Add JWK/JWE methods to jwcrypto

RESOLVED FIXED in Firefox 66

Status

enhancement
RESOLVED FIXED
5 months ago
4 months ago

People

(Reporter: eoger, Assigned: eoger)

Tracking

unspecified
Firefox 66
Firefox Tracking Flags

(firefox66 fixed)

Details

Attachments

(1 attachment)

Assignee

Description

5 months ago

This is a part of bug 1490671 that we would like to land early.
The following patch includes two new generateJWE/decryptJWE methods that allow working on a small subset of the JWE encryption standard.
The other part of the patch consists of replacing hand-rolled encryption methods with WebCrypto.

Assignee

Updated

5 months ago
Blocks: 1490671
Assignee

Comment 2

5 months ago

Paul, rfkelly recommended that I ni? you: could you nominate someone to review this?

Flags: needinfo?(ptheriault)
Assignee

Comment 3

5 months ago

We'll discuss this tomorrow in the security review meeting.

Flags: needinfo?(ptheriault)

FWIW, I did have a look at this, but only a brief one. The JS looked OK from a common Firefox JS flaws perspective, but I haven't verified the crypto at all. I'm not familiar with JWE, and I got as far as reading about attacks against ECDH-ES [1] before realising I was out of my depth. We can try to figure out if we have someone more appropriate in the meeting.

[1] https://blogs.adobe.com/security/2017/03/critical-vulnerability-uncovered-in-json-encryption.html

FWIW it's my belief that crypto.subtle.importKey will reject invalid keys and protect against the above attack, but we should definitely confirm this.
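
One way to run the confirmation asked for in the comment above, as an added example that is not part of the bug thread or the landed patch: it imports a valid P-256 ECDH public JWK and a copy whose `y` coordinate has been altered so the point is no longer on the curve, and reports whether `importKey` accepts each. The helper names and the constructed keys are assumptions, and the result describes only the WebCrypto implementation the script runs on.

```javascript
// Added example: does this runtime's WebCrypto refuse an EC public key
// whose (x, y) point is not on the named curve?

const ECDH_P256 = { name: 'ECDH', namedCurve: 'P-256' };

// globalThis.crypto exists in browsers and recent Node.js; older Node.js
// releases expose the same API as crypto.webcrypto.
async function getSubtle() {
  const c = globalThis.crypto ?? (await import('node:crypto')).webcrypto;
  return c.subtle;
}

// Import a peer-supplied public JWK and report the outcome instead of throwing.
async function tryImportPeerKey(subtle, jwk) {
  try {
    // ECDH public keys take no usages; only the private key derives bits.
    await subtle.importKey('jwk', jwk, ECDH_P256, false, []);
    return { accepted: true, error: null };
  } catch (err) {
    return { accepted: false, error: err.name };
  }
}

// Constructed input: a freshly generated valid public key, and a copy in
// which the top six bits of y are replaced. x is unchanged, so the altered
// point satisfies the curve equation only with negligible probability.
async function checkPointValidation() {
  const subtle = await getSubtle();
  const pair = await subtle.generateKey(ECDH_P256, true, ['deriveBits']);
  const valid = await subtle.exportKey('jwk', pair.publicKey);
  const first = valid.y[0] === 'A' ? 'B' : 'A'; // still a well-formed base64url value below the field prime
  const offCurve = { ...valid, y: first + valid.y.slice(1) };
  return {
    valid: await tryImportPeerKey(subtle, valid),
    offCurve: await tryImportPeerKey(subtle, offCurve),
  };
}

checkPointValidation().then((r) => console.log(JSON.stringify(r)));
```

If `offCurve.accepted` is ever `true` on a target runtime, the caller has to validate the point itself before using the key in ECDH.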

Comment 6

5 months ago
Pushed by eoger@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/7befa4aa3c7f
Refactor CryptoUtils and add JWK/JWE methods to jwcrypto. r=rfkelly,tjr

Comment 7

5 months ago
bugherder
Status: ASSIGNED → RESOLVED
Closed: 5 months ago
Resolution: --- → FIXED
Target Milestone: --- → Firefox 66
Depends on: 1527480