- From: Charles Engelke <w3c@engelke.com>
- Date: Thu, 2 Jun 2016 14:56:35 -0400
- To: Eric Roman <ericroman@google.com>
- Cc: "public-webcrypto@w3.org" <public-webcrypto@w3.org>
Thanks for both suggestions. Unless I hear objections, I'm going to go with testing via roundtripping in the browser, plus the extra checks Eric has mentioned. That avoid opening a whole can of worms with external programs or trying to compile OpenSSL into JavaScript. I'll also be writing decrypt tests, which won't have this kind of problem. That will help assure that roundtripping is a valid way to check. Charlie On Thu, Jun 2, 2016 at 2:47 PM, Eric Roman <ericroman@google.com> wrote: > On Thu, Jun 2, 2016 at 10:44 AM, Charles Engelke <w3c@engelke.com> wrote: >> >> I think I'm done testing encrypt for the various AES modes, and just >> have RSA-OAEP to go. But I'm running into a problem: RSA-OAEP injects >> randomness when encrypting, so the only way to check that encryption >> worked is to see if the result can be decrypted. >> >> I see three options: >> >> - assume that if encrypt doesn't throw and exception, it passes >> >> - check the result of encrypt by using subtleCrypto decrypt to see if >> you get the same plaintext back (note that decrypt can be tested with >> sample ciphertext so we can tell if it's working separately) > > > I think this second option of round-tripping through decrypt is reasonable. > > We should also do some basic checks on the "shape" of the ciphertext -- > namely verify its length, and that repeated encryptions yield randomized > ciphertext. > >> >> - check the result of encrypt by using an external program to decrypt its >> result >> >> The third option seems to be the best in a perfect world. But it would >> require the test framework to have an external program that can do > > > If you choose to go this route, you can compile a C implementation used for > verification (say OpenSSL) down to Javascript using emsripten, and then call > into that as part of the javascript test. > > That said, I think the simplicity of roundtrip testing above is a good place > to start. > > The interesting compatibility cases are surely going to lie in failure > cases, not success cases, hence focusing attention there will yield more > fruit IMO, and keep the framework simpler. > > For instance with OAEP encryption there is interesting interaction between > the key size, message size, and hash size to test. > >> RSA-OAEP decryption with all the options subtleCrypto is supposed to >> to have: any of the four supported hash functions, and with and >> without the optional label. OpenSSL, for example, seems to only >> support SHA-1 and no label. >> >> >> I'd appreciate any suggestions on how to proceed (and would also >> appreciate pointers on how to extend the framework to use an external >> program if that's the needed solution). >> >> Thanks, >> >> Charlie >> >
Received on Thursday, 2 June 2016 18:57:04 UTC