Closed Bug 1518300 Opened 6 years ago Closed 6 years ago

Add JWK/JWE methods to jwcrypto

Categories

(Firefox :: Sync, enhancement)

enhancement
Not set
normal

Tracking

RESOLVED FIXED
Firefox 66
Tracking Status
firefox66 --- fixed

People

(Reporter: eoger, Assigned: eoger)

Attachments

(1 file)

This is a part of bug 1490671 that we would like to land early.
The following patch includes two new generateJWE/decryptJWE methods that allow working on a small subset of the JWE encryption standard.
The other part of the patch is composed of replacing hand-rolled encryption methods with WebCrypto.

Blocks: 1490671

Paul, rfkelly recommended that I ni? you: could you nominate someone to review this?

Flags: needinfo?(ptheriault)

We'll discuss this tomorrow in the security review meeting.

Flags: needinfo?(ptheriault)

FWIW, I did have a look at this, but only a brief one. The JS looked OK from a common Firefox JS flaws perspective, but I haven't verified the crypto at all. I'm not familiar with JWE, and I got as far as reading about attacks against ECDH-ES [1] before realising I was out of my depth. We can try to figure out if we have someone more appropriate in the meeting.

[1] https://blogs.adobe.com/security/2017/03/critical-vulnerability-uncovered-in-json-encryption.html

FWIW it's my belief that crypto.subtle.importKey will reject invalid keys and protect against the above attack, but we should definitely confirm this.
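
One way to run the confirmation asked for in the comment above, as an added example that is not part of this bug or its patch: it generates a P-256 key, builds constructed off-curve variants of its public JWK (the kind of `epk` value the ECDH-ES attack in [1] depends on), and reports whether `crypto.subtle.importKey` accepts each. The result describes whichever runtime executes it; the function names are hypothetical.

```javascript
// Added example (not from the patch): does importKey reject bad ECDH-ES "epk" values?
// Falls back to Node's webcrypto module when no global crypto object exists.
const subtle = (globalThis.crypto ?? require("node:crypto").webcrypto).subtle;
const ECDH_P256 = { name: "ECDH", namedCurve: "P-256" };

// base64url <-> bytes, the encoding JWK uses for EC coordinates.
const b64uToBytes = (s) =>
  Uint8Array.from(atob(s.replace(/-/g, "+").replace(/_/g, "/")), (c) => c.charCodeAt(0));
const bytesToB64u = (b) =>
  btoa(String.fromCharCode(...b)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");

// True if the runtime accepts the JWK as an ECDH P-256 public key.
async function importAccepts(jwk) {
  try {
    await subtle.importKey("jwk", jwk, ECDH_P256, false, []);
    return true;
  } catch (e) {
    return false; // importKey rejected the key
  }
}

async function checkEpkValidation() {
  // Control: a freshly generated, valid public key, reduced to the
  // members a JWE header "epk" carries.
  const { publicKey } = await subtle.generateKey(ECDH_P256, true, ["deriveBits"]);
  const jwk = await subtle.exportKey("jwk", publicKey);
  const epk = { kty: jwk.kty, crv: jwk.crv, x: jwk.x, y: jwk.y };

  // Constructed bad input 1: flip the lowest bit of y. For a given x only
  // y and p - y lie on the curve, so the result is off-curve.
  const y = b64uToBytes(epk.y);
  y[y.length - 1] ^= 1;
  const offCurve = { ...epk, y: bytesToB64u(y) };

  // Constructed bad input 2: (0, 0), which does not satisfy the P-256 equation.
  const zero = bytesToB64u(new Uint8Array(32));
  const zeroPoint = { ...epk, x: zero, y: zero };

  return {
    valid: await importAccepts(epk),         // expected: accepted
    offCurve: await importAccepts(offCurve), // expected: rejected
    zeroPoint: await importAccepts(zeroPoint),
  };
}

checkEpkValidation().then((r) => console.log(r));
```

To check a specific browser build, paste the same code into that browser's console; a `true` for `offCurve` or `zeroPoint` would mean the caller has to validate the point itself before deriving a shared secret.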

Pushed by eoger@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/7befa4aa3c7f
Refactor CryptoUtils and add JWK/JWE methods to jwcrypto. r=rfkelly,tjr
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → Firefox 66
Depends on: 1527480