Re: RSA JWK import from Eric Roman on 2016-08-19 (public-webcrypto@w3.org from August 2016)

From: Eric Roman <ericroman@google.com>
Date: Fri, 19 Aug 2016 12:38:02 -0700
To: Charles Engelke <w3c@engelke.com>
Cc: "public-webcrypto@w3.org" <public-webcrypto@w3.org>
Message-ID: <CAFswn4njUbrDrd7kWp=yT0FLaJ1K81U1_ijUFTHR4Yf35Pxzmw@mail.gmail.com>

Correct, Chrome does not support importing RSA keys without all of those
RSA key parameters specified [1]

There wasn't good support in the crypto library implementations for this --
neither NSS nor OpenSSL had satisfying solutions out of the box and at the
time we decided it wasn't worthwhile rolling our own calculations to infer
these parameters (code complexity, and more runtime cost) [2]

Also, when we were implementing, we based off of draft 18 of JWA [3]. My
interpretation of this version of JWA is that it gave implementations some
leeway in not accepting partially-specified RSA keys, based on this
sentence from Section 6.3.2:

   The consumer of a JWK MAY choose
   to accept an RSA private key that does not contain a complete set of
   the private key parameters other than "d", including JWKs in which
   "d" is the only RSA private key parameter included.

If it "MAY" choose to accept partial keys, then one presumes it may also
choose to reject them. Hence our decision in [2] was defensibly spec
compliant.

You are correct though, that the current wording in RFC 7518 does not have
such wording anymore. Nor can I find adequate justification in it to reject
the keys that Firefox/Chrome currently rejects. I haven't been following
that spec's evolution so can't comment further if that was the intent.

>From an implementation side I don't think we are going to support such
keys. So I agree with Charles that figuring out possible spec-side changes
to normalize this reality would be great.

>From a compatibility standpoint, lacking support for importing RSA keys
without those other parameters is in practice (I believe) a minor one. The
spec says producers SHOULD include them, and that seems to be true of all
the producers I have come across -- certainly Firefox and Chrome include
those when outputting JWKs.

Perhaps JWA would be willing to change that SHOULD to a MUST, and then
consumers needn't concern themselves with their absence.

[1]
https://chromium.googlesource.com/chromium/src/+/0bb976e4a86cd456a35d861e7fb7f9e9a729a1a5/components/webcrypto/algorithms/rsa.cc#81

[2] https://bugs.chromium.org/p/chromium/issues/detail?id=374927

[3] https://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-18

On Tue, Aug 16, 2016 at 10:30 AM, Charles Engelke <w3c@engelke.com> wrote:

> As I read the WebCryptoAPI spec and RFC 7518 to which it refers, importKey
> for private RSA keys in JWK format requires only the basic parameters kty,
> n, e, and d. The RFC says that the JWK format SHOULD (but is not REQUIRED
> to) include the other parameters p, q, dp, dq, qi and in some cases oth.
>
> Based on my tests, both Chrome and Firefox (on Linux anyway) require that
> all the parameters, not just the ones the RFC says must be required, be
> included to use importKey.
>
> Am I misreading the spec, or are Chrome and Firefox both requiring more
> than the spec does? And if they are, do we want to change the spec to have
> the more restrictive language in it?
>
> Charlie
>

Received on Friday, 19 August 2016 19:38:59 UTC