Closed Bug 1906602 Opened 1 year ago Closed 1 year ago

WebCrypto: Key derivation improvement - checking the length to be modulo 8

Categories

(Core :: DOM: Web Crypto, enhancement)

Tracking

()

RESOLVED FIXED
130 Branch
Tracking Status
firefox130 --- fixed

People

(Reporter: anna.weine, Assigned: anna.weine)

References

(Blocks 1 open bug)

Details

(Keywords: dev-doc-needed, parity-chrome, parity-safari)

Attachments

(1 file)

No description provided.
Attachment #9411495 - Attachment description: WIP: Bug 1906602 - WebCrypto: removing % 8 check from ECDH and adding to HKDF → Bug 1906602 - WebCrypto: removing % 8 check from ECDH and adding to HKDF
Pushed by nkulatova@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/20c7da53c4f1 WebCrypto: removing % 8 check from ECDH and adding to HKDF r=keeler
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → 130 Branch

Hi Anna,
Based on the text, it sounds like when you're calling SubtleCrypto.deriveBits(), if you're using HKDF the length of bits derived must be a multiple of 8 or the method will throw an OperationError exception.
Previously you would be fine with any non-null length, but you had to use a multiple of 8 for the length with ECDH.

  1. Is that about right?
  2. This change doesn't affect deriveKeys() - correct?

If so, then I think no change is needed. If you look at the docs for length and the error (linked above), they say that you should use a multiple of 8 for compatibility, without specifying the exact algorithm affected.

To me that is helpful for developers - unless there is a specific reason not to use 8.
Because otherwise they'll have to carefully check what algorithm to use AND the browser version to know what is safe.

  3. Does that seem reasonable? Or should we be stating the limitations on each browser and algorithm? If we need to, can you tell me what the spec requires for each vs what we do?

This is being looked at as part of https://github.com/mdn/content/issues/35280

Flags: needinfo?(anna.weine)

Note that MDN docs work for X25519 has mostly been done in https://github.com/mdn/content/issues/35280. I don't think anything needs to be done for this issue (see comment ^^^^) but leaving this open while waiting for a response.

Hi,

  1. It's right!

The HKDF requirement for the length to be non-null comes from https://w3c.github.io/webcrypto/#hkdf-operations (look for 31.4 Operation). It states: "If length is null or zero, or is not a multiple of 8, then throw an OperationError." It was removed from the requirement for ECDH.

  2. It does not affect deriveKeys.

  3. I think it's ok to leave it like this (with the 'should use a multiple of 8', with specifically the word 'should') for exactly the reason you mentioned.
    I will try to further investigate where the %8 requirement is coming from and if it's indeed crucial :)

Flags: needinfo?(anna.weine)

Thank you!

Blocks: 1916995
No longer blocks: 1916995
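
The HKDF length rule discussed in this thread, as an added example that is not part of the bug or the Firefox patch: it calls `SubtleCrypto.deriveBits()` with HKDF and reports whether the requested bit length was accepted, next to a caller-side guard that rejects non-byte-aligned lengths before the call. The function names, key material, salt and info string are constructed for illustration, and the code assumes a runtime that exposes WebCrypto (a browser, or Node.js).

```javascript
// Added example: function names and sample inputs are illustrative assumptions.
// Use the global WebCrypto object if present, otherwise Node's built-in one.
const subtle = (globalThis.crypto || require('node:crypto').webcrypto).subtle;

// Import raw input keying material as an HKDF base key usable for deriveBits().
async function importHkdfKey(ikmBytes) {
  return subtle.importKey('raw', ikmBytes, 'HKDF', false, ['deriveBits']);
}

// Call deriveBits() with HKDF for the given bit length and report the outcome
// instead of throwing, so callers can compare accepted and rejected lengths.
async function tryHkdfDeriveBits(lengthBits) {
  const ikm = new Uint8Array(32).fill(0x0b); // constructed sample, not a real secret
  const key = await importHkdfKey(ikm);
  const params = {
    name: 'HKDF',
    hash: 'SHA-256',
    salt: new Uint8Array(16), // constructed all-zero salt
    info: new TextEncoder().encode('example context'), // constructed label
  };
  try {
    const bits = await subtle.deriveBits(params, key, lengthBits);
    return { ok: true, bytes: bits.byteLength };
  } catch (e) {
    // Per the spec step quoted in the thread, a length that is not a
    // multiple of 8 is rejected with an OperationError.
    return { ok: false, error: e.name };
  }
}

// Caller-side guard: fail early with a clear message and return the byte
// count, so the same code behaves identically across algorithms and browsers.
function assertByteAlignedLength(lengthBits) {
  if (!Number.isInteger(lengthBits) || lengthBits <= 0 || lengthBits % 8 !== 0) {
    throw new RangeError(
      `deriveBits length must be a positive multiple of 8, got ${lengthBits}`);
  }
  return lengthBits / 8;
}
```
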