Closed Bug 1804788 Opened 2 years ago Closed 3 months ago

Support for Curve25519 in the WebCrypto API: Ed25519 algorithm

Categories

(Core :: DOM: Web Crypto, enhancement, P1)

enhancement

Tracking

()

RESOLVED FIXED
129 Branch
Tracking Status
firefox129 --- fixed

People

(Reporter: jfernandez, Assigned: anna.weine)

References

(Blocks 1 open bug)

Details

(Keywords: dev-doc-complete, parity-chrome, parity-safari)

Attachments

(1 file, 6 obsolete files)

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0

Steps to reproduce:

Run the WebCryptoAPI tests related to the Ed25219 keys from the WPT test suite:

https://wpt.fyi/results/WebCryptoAPI/generateKey/successes_Ed25519.https.any.html?label=master&label=experimental&aligned&view=subtest&q=ed25519

Actual results:

All the tests fail.

Expected results:

All the tests pass.

It seems Firefox has shown support [1] for implementing Curve25519 safe curve some time ago already. Additionally, Chrome [2] and Safari [3] have already started to implement the Ed25519 and X25519 algorithms.

[1] https://github.com/mozilla/standards-positions/pull/296
[2] https://bugs.chromium.org/p/chromium/issues/detail?id=1370697
[3] https://bugs.webkit.org/show_bug.cgi?id=246145

The Bugbug bot thinks this bug should belong to the 'Core::DOM: Security' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Component: Untriaged → DOM: Security
Product: Firefox → Core
Component: DOM: Security → DOM: Web Crypto

Assuming there is enough support for the feature, I have started to work on this.

This bug depends on a complete implementation for Curve25519 support in nss, which as far as I know it's being tracked in https://bugzilla.mozilla.org/show_bug.cgi?id=1325335

Summary: Support for Curve25519: Ed25519 and X25519 algorithms → Support for Curve25519 in the WebCrypto API: Ed25519 and X25519 algorithms

We're eagerly awaiting this for our user contribution work at omnilingo

Assignee: nobody → nkulatova
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Attachment #9393644 - Attachment description: WIP: Bug 1804788 - Implementing correctness check of Ed25519 public key (pk ? privateKey * bP) → Bug 1804788 - Implementing correctness check of Ed25519 public key (pk ? privateKey * bP)
Attachment #9393644 - Attachment description: Bug 1804788 - Implementing correctness check of Ed25519 public key (pk ? privateKey * bP) → WIP: Bug 1804788 - Implementing correctness check of Ed25519 public key (pk ? privateKey * bP)
Attachment #9393644 - Attachment description: WIP: Bug 1804788 - Implementing correctness check of Ed25519 public key (pk ? privateKey * bP) → Bug 1804788 - Ed25519 enchancement. Part I: Implementing correctness check of Ed25519 public key (pk == privateKey * bP)
Attachment #9394480 - Attachment description: WIP: Bug 1804788 - ED25519 verification enchancement Part 2. Checking pk for small order → Bug 1804788 - ED25519 verification enchancement Part 2. Checking pk for small order
Attachment #9394480 - Attachment description: Bug 1804788 - ED25519 verification enchancement Part 2. Checking pk for small order → WIP: Bug 1804788 - ED25519 verification enchancement Part 2. Checking pk for small order

For tracking purposes, it's best if you use separate bugs for NSS and PSM changes. Can you move the "Ed25519 Enhancement" series to one or more new bugs?

Attachment #9394481 - Attachment description: WIP: Bug 1804788 - Ed25519 Enchancement Part III: check if R has a small order or non-canonical → Bug 1804788 - Ed25519 Enchancement Part III: check if R has a small order or non-canonical

(In reply to John Schanck [:jschanck] from comment #10)

For tracking purposes, it's best if you use separate bugs for NSS and PSM changes. Can you move the "Ed25519 Enhancement" series to one or more new bugs?

Sure!

Depends on: 1889153

Comment on attachment 9394481 [details]
Bug 1804788 - Ed25519 Enchancement Part III: check if R has a small order or non-canonical

Revision D206362 was moved to bug 1889153. Setting attachment 9394481 [details] to obsolete.

