Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Test importing spki and pkcs8 keys with algorithm-specific OIDs #307

Open
twiss opened this issue Dec 15, 2021 · 15 comments
Open

Test importing spki and pkcs8 keys with algorithm-specific OIDs #307

twiss opened this issue Dec 15, 2021 · 15 comments

Comments

@twiss
Copy link
Member

twiss commented Dec 15, 2021

We should test importing RSA keys with OID id-RSASSA-PSS or id-RSAES-OAEP, and ECDH keys with OID id-ecDH; both well-formed and malformed cases (e.g. RSA keys with these OIDs with missing or malformed paramers, as in #297).

@panva
Copy link
Member

panva commented Dec 16, 2021

@twiss when you say "test", do you mean adding wpts or testing the existing implementations whether they actually support importing these OIDs? I'm happy to test this in the implementations but my gut tells me the browsers only support rsaEncryption for RSA/RSA-PSS/RSA-OAEP and ecPublicKey for ECDH/ECDSA.

Similar to #305 if we observe these OIDs are commonly not supported, should we suggest updating the language to only mention the two common OIDs? Or make their support optional so that users don't have the expectation of them being supported in every implementation.

@twiss
Copy link
Member Author

twiss commented Dec 16, 2021

I meant the former, but the latter is also a good question. I somewhat assumed that at least some implementations would support it, because I've seen some implementations accept broken keys with the algorithm-specific OIDs (with NULL parameters) in some cases, so I assumed they would accept well-formed keys (with the proper parameters) too. But it would be great if you could test this assumption indeed.

Here are some test cases with broken keys:

