Closed
Bug 1130876
Opened 9 years ago
Closed 1 year ago
Please provide support for MD5 in WebCrypto
Categories
(Core :: DOM: Web Crypto, enhancement, P3)
Tracking
()
RESOLVED
WONTFIX
People
(Reporter: jcranmer, Unassigned)
Details
(Whiteboard: [domsecurity-backlog2])
I realize that MD5 is a broken hash algorithm, but I would still like to see support of it in WebCrypto. I'm currently building a SASL client library for use in email protocols (i.e., IMAP, SMTP, et al), and very many servers still support CRAM-MD5 but not SCRAM-SHA-*. So there's a case to be made that it's still sufficiently widely used to be worth supporting. The main issue I have polyfilling it is that CRAM-MD5 uses an MD5-based HMAC algorithm, so I'd in effect have to polyfill both MD5 and HMAC, since I can't define a custom hash algorithm and have HMAC or PBKDF2 or other algorithms use that one. Here's what CRAM-MD5 looks like, algorithmically, in terms of WebCrypto should an MD5 hash algorithm be added: CramMD5Module.prototype.executeSteps = function*(initChallenge) { var hmacAlgorithm = { name: "HMAC", hash: "MD5", length: 128 }; var result = crypto.subtle.importKey("raw", saslUtils.stringToArrayBuffer(saslUtils.saslPrep(this.pass)), hmacAlgorithm, false, ['sign'] ).then(function (hmacKey) { return crypto.subtle.sign(hmacAlgorithm, hmacKey, saslUtils.base64ToArrayBuffer(initChallenge)); }).then((function (result) { var hexStr = ''; for (var i = 0; i < result.length; i++) hexStr += hexBytes[result[i]]; return saslUtils.stringToBase64UTF8( saslUtils.saslPrep(this.user) + " " + hexStr); }).bind(this)); yield result; };
Comment 1•9 years ago
|
||
Have you considered a polyfill? Adding an *ahem* to the browser platform seems inadvisable. And personally, I have no problem giving people who don't care enough about security to upgrade their software worse performance. I'd be happier to have things not work, actually.
Updated•8 years ago
|
Component: DOM: Security → Security
Updated•8 years ago
|
Component: Security → DOM: Security
Updated•8 years ago
|
Priority: -- → P3
Whiteboard: [domsecurity-backlog2]
Updated•5 years ago
|
Component: DOM: Security → DOM: Web Crypto
Updated•5 years ago
|
Type: defect → enhancement
Updated•2 years ago
|
Severity: normal → S3
Updated•1 year ago
|
Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → WONTFIX
You need to log in
before you can comment on or make changes to this bug.
Description
•