Add JWK/JWE methods to jwcrypto
Categories
(Firefox :: Sync, enhancement)
Tracking
()
Tracking | Status | |
---|---|---|
firefox66 | --- | fixed |
People
(Reporter: eoger, Assigned: eoger)
References
Details
Attachments
(1 file)
This is a part of bug 1490671 that we would like to land early.
The following patch includes two new generateJWE/decryptJWE methods that allow working on a small subset of the JWE encryption standard.
The other part of the patch is composed of replacing hand-rolled encryption methods by WebCrypto.
Assignee | ||
Comment 1•6 years ago
|
||
Assignee | ||
Comment 2•6 years ago
|
||
Paul rfkelly recommended me to ni? you: could you nominate someone to review this?
Assignee | ||
Comment 3•6 years ago
|
||
We'll discuss this tomorrow in the security review meeting.
FWIW, I did have a look at this, but only a brief one. The js looked ok common firefox js flaws perspective, but I haven't verified the crypto at all. Im not familiar with JWE, and I got as far as reading about attacks against ECDH-ES [1] before realising I was out of my depth. We can try to figure out if we have someone more appropriate in the meeting.
[1] https://blogs.adobe.com/security/2017/03/critical-vulnerability-uncovered-in-json-encryption.html
Comment 5•6 years ago
|
||
FWIW it's my belief that crypto.subtle.importKey
will reject invalid keys and protect against the above attack, but we should definitely confirm this.
Comment 7•6 years ago
|
||
bugherder |
Description
•