This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.
The parameters for importing an ECDSA or ECDH key do not perform consistency checks between the caller's specified NamedCurve in the EcKeyImportParams and the named curve extracted from the imported key (e.g. the "crv" parameter in JWK, or the OID in the namedCurve parameters in the case of SPKI/PKCS#8). A mismatch between the two parameters should cause an import failure.

That is, if the EcKeyImportParams specified { namedCurve: "P-256" } then attempting to import a JWK with the parameters { kty: "EC", crv: "P-521", x: ..., y: ... } should fail.

Alternatively, the import parameters should not include the named curve at all - which would prohibit 'raw' import of ECDH keys. The former is preferable, as it matches the handling of RSA keys and their associated parameters.
https://dvcs.w3.org/hg/webcrypto-api/rev/e0cd6df0a473
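The consistency check requested above, written as an added example for Node.js; it is not code from the bug report, the linked changeset or any browser. The helper names (readTlv, curveFromSpki, checkEcImportCurve) and the sample key are assumptions made for illustration, and only the "jwk" and "spki" formats are covered.

```javascript
// Added example; helper names are hypothetical, not part of the WebCrypto API.
const EC_PUBLIC_KEY_OID = "2a8648ce3d0201"; // 1.2.840.10045.2.1 (id-ecPublicKey)
const CURVE_OIDS = {
  "2a8648ce3d030107": "P-256", // 1.2.840.10045.3.1.7
  "2b81040022": "P-384",       // 1.3.132.0.34
  "2b81040023": "P-521",       // 1.3.132.0.35
};
// Read one DER tag-length-value header at `off`, bounded by `limit`.
function readTlv(buf, off, limit) {
  if (off + 2 > limit) throw new Error("truncated DER");
  let len = buf[off + 1], hdr = 2;
  if (len & 0x80) { // long-form length: low 7 bits give the number of length bytes
    const n = len & 0x7f;
    if (n === 0 || n > 2 || off + 2 + n > limit) throw new Error("bad DER length");
    len = 0;
    for (let i = 0; i < n; i++) len = (len << 8) | buf[off + 2 + i];
    hdr += n;
  }
  if (off + hdr + len > limit) throw new Error("truncated DER");
  return { tag: buf[off], start: off + hdr, end: off + hdr + len };
}
// Extract the named curve from SubjectPublicKeyInfo.algorithm.parameters.
function curveFromSpki(keyData) {
  const der = Buffer.from(keyData);
  const spki = readTlv(der, 0, der.length);
  const alg = readTlv(der, spki.start, spki.end);
  const algOid = readTlv(der, alg.start, alg.end);
  const curveOid = readTlv(der, algOid.end, alg.end);
  if (spki.tag !== 0x30 || alg.tag !== 0x30 || algOid.tag !== 0x06 || curveOid.tag !== 0x06)
    throw new Error("unexpected SPKI structure");
  const hex = (t) => der.subarray(t.start, t.end).toString("hex");
  if (hex(algOid) !== EC_PUBLIC_KEY_OID) throw new Error("not an EC key");
  return CURVE_OIDS[hex(curveOid)]; // undefined for an unrecognised curve
}
// Run before crypto.subtle.importKey(format, keyData, params, ...).
function checkEcImportCurve(format, keyData, params) {
  let found;
  if (format === "jwk") {
    if (keyData.kty !== "EC") throw new Error("kty is not EC");
    found = keyData.crv;
  } else if (format === "spki") found = curveFromSpki(keyData);
  else throw new Error("format not covered by this example");
  if (found === undefined || found !== params.namedCurve)
    throw new Error(`key curve ${found} does not match requested ${params.namedCurve}`);
  return found;
}
// Constructed sample: a P-256 SPKI header followed by a dummy all-zero point.
const SAMPLE_P256_SPKI = Buffer.from(
  "3059301306072a8648ce3d020106082a8648ce3d030107034200" + "04" + "00".repeat(64), "hex");
```

The sample point is not a valid curve point; the check reads only the curve identifier, so point validation is still left to the import itself.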