await Promise.allSettled([
  crypto.subtle.importKey('spki', new Uint8Array([48, 130, 1, 34, 48, 13, 6, 9, 42, 134, 72, 134, 247, 13, 1, 1, 10, 5, 0, 3, 130, 1, 15, 0, 48, 130, 1, 10, 2, 130, 1, 1, 0, 176, 94, 197, 119, 0, 9, 176, 157, 182, 83, 98, 110, 116, 159, 12, 68, 229, 187, 156, 15, 25, 135, 178, 126, 31, 180, 227, 189, 109, 93, 237, 54, 143, 201, 48, 81, 82, 126, 125, 170, 91, 26, 51, 131, 42, 207, 218, 45, 139, 86, 113, 173, 7, 195, 230, 106, 74, 13, 7, 210, 77, 226, 85, 95, 99, 96, 55, 227, 182, 25, 10, 119, 85, 68, 101, 98, 38, 75, 127, 208, 219, 52, 93, 232, 228, 132, 6, 88, 246, 254, 105, 71, 162, 179, 241, 162, 99, 186, 13, 71, 241, 86, 47, 142, 125, 233, 255, 92, 94, 37, 168, 146, 108, 106, 242, 129, 127, 80, 231, 54, 33, 135, 197, 72, 220, 52, 147, 91, 68, 96, 164, 78, 103, 87, 244, 62, 20, 145, 202, 72, 111, 161, 145, 99, 122, 90, 106, 63, 42, 4, 196, 226, 67, 134, 213, 221, 250, 238, 145, 46, 243, 143, 59, 115, 168, 3, 21, 145, 58, 60, 210, 5, 154, 251, 199, 36, 70, 67, 224, 167, 165, 112, 204, 249, 88, 22, 40, 40, 233, 107, 216, 255, 176, 244, 230, 177, 232, 52, 7, 22, 105, 114, 155, 178, 201, 140, 145, 84, 96, 139, 66, 94, 69, 7, 166, 87, 245, 167, 92, 210, 218, 118, 187, 196, 170, 135, 120, 53, 119, 72, 39, 190, 46, 196, 38, 187, 189, 203, 67, 51, 81, 201, 214, 65, 126, 164, 70, 152, 168, 172, 119, 93, 213, 138, 208, 227, 2, 3, 1, 0, 1]), { name: 'RSA-PSS', hash: 'SHA-256' }, true, ['verify']),
  crypto.subtle.importKey('pkcs8', new Uint8Array([48, 130, 4, 189, 2, 1, 0, 48, 13, 6, 9, 42, 134, 72, 134, 247, 13, 1, 1, 10, 5, 0, 4, 130, 4, 167, 48, 130, 4, 163, 2, 1, 0, 2, 130, 1, 1, 0, 176, 94, 197, 119, 0, 9, 176, 157, 182, 83, 98, 110, 116, 159, 12, 68, 229, 187, 156, 15, 25, 135, 178, 126, 31, 180, 227, 189, 109, 93, 237, 54, 143, 201, 48, 81, 82, 126, 125, 170, 91, 26, 51, 131, 42, 207, 218, 45, 139, 86, 113, 173, 7, 195, 230, 106, 74, 13, 7, 210, 77, 226, 85, 95, 99, 96, 55, 227, 182, 25, 10, 119, 85, 68, 101, 98, 38, 75, 127, 208, 219, 52, 93, 232, 228, 132, 6, 88, 246, 254, 105, 71, 162, 179, 241, 162, 99, 186, 13, 71, 241, 86, 47, 142, 125, 233, 255, 92, 94, 37, 168, 146, 108, 106, 242, 129, 127, 80, 231, 54, 33, 135, 197, 72, 220, 52, 147, 91, 68, 96, 164, 78, 103, 87, 244, 62, 20, 145, 202, 72, 111, 161, 145, 99, 122, 90, 106, 63, 42, 4, 196, 226, 67, 134, 213, 221, 250, 238, 145, 46, 243, 143, 59, 115, 168, 3, 21, 145, 58, 60, 210, 5, 154, 251, 199, 36, 70, 67, 224, 167, 165, 112, 204, 249, 88, 22, 40, 40, 233, 107, 216, 255, 176, 244, 230, 177, 232, 52, 7, 22, 105, 114, 155, 178, 201, 140, 145, 84, 96, 139, 66, 94, 69, 7, 166, 87, 245, 167, 92, 210, 218, 118, 187, 196, 170, 135, 120, 53, 119, 72, 39, 190, 46, 196, 38, 187, 189, 203, 67, 51, 81, 201, 214, 65, 126, 164, 70, 152, 168, 172, 119, 93, 213, 138, 208, 227, 2, 3, 1, 0, 1, 2, 130, 