Update the ECDSA sign/verify algorithms to match the cryptographic processing model.
--- a/spec/Overview-WebCryptoAPI.xml Mon Jun 03 13:07:04 2013 -0700
+++ b/spec/Overview-WebCryptoAPI.xml Wed Jun 12 19:17:24 2013 -0700
@@ -2727,12 +2727,6 @@
<div id="ecdsa-operations" class="section">
<h4>Operations</h4>
- <div class="ednote">
- <p>
- Note: The following processing algorithms have not been updated to match the processing algorithm
- described in the <a href="#CryptoOperation-processing-model">CryptoOperation processing model</a>.
- </p>
- </div>
<dl>
<dt>Sign</dt>
<dd>
@@ -2740,57 +2734,85 @@
shall behave as follows:
<ol>
<li>
- Upon invoking <code>init</code>:
- <ol>
- <li>
- If <code><a href="#dfn-CryptoOperation-key">key</a></code> does not describe an
- ECDSA private key, raise an error and <a href="#terminate-the-algorithm">terminate the algorithm</a>.
- </li>
- <li>
- Let <var>M</var> be an empty sequence of bytes.
- </li>
- </ol>
+ <p>
+ If the context object's associated <code><a href="#dfn-CryptoOperation-key">Key</a></code>
+ does not refer to an ECDSA private key, terminate the algorithm with an error.
+ </p>
</li>
<li>
- Upon invoking <code><a href="#dfn-CryptoOperation-method-process">process</a></code>:
- <ol>
- <li>
- Let <var>buffer</var> be the <code>ArrayBufferView</code> to be processed.
- </li>
- <li>
- Convert <var>buffer</var> to a sequence of <code>byteLength</code> bytes from
- the underlying <code>ArrayBuffer</code>, starting at the <code>byteOffset</code>
- of the <code>ArrayBufferView</code>, and append those bytes to <var>M</var>.
- </li>
- <li>
- No output is returned.
- </li>
- </ol>
- </li>
- <li>
- Upon invoking <code><a href="#dfn-CryptoOperation-method-finish">finish</a></code>:
- <ol>
- <li>
- Perform the ECDSA signing process, as specified in <a href="#X9.62">X9.62</a>,
- Section 7.3, with <var>M</var> as the message, with EC domain parameters and
- private key <var>d</var> obtained from the <code><a href="#dfn-CryptoOperation-key">Key</a></code>,
- and with the hash function obtained from the EcdsaParams dictionary.
- </li>
- <li>
- If the operation resulted in an error, raise an error and terminate this
- algorithm.
- </li>
- <li>
- Let <var>r</var> and <var>s</var> be a pair of integers resulting from performing the
- ECDSA signing process.
- </li>
- <li>
- Let <var>output</var> be an <code>ArrayBuffer</code> holding
- the concatenation of <var>r</var> and <var>s</var>, each as a ceil(ceil(log2(n))/8)
- byte sequence, where n (a prime number) is the order of the base point generator.
- </li>
- </ol>
- </li>
+ <p>
+ Upon the first attempt to process data, let <var>hash</var> be an initialized to an
+ instance of the underlying hash algorithm indicated by the <code>"hash"</code>
+ identifier of the context object's associated
+ <code><a href="#dfn-CryptoOperation-Algorithm">algorithm</a></code>.
+ </p>
+ </li>
+ <li>
+ <p>
+ Let <var>bytes</var> be the sequence of bytes to be processed.
+ </p>
+ </li>
+ <li>
+ <p>
+ Perform the hash algorithm of <var>hash</var>, using <var>bytes</var> as input.
+ </p>
+ </li>
+ <li>
+ <p>
+ If the context object's internal state is not <code>"complete"</code>, return an
+ empty <code>ArrayBuffer</code>.
+ </p>
+ </li>
+ <li>
+ <p>
+ Let <var>M</var> be the result of finalizing the hash algorithm of <var>hash</var>.
+ </p>
+ </li>
+ <li>
+ <p>
+ Let <var>d</var> be the ECDSA private key associated with the context object's
+ associated <code><a href="#dfn-CryptoOperation-key">Key</a></code>.
+ </p>
+ </li>
+ <li>
+ <p>
+ Let <var>params</var> be the EC domain parameters associated with the context
+ object's associated <code><a href="#dfn-CryptoOperation-key">Key</a></code>.
+ </p>
+ </li>
+ <li>
+ <p>
+ Perform the ECDSA signing process, as specified in <a href="#X9.62">X9.62</a>,
+ Section 7.3, with <var>M</var> as the message, using <var>params</var> as the
+ EC domain parameters, and with <var>d</var> as the private key.
+ </p>
+ </li>
+ <li>
+ <p>
+ Let <var>r</var> and <var>s</var> be the pair of integers resulting from
+ performing the ECDSA signing process.
+ </p>
+ </li>
+ <li>
+ <p>
+ Let <var>result</var> be a new <code>ArrayBuffer</code>.
+ </p>
+ </li>
+ <li>
+ <p>
+ Convert <var>r</var> to a bitstring and append the sequence of bytes to <var>result</var>.
+ </p>
+ </li>
+ <li>
+ <p>
+ Convert <var>s</var> to a bitstring and append the sequence of bytes to <var>result</var>.
+ </p>
+ </li>
+ <li>
+ <p>
+ Return <var>result</var>.
+ </p>
+ </li>
</ol>
</dd>
<dt>Verify</dt>
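Review bot: The last two conversion steps of Sign ("Convert r to a bitstring and append the sequence of bytes to result", and the same for s) drop the fixed width that the removed text specified, where r and s were each a ceil(ceil(log2(n))/8) byte sequence with n the order of the base point generator. Without a stated length and byte order the concatenation is ambiguous: once either integer has leading zero bytes, a verifier cannot tell where r ends and s begins. Suggest carrying the old length rule into both conversion steps and stating the byte order explicitly.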
@@ -2799,53 +2821,70 @@
shall behave as follows:
<ol>
<li>
- Upon invoking <code>init</code>:
- <ol>
- <li>
- If <code><a href="#dfn-CryptoOperation-key">key</a></code> does not describe an
- ECDSA public key, raise an error and <a href="#terminate-the-algorithm">terminate the algorithm</a>.
- </li>
- <li>
- Let <var>M'</var> be an empty sequence of bytes.
- </li>
- </ol>
+ <p>
+ If the context object's associated <code><a href="#dfn-CryptoOperation-key">Key</a></code>
+ does not refer to an ECDSA public key, terminate the algorithm with an error.
+ </p>
</li>
<li>
- Upon invoking <code><a href="#dfn-CryptoOperation-method-process">process</a></code>:
- <ol>
- <li>
- Let <var>buffer</var> be the <code>ArrayBufferView</code> to be processed.
- </li>
- <li>
- Convert <var>buffer</var> to a sequence of <code>byteLength</code> bytes from
- the underlying <code>ArrayBuffer</code>, starting at the <code>byteOffset</code>
- of the <code>ArrayBufferView</code>, and append those bytes to <var>M'</var>.
- </li>
- <li>
- No output is returned.
- </li>
- </ol>
- </li>
- <li>
- Upon invoking <code><a href="#dfn-CryptoOperation-method-finish">finish</a></code>:
- <ol>
- <li>
- Perform the ECDSA verifying process, as specified in <a href="#X9.62">X9.62</a>,
- Section 7.4, with <var>M'</var> as the received message, with the EC domain
- parameters and public key <var>Q</var> obtained from the
- <code><a href="#dfn-CryptoOperation-key">Key</a></code>, and with the hash
- function obtained from the EcdsaParams dictionary.
- </li>
- <li>
- If the operation resulted in an error, raise an error and terminate this
- algorithm.
- </li>
- <li>
- Let <var>output</var> be a <code>boolean</code> that indicates whether the
- purported signature is valid (<code>true</code>) or not (<code>false</code>).
- </li>
- </ol>
- </li>
+ <p>
+ Upon the first attempt to process data, let <var>hash</var> be an initialized to an
+ instance of the underlying hash algorithm indicated by the <code>"hash"</code>
+ identifier of the context object's associated
+ <code><a href="#dfn-CryptoOperation-Algorithm">algorithm</a></code>.
+ </p>
+ </li>
+ <li>
+ <p>
+ Let <var>bytes</var> be the sequence of bytes to be processed.
+ </p>
+ </li>
+ <li>
+ <p>
+ Perform the hash algorithm of <var>hash</var>, using <var>bytes</var> as input.
+ </p>
+ </li>
+ <li>
+ <p>
+ If the context object's internal state is not <code>"complete"</code>, terminate the algorithm.
+ </p>
+ </li>
+ <li>
+ <p>
+ Let <var>M</var> be the result of finalizing the hash algorithm of <var>hash</var>.
+ </p>
+ </li>
+ <li>
+ <p>
+ Let <var>Q</var> be the ECDSA public key associated with the context object's
+ associated <code><a href="#dfn-CryptoOperation-key">Key</a></code>.
+ </p>
+ </li>
+ <li>
+ <p>
+ Let <var>params</var> be the EC domain parameters associated with the context
+ object's associated <code><a href="#dfn-CryptoOperation-key">Key</a></code>.
+ </p>
+ </li>
+ <li>
+ <p>
+ Perform the ECDSA verifying process, as specified in <a href="#X9.62">X9.62</a>,
+ Section 7.4, with <var>M</var> as the received message, using <var>params</var> as the
+ EC domain parameters, and with <var>Q</var> as the public key.
+ </p>
+ </li>
+ <li>
+ <p>
+ Let <var>result</var> be a boolean indicating whether or not the purported
+ signature is valid, with <code>true</code> indicating the signature is valid
+ and <code>false</code> indicating it is invalid.
+ </p>
+ </li>
+ <li>
+ <p>
+ Return <var>result</var>.
+ </p>
+ </li>
</ol>
</dd>
<dt>Generate Key</dt>
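Review bot: Verify never says where the signature comes from. The result step refers to "the purported signature", but no step names it as an input or describes how it is split back into r and s before the X9.62 Section 7.4 process runs, and nothing handles a signature of the wrong length. Suggest adding a step that names the signature input, checks that its length is exactly twice the per-integer length, and parses r and s from it, with the outcome for a malformed signature (false or an error) stated explicitly.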
--- a/spec/Overview.html Mon Jun 03 13:07:04 2013 -0700
+++ b/spec/Overview.html Wed Jun 12 19:17:24 2013 -0700
@@ -33,7 +33,7 @@
<link rel="stylesheet" href="//www.w3.org/StyleSheets/TR/W3C-ED" type="text/css" /></head>
<body>
- <div class="head"><div><a href="http://www.w3.org/"><img src="//www.w3.org/Icons/w3c_home" width="72" height="48" alt="W3C" /></a></div><h1>Web Cryptography API</h1><h2>W3C Editor’s Draft <em>3 June 2013</em></h2><dl><dt>Latest Editor’s Draft:</dt><dd><a href="http://dvcs.w3.org/hg/webcrypto-api/raw-file/tip/spec/Overview.html">http://dvcs.w3.org/hg/webcrypto-api/raw-file/tip/spec/Overview.html</a></dd><dt>Latest Published Version:</dt><dd><a href="http://www.w3.org/TR/WebCryptoAPI/">http://www.w3.org/TR/WebCryptoAPI/</a></dd><dt>Previous Version(s):</dt><dd><a href="https://dvcs.w3.org/hg/webcrypto-api/raw-file/0fe9b34c13fb/spec/Overview.html">https://dvcs.w3.org/hg/webcrypto-api/raw-file/0fe9b34c13fb/spec/Overview.html</a></dd><dt>Editors:</dt><dd><a href="http://ddahl.com/">David Dahl</a>, Mozilla Corporation <ddahl@mozilla.com></dd><dd><a href="http://www.google.com/">Ryan Sleevi</a>, Google, Inc. <sleevi@google.com></dd><dt>Participate:</dt><dd><p>Send feedback to <a href="mailto:public-webcrypto@w3.org?subject=%5BWebCryptoAPI%5D">public-webcrypto@w3.org</a> (<a href="http://lists.w3.org/Archives/Public/public-webcrypto/">archives</a>), or <a href="https://www.w3.org/Bugs/Public/enter_bug.cgi?product=Web%20Cryptography&component=Web%20Cryptography%20API%20Document">file a bug</a>
+ <div class="head"><div><a href="http://www.w3.org/"><img src="//www.w3.org/Icons/w3c_home" width="72" height="48" alt="W3C" /></a></div><h1>Web Cryptography API</h1><h2>W3C Editor’s Draft <em>12 June 2013</em></h2><dl><dt>Latest Editor’s Draft:</dt><dd><a href="http://dvcs.w3.org/hg/webcrypto-api/raw-file/tip/spec/Overview.html">http://dvcs.w3.org/hg/webcrypto-api/raw-file/tip/spec/Overview.html</a></dd><dt>Latest Published Version:</dt><dd><a href="http://www.w3.org/TR/WebCryptoAPI/">http://www.w3.org/TR/WebCryptoAPI/</a></dd><dt>Previous Version(s):</dt><dd><a href="https://dvcs.w3.org/hg/webcrypto-api/raw-file/0fe9b34c13fb/spec/Overview.html">https://dvcs.w3.org/hg/webcrypto-api/raw-file/0fe9b34c13fb/spec/Overview.html</a></dd><dt>Editors:</dt><dd><a href="http://ddahl.com/">David Dahl</a>, Mozilla Corporation <ddahl@mozilla.com></dd><dd><a href="http://www.google.com/">Ryan Sleevi</a>, Google, Inc. <sleevi@google.com></dd><dt>Participate:</dt><dd><p>Send feedback to <a href="mailto:public-webcrypto@w3.org?subject=%5BWebCryptoAPI%5D">public-webcrypto@w3.org</a> (<a href="http://lists.w3.org/Archives/Public/public-webcrypto/">archives</a>), or <a href="https://www.w3.org/Bugs/Public/enter_bug.cgi?product=Web%20Cryptography&component=Web%20Cryptography%20API%20Document">file a bug</a>
(see <a href="https://www.w3.org/Bugs/Public/buglist.cgi?product=Web%20Cryptography&component=Web%20Cryptography%20API%20Document&resolution=---">existing bugs</a>).</p></dd></dl><p class="copyright"><a href="http://www.w3.org/Consortium/Legal/ipr-notice#Copyright">Copyright</a> © view <a href="http://www.w3.org/"><abbr title="World Wide Web Consortium">W3C</abbr></a><sup>®</sup> (<a href="http://www.csail.mit.edu/"><abbr title="Massachusetts Institute of Technology">MIT</abbr></a>, <a href="http://www.ercim.org/"><abbr title="European Research Consortium for Informatics and Mathematics">ERCIM</abbr></a>, <a href="http://www.keio.ac.jp/">Keio</a>), All Rights Reserved. W3C <a href="http://www.w3.org/Consortium/Legal/ipr-notice#Legal_Disclaimer">liability</a>, <a href="http://www.w3.org/Consortium/Legal/ipr-notice#W3C_Trademarks">trademark</a> and <a href="http://www.w3.org/Consortium/Legal/copyright-documents">document use</a> rules apply.</p></div><hr />
<div class="section">
@@ -49,7 +49,7 @@
communications.
</p>
- <div class="ednote"><div class="ednoteHeader">Editorial note</div><p>There are 21 further editorial notes in the document.</p></div>
+ <div class="ednote"><div class="ednoteHeader">Editorial note</div><p>There are 20 further editorial notes in the document.</p></div>
</div>
<div class="section">
@@ -61,7 +61,7 @@
report can be found in the <a href="http://www.w3.org/TR/">W3C technical
reports index</a> at http://www.w3.org/TR/.
</em></p><p>
- This document is the 3 June 2013 <b>Editor’s Draft</b> of the
+ This document is the 12 June 2013 <b>Editor’s Draft</b> of the
<cite>Web Cryptography API</cite> specification.
Please send comments about this document to
@@ -2736,12 +2736,6 @@
<div id="ecdsa-operations" class="section">
<h4>18.7.5. Operations</h4>
- <div class="ednote"><div class="ednoteHeader">Editorial note</div>
- <p>
- Note: The following processing algorithms have not been updated to match the processing algorithm
- described in the <a href="#CryptoOperation-processing-model">CryptoOperation processing model</a>.
- </p>
- </div>
<dl>
<dt>Sign</dt>
<dd>
@@ -2749,57 +2743,85 @@
shall behave as follows:
<ol>
<li>
- Upon invoking <code>init</code>:
- <ol>
- <li>
- If <code><a href="#dfn-CryptoOperation-key">key</a></code> does not describe an
- ECDSA private key, raise an error and <a href="#terminate-the-algorithm">terminate the algorithm</a>.
- </li>
- <li>
- Let <var>M</var> be an empty sequence of bytes.
- </li>
- </ol>
+ <p>
+ If the context object's associated <code><a href="#dfn-CryptoOperation-key">Key</a></code>
+ does not refer to an ECDSA private key, terminate the algorithm with an error.
+ </p>
</li>
<li>
- Upon invoking <code><a href="#dfn-CryptoOperation-method-process">process</a></code>:
- <ol>
- <li>
- Let <var>buffer</var> be the <code>ArrayBufferView</code> to be processed.
- </li>
- <li>
- Convert <var>buffer</var> to a sequence of <code>byteLength</code> bytes from
- the underlying <code>ArrayBuffer</code>, starting at the <code>byteOffset</code>
- of the <code>ArrayBufferView</code>, and append those bytes to <var>M</var>.
- </li>
- <li>
- No output is returned.
- </li>
- </ol>
- </li>
- <li>
- Upon invoking <code><a href="#dfn-CryptoOperation-method-finish">finish</a></code>:
- <ol>
- <li>
- Perform the ECDSA signing process, as specified in <a href="#X9.62">X9.62</a>,
- Section 7.3, with <var>M</var> as the message, with EC domain parameters and
- private key <var>d</var> obtained from the <code><a href="#dfn-CryptoOperation-key">Key</a></code>,
- and with the hash function obtained from the EcdsaParams dictionary.
- </li>
- <li>
- If the operation resulted in an error, raise an error and terminate this
- algorithm.
- </li>
- <li>
- Let <var>r</var> and <var>s</var> be a pair of integers resulting from performing the
- ECDSA signing process.
- </li>
- <li>
- Let <var>output</var> be an <code>ArrayBuffer</code> holding
- the concatenation of <var>r</var> and <var>s</var>, each as a ceil(ceil(log2(n))/8)
- byte sequence, where n (a prime number) is the order of the base point generator.
- </li>
- </ol>
- </li>
+ <p>
+ Upon the first attempt to process data, let <var>hash</var> be an initialized to an
+ instance of the underlying hash algorithm indicated by the <code>"hash"</code>
+ identifier of the context object's associated
+ <code><a href="#dfn-CryptoOperation-Algorithm">algorithm</a></code>.
+ </p>
+ </li>
+ <li>
+ <p>
+ Let <var>bytes</var> be the sequence of bytes to be processed.
+ </p>
+ </li>
+ <li>
+ <p>
+ Perform the hash algorithm of <var>hash</var>, using <var>bytes</var> as input.
+ </p>
+ </li>
+ <li>
+ <p>
+ If the context object's internal state is not <code>"complete"</code>, return an
+ empty <code>ArrayBuffer</code>.
+ </p>
+ </li>
+ <li>
+ <p>
+ Let <var>M</var> be the result of finalizing the hash algorithm of <var>hash</var>.
+ </p>
+ </li>
+ <li>
+ <p>
+ Let <var>d</var> be the ECDSA private key associated with the context object's
+ associated <code><a href="#dfn-CryptoOperation-key">Key</a></code>.
+ </p>
+ </li>
+ <li>
+ <p>
+ Let <var>params</var> be the EC domain parameters associated with the context
+ object's associated <code><a href="#dfn-CryptoOperation-key">Key</a></code>.
+ </p>
+ </li>
+ <li>
+ <p>
+ Perform the ECDSA signing process, as specified in <a href="#X9.62">X9.62</a>,
+ Section 7.3, with <var>M</var> as the message, using <var>params</var> as the
+ EC domain parameters, and with <var>d</var> as the private key.
+ </p>
+ </li>
+ <li>
+ <p>
+ Let <var>r</var> and <var>s</var> be the pair of integers resulting from
+ performing the ECDSA signing process.
+ </p>
+ </li>
+ <li>
+ <p>
+ Let <var>result</var> be a new <code>ArrayBuffer</code>.
+ </p>
+ </li>
+ <li>
+ <p>
+ Convert <var>r</var> to a bitstring and append the sequence of bytes to <var>result</var>.
+ </p>
+ </li>
+ <li>
+ <p>
+ Convert <var>s</var> to a bitstring and append the sequence of bytes to <var>result</var>.
+ </p>
+ </li>
+ <li>
+ <p>
+ Return <var>result</var>.
+ </p>
+ </li>
</ol>
</dd>
<dt>Verify</dt>
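Review bot: M changes meaning in the new Sign steps: it is now "the result of finalizing the hash algorithm of hash" and is then handed to X9.62 Section 7.3 "with M as the message". The removed text passed the raw message and gave the signing process "the hash function obtained from the EcdsaParams dictionary"; the new wording no longer says whether the signing process treats M as an already computed digest, so a literal reading allows hashing twice. Suggest stating that M is used as the message digest in the X9.62 computation. Separately, "let hash be an initialized to an instance" should read "let hash be initialized to an instance"; the same wording appears in the Overview-WebCryptoAPI.xml hunk, so fix it in both files.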
@@ -2808,53 +2830,70 @@
shall behave as follows:
<ol>
<li>
- Upon invoking <code>init</code>:
- <ol>
- <li>
- If <code><a href="#dfn-CryptoOperation-key">key</a></code> does not describe an
- ECDSA public key, raise an error and <a href="#terminate-the-algorithm">terminate the algorithm</a>.
- </li>
- <li>
- Let <var>M'</var> be an empty sequence of bytes.
- </li>
- </ol>
+ <p>
+ If the context object's associated <code><a href="#dfn-CryptoOperation-key">Key</a></code>
+ does not refer to an ECDSA public key, terminate the algorithm with an error.
+ </p>
</li>
<li>
- Upon invoking <code><a href="#dfn-CryptoOperation-method-process">process</a></code>:
- <ol>
- <li>
- Let <var>buffer</var> be the <code>ArrayBufferView</code> to be processed.
- </li>
- <li>
- Convert <var>buffer</var> to a sequence of <code>byteLength</code> bytes from
- the underlying <code>ArrayBuffer</code>, starting at the <code>byteOffset</code>
- of the <code>ArrayBufferView</code>, and append those bytes to <var>M'</var>.
- </li>
- <li>
- No output is returned.
- </li>
- </ol>
- </li>
- <li>
- Upon invoking <code><a href="#dfn-CryptoOperation-method-finish">finish</a></code>:
- <ol>
- <li>
- Perform the ECDSA verifying process, as specified in <a href="#X9.62">X9.62</a>,
- Section 7.4, with <var>M'</var> as the received message, with the EC domain
- parameters and public key <var>Q</var> obtained from the
- <code><a href="#dfn-CryptoOperation-key">Key</a></code>, and with the hash
- function obtained from the EcdsaParams dictionary.
- </li>
- <li>
- If the operation resulted in an error, raise an error and terminate this
- algorithm.
- </li>
- <li>
- Let <var>output</var> be a <code>boolean</code> that indicates whether the
- purported signature is valid (<code>true</code>) or not (<code>false</code>).
- </li>
- </ol>
- </li>
+ <p>
+ Upon the first attempt to process data, let <var>hash</var> be an initialized to an
+ instance of the underlying hash algorithm indicated by the <code>"hash"</code>
+ identifier of the context object's associated
+ <code><a href="#dfn-CryptoOperation-Algorithm">algorithm</a></code>.
+ </p>
+ </li>
+ <li>
+ <p>
+ Let <var>bytes</var> be the sequence of bytes to be processed.
+ </p>
+ </li>
+ <li>
+ <p>
+ Perform the hash algorithm of <var>hash</var>, using <var>bytes</var> as input.
+ </p>
+ </li>
+ <li>
+ <p>
+ If the context object's internal state is not <code>"complete"</code>, terminate the algorithm.
+ </p>
+ </li>
+ <li>
+ <p>
+ Let <var>M</var> be the result of finalizing the hash algorithm of <var>hash</var>.
+ </p>
+ </li>
+ <li>
+ <p>
+ Let <var>Q</var> be the ECDSA public key associated with the context object's
+ associated <code><a href="#dfn-CryptoOperation-key">Key</a></code>.
+ </p>
+ </li>
+ <li>
+ <p>
+ Let <var>params</var> be the EC domain parameters associated with the context
+ object's associated <code><a href="#dfn-CryptoOperation-key">Key</a></code>.
+ </p>
+ </li>
+ <li>
+ <p>
+ Perform the ECDSA verifying process, as specified in <a href="#X9.62">X9.62</a>,
+ Section 7.4, with <var>M</var> as the received message, using <var>params</var> as the
+ EC domain parameters, and with <var>Q</var> as the public key.
+ </p>
+ </li>
+ <li>
+ <p>
+ Let <var>result</var> be a boolean indicating whether or not the purported
+ signature is valid, with <code>true</code> indicating the signature is valid
+ and <code>false</code> indicating it is invalid.
+ </p>
+ </li>
+ <li>
+ <p>
+ Return <var>result</var>.
+ </p>
+ </li>
</ol>
</dd>
<dt>Generate Key</dt>
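Review bot: The step "If the context object's internal state is not "complete", terminate the algorithm" gives no result or error for the terminated case, while the matching Sign step returns an empty ArrayBuffer; say what the caller observes on intermediate input. This hunk also removes "If the operation resulted in an error, raise an error and terminate this algorithm" without a replacement, so a failure inside the X9.62 Section 7.4 process, as opposed to an invalid signature, has no defined outcome. Suggest restoring an explicit error step after the verifying process, and after the signing process in the Sign algorithm, where the same step was dropped.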