[Bug 26741] Reject invalid EC public keys

https://www.w3.org/Bugs/Public/show_bug.cgi?id=26741

--- Comment #4 from Ryan Sleevi <sleevi@google.com> ---
NSS historically did not validate public keys on import, but would instead
defer until their cryptographic use (which, due to API layering, was the
_actual_ time that import into the cryptographic module was performed). In this
case, the error would surface during the operational usage.

BoringSSL and OpenSSL both validate on input.

However, Richard recently fixed NSS (IIRC) to validate the public key on
import. Richard, can you confirm?

Note that I have no clue for Safari's case, as they have a few different ECC
implementations last I checked.


Received on Tuesday, 7 October 2014 02:38:19 UTC
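
The import-time validation discussed in this comment, as an added example that is not part of the original message and is not code from NSS, BoringSSL or OpenSSL. It assumes NIST P-256 and the uncompressed point encoding; the function names and the sample keys (the P-256 generator and a copy with one digit of Y changed) are constructed for illustration.

```javascript
// NIST P-256 domain parameters: y^2 = x^3 - 3x + b over GF(p).
const P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffffn;
const B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604bn;

function hexToBytes(hex) {
  const out = new Uint8Array(hex.length / 2);
  for (let i = 0; i < out.length; i++) out[i] = parseInt(hex.slice(2 * i, 2 * i + 2), 16);
  return out;
}

function bytesToBigInt(bytes) {
  let n = 0n;
  for (const b of bytes) n = (n << 8n) | BigInt(b);
  return n;
}

// Hypothetical import routine: validates at import time, so an invalid key
// never reaches ECDH or signature verification.
function importP256PublicKey(raw) {
  // Uncompressed SEC1 encoding only: 0x04 || X (32 bytes) || Y (32 bytes).
  // The point at infinity has no such encoding, so it is rejected here too.
  if (raw.length !== 65 || raw[0] !== 0x04) throw new Error("bad encoding");
  const x = bytesToBigInt(raw.subarray(1, 33));
  const y = bytesToBigInt(raw.subarray(33, 65));
  if (x >= P || y >= P) throw new Error("coordinate out of range");
  const rhs = (((x * x * x - 3n * x + B) % P) + P) % P;
  if ((y * y) % P !== rhs) throw new Error("point not on curve");
  // P-256 has cofactor 1, so an on-curve point is already in the right group.
  return { x, y };
}

// Returns "accepted" or the rejection reason, for easy comparison.
function importResult(raw) {
  try { importP256PublicKey(raw); return "accepted"; }
  catch (e) { return e.message; }
}

// Constructed samples: the P-256 generator, and a copy with the last digit of Y changed.
const GX = "6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296";
const GY = "4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5";
const VALID_KEY = hexToBytes("04" + GX + GY);
const OFF_CURVE_KEY = hexToBytes("04" + GX + GY.slice(0, -1) + "6");

console.log(importResult(VALID_KEY));
console.log(importResult(OFF_CURVE_KEY));
```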