[Bug 27601] New: Inconsistent enforcement of JWK's "use" versus "key_ops" during public key import

https://www.w3.org/Bugs/Public/show_bug.cgi?id=27601

            Bug ID: 27601
           Summary: Inconsistent enforcement of JWK's "use" versus
                    "key_ops" during public key import
           Product: Web Cryptography
           Version: unspecified
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Web Cryptography API Document
          Assignee: sleevi@google.com
          Reporter: ericroman@google.com
                CC: public-webcrypto@w3.org

Consider the case of importing an RSA-PSS public key using JWK.

WebCrypto callers can request usages of either ['verify' or []  (no usages)

If empty usages are specified then it is possible to import the following JWK:


 {
   "kty": "RSA",
   "key_ops": ["encrypt", "decrypt", "wrapKey", "unwrapKey"],
   ...
 }

The above key is for an encryption algorithm, but it is allowed to be imported
for a signing algorithm because the requested usages, [], were a subset of the
usages granted to the key.

OK fine.

However, it is NOT possible to import the following:


 {
   "kty": "RSA",
   "use": "enc",
   ...
 }

Conceptually these represent the same kind of key, however WebCrypto enforces
"use" differently from "key_ops". "use" in this case is required to be an exact
match of "sig".

The same situation applies to ECDH keys.

I believe the key_ops behavior is the correct one, and "use" should work the
same way. I feel this way because JWK allows pairing unrelated usages in
key_ops (although discourages it) [1]. So it stands to reason that such a key
should be importable into WebCrypto.


[1] Section 4.3 of JWK spec says: "Multiple unrelated key operations SHOULD NOT
be specified"   .....  SHOULD NOT != MUST NOT

-- 
You are receiving this mail because:
You are on the CC list for the bug.

Received on Saturday, 13 December 2014 01:34:10 UTC