1, 0, 72, 158, 237, 61, 223, 149, 29, 213, 2, 162, 248, 239, 180, 51, 93, 16, 237, 107, 63, 137, 244, 32, 44, 189, 195, 254, 110, 155, 171, 241, 181, 223, 246, 122, 135, 219, 164, 85, 19, 23, 87, 37, 197, 186, 39, 161, 168, 27, 130, 185, 24, 91, 127, 204, 9, 15, 16, 232, 166, 164, 208, 142, 246, 74, 45, 152, 11, 203, 70, 74, 175, 69, 141, 165, 120, 253, 93, 249, 78, 106, 200, 39, 154, 215, 111, 104, 113, 88, 166, 115, 1, 20, 143, 8, 250, 224, 187, 161, 123, 32, 121, 93, 220, 125, 22, 153, 136, 29, 23, 98, 248, 51, 58, 83, 27, 1, 121, 83, 237, 176, 27, 68, 85, 86, 119, 221, 106, 34, 198, 81, 222, 242, 79, 42, 137, 210, 151, 126, 44, 200, 40, 253, 135, 122, 108, 186, 100, 58, 150, 227, 121, 181, 105, 61, 127, 227, 245, 136, 222, 83, 19, 144, 23, 98, 166, 164, 174, 100, 162, 243, 28, 56, 243, 26, 63, 197, 182, 137, 249, 150, 219, 232, 204, 161, 86, 66, 169, 29, 179, 101, 216, 46, 244, 3, 113, 53, 51, 30, 165, 23, 48, 106, 103, 122, 18, 171, 134, 243, 73, 32, 195, 159, 253, 88, 171, 44, 16, 222, 56, 246, 87, 29, 69, 98, 146, 98, 79, 141, 145, 49, 223, 144, 233, 245, 24, 38, 21, 253, 45, 3, 56, 163, 249, 70, 98, 166, 171, 117, 152, 243, 237, 139, 121, 145, 151, 169, 2, 129, 129, 0, 216, 228, 237, 147, 206, 117, 1, 50, 70, 30, 77, 53, 231, 14, 43, 201, 187, 214, 147, 179, 209, 110, 126, 101, 67, 134, 171, 222, 100, 222, 62, 166, 236, 170, 63, 157, 200, 249, 134, 81, 217, 32, 85, 38, 154, 119, 37, 11, 19, 201, 252, 46, 145, 253, 136, 134, 173, 85, 136, 217, 213, 125, 229, 144, 166, 71, 160, 64, 173, 244, 202, 119, 48, 129, 236, 145, 161, 166, 43, 143, 125, 8, 202, 193, 26, 217, 27, 140, 159, 98, 205, 167, 238, 176, 124, 83, 75, 113, 169, 80, 50, 183, 41, 236, 191, 168, 36, 80, 59, 90, 56, 37, 47, 72, 17, 45, 9, 57, 89, 46, 133, 120, 220, 186, 49, 9, 118, 45, 2, 129, 129, 0, 208, 43, 101, 123, 142, 130, 107, 251, 100, 49, 54, 37, 113, 88, 125, 59, 133, 19, 15, 89, 230, 100, 245, 33, 135, 123, 86, 187, 202, 49, 241, 220, 163, 237, 85, 34, 253, 32, 76, 136, 161, 254, 91, 49, 75, 232, 77, 92, 245, 69, 68, 171, 145, 184, 224, 68, 58, 250, 195, 86, 14, 35, 44, 241, 193, 254, 190, 203, 108, 169, 61, 97, 234, 10, 239, 89, 173, 49, 81, 105, 140, 173, 74, 243, 223, 187, 167, 22, 23, 154, 230, 88, 119, 86, 115, 129, 244, 218, 137, 26, 74, 171, 242, 19, 85, 97, 154, 111, 24, 30, 254, 4, 67, 42, 254, 205, 171, 82, 37, 158, 254, 104, 47, 53, 26, 21, 93, 79, 2, 129, 128, 11, 51, 223, 213, 135, 143, 97, 141, 112, 51, 182, 119, 55, 68, 243, 28, 11, 88, 172, 238, 87, 189, 230, 71, 98, 178, 125, 4, 18, 159, 172, 10, 193, 36, 149, 254, 151, 87, 212, 9, 60, 54, 192, 79, 43, 33, 70, 71, 137, 49, 32, 150, 99, 49, 254, 48, 62, 153, 177, 100, 214, 243, 22, 189, 94, 233, 74, 44, 173, 15, 124, 185, 165, 70, 192, 170, 80, 248, 29, 61, 223, 14, 106, 50, 137, 41, 119, 147, 206, 211, 178, 157, 158, 229, 