This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.

Bug 27404 - Should check the publicKey's algorithm.name for ECDH's deriveBits()?
Status: RESOLVED MOVED
Alias: None
Product: Web Cryptography
Classification: Unclassified
Component: Web Cryptography API Document
Version: unspecified
Hardware: PC Linux
Importance: P2 normal
Target Milestone: ---
Assignee: Ryan Sleevi
Reported: 2014-11-21 22:20 UTC by Eric Roman
Modified: 2016-05-23 22:56 UTC

Description Eric Roman 2014-11-21 22:20:36 UTC
ECDH's deriveBits() tests that:
   * baseKey.algorithm.name == "ECDH"
   * publicKey.type == "public"
   * publicKey.algorithm.namedCurve == baseKey.algorithm.namedCurve

However it does not test that:
   * publicKey.algorithm.name == baseKey.algorithm.name


Not sure if this is intentional, but that would mean passing some other public EC key (say for ECDSA) is allowed by the spec.

Whereas the rest of WebCrypto is fairly particular about restricting key usage cross-algorithm.
Comment 1 jimsch 2016-03-04 02:05:16 UTC
I agree that this check should be added.
Comment 2 virginie.galindo 2016-05-23 21:01:39 UTC
The bug has been transferred to GitHub https://github.com/w3c/webcrypto/issues/25 with the directive to implement the suggested change by Eric and backed by Jim.
Comment 3 Mark Watson 2016-05-23 22:56:14 UTC
Moved to https://github.com/w3c/webcrypto/issues/33
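
The check requested in the description and backed in Comment 1, as an added example that is not part of the original bug thread or the specification text. It models only the tests listed in the report on plain objects shaped like CryptoKey; the function names, sample keys and error strings are hypothetical.

```javascript
// Returns null when the inputs pass, or a string naming the first failed check.
// proposedCheck = false: only the tests listed in the report.
// proposedCheck = true: also require publicKey.algorithm.name to match baseKey's.
function ecdhInputError(baseKey, publicKey, proposedCheck) {
  if (baseKey.algorithm.name !== "ECDH") return "baseKey.algorithm.name is not ECDH";
  if (publicKey.type !== "public") return "publicKey.type is not public";
  if (proposedCheck && publicKey.algorithm.name !== baseKey.algorithm.name) {
    return "publicKey.algorithm.name does not match baseKey";
  }
  if (publicKey.algorithm.namedCurve !== baseKey.algorithm.namedCurve) {
    return "namedCurve mismatch";
  }
  return null;
}

// Constructed sample keys (descriptors only, no key material).
const ecKey = (name, type, namedCurve) => ({ type, algorithm: { name, namedCurve } });
const BASE_KEY = ecKey("ECDH", "private", "P-256");
const SAMPLE_PEERS = {
  ecdhP256: ecKey("ECDH", "public", "P-256"),
  ecdsaP256: ecKey("ECDSA", "public", "P-256"), // the case raised in the report
  ecdhP384: ecKey("ECDH", "public", "P-384"),
  ecdhPrivate: ecKey("ECDH", "private", "P-256"),
};

// Evaluate every sample peer key under both rule sets, side by side.
function compareRuleSets() {
  const out = {};
  for (const [label, peer] of Object.entries(SAMPLE_PEERS)) {
    out[label] = {
      listed: ecdhInputError(BASE_KEY, peer, false),
      proposed: ecdhInputError(BASE_KEY, peer, true),
    };
  }
  return out;
}

// Application-side guard: enforce the stricter rule set before calling
// SubtleCrypto.deriveBits(), whatever the underlying implementation checks.
async function deriveBitsChecked(subtle, baseKey, publicKey, lengthInBits) {
  const err = ecdhInputError(baseKey, publicKey, true);
  if (err) throw new Error("ECDH deriveBits rejected: " + err);
  return subtle.deriveBits({ name: "ECDH", public: publicKey }, baseKey, lengthInBits);
}

console.log(compareRuleSets());
```

Only the ECDSA P-256 entry differs between the two rule sets: it passes the listed tests and is rejected once the algorithm name comparison is added.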