-
Notifications
You must be signed in to change notification settings - Fork 22.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
SubtleCrypto.deriveBits() with PBKDF2 and output length > 2048 bits #1671
Comments
Any updates? 👀 @chrisdavidmills |
@twiss, The example code in the issue description seems to confirm that the assertions in the issue description are true — but can you please confirm? I mean specifically the following:
If that is in fact a requirement that implementations are required to enforce, should it be specified — or at last mentioned — in the WebCrypto spec itself? Or is it instead in fact the case that that requirement is normatively defined in RFC 2898, and so the WebCrypto spec should not try to also normatively (re)define it?
Can you confirm that “ |
Hey 👋
Yeah, this is required here: https://w3c.github.io/webcrypto/#pbkdf2-operations
This is indeed not a requirement, and Chrome and Safari allow this. However, I can't actually find this requirement mentioned on MDN - I think this issue was meant to be a bug report in Firefox? So I assume this is a duplicate of https://bugzilla.mozilla.org/show_bug.cgi?id=1469482. |
I’ve opened #5529 with a fix that documents the requirements for the length parameter. @juanelas, @Gu7z — since per #1671 (comment) throwing for input > 256 bytes is not conformant with the spec requirements, if Firefox is throwing in that case, then the appropriate place to raise an issue for getting that (browser-specific) problem documented is in the https://github.com/mdn/browser-compat-data/issues issue tracker. |
Summary
What is the problem?
SubtleCrypto.deriveBits() with PBKDF2:
Length
argument must be a multiple of 8. This is congruent with the RFC but should be documentedLength
argument does not accept an input > 256 bytes. This constraint is not defined in the original PBKDF2 and should be considered to be removed.Steps To Reproduce (STR)
How can we reproduce the problem?
Just run the following html in firefox:
Actual behavior
crypto.subtle.deriveBits(params, passwordKey, 8 * 384) produces error since 384 > 256
Expected behavior
To just derive 384 bytes (3072 bits)
Additional context
Sometimes you need an arbitrary output length for the PBKDF2 function, such as when using it to compute scrypt that you need to output p * 128 * r (with r usually 8 and p between 1 and 16).
The text was updated successfully, but these errors were encountered: