Please verify from Jim Schaad on 2015-11-24 (public-webcrypto@w3.org from November 2015)

From: Jim Schaad <ietf@augustcellars.com>
Date: Mon, 23 Nov 2015 18:06:31 -0800
To: <public-webcrypto@w3.org>
Message-ID: <03b301d1265c$bd145c90$373d15b0$@augustcellars.com>

In doing a deep read of the document, I want to verify that the following is
intended.

I have modified the example in section 33.1 by removing the "sign" usage
from the set of usages in the generateKey line.

*  A zero-length sequence will pass Web IDL as it is legal
* Section 14.3.6 does not appear to check any of the usages for generateKey
* Section 20.8 says only throw an exception if some usage other than "sign"
or "verify" exists.  This is not the case so it will pas step 1 of Generate
Key
* Step 18 of Generate Key will set [[usages]] to [] (intersection of [] and
["sign"]
-- This means that the generateKey will be successful.

* The sign method will fail due to step 9 of the sign method 14.3.3

This is a bit surprising to me because it is the sign method that fails and
not the generate method.

I think that it would be impossible to export and import the private key as
a jwk and fix the problem without modifying the jwk string.  This is also
true for the public key as well since the "verify" usage will not be present
in the jwk.  This is not an issue for the pkcs8 and spki formats as they do
not keep the usages in the structure.

Jim



// Algorithm Object
var algorithmKeyGen = {
  name: "RSASSA-PKCS1-v1_5",
  // RsaHashedKeyGenParams
  modulusLength: 2048,
  publicExponent: new Uint8Array([0x01, 0x00, 0x01]),  // Equivalent to
65537
  hash: {
    name: "SHA-256"
  }
};

var algorithmSign = {
  name: "RSASSA-PKCS1-v1_5"
};

window.crypto.subtle.generateKey(algorithmKeyGen, false, []).then(
  function(key) {
    var dataPart1 = convertPlainTextToArrayBufferView("hello,");
    var dataPart2 = convertPlainTextToArrayBufferView(" world!");
    // TODO: create example utility function that converts text ->
ArrayBufferView

    return window.crypto.subtle.sign(algorithmSign, key.privateKey,
[dataPart1, dataPar2]);
  },
  console.error.bind(console, "Unable to generate a key")
).then(
  console.log.bind(console, "The signature is: "),
  console.error.bind(console, "Unable to sign")
);

Received on Tuesday, 24 November 2015 02:09:51 UTC