[Bug 27448] New: HmacImportParams having a non-required hash is inconsistent with other algorithms from bugzilla@jessica.w3.org on 2014-11-26 (public-webcrypto@w3.org from November 2014)

From: <bugzilla@jessica.w3.org>
Date: Wed, 26 Nov 2014 19:24:09 +0000
To: public-webcrypto@w3.org
Message-ID: <bug-27448-7213@http.www.w3.org/Bugs/Public/>

https://www.w3.org/Bugs/Public/show_bug.cgi?id=27448

            Bug ID: 27448
           Summary: HmacImportParams having a non-required hash is
                    inconsistent with other algorithms
           Product: Web Cryptography
           Version: unspecified
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Web Cryptography API Document
          Assignee: sleevi@google.com
          Reporter: ericroman@google.com
                CC: public-webcrypto@w3.org

HmacImportParams has an optional "hash" attribute. This is inconsistent with
how import works for other algorithms, whereby algorithm parameters need to be
fully specified during import.

In particular, HMAC import from JWK allows the "hash" attribute on the import
algorithm to be unspecified, and it is filled in using the JWK's "alg" (if one
was specified).

By contrast when importing an RSA key the "hash" attribute is required, even
though it could similarly be inferred from the JWK's "alg". Another example is
the namedCurve attribute when importing EC keys. WebCrypto requires it to be
specified even though it could similarly be inferred from the JWK's "crv"
member.

I believe HmacImportParams should make "hash" required to match other
algorithms. This also means one less failure case for HMAC's "get key length"
operation (since if length is unspecified then at least the hash is guaranteed
to be present).

-- 
You are receiving this mail because:
You are on the CC list for the bug.

Received on Wednesday, 26 November 2014 19:24:11 UTC