Closed Bug 1864262 Opened 1 year ago Closed 4 months ago

ECDH JWK imports should not be checking the JWK "alg" parameter

Categories

(Core :: DOM: Web Crypto, defect, P5)

Product:
Core
Component:
DOM: Web Crypto
Type:
defect

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1905120

People

(Reporter: panva.ip, Unassigned)

Details

Steps to reproduce:

const publicJwk = {
kty: 'EC',
crv: 'P-256',
alg: 'THIS CAN BE ANYTHING',
x: 'Ze2loSV3wrroKUN_4zhwGhCqo3Xhu1td4QjeQ5wIVR0',
y: 'HlLtdXARY_f55A3fnzQbPcm6hgr34Mp8p-nuzQCE0Zw',
}

await crypto.subtle.importKey('jwk', publicJwk, { name: 'ECDH', namedCurve: 'P-256' }, true, [])

Actual results:

importKey is rejected with "Data provided to an operation does not meet requirements"

Expected results:

The key should successfully import, ECDH JWK key import steps do not have a step for checking the JWK alg. This is a problem for when ECDH is used as a step in fully specified JOSE Algorithms such as the upcoming HPKE-Base-P256-SHA256-AES128GCM and other HPKE based algorithms, or even the existing ones such as ECDH-ES or ECDH-ES+A128KW

Component: Untriaged → DOM: Security
Product: Firefox → Core
Component: DOM: Security → Security: PSM
Component: Security: PSM → DOM: Web Crypto

The severity field is not set for this bug.
:keeler, could you have a look please?

For more information, please visit BugBot documentation.

Flags: needinfo?(dkeeler)
Severity: -- → S4
Flags: needinfo?(dkeeler)
Priority: -- → P5
Status: UNCONFIRMED → RESOLVED
Closed: 4 months ago
Duplicate of bug: 1905120
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.