crypto.subtle.wrapKey does not pad key resulting in inability to wrap some keys
Reported by
frederic...@gmail.com,
Oct 21 2016
|
||
Issue description
Chrome Version : 53.0.2785.143 m
have tested this issue:
Safari:
Firefox: FAIL
IE:
What steps will reproduce the problem?
(1) Generate AES-KW key
(2) Generate RSA key pair
(3) Wrap the RSA private key
What is the expected result?
No error, key wrapped successfully
What happens instead?
Depending on the private key generated, it will either succeed every time, or fail every time with the error message "The AES-KW input data length is invalid: not a multiple of 8 bytes"
Here's the code I used to test:
<!DOCTYPE html>
<html>
<head></head>
<body>
<input id="genKey" type="button" value="Genreate new key"/><input id="wrapKey" type="button" value="Wrap Key"/>
<script>
var wrappingKey=null;
var keyToWrap=null;
crypto.subtle.generateKey({ "name": 'AES-KW', "length": 256 }, false, ["wrapKey"]).then(function(key){wrappingKey=key});
document.getElementById('genKey').addEventListener('click',
function(){
crypto.subtle.generateKey({
name: "RSASSA-PKCS1-v1_5",
modulusLength: 512,
publicExponent: new Uint8Array([1, 0, 1]),
hash: {name: "SHA-256"}
},
true,
["sign","verify"]
).then(function(keys){
keyToWrap=keys.privateKey;
console.log('new Key to wrap saved.')
});
}
);
document.getElementById('wrapKey').addEventListener('click',
function(){
crypto.subtle.wrapKey("pkcs8", keyToWrap,wrappingKey,'AES-KW').then(function(){console.log('success')},function(err){console.error(err);});
}
);
</script>
</body>
</html>
,
Dec 9 2016
This behavior is spec compliant, and as pointed out behaves the same in Firefox. There is a nnote about this in the spec (https://w3c.github.io/webcrypto/Overview.html#SubtleCrypto-method-wrapKey) """ The key wrapping operations for some algorithms place constraints on the payload size. For example AES-KW requires the payload to be a multiple of 8 bytes in length and RSA-OAEP places a restriction on the length. For key formats that offer flexibility in serialization of a given key (for example JWK), implementations may choose to adapt the serialization to the constraints of the wrapping algorithm. This is why JSON.stringify is not normatively required, as otherwise it would prohibit implementations from introducing added padding. """ So you are correct that chromium's implementation *could* add padding and be compliant. It is technically possible in the case of JWK keys to introduce no-op padding into the key to make it a multiple of 8 (for instance add whitespace). And some strategies can likely be devised for PKCS8 encoded keys too, albeit less savory. That said, adding our own arbitrary padding scheme in Chromium is not something I would support unless there is a strong use-case for this, as well as a good understanding of the underlying cryptographic implications. Really this is something that needs to be part of the Web Crypto specification, or interoperability will be a problem. My recommendation for now is to use AES-KW only with AES keys in raw format (which will be multiples of 8), and use an alternate wrapping cipher (say AES-GCM) for wrapping everything else.
,
Dec 9 2016
See also: https://www.w3.org/Bugs/Public/show_bug.cgi?id=24457 (Which discusses your issue but in the context of JWK). |
||
►
Sign in to add a comment |
||
Comment 1 by tkent@chromium.org
, Dec 9 2016