124, 182, 108, 170, 37, 61, 160, 48, 247, 184, 99, 185, 210, 142, 86, 82, 117, 157, 238, 16, 65, 218, 218, 164, 28, 168, 27, 122, 191, 163, 218, 78, 139, 205, 2, 129, 128, 96, 55, 238, 204, 81, 110, 143, 34, 191, 136, 207, 146, 54, 245, 195, 204, 195, 17, 176, 66, 201, 111, 88, 174, 138, 196, 195, 174, 65, 35, 28, 187, 243, 57, 59, 228, 212, 67, 29, 156, 249, 227, 107, 155, 57, 142, 194, 83, 121, 58, 239, 38, 174, 80, 89, 184, 175, 218, 64, 119, 130, 73, 87, 248, 214, 198, 60, 194, 34, 19, 135, 191, 190, 66, 23, 167, 199, 153, 200, 27, 149, 94, 116, 10, 141, 27, 91, 123, 166, 165, 126, 90, 221, 174, 35, 237, 169, 147, 105, 83, 177, 184, 16, 72, 71, 106, 185, 203, 39, 199, 11, 122, 68, 225, 150, 172, 209, 199, 66, 132, 94, 235, 33, 6, 214, 107, 145, 153, 2, 129, 129, 0, 174, 40, 94, 12, 190, 3, 157, 254, 92, 138, 182, 205, 88, 120, 153, 192, 63, 182, 171, 11, 235, 30, 115, 54, 106, 216, 95, 65, 72, 189, 38, 11, 202, 201, 249, 110, 75, 55, 68, 20, 80, 186, 248, 150, 23, 5, 195, 5, 5, 15, 179, 161, 8, 83, 86, 187, 28, 228, 41, 103, 76, 48, 53, 122, 97, 19, 40, 214, 170, 60, 160, 51, 104, 72, 46, 22, 210, 110, 27, 119, 247, 133, 226, 112, 39, 146, 167, 41, 156, 54, 73, 6, 26, 198, 102, 67, 83, 244, 20, 47, 216, 74, 121, 47, 13, 118, 186, 146, 201, 19, 14, 218, 153, 207, 72, 233, 254, 140, 191, 111, 15, 25, 99, 13, 39, 8, 71, 175]), { name: 'RSA-PSS', hash: 'SHA-256' }, true, ['sign']),
  crypto.subtle.importKey('spki', new Uint8Array([48, 130, 1, 34, 48, 13, 6, 9, 42, 134, 72, 134, 247, 13, 1, 1, 7, 5, 0, 3, 130, 1, 15, 0, 48, 130, 1, 10, 2, 130, 1, 1, 0, 221, 98, 33, 140, 115, 83, 88, 147, 196, 47, 75, 241, 134, 248, 177, 116, 220, 9, 5, 200, 152, 33, 155, 252, 81, 129, 205, 44, 117, 27, 255, 129, 183, 81, 40, 200, 183, 68, 89, 4, 105, 232, 220, 212, 74, 205, 61, 6, 209, 166, 186, 72, 123, 236, 191, 144, 179, 68, 155, 152, 253, 7, 155, 51, 166, 183, 3, 17, 114, 79, 26, 47, 63, 177, 174, 226, 238, 254, 203, 134, 120, 79, 83, 122, 67, 98, 221, 38, 38, 188, 184, 49, 179, 225, 45, 86, 3, 47, 97, 85, 23, 98, 199, 18, 105, 187, 233, 230, 5, 147, 72, 226, 41, 144, 174, 198, 105, 107, 135, 239, 19, 62, 116, 17, 196, 143, 240, 151, 119, 132, 230, 149, 206, 63, 195, 234, 71, 71, 83, 33, 219, 68, 226, 53, 133, 152, 18, 44, 76, 42, 229, 1, 230, 147, 133, 74, 227, 109, 147, 196, 71, 35, 234, 18, 153, 50, 80, 79, 205, 65, 184, 12, 202, 25, 238, 182, 231, 152, 4, 97, 42, 193, 15, 164, 78, 8, 144, 24, 70, 78, 201, 34, 14, 1, 123, 220, 191, 225, 53, 184, 48, 95, 14, 206, 17, 0, 45, 198, 237, 246, 7, 92, 248, 86, 62, 36, 247, 95, 202, 121, 168, 100, 107, 76, 175, 228, 115, 91, 27, 80, 137, 244, 131, 200, 135, 52, 225, 239, 50, 135, 238, 223, 57, 75, 78, 31, 8, 84, 9, 225, 27, 180, 54, 242, 160, 35, 2, 3, 1, 0, 1]), { name: 'RSA-OAEP', hash: 'SHA-256' }, true, ['encrypt']),
