- From: <bugzilla@jessica.w3.org>
- Date: Sat, 13 Dec 2014 01:34:08 +0000
- To: public-webcrypto@w3.org
https://www.w3.org/Bugs/Public/show_bug.cgi?id=27601
Bug ID: 27601
Summary: Inconsistent enforcement of JWK's "use" versus "key_ops" during public key import
Product: Web Cryptography
Version: unspecified
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: Web Cryptography API Document
Assignee: sleevi@google.com
Reporter: ericroman@google.com
CC: public-webcrypto@w3.org
Consider the case of importing an RSA-PSS public key using JWK.
WebCrypto callers can request usages of either ['verify'] or [] (no usages).
If empty usages are specified then it is possible to import the following JWK:
{
  "kty": "RSA",
  "key_ops": ["encrypt", "decrypt", "wrapKey", "unwrapKey"],
  ...
}
The above key is for an encryption algorithm, but it is allowed to be imported
for a signing algorithm because the requested usages, [], were a subset of the
usages granted to the key.
OK fine.
However, it is NOT possible to import the following:
{
  "kty": "RSA",
  "use": "enc",
  ...
}
Conceptually these represent the same kind of key, however WebCrypto enforces
"use" differently from "key_ops". "use" in this case is required to be an exact
match of "sig".
The same situation applies to ECDH keys.
I believe the key_ops behavior is the correct one, and "use" should work the
same way. I feel this way because JWK allows pairing unrelated usages in
key_ops (although discourages it) [1]. So it stands to reason that such a key
should be importable into WebCrypto.
[1] Section 4.3 of JWK spec says: "Multiple unrelated key operations SHOULD NOT
be specified" ..... SHOULD NOT != MUST NOT
Received on Saturday, 13 December 2014 01:34:10 UTC