- From: <bugzilla@jessica.w3.org>
- Date: Fri, 25 Apr 2014 22:03:57 +0000
- To: public-webcrypto@w3.org
https://www.w3.org/Bugs/Public/show_bug.cgi?id=25466

- Bug ID: 25466
- Summary: ECDSA and ECDH importKey do not perform consistency checks of the namedCurve
- Product: Web Cryptography
- Version: unspecified
- Hardware: PC
- OS: Windows NT
- Status: NEW
- Severity: normal
- Priority: P2
- Component: Web Cryptography API Document
- Assignee: sleevi@google.com
- Reporter: sleevi@google.com
- CC: public-webcrypto@w3.org

The parameters for importing an ECDSA or ECDH key do not perform consistency checks between the callers' specified NamedCurve in the EcKeyImportParams and the named curve extracted from the imported key (e.g. the "crv" parameter in JWK, or the OID in the namedCurve parameters in the case of SPKI/PKCS#8).

A mismatch between the two parameters should cause an import failure.

That is, if the EcKeyImportParams specified

    { namedCurve: "P-256" }

then attempting to import a JWK with the parameters

    { kty: "EC", crv: "P-521", x: ..., y: ... }

should fail.

Alternatively, the import parameters should not include the named curve at all - which would prohibit 'raw' import of ECDH keys.

The former is preferable, as it matches the handling of RSA keys and their associated parameters.
Received on Friday, 25 April 2014 22:03:58 UTC
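
The consistency check the report asks for, sketched as an added example (not part of the original message and not any implementation's code). The helper names `readTlv`, `curveFromSpki` and `checkEcImport` are hypothetical, the sample inputs are constructed, and only the JWK and SPKI formats are covered.

```javascript
// Added example (not from the bug report); helper names are hypothetical.
const CURVE_OIDS = {             // DER content bytes of each namedCurve OID
  "P-256": "2a8648ce3d030107",   // 1.2.840.10045.3.1.7
  "P-384": "2b81040022",         // 1.3.132.0.34
  "P-521": "2b81040023",         // 1.3.132.0.35
};
const EC_PUBLIC_KEY_OID = "2a8648ce3d0201"; // id-ecPublicKey, 1.2.840.10045.2.1
// Read one DER tag-length-value at `off`; short and 1-2 byte long-form lengths only.
function readTlv(buf, off) {
  if (off + 2 > buf.length) throw new Error("truncated DER");
  let len = buf[off + 1], start = off + 2;
  if (len & 0x80) {
    const n = len & 0x7f;
    if (n < 1 || n > 2 || start + n > buf.length) throw new Error("bad DER length");
    len = 0;
    for (let i = 0; i < n; i++) len = (len << 8) | buf[start++];
  }
  if (start + len > buf.length) throw new Error("truncated DER");
  return { tag: buf[off], start, end: start + len };
}
const hex = (buf, t) =>
  Array.from(buf.subarray(t.start, t.end), b => b.toString(16).padStart(2, "0")).join("");
// Curve name from SubjectPublicKeyInfo { AlgorithmIdentifier { oid, namedCurve }, key }.
function curveFromSpki(spki) {
  const outer = readTlv(spki, 0), algId = readTlv(spki, outer.start);
  const algOid = readTlv(spki, algId.start), curve = readTlv(spki, algOid.end);
  const tagsOk = outer.tag === 0x30 && algId.tag === 0x30 && algOid.tag === 0x06 && curve.tag === 0x06;
  if (!tagsOk || curve.end > algId.end || hex(spki, algOid) !== EC_PUBLIC_KEY_OID)
    throw new Error("not an EC SubjectPublicKeyInfo with a named curve");
  const name = Object.keys(CURVE_OIDS).find(k => CURVE_OIDS[k] === hex(spki, curve));
  if (!name) throw new Error("unsupported curve OID");
  return name;
}
// Reject the import when the key's own curve disagrees with the caller's namedCurve.
function checkEcImport(format, keyData, algorithm) {
  let keyCurve;
  if (format === "jwk") {
    if (keyData.kty !== "EC") throw new Error("JWK is not an EC key");
    keyCurve = keyData.crv;
  } else if (format === "spki") keyCurve = curveFromSpki(keyData);
  else throw new Error("format not handled by this example: " + format);
  if (keyCurve !== algorithm.namedCurve)
    throw new Error(`curve mismatch: key is ${keyCurve}, caller asked for ${algorithm.namedCurve}`);
  return keyCurve;
}
// Constructed inputs: the report's JWK (placeholder coordinates) and a P-256 SPKI with a zeroed point.
const SAMPLE_JWK = { kty: "EC", crv: "P-521", x: "placeholder", y: "placeholder" };
const SAMPLE_SPKI = Uint8Array.from(
  ("3059301306072a8648ce3d020106082a8648ce3d030107034200" + "04" + "00".repeat(64)).match(/../g), h => parseInt(h, 16));
```

Running a check like this before handing the key to `importKey` makes the P-256/P-521 case from the report fail early; it does not validate that the point is on the curve.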