Closed Bug 1434898 Opened 8 years ago Closed 7 years ago

DataCloneError storing unextractable ECDSA private key in indexedDB

Categories

(Core :: Storage: IndexedDB, defect, P2)

60 Branch
defect

RESOLVED DUPLICATE of bug 1133698

People

(Reporter: matt, Assigned: janv)

Attachments

(2 files)

Attached file priv.html
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/604.5.6 (KHTML, like Gecko) Version/11.0.3 Safari/604.5.6

Steps to reproduce:

The attached testcase generates an ECDSA crypto.subtle unextractable private key and stores it in indexedDB. See generateAndPut() function. (I'm using idb-keyval as a simple indexedDB wrapper, I don't think that's relevant)

Actual results:

RSA keys work fine, ECDSA keys fail with "DataCloneError: The object could not be cloned"

Expected results:

Storing ECDSA works OK, the same as RSA.

If I change the key to be extractable (true generateKey argument) the indexedDB put() succeeds. P-521 fails too. It succeeds in Chrome 65 and Safari 11.0.3.

Component: Untriaged → DOM: IndexedDB
Product: Firefox → Core
Assignee: nobody → jvarga
Priority: -- → P2
:janv, want to confirm if this is an issue or not?
Flags: needinfo?(jvarga)
I just wanted to report the same bug. This is indeed an issue. It should be possible to store non-exportable keys in the indexedDB.
The code fails here:
https://searchfox.org/mozilla-central/rev/2466b82b729765fb0a3ab62f812c1a96a7362478/dom/crypto/CryptoKey.cpp#1226

It seems crypto code doesn't support exporting ECDSA keys. David, can you take a look?
Flags: needinfo?(jvarga) → needinfo?(dkeeler)
Looks like bug 1133698.
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Flags: needinfo?(dkeeler)
Resolution: --- → DUPLICATE
I don't think it is a duplicate. Issue 1133698 is about exporting a key. This issue is about saving an unextractable key (which should never be exported) in an indexedDB.
Because of our architecture, to store a webcrypto object in indexeddb, it essentially always has to be exportable from NSS (our cryptography backend). The webcrypto layer is what enforces the "extractable" bit. In other words, we need to implement bug 1133698 for this to work as expected.

Hello!

I hope you are doing great!

Are there any updates about this?

We are not supporting Firefox for one of our products because of this issue :/

Thanks!

As of Firefox 89, I have confirmed that it is possible to export an ECDH private key marked as "extractable" at generation in the "jwk" format. (Though the original issue was filed regarding ECDSA keys, I've observed the exact same problem with ECDH keys, so I'm presuming a common underlying problem.)

This seems to imply that the underlying limitation in NSS mentioned by Dana Keeler is no longer the limiting factor here, since I can export the key in some format. (It also seems to imply that underlying NSS extraction limitations aren't what's keeping bug 1133698 open anymore either, since although PKCS8 export still doesn't work I am able to export in JWK.)

However, I still get a data clone error when trying to store the ECDH private key in IndexedDB. That seems to indicate to me that even though bug 1133698 is still open, it does not seem to be what's causing the remaining problem here.

Could someone more knowledgeable than myself review this issue again, and if my observations and inference are correct re-open this issue to resolve the remaining data-clone problem that remains despite ECC private key export now working?

Thank you!

Flags: needinfo?(dkeeler)

Joel - please open a new bug with example code of what you've encountered that should work but doesn't.

Flags: needinfo?(dkeeler)

Hi Dana :D Fission.codes, Mirror.xyz and localForage are all hitting some version of this issue.

Can you advise on the right way to narrow down what the problem is, so that we can file the bug in the right way so it doesn't get closed?

https://github.com/fission-suite/keystore-idb/issues/1

https://github.com/localForage/localForage/issues/844#issuecomment-556553007

https://twitter.com/strangechances/status/1446285765810352128

Based on at least one of those comments, sounds like Chrome works fine but Safari might have a similar problem so I'll poke about Webkit as well to see if we can work towards full web platform compat!

Flags: needinfo?(dkeeler)

Hi Dietrich :)
So this is still broken in Firefox 93? (just released this week, I think)
If so, the best way to narrow this down is to find a reduced test case that illustrates the issue (the attachment in comment 0 appears to work for me). Once I have something relatively small and self-contained it'll be much easier to see what the problem is.

Flags: needinfo?(dkeeler)

Updated the testcase to cover ECDH, which was the problem reported in comment #8, and also to cover extractable and not extractable for RSA, ECDSA and ECDH.

Works in latest release and nightly versions of Firefox, and latest release version of Safari!

So never mind - looks like this is working. I'm going to share on those various issues and if they report issues will bring it back around again :)

Great - thanks!
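
A reduced test case of the kind asked for in this thread, as an added example (not the attached priv.html and not code from any commenter): it generates RSA, ECDSA and ECDH private keys, extractable and non-extractable, round-trips each through IndexedDB, and checks that a restored non-extractable key still refuses export. The key parameters, the database and store names, and the `roundTrip` injection point are assumptions.

```javascript
// Added example (not the attached priv.html). Key parameters, database name,
// store name and the Node fallback on the next line are assumptions.
const subtle = globalThis.crypto?.subtle ?? require("node:crypto").webcrypto.subtle;

const ALGORITHMS = [
  { label: "RSA", usages: ["sign", "verify"],
    params: { name: "RSASSA-PKCS1-v1_5", modulusLength: 2048,
              publicExponent: new Uint8Array([1, 0, 1]), hash: "SHA-256" } },
  { label: "ECDSA", usages: ["sign", "verify"], params: { name: "ECDSA", namedCurve: "P-256" } },
  { label: "ECDH", usages: ["deriveBits"], params: { name: "ECDH", namedCurve: "P-256" } },
];

// Browser only: put() the value into IndexedDB and read it back.
function idbRoundTrip(value) {
  return new Promise((resolve, reject) => {
    const open = indexedDB.open("cryptokey-clone-test", 1);
    open.onupgradeneeded = () => open.result.createObjectStore("keys");
    open.onerror = () => reject(open.error);
    open.onsuccess = () => {
      try {
        const tx = open.result.transaction("keys", "readwrite");
        const store = tx.objectStore("keys");
        store.put(value, "k"); // per spec, a DataCloneError is thrown from put()
        const get = store.get("k");
        get.onsuccess = () => resolve(get.result);
        tx.onabort = () => reject(tx.error);
      } catch (err) { reject(err); }
    };
  });
}

// Generates each key type as extractable and non-extractable, stores the private
// key via roundTrip, and checks that the restored key keeps its extractable bit.
async function runMatrix(roundTrip = idbRoundTrip) {
  const rows = [];
  for (const { label, params, usages } of ALGORITHMS) {
    for (const extractable of [true, false]) {
      const row = { label, extractable, stored: false, exportBlocked: null, error: null };
      try {
        const { privateKey } = await subtle.generateKey(params, extractable, usages);
        const restored = await roundTrip(privateKey);
        row.stored = true;
        // A non-extractable key must still reject exportKey() after storage.
        row.exportBlocked = await subtle.exportKey("jwk", restored).then(() => false, () => true);
      } catch (err) { row.error = err.name; }
      rows.push(row);
    }
  }
  return rows;
}
```

In a browser console, `runMatrix().then(console.table)` prints one row per key; a row with `error: "DataCloneError"` reproduces the behaviour reported in comment 0.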
