[Bug 27717] New: Require RSA key import to validate the key parameters from bugzilla@jessica.w3.org on 2014-12-30 (public-webcrypto@w3.org from December 2014)

From: <bugzilla@jessica.w3.org>
Date: Tue, 30 Dec 2014 20:59:46 +0000
To: public-webcrypto@w3.org
Message-ID: <bug-27717-7213@http.www.w3.org/Bugs/Public/>

https://www.w3.org/Bugs/Public/show_bug.cgi?id=27717

            Bug ID: 27717
           Summary: Require RSA key import to validate the key parameters
           Product: Web Cryptography
           Version: unspecified
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Web Cryptography API Document
          Assignee: sleevi@google.com
          Reporter: ericroman@google.com
                CC: public-webcrypto@w3.org

The RSA key import does not appear to mandate any validity tests on the key
data. (for instance require that n = pq).

I recommend adding a step that validates the key parameters, and throws a
DataError if they are not legitimate.

This would match up with EC key import, which minimally requires the public key
to be a point on the curve, and throws a DataError if not.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

Received on Tuesday, 30 December 2014 20:59:48 UTC