Attachment #9394481 - Attachment is obsolete: true

Comment on attachment 9394480 [details]
WIP: Bug 1804788 - ED25519 verification enchancement Part 2. Checking pk for small order

Revision D206361 was moved to bug 1889153. Setting attachment 9394480 [details] to obsolete.

Attachment #9394480 - Attachment is obsolete: true

Comment on attachment 9393644 [details]
Bug 1804788 - Ed25519 enchancement. Part I: Implementing correctness check of Ed25519 public key (pk == privateKey * bP)

Revision D205933 was moved to bug 1889153. Setting attachment 9393644 [details] to obsolete.

Attachment #9393644 - Attachment is obsolete: true
No longer depends on: 1889153
Attachment #9393644 - Attachment description: Bug 1804788 - Ed25519 enchancement. Part I: Implementing correctness check of Ed25519 public key (pk == privateKey * bP) → WIP: Bug 1804788 - Ed25519 enchancement. Part I: Implementing correctness check of Ed25519 public key (pk == privateKey * bP)
Attachment #9393644 - Attachment is obsolete: false
Attachment #9393644 - Attachment description: WIP: Bug 1804788 - Ed25519 enchancement. Part I: Implementing correctness check of Ed25519 public key (pk == privateKey * bP) → Bug 1804788 - Ed25519 enchancement. Part I: Implementing correctness check of Ed25519 public key (pk == privateKey * bP)

Comment on attachment 9393644 [details]
Bug 1804788 - Ed25519 enchancement. Part I: Implementing correctness check of Ed25519 public key (pk == privateKey * bP)

Revision D205933 was moved to bug 1889153. Setting attachment 9393644 [details] to obsolete.

Attachment #9393644 - Attachment is obsolete: true
Severity: -- → N/A
Priority: -- → P1
Version: Firefox 107 → unspecified
Blocks: 1894027
No longer blocks: 1894027
Attachment #9393291 - Attachment description: WIP: Bug 1804788 - Enable Ed25519 in WebCrypto → Bug 1804788 - Enable Ed25519 in WebCrypto
Attachment #9393291 - Attachment description: Bug 1804788 - Enable Ed25519 in WebCrypto → WIP: Bug 1804788 - Enable Ed25519 in WebCrypto
Attachment #9401931 - Attachment description: WIP: Bug 1804788 - WebCrypto: Enable Generate X25519 → WIP: Bug 1804788 - WebCrypto: Enable X25519 algorithm in subtle.generateKey
Attachment #9393291 - Attachment description: WIP: Bug 1804788 - Enable Ed25519 in WebCrypto → Bug 1804788 - Enable Ed25519 in WebCrypto
Attachment #9401931 - Attachment description: WIP: Bug 1804788 - WebCrypto: Enable X25519 algorithm in subtle.generateKey → WIP: Bug 1804788 - WebCrypto: Enable X25519 algorithm
Attachment #9393291 - Attachment description: Bug 1804788 - Enable Ed25519 in WebCrypto → WIP: Bug 1804788 - Enable Ed25519 in WebCrypto
Attachment #9393291 - Attachment description: WIP: Bug 1804788 - Enable Ed25519 in WebCrypto → Bug 1804788 - Enable Ed25519 in WebCrypto
Attachment #9393291 - Attachment description: Bug 1804788 - Enable Ed25519 in WebCrypto → WIP: Bug 1804788 - Enable Ed25519 in WebCrypto
Attachment #9406697 - Attachment description: WIP: Bug 1804788 - X25519 → Bug 1804788 - WebCrypto: Enable X25519 algorithm
Attachment #9406697 - Attachment description: Bug 1804788 - WebCrypto: Enable X25519 algorithm → WIP: Bug 1804788 - X25519
Attachment #9393291 - Attachment description: WIP: Bug 1804788 - Enable Ed25519 in WebCrypto → Bug 1804788 - Enable Ed25519 in WebCrypto
Attachment #9406697 - Attachment description: WIP: Bug 1804788 - X25519 → Bug 1804788 - WebCrypto: Enable X25519 algorithm
Attachment #9406697 - Attachment description: Bug 1804788 - WebCrypto: Enable X25519 algorithm → WIP: Bug 1804788 - WebCrypto: Enable X25519 algorithm
Pushed by nkulatova@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/daa7aa3b1b93 Enable Ed25519 in WebCrypto r=glandium,jschanck,keeler

