- From: Eric Roman <ericroman@google.com>
- Date: Thu, 2 Jun 2016 11:47:23 -0700
- To: Charles Engelke <w3c@engelke.com>
- Cc: "public-webcrypto@w3.org" <public-webcrypto@w3.org>
- Message-ID: <CAFswn4=JXayYN4oTjZvc5FY2SMkY0Z2+Qe7QL1=8xjcCHocN6g@mail.gmail.com>
On Thu, Jun 2, 2016 at 10:44 AM, Charles Engelke <w3c@engelke.com> wrote: > I think I'm done testing encrypt for the various AES modes, and just > have RSA-OAEP to go. But I'm running into a problem: RSA-OAEP injects > randomness when encrypting, so the only way to check that encryption > worked is to see if the result can be decrypted. > > I see three options: > > - assume that if encrypt doesn't throw and exception, it passes > > - check the result of encrypt by using subtleCrypto decrypt to see if > you get the same plaintext back (note that decrypt can be tested with > sample ciphertext so we can tell if it's working separately) > I think this second option of round-tripping through decrypt is reasonable. We should also do some basic checks on the "shape" of the ciphertext -- namely verify its length, and that repeated encryptions yield randomized ciphertext. > - check the result of encrypt by using an external program to decrypt its > result > > The third option seems to be the best in a perfect world. But it would > require the test framework to have an external program that can do > If you choose to go this route, you can compile a C implementation used for verification (say OpenSSL) down to Javascript using emsripten, and then call into that as part of the javascript test. That said, I think the simplicity of roundtrip testing above is a good place to start. The interesting compatibility cases are surely going to lie in failure cases, not success cases, hence focusing attention there will yield more fruit IMO, and keep the framework simpler. For instance with OAEP encryption there is interesting interaction between the key size, message size, and hash size to test. RSA-OAEP decryption with all the options subtleCrypto is supposed to > to have: any of the four supported hash functions, and with and > without the optional label. OpenSSL, for example, seems to only > support SHA-1 and no label. > I'd appreciate any suggestions on how to proceed (and would also > appreciate pointers on how to extend the framework to use an external > program if that's the needed solution). > > Thanks, > > Charlie > >
Received on Thursday, 2 June 2016 18:47:53 UTC