227480 – [WebCrypto] WebKit accepts elliptic curve key whose point is not on the curve

NEW 227480

[WebCrypto] WebKit accepts elliptic curve key whose point is not on the curve

https://bugs.webkit.org/show_bug.cgi?id=227480

Summary [WebCrypto] WebKit accepts elliptic curve key whose point is not on the curve

Yoshiaki Jitsukawa

Reported 2021-06-29 02:48:49 PDT

It might be an implementation-defined behavior but WebKit doesn't throw when importing an elliptic curve key whose point (x, y) is not on the curve. For example, on Chrome, a DOM exception is thrown with the following code, while not on Safari: var jwkKey = { kty: "EC", use: "enc", ext: true, crv: "P-384", x: "1bHwFrsaPRjYq-zFOyLXK8Ugv3EqbVF075ct7ouTl_pwyhjeBu03JHjKTsyVbNWK", y: "1bHwFrsaPRjYq-zFOyLXK8Ugv3EqbVF075ct7ouTl_pwyhjeBu03JHjKTsyVbNWK", // (x, y) is not on the P-384 curve // y: "OPQLbvRDpocNk4FRQLUVRBbqiauWcnUn7cAC2uSOH6GpSLoTo6B-4LtHq0ydd-iu", // x and this y is on the curve }; var extractable = true; crypto.subtle.importKey("jwk", jwkKey, { name: "ECDH", namedCurve: "P-384" }, extractable, [ ]).then(function(result) { publicKey = result; });

Attachments
Add attachment proposed patch, testcase, etc.

Radar WebKit Bug Importer

Comment 1 2021-07-06 02:49:17 PDT

<rdar://problem/80201774>

Note You need to log in before you can comment on or make changes to this bug.

Status NEW

Resolution

Priority P2

Severity Normal

Classification Unclassified

Version WebKit Nightly Build

Hardware Unspecified

OS Unspecified

Product WebKit

Component WebCore Misc.

Assignee

Nobody

Reported

2021-06-29 02:48 PDT

Modified

2021-07-06 02:49 PDT History

CC List

5 users Show

URL

Keywords InRadar

Depends on

Blocks