ?
>>
>> Here's my guess:
>>
>>   // WebCrypto AlgorithmIdentifier stipulating:
>>   //
>>   //  "sign operation using ECDSA key on SECP256R1 curve with SHA-256 hash"
>>   //
>>   // See: http://www.w3.org/TR/WebCryptoAPI/#ecdsa
>>   //
>>   // Note: the private key used to sign MUST have been created using
>>   //       NIST recommended curve P-256, also known as secp256r1, and with
>>   //       a KeyUsage including "sign".
>>   //
>>
>>   var algSign_ECDSA_SECP256R1_SHA256 = {
>>      "name": "ECDSA",
>>      "hash": "SHA-256"
>>   }
>>
>> Is that correct, including the "Note:" in the comment ?
>>
>
> var data = ...;
> return window.crypto.subtle.generateKey({ "name": "ECDSA", "namedCurve":
> "P-384"}, false, ["sign", "verify"]).then(keyPair => {
>   return window.crypto.subtle.sign({ "name": "ECDSA", "hash": { "name":
> "SHA-256" } }, keyPair.privateKey, data).then(signature => {
>     return window.crypto.subtle.verify({ "name": "ECDSA", "hash":
> "SHA-256"}, keyPair.publicKey, signature, data).then(verified => {
>       if (verified) {
>         return { "data": data, "signature": signature };
>       } else {
>         return null;
>       }
>     });
>   });
> });
>
> Will return a promise that either resolves to an object with the data and
> signature - if it can generate a key that can sign and then verify the data
> - or null if it can't.
>
> Two different forms of Hash are used as two different forms are acceptable
> for AlgorithmIdentifier.
>
>
>
> Ok, thanks, this answers part of my question wrt AlgorithmIdentifier.  You
> indicate that both of these forms are syntactically correct (yes?):
>
>   var algSign_ECDSA_SECP256R1_SHA256 = {
>      "name": "ECDSA",
>      "hash": "SHA-256"
>   }
>
>   var algSign_ECDSA_SECP256R1_SHA256 = {
>      "name": "ECDSA",
>      "hash": { "name": "SHA-256" }
>   }
>
> However, if the use case we have is specifying in some spec a "sign
> operation using an ECDSA key on curve P-256 (SECP256R1) using a SHA-256
> hash", the code above it's not quite compliant because it uses a key on
> "P-384", yes?
>

Er, right, sorry, I typo'd there :) You can s/P-384/P-256/ there

Received on Thursday, 17 December 2015 17:14:31 UTC
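
The point the thread settles on, as an added example (not code from either poster): the sign-time AlgorithmIdentifier names only the hash, while the curve is fixed when the key is generated, so a "P-256 with SHA-256" requirement has to be enforced by inspecting the key. `signP256Sha256` and `demo` are hypothetical names, and the `require` fallback assumes a Node.js runtime without a global `crypto`.

```javascript
// Added example, not from the thread. In browsers `crypto.subtle` is global;
// the require() fallback is an assumption for older Node.js runtimes.
const subtle = (globalThis.crypto && globalThis.crypto.subtle) ||
  require("node:crypto").webcrypto.subtle;

// The sign-time identifier carries only the hash; both spellings are accepted.
const SIGN_ALG_STRING = { name: "ECDSA", hash: "SHA-256" };
const SIGN_ALG_OBJECT = { name: "ECDSA", hash: { name: "SHA-256" } };

// Hypothetical helper: refuse any key that is not ECDSA / P-256 / "sign".
async function signP256Sha256(privateKey, data) {
  const { name, namedCurve } = privateKey.algorithm;
  if (name !== "ECDSA" || namedCurve !== "P-256") {
    throw new TypeError(`expected ECDSA P-256 key, got ${name} ${namedCurve}`);
  }
  if (privateKey.type !== "private" || !privateKey.usages.includes("sign")) {
    throw new TypeError('key must be a private key with usage "sign"');
  }
  return new Uint8Array(await subtle.sign(SIGN_ALG_STRING, privateKey, data));
}

async function demo() {
  const data = new TextEncoder().encode("constructed sample message");
  const p256 = await subtle.generateKey(
    { name: "ECDSA", namedCurve: "P-256" }, false, ["sign", "verify"]);
  const p384 = await subtle.generateKey(
    { name: "ECDSA", namedCurve: "P-384" }, false, ["sign", "verify"]);

  const signature = await signP256Sha256(p256.privateKey, data);
  // Verify with the object form of the hash: same algorithm, same result.
  const verified = await subtle.verify(
    SIGN_ALG_OBJECT, p256.publicKey, signature, data);
  // A different hash at verify time must not validate the signature.
  const verifiedSha384 = await subtle.verify(
    { name: "ECDSA", hash: "SHA-384" }, p256.publicKey, signature, data);
  // A P-384 key, as in the snippet quoted above, fails the curve check.
  const p384Rejected = await signP256Sha256(p384.privateKey, data)
    .then(() => false, (e) => e instanceof TypeError);

  return { sigLength: signature.length, verified, verifiedSha384, p384Rejected };
}
```

WebCrypto returns the ECDSA signature as the fixed-length concatenation of r and s (64 bytes on P-256), not as a DER structure.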