  crypto.subtle.importKey('pkcs8', new Uint8Array([48, 130, 4, 190, 2, 1, 0, 48, 13, 6, 9, 42, 134, 72, 134, 247, 13, 1, 1, 7, 5, 0, 4, 130, 4, 168, 48, 130, 4, 164, 2, 1, 0, 2, 130, 1, 1, 0, 221, 98, 33, 140, 115, 83, 88, 147, 196, 47, 75, 241, 134, 248, 177, 116, 220, 9, 5, 200, 152, 33, 155, 252, 81, 129, 205, 44, 117, 27, 255, 129, 183, 81, 40, 200, 183, 68, 89, 4, 105, 232, 220, 212, 74, 205, 61, 6, 209, 166, 186, 72, 123, 236, 191, 144, 179, 68, 155, 152, 253, 7, 155, 51, 166, 183, 3, 17, 114, 79, 26, 47, 63, 177, 174, 226, 238, 254, 203, 134, 120, 79, 83, 122, 67, 98, 221, 38, 38, 188, 184, 49, 179, 225, 45, 86, 3, 47, 97, 85, 23, 98, 199, 18, 105, 187, 233, 230, 5, 147, 72, 226, 41, 144, 174, 198, 105, 107, 135, 239, 19, 62, 116, 17, 196, 143, 240, 151, 119, 132, 230, 149, 206, 63, 195, 234, 71, 71, 83, 33, 219, 68, 226, 53, 133, 152, 18, 44, 76, 42, 229, 1, 230, 147, 133, 74, 227, 109, 147, 196, 71, 35, 234, 18, 153, 50, 80, 79, 205, 65, 184, 12, 202, 25, 238, 182, 231, 152, 4, 97, 42, 193, 15, 164, 78, 8, 144, 24, 70, 78, 201, 34, 14, 1, 123, 220, 191, 225, 53, 184, 48, 95, 14, 206, 17, 0, 45, 198, 237, 246, 7, 92, 248, 86, 62, 36, 247, 95, 202, 121, 168, 100, 107, 76, 175, 228, 115, 91, 27, 80, 137, 244, 131, 200, 135, 52, 225, 239, 50, 135, 238, 223, 57, 75, 78, 31, 8, 84, 9, 225, 27, 180, 54, 242, 160, 35, 2, 3, 1, 0, 1, 2, 130, 1, 0, 87, 224, 1, 237, 28, 65, 243, 33, 4, 120, 185, 174, 111, 162, 251, 221, 165, 17, 183, 199, 254, 11, 41, 61, 168, 164, 219, 106, 80, 58, 2, 219, 220, 134, 76, 168, 15, 135, 3, 198, 170, 187, 146, 28, 122, 108, 169, 82, 177, 153, 122, 204, 22, 212, 204, 221, 133, 43, 48, 144, 51, 175, 247, 61, 51, 105, 229, 191, 225, 29, 225, 8, 236, 65, 125, 103, 250, 242, 12, 155, 157, 217, 239, 10, 211, 0, 197, 67, 197, 144, 151, 148, 179, 16, 40, 204, 193, 138, 231, 25, 189, 164, 169, 220, 119, 55, 238, 10, 46, 32, 94, 135, 215, 115, 228, 204, 65, 64, 59, 190, 252, 102, 135, 240, 29, 147, 253, 45, 133, 18, 123, 27, 171, 149, 217, 147, 162, 150, 55, 211, 247, 138, 176, 49, 154, 86, 188, 226, 134, 25, 133, 234, 40, 154, 146, 203, 50, 4, 84, 31, 122, 189, 0, 69, 135, 225, 20, 0, 183, 37, 191, 67, 78, 118, 202, 207, 157, 157, 198, 108, 137, 231, 147, 134, 75, 145, 130, 192, 225, 56, 43, 153, 32, 197, 221, 59, 233, 89, 163, 212, 27, 242, 179, 15, 189, 77, 82, 78, 100, 180, 142, 245, 237, 194, 174, 241, 87, 25, 175, 32, 56, 231, 152, 214, 217, 197, 56, 243, 70, 60, 77, 176, 29, 57, 43, 243, 78, 209, 104, 157, 248, 39, 63, 80, 56, 47, 149, 109, 12, 203, 159, 116, 163, 92, 96, 81, 2, 129, 129, 0, 253, 234, 23, 27, 184, 139, 77, 92, 246, 52, 151, 145, 48, 239, 89, 159, 119, 223, 130, 81, 104, 72, 209, 105, 237, 109, 162, 188, 184, 33, 80, 213, 85, 47, 113, 84, 185, 115, 5, 45, 155, 125, 88, 105, 213, 55, 92, 89, 155, 246, 182, 76, 94, 205, 184, 0, 127, 149, 215, 115, 155, 162, 169, 226, 248, 32, 155, 87, 72, 196, 217, 163, 140, 106, 185, 105, 48, 154, 31, 198, 38, 91, 51, 154, 163, 65, 177, 92, 28, 66, 213, 43, 101, 16, 233, 187, 224, 116, 141, 120, 2, 102, 132, 62, 188, 203, 21, 70, 167, 132, 230, 230, 114, 66, 64, 206, 124, 137, 225, 118, 42, 156, 145, 114, 106, 209, 72, 167, 2, 129, 129, 0, 223, 51, 163, 28, 226, 147, 154, 86, 163, 168, 185, 16, 78, 181, 149, 56, 12, 107, 41, 82, 18, 170, 131, 210, 103, 51, 110, 146, 196, 68, 210, 5, 115, 217, 122, 99, 197, 8, 125, 173, 160, 196, 114, 193, 189, 208, 140, 232, 153, 46, 153, 127, 155, 40, 145, 58, 213, 71, 147, 102, 206, 173, 246, 206, 179, 1, 231, 34, 248, 229, 121, 185, 71, 183, 205, 104, 166, 224, 213, 67, 115, 141, 245, 104, 248, 100, 160, 189, 218, 121, 37, 39, 34, 173, 15, 119, 101, 44, 193, 176, 2, 249, 35, 124, 0, 165, 16, 7, 110, 210, 16, 30, 147, 125, 179, 160, 99, 114, 26, 62, 149, 252, 113, 136, 194, 247, 224, 37, 2, 129, 128, 100, 246, 78, 199, 244, 2, 87, 249, 173, 224, 77, 160, 42, 208, 17, 87, 234, 103, 82, 63, 34, 115, 73, 233, 143, 193, 247, 98, 136, 232, 158, 102, 165, 95, 158, 245, 172, 99, 194, 220, 86, 166, 105, 160, 115, 106, 118, 235, 30, 171, 227, 226, 204, 19, 138, 165, 144, 21, 185, 188, 187, 86, 219, 172, 103, 51, 55, 241, 101, 250, 247, 251, 35, 27, 80, 172, 53, 234, 34, 214, 60, 108, 41, 65, 196, 198, 155, 74, 95, 230, 103, 50, 193, 22, 15, 138, 103, 254, 144, 61, 246, 222, 98, 153, 59, 162, 152, 204, 38, 82, 31, 41, 228, 166, 217, 116, 1, 107, 37, 222, 65, 165, 77, 228, 43, 251, 25, 163, 2, 129, 129, 0, 133, 58, 158, 95, 108, 131, 108, 121, 208, 192, 178, 142, 160, 92, 213, 16, 26, 161, 144, 141, 147, 228, 194, 64, 194, 39, 58, 22, 83, 31, 61, 57, 209, 247, 251, 141, 56, 28, 36, 96, 146, 121, 16, 130, 194, 217, 140, 114, 126, 149, 9, 60, 217, 17, 178, 246, 170, 62, 74, 38, 240, 177, 120, 131, 210, 232, 12, 222, 156, 48, 229, 162, 137, 195, 149, 209, 164, 226, 201, 137, 180, 157, 4, 226, 190, 121, 218, 84, 216, 230, 189, 29, 138, 30, 65, 0, 36, 157, 61, 147, 225, 130, 115, 2, 222, 163, 168, 88, 183, 118, 157, 246, 146, 85, 82, 246, 38, 198, 2, 18, 95, 150, 202, 242, 54, 102, 157, 29, 2, 129, 129, 0, 169, 126, 79, 164, 70, 238, 179, 136, 129, 238, 109, 233, 196, 68, 212, 221, 124, 182, 210, 19, 215, 225, 34, 169, 44, 245, 178, 223, 151, 9, 51, 222, 47, 2, 42, 38, 156, 205, 255, 237, 224, 37, 151, 32, 27, 69, 129, 199, 195, 248, 155, 85, 211, 144, 139, 87, 238, 70, 109, 95, 138, 162, 196, 90, 244, 103, 23, 158, 250, 218, 234, 156, 219, 24, 42, 221, 8, 116, 209, 0, 151, 223, 55, 122, 197, 36, 106, 230, 17, 233, 89, 81, 206, 131, 17, 196, 192, 109, 156, 195, 138, 98, 92, 93, 167, 199, 80, 204, 248, 125, 159, 218, 183, 26, 123, 128, 100, 189, 193, 59, 245, 242, 165, 223, 188, 109, 108, 160]), { name: 'RSA-OAEP', hash: 'SHA-256' }, true, ['decrypt']),
]);