Backed out for causing bustage on WebCryptoTask.cpp

Backout link

Push with failures

Failure log

Flags: needinfo?(nkulatova)
Pushed by nkulatova@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/12c83ca4e8da Enable Ed25519 in WebCrypto r=glandium,jschanck,keeler
Keywords: dev-doc-needed
Flags: needinfo?(nkulatova)
Status: ASSIGNED → RESOLVED
Closed: 3 months ago
Resolution: --- → FIXED
Target Milestone: --- → 129 Branch
Summary: Support for Curve25519 in the WebCrypto API: Ed25519 and X25519 algorithms → Support for Curve25519 in the WebCrypto API: Ed25519 algorithms
Summary: Support for Curve25519 in the WebCrypto API: Ed25519 algorithms → Support for Curve25519 in the WebCrypto API: Ed25519 algorithm

Reopened for unpublished patches.

Status: RESOLVED → REOPENED
Keywords: leave-open
Resolution: FIXED → ---
Attachment #9401931 - Attachment is obsolete: true
Attachment #9409648 - Attachment description: WIP: Bug 1804788 - WebCrypto: Extending telemetry for to support Ed25519 → Bug 1804788 - WebCrypto: Extending telemetry for to support Ed25519
Attachment #9406697 - Attachment description: WIP: Bug 1804788 - WebCrypto: Enable X25519 algorithm → Bug 1804788 - WebCrypto: Enable X25519 algorithm

Comment on attachment 9406697 [details]
Bug 1804788 - WebCrypto: Enable X25519 algorithm

Revision D213261 was moved to bug 1904836. Setting attachment 9406697 [details] to obsolete.

Attachment #9406697 - Attachment is obsolete: true

Comment on attachment 9409648 [details]
Bug 1804788 - WebCrypto: Extending telemetry for to support Ed25519

Revision D214931 was moved to bug 1905617. Setting attachment 9409648 [details] to obsolete.

Attachment #9409648 - Attachment is obsolete: true
Status: REOPENED → RESOLVED
Closed: 3 months ago3 months ago
Resolution: --- → FIXED

FF129 Docs work for this can be tracked in https://github.com/mdn/content/issues/34708

Can I confirm that from this issue we

  • we support Ed25519 as an algorithm in SubtleCrypto for generateKey, sign, verify, importKey, exportKey,
  • we support X25519 as an algorithm in generateKey, importKey, exportKey,deriveKey,deriveBits`
  • you can use X25519 or Ed25519 as the algorithm in deriveKey() but the derived key cant be that algorithm?

How can we use generateKey() with X25519? It seems to not like any of the usages I try.

Flags: needinfo?(anna.weine)

Hello,

  1. I confirm that we support Ed25519 as an algorithm for generateKey, sign/verify, importKey/exportKey. Maybe intentionally, you're missing wrap/unwrap keys (see here: https://wpt.fyi/results/WebCryptoAPI/wrapKey_unwrapKey/wrapKey_unwrapKey.https.any.html?label=experimental&label=master&aligned)

  2. We do not support X25519, but we hope to start supporting starting from the next Nightly release.

  3. DeriveKey takes ECDH or KDF (HKDF/PBKDF2) algorithms (see here: https://www.w3.org/TR/WebCryptoAPI/#algorithm-overview). Ed2519 can not be used as an algorithm in deriveKey, but x25519 can. The reason why it's not in the list is that they update the specification with the algorithms now.

I am happy to help if you have any other questions!

Flags: needinfo?(anna.weine)
Attachment #9406697 - Attachment is obsolete: false
Pushed by nkulatova@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/e952618564ca WebCrypto: Enable X25519 algorithm r=keeler,jschanck

Comment on attachment 9406697 [details]
Bug 1804788 - WebCrypto: Enable X25519 algorithm

Revision D213261 was moved to bug 1904836. Setting attachment 9406697 [details] to obsolete.

Attachment #9406697 - Attachment is obsolete: true
Blocks: web-crypto
See Also: → 1904836
Blocks: 1904836
See Also: 1904836
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: