The above key is for an encryption algorithm, but it is allowed to be imported for a signing algorithm because the requested usages, [], were a subset of the usages granted to the key.
OK fine.
However, it is NOT possible to import the following:
{
"kty": "RSA",
"use": "enc",
...
}
Conceptually these represent the same kind of key, however WebCrypto enforces use differently from key_ops. use in this case is required to be an exact match of sig.
The same situation applies to ECDH keys.
I believe the key_ops behavior is the correct one, and use should work the same way. I feel this way because JWK allows pairing unrelated usages in key_ops (although discourages it) [1]. So it stands to reason that such a key should be importable into WebCrypto.
[1] Section 4.3 of JWK spec says: "Multiple unrelated key operations SHOULD NOT be specified" ..... SHOULD NOT != MUST NOT
This issue applies to all algorithms. It is always possible to import a key with empty usages. The only thing you can do with this is export it again. The question is, for a key with JWK use specified, do you need to use an algorithm of the appropriate type (signature, encryption etc.) or just one which supports the right kind of key. Since you are not able to actually perform an operation with this key, it seems sufficient that the algorithm you use support that kind of key.
So, I suggest that we ignore the use value when usages is empty.
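A model of the two checks described in this issue and of the change suggested above, added here as an illustration; it is not WebCrypto specification text or any implementation's code. The function names are hypothetical, and both JWKs are constructed policy-only samples (`key_ops: ["encrypt"]` is an assumption for the first key, whose text does not appear on the page).

```javascript
// Added illustration: models the JWK usage checks discussed in this issue.
// Function names are hypothetical; this is not spec text or browser code.

// key_ops rule as described: every requested usage must be granted by the key.
function keyOpsAllows(jwk, usages) {
  if (!Array.isArray(jwk.key_ops)) return true; // member absent: no restriction
  return usages.every((u) => jwk.key_ops.includes(u));
}

// `use` rule as described: exact match, even when no usages are requested.
function useAllowsStrict(jwk, expectedUse) {
  return jwk.use === undefined || jwk.use === expectedUse;
}

// Suggested rule: ignore `use` when the requested usages are empty.
function useAllowsProposed(jwk, expectedUse, usages) {
  return usages.length === 0 || useAllowsStrict(jwk, expectedUse);
}

function canImport(jwk, expectedUse, usages, { proposed = false } = {}) {
  const useOk = proposed
    ? useAllowsProposed(jwk, expectedUse, usages)
    : useAllowsStrict(jwk, expectedUse);
  return useOk && keyOpsAllows(jwk, usages);
}

// Constructed sample JWKs; key material omitted, only policy members matter.
const encByKeyOps = { kty: "RSA", key_ops: ["encrypt"] }; // assumed content
const encByUse = { kty: "RSA", use: "enc" };

// Import decisions for a signing algorithm (expected use "sig").
function importMatrix() {
  const rows = [];
  for (const [name, jwk] of [["key_ops", encByKeyOps], ["use", encByUse]]) {
    for (const usages of [[], ["verify"]]) {
      rows.push({
        jwk: name,
        usages: JSON.stringify(usages),
        current: canImport(jwk, "sig", usages),
        proposed: canImport(jwk, "sig", usages, { proposed: true }),
      });
    }
  }
  return rows;
}

console.table(importMatrix());
```

Only the `use: "enc"` key with empty usages changes outcome between the two columns; a request for `['verify']` is refused for both keys under either rule.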
Bug 27601:
Consider the case of importing an RSA-PSS public key using JWK.
WebCrypto callers can request usages of either ['verify'] or [] (no usages).
If empty usages are specified then it is possible to import the following JWK: