Bug 262613
| Summary: | Ed25519 JWK import should ignore the "alg" JWK member | ||
|---|---|---|---|
| Product: | WebKit | Reporter: | Filip Skokan <panva.ip> |
| Component: | WebCore Misc. | Assignee: | Javier Fernandez <jfernandez> |
| Status: | RESOLVED WONTFIX | ||
| Severity: | Normal | CC: | ahmad.saleem792, jfernandez, me, nitinmahendru, panva.ip, pascoe, webkit-bug-importer, wilander |
| Priority: | P2 | Keywords: | InRadar, WPTImpact |
| Version: | Safari 17 | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| See Also: | https://bugs.chromium.org/p/chromium/issues/detail?id=1489245 | ||
Filip Skokan
As per https://github.com/WICG/webcrypto-secure-curves/pull/24 the "alg" JWK member is now ignored during JWK import, and missing during JWK export for Ed25519 keys.
Safari correctly handles the latter but not the former: the "alg" JWK member is not ignored during import.
```
const jwk = {
  crv: "Ed25519",
  x: "2OGJY9gJ1IfZVJrMrsZ0Ln7rok2KDTsUt-PK6gaJPcw",
  kty: "OKP",
  alg: "this should now be ignored",
};
crypto.subtle.importKey("jwk", jwk, "Ed25519", true, ["verify"]).then((key) => {
  crypto.subtle.exportKey("jwk", key).then((exportedJwk) => {
    if (exportedJwk.alg) {
      console.log("❌ alg should be missing");
    }
  });
});
```
Filip Skokan
WPT update for the draft spec change https://github.com/web-platform-tests/wpt/pull/42333
Radar WebKit Bug Importer
<rdar://problem/116806236>
Javier Fernandez
I'm working on a patch for this bug.
Javier Fernandez
Pull request: https://github.com/WebKit/WebKit/pull/21006
Javier Fernandez
It seems Chrome reviewers have doubts regarding the decision to remove the 'alg' field from the JWK import operation's logic.
I'd rather wait until there is more consensus before merging the patch.
Javier Fernandez
It seems that the FF implementation ignores the "alg" JWK member, as it passes the related tests [1]. It'd be useful to know WebKit's position in this regard, given that apparently Chrome's concerns are debatable, from what I could extract from the conversation in the mentioned Chrome bug.
[1] https://wpt.fyi/results/WebCryptoAPI/import_export/okp_importKey_Ed25519.https.any.html?label=experimental&label=master&aligned
Javier Fernandez
It seems the spec introduced again the "alg" key in the JWK format, see https://github.com/w3c/webcrypto/pull/401
I guess we can close this bug as invalid and perhaps file a new one if the current behavior doesn't match the new possible values of the "alg" member.
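
The thread shows engines differing on whether the "alg" member is ignored during Ed25519 JWK import. The following is an added example, not code from the bug thread or from WebKit: a caller-side check that decides about "alg" before the key reaches `importKey`, so the outcome does not depend on the engine. The function names and the `allowedAlgs` policy (default `"EdDSA"`, the RFC 8037 name) are assumptions of this example.

```javascript
// Added example. Assumption: the application accepts only the "alg" values
// listed in allowedAlgs; everything else is rejected before import.
function normalizeEd25519PublicJwk(jwk, allowedAlgs = ["EdDSA"]) {
  if (jwk === null || typeof jwk !== "object") {
    throw new TypeError("JWK must be an object");
  }
  if (jwk.kty !== "OKP" || jwk.crv !== "Ed25519") {
    throw new Error("not an Ed25519 OKP key");
  }
  // A 32-byte public key is exactly 43 unpadded base64url characters.
  if (typeof jwk.x !== "string" || !/^[A-Za-z0-9_-]{43}$/.test(jwk.x)) {
    throw new Error("x is not a 32-byte base64url value");
  }
  if ("d" in jwk) {
    throw new Error("private key material in a public-key import");
  }
  // Decide about "alg" here, so the result is the same whether the engine
  // ignores the member or validates it.
  if (jwk.alg !== undefined && !allowedAlgs.includes(jwk.alg)) {
    throw new Error(`unexpected alg: ${JSON.stringify(jwk.alg)}`);
  }
  // Hand over only the members the import needs; "alg" is deliberately dropped.
  return { kty: "OKP", crv: "Ed25519", x: jwk.x };
}

// Import wrapper for an environment with WebCrypto Ed25519 support.
async function importEd25519VerifyKey(jwk, allowedAlgs) {
  const clean = normalizeEd25519PublicJwk(jwk, allowedAlgs);
  return crypto.subtle.importKey("jwk", clean, "Ed25519", true, ["verify"]);
}

// Returns "accepted" or the rejection reason for one candidate JWK.
function classifyJwk(jwk) {
  try {
    normalizeEd25519PublicJwk(jwk);
    return "accepted";
  } catch (err) {
    return `rejected: ${err.message}`;
  }
}

// Constructed samples: the public key from the report with three "alg" variants.
const SAMPLE_X = "2OGJY9gJ1IfZVJrMrsZ0Ln7rok2KDTsUt-PK6gaJPcw";
const sampleJwks = [
  { kty: "OKP", crv: "Ed25519", x: SAMPLE_X },
  { kty: "OKP", crv: "Ed25519", x: SAMPLE_X, alg: "EdDSA" },
  { kty: "OKP", crv: "Ed25519", x: SAMPLE_X, alg: "this should now be ignored" },
];
for (const jwk of sampleJwks) console.log(jwk.alg, "->", classifyJwk(jwk));
```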