Safari accepts all of them, Firefox accepts the first one and rejects the others with DataError, Chrome rejects all of them with DataError (as it should).

@panva
Copy link
Member

panva commented Dec 16, 2021

@twiss do you have valid keys for the different OIDs too?

@twiss
Copy link
Member Author

twiss commented Dec 16, 2021

No, I don't, but I can try to find or make some

@panva
Copy link
Member

panva commented Dec 16, 2021

I have id-RSASSA-PSS as well as id-ecDH, just need id-RSAES-OAEP

@twiss
Copy link
Member Author

twiss commented Dec 16, 2021

OK. Could you post the ones you have, maybe? It might be easier to modify a PSS key to an OAEP one rather than create it from scratch (I can't find any example keys so far)

@panva
Copy link
Member

panva commented Dec 16, 2021

@panva
Copy link
Member

panva commented Dec 16, 2021

Using the above script

Firefox latest

spki id-RSASSA-PSS import ✅ success
pkcs8 id-RSASSA-PSS import ❌ fail DataError
spki id-ecDH import ❌ fail DataError
pkcs8 id-ecDH import ❌ fail DataError

Chromium latest (Chrome, Edge, Opera, ...)

spki id-RSASSA-PSS import ❌ fail DataError
pkcs8 id-RSASSA-PSS import ❌ fail DataError
spki id-ecDH import ❌ fail DataError
pkcs8 id-ecDH import ❌ fail DataError

https://www.chromium.org/blink/webcrypto

When importing/exporting "spki" and "pkcs8" formats, the only OIDs supported by Chromiumare those recognized by OpenSSL/BoringSSL.
Importing ECDH keys does not accept id-ecDH. The OID must instead be id-ecPublicKey (This can cause problems importing keys generated by Firefox; use "raw" EC keys as a workaround; Chromium in this case is not spec compliant)
Importing RSA-PSS keys does not accept id-RSASSA-PSS. The OID must instead be rsaEncryption
Importing RSA-OAEP keys does not accept id-RSAES-OAEP. The OID must instead be rsaEncryption.
Exporting ECDH keys uses OID id-ecPublicKey, whereas the WebCrypto spec says to use id-ecDH.
Exporting RSA-PSS keys uses OID rsaEncryption, whereas the WebCrypto spec says to use RSA-PSS.
Exporting RSA-OAEP keys uses OID rsaEncryption, whereas the WebCrypto spec says to use id-RSAES-OAEP.

Safari latest

spki id-RSASSA-PSS import ❌ fail DataError
pkcs8 id-RSASSA-PSS import ❌ fail DataError
spki id-ecDH import ❌ fail DataError
pkcs8 id-ecDH import ❌ fail DataError

Node.js latest (experimental impl)

spki id-RSASSA-PSS import ✅ success
pkcs8 id-RSASSA-PSS import ✅ success
spki id-ecDH import ❌ fail Error
pkcs8 id-ecDH import ❌ fail Error

https://github.com/nodejs/node/issues/39959

Deno latest (WIP master as of now)

spki id-RSASSA-PSS import ✅ success
pkcs8 id-RSASSA-PSS import ✅ success
spki id-ecDH import ❌ fail NotSupportedError
pkcs8 id-ecDH import ❌ fail NotSupportedError

@panva
Copy link
Member

panva commented Dec 16, 2021

At least in Node.js if an import succeeds, export would use the same OID for that key. What comes in is what comes out. That is technically not conform with the current language but also not conform with "after #305".

@twiss
Copy link
Member Author

twiss commented Dec 16, 2021

Thanks for the keys, and tests! Here are some RSA-OAEP keys with OID id-RSAES-OAEP and valid (I think) RSAES-OAEP-params; adapted from the RSA-PSS keys. However, none of the browsers accept them. Though, Firefox does accept the public key (for all RSA algorithms, including RSA-OAEP) if I change the OID to id-RSASSA-PSS (and also accepts them if the hashes in the parameters don't match). So, my theory is that

  • Firefox considers id-RSASSA-PSS as a "synonym" to rsaEncryption for public keys, and ignores the parameters
  • Safari considers id-RSASSA-PSS and id-RSAES-OAEP as synonyms to rsaEncryption for public and private keys, but requires the parameters to be NULL

At least in Node.js if an import succeeds, export would use the same OID for that key. What comes in is what comes out. That is technically not conform with the current language but also not conform with "after #305".

I think that's reasonable behavior, but at the same time it's probably not reasonable to put that in the spec, as it would require us (and implementations) to store the way the key was originally encoded, which seems otherwise pointless.

So, given all of the above I agree it would be reasonable to drop importing id-RSASSA-PSS, id-RSAES-OAEP and id-ecDH keys, and have only one possible representation in the spec. The latter two are already not supported anywhere, the only breaking change (I think) would be Firefox which (accidentally?) allows importing valid id-RSASSA-PSS public keys - but even Firefox doesn't actually implement the full steps to import, and doesn't check the RSASSA-PSS-params - so they might also be happier with dropping this entirely. Perhaps @dveditz do you have an opinion?

@panva
Copy link
Member

panva commented Dec 16, 2021

I think that's reasonable behavior, but at the same time it's probably not reasonable to put that in the spec, as it would require us (and implementations) to store the way the key was originally encoded, which seems otherwise pointless.

I wasn't thinking of putting this behaviour in the spec. I was merely making sure this pattern is pointed out.

The Node.js implementation is still marked as experimental and as such we're able to make breaking changes rather quickly.

So, given all of the above I agree it would be reasonable to drop importing id-RSASSA-PSS, id-RSAES-OAEP and id-ecDH keys, and have only one possible representation in the spec.

I agree. But it is worth pointing out that these key representations are correct in that they don't allow use of that key for other purposes. At the same time the ease of JWK export and subsequent dropping alg, use, key_ops, etc makes this a moot point if the key is exportable. It is also relatively easy to change the OID, drop the params and treat keys as rsaEncryption applicable to all RSA algorithms when importing anyway.

@panva
Copy link
Member

panva commented Dec 16, 2021

@jasnell does the CF Workers implementation also only support rsaEncryption and ecPublicKey OIDs?

@twiss
Copy link
Member Author

twiss commented Dec 16, 2021

I wasn't thinking of putting this behaviour in the spec. I was merely making sure this pattern is pointed out.

Yeah, I understand, and thanks for pointing it out. I was mostly trying to say that having two possible representations in the spec causes some complexity here indeed (and forcing the implementation to re-serialize, or not, is perhaps not desirable).

I agree. But it is worth pointing out that these key representations are correct in that they don't allow use of that key for other purposes. At the same time the ease of JWK export and subsequent dropping alg, use, key_ops, etc makes this a moot point if the key is exportable. It is also relatively easy to change the OID, drop the params and treat keys as rsaEncryption applicable to all RSA algorithms when importing anyway.

Yeah. The only situation where it might matter is when the key is encrypted using AES-KW, for example, and can't easily be changed. In that case I also agree the algorithm-specific OIDs are better, and it would've been nicer if all implementations used and supported them from the start. But at this point, I'm not sure if it's worth the effort to convince them to do so (and exporting the algorithm-specific OIDs would cause breakage, for now).

@jasnell
Copy link

jasnell commented Dec 16, 2021

@panva ... I don't know off the top of my head but I've made a note to check :-)

@twiss
Copy link
Member Author

twiss commented Mar 22, 2022

Just an update to this, I've also tested importing RSASSA-PKCS1-v1_5 keys with sha1WithRSAEncryption, sha256WithRSAEncryption, sha384WithRSAEncryption or sha512WithRSAEncryption OIDs instead of rsaEncryption. The results are:

  • Chrome, Firefox and Node.js reject the keys
  • Safari accepts the keys, but doesn't check that the hash in the OID matches the hash in the algorithm identifier, and blindly uses the latter
  • Deno accepts the keys and correctly checks that the hash matches

Since they're only correctly implemented in one implementation, and can't be relied upon to work (let alone enforce the usage specified in the OID) on the web in general, I would propose that we drop them as well.

@lucacasonato, @kcheney1 and @dveditz, would you be OK with dropping support for importing these OIDs (and id-RSASSA-PSS, id-RSAES-OAEP and id-ecDH) from the spec (and only support rsaEncryption and id-ecPublicKey, as most implementations do)?

The main downside is that then you can't import a spki or pkcs1 key that's tightly bound to the algorithm and hash it can be used with (this might be relevant if you store encrypted keys for signing and encrypting on an untrusted server, for example, and the server can swap them without detection), but this is already the reality today, and jwk keys can be used instead (we can add a note in the spec to that effect). The checks for importing jwk keys are implemented correctly everywhere I tested, except for one case (when importing ECC keys in Firefox, the crv in the jwk key is not checked against the namedCurve in the algorithm identifier, and the former is used. I'll open an issue for that. Edit: https://bugzilla.mozilla.org/show_bug.cgi?id=1760806).

nodejs-github-bot pushed a commit to nodejs/node that referenced this issue May 25, 2022
bengl pushed a commit to nodejs/node that referenced this issue May 30, 2022
targos pushed a commit to nodejs/node that referenced this issue Jul 12, 2022
targos pushed a commit to nodejs/node that referenced this issue Jul 31, 2022
littledivy pushed a commit to denoland/deno that referenced this issue Oct 4, 2022
This PR updates RSA key import/export to a state which is interoperable
with other implementations.

For RSA the only OID in and out is `rsaEncryption`.
For EC the only OID in and out is `id-ecpublickey` (fixed in #16152).

see w3c/webcrypto#307 (comment)
see w3c/webcrypto#307
see w3c/webcrypto#305
see nodejs/node#42816
guangwong pushed a commit to noslate-project/node that referenced this issue Oct 10, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants