Bug 25816 - DH pkcs8 import should return DataError, not OperationError, if SPKI parsing fails.
author Ryan Sleevi <sleevi@google.com>
Mon, 16 Jun 2014 00:00:00 -0700
changeset 182 02122907368e
parent 181 d1693395d37e
child 183 a4cb70fcc0bb
Bug 25816 - DH pkcs8 import should return DataError, not OperationError, if SPKI parsing fails.
spec/Overview-WebCryptoAPI.xml
spec/Overview.html
--- a/spec/Overview-WebCryptoAPI.xml	Mon Jun 16 00:00:00 2014 -0700
+++ b/spec/Overview-WebCryptoAPI.xml	Mon Jun 16 00:00:00 2014 -0700
@@ -14730,9 +14730,8 @@
                     <p>
                       If <var>usages</var> contains a value which is not
                       one of <code>"deriveKey"</code> or <code>"deriveBits"</code>,
-                      
-                              then <a href="#concept-return-an-error">return an error</a> named
-                              <a href="#dfn-DataError"><code>DataError</code></a>.
+                      then <a href="#concept-return-an-error">return an error</a> named
+                      <a href="#dfn-DataError"><code>DataError</code></a>.
                     </p>
                   </li>
                   <li>
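Review bot: Split the whitespace-only re-wrapping, such as the re-indented "then return an error named DataError" lines in this hunk, into its own changeset. Every hunk in this patch except the one at -15234 (and its Overview.html counterpart at -15001) changes indentation and line breaks only, so the single normative change for Bug 25816 is hard to pick out when auditing error-handling behaviour.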
@@ -14902,31 +14901,27 @@
                   </li>
                   <li>
                     <p>
-                      If the <a href="#dfn-KeyAlgorithm-name">name</a> attribute of the
-                      <a href="#dfn-Key-algorithm">algorithm</a> attribute of <var>publicKey</var> is
-                      not <code>"DH"</code>,
-                            then <a href="#concept-return-an-error">return an error</a> named
-                            <a href="#dfn-DataError"><code>DataError</code></a>.
-                    </p>
-                  </li>
-                  <li>
-                    <p>
-                      If the <a href="#dfn-Key-type">type</a> attribute of <var>publicKey</var>
-                      is not
-                      <code>"public"</code>, 
-                            then <a href="#concept-return-an-error">return an error</a> named
-                            <a href="#dfn-DataError"><code>DataError</code></a>.
-                    </p>
-                  </li>
-                  <li>
-                    <p>
-                      If the <a href="#dfn-DhKeyAlgorithm-prime">prime</a> attribute of the
-                      <a href="#dfn-Key-algorithm">algorithm</a> attribute of <var>publicKey</var>
-                      is not equal to the <a href="#dfn-DhKeyAlgorithm-prime">prime</a> attribute of the
-                      <a href="#dfn-Key-algorithm">algorithm</a> attribute of <var>key</var>,
-                      
-                              then <a href="#concept-return-an-error">return an error</a> named
-                              <a href="#dfn-DataError"><code>DataError</code></a>.
+                      If the <a href="#dfn-KeyAlgorithm-name">name</a> attribute of the <a
+                      href="#dfn-Key-algorithm">algorithm</a> attribute of <var>publicKey</var> is
+                      not <code>"DH"</code>, then <a href="#concept-return-an-error">return an
+                      error</a> named <a href="#dfn-DataError"><code>DataError</code></a>.
+                    </p>
+                  </li>
+                  <li>
+                    <p>
+                      If the <a href="#dfn-Key-type">type</a> attribute of <var>publicKey</var> is
+                      not <code>"public"</code>, then <a href="#concept-return-an-error">return an
+                      error</a> named <a href="#dfn-DataError"><code>DataError</code></a>.
+                    </p>
+                  </li>
+                  <li>
+                    <p>
+                      If the <a href="#dfn-DhKeyAlgorithm-prime">prime</a> attribute of the <a
+                      href="#dfn-Key-algorithm">algorithm</a> attribute of <var>publicKey</var> is
+                      not equal to the <a href="#dfn-DhKeyAlgorithm-prime">prime</a> attribute of
+                      the <a href="#dfn-Key-algorithm">algorithm</a> attribute of <var>key</var>,
+                      then <a href="#concept-return-an-error">return an error</a> named <a
+                      href="#dfn-DataError"><code>DataError</code></a>.
                     </p>
                   </li>
                   <li>
@@ -14934,20 +14929,17 @@
                       If the <a href="#dfn-DhKeyAlgorithm-generator">generator</a> attribute of the
                       <a href="#dfn-Key-algorithm">algorithm</a> attribute of <var>publicKey</var>
                       is not equal to the <a href="#dfn-DhKeyAlgorithm-generator">generator</a>
-                      attribute of the
-                      <a href="#dfn-Key-algorithm">algorithm</a> attribute of <var>key</var>,
-                      
-                              then <a href="#concept-return-an-error">return an error</a> named
-                              <a href="#dfn-DataError"><code>DataError</code></a>.
-                    </p>
-                  </li>
-                  <li>
-                    <p>
-                      Perform the Diffie-Hellman Phase II algorithm as specified in
-                      Section 8 of [<a href="#PKCS3">PKCS #3</a>]
-                      with <var>key</var> as the DH private value <var>x</var> and the
-                      Diffie-Hellman public value represented by the
-                      <a href="#dfn-DhKeyDeriveParams-public">public</a> member of
+                      attribute of the <a href="#dfn-Key-algorithm">algorithm</a> attribute of
+                      <var>key</var>, then <a href="#concept-return-an-error">return an error</a>
+                      named <a href="#dfn-DataError"><code>DataError</code></a>.
+                    </p>
+                  </li>
+                  <li>
+                    <p>
+                      Perform the Diffie-Hellman Phase II algorithm as specified in Section 8 of [<a
+                      href="#PKCS3">PKCS #3</a>] with <var>key</var> as the DH private value
+                      <var>x</var> and the Diffie-Hellman public value represented by the <a
+                      href="#dfn-DhKeyDeriveParams-public">public</a> member of
                       <var>normalizedAlgorithm</var> as the other's public value <var>PV'</var>.
                     </p>
                     <dl class="switch">
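Review bot: No step between the generator comparison and "Perform the Diffie-Hellman Phase II algorithm" in this hunk checks the other party's public value PV' itself; the visible steps only compare the prime and generator attributes of publicKey and key. If a range check on PV' (greater than 1 and less than the prime minus 1) is not specified elsewhere in the document, for example at import time, consider adding a step here that returns an error before Phase II runs, since this list is being rewritten anyway.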
@@ -15104,27 +15096,27 @@
                       </li>
                       <li>
                         <p>
-                          If an error occurred while parsing, 
-                              then <a href="#concept-return-an-error">return an error</a> named
-                              <a href="#dfn-DataError"><code>DataError</code></a>.
+                          If an error occurred while parsing, then <a
+                          href="#concept-return-an-error">return an error</a> named <a
+                          href="#dfn-DataError"><code>DataError</code></a>.
                         </p>
                       </li>
                       <li>
                         <p>
                           If the <code>algorithm</code> object identifier field of the
                           <code>algorithm</code> AlgorithmIdentifier field of <var>spki</var> is not
-                          equivalent to the <code>dhKeyAgreement</code> OID defined in Section 9
-                          of [<a href="#PKCS3">PKCS #3</a>], 
-                              then <a href="#concept-return-an-error">return an error</a> named
-                              <a href="#dfn-DataError"><code>DataError</code></a>.
+                          equivalent to the <code>dhKeyAgreement</code> OID defined in Section 9 of
+                          [<a href="#PKCS3">PKCS #3</a>], then <a
+                          href="#concept-return-an-error">return an error</a> named <a
+                          href="#dfn-DataError"><code>DataError</code></a>.
                         </p>
                       </li>
                       <li>
                         <p>
                           If the <code>parameters</code> field of the <code>algorithm</code>
-                          AlgorithmIdentifier field of <var>spki</var> is absent, 
-                              then <a href="#concept-return-an-error">return an error</a> named
-                              <a href="#dfn-DataError"><code>DataError</code></a>.
+                          AlgorithmIdentifier field of <var>spki</var> is absent, then <a
+                          href="#concept-return-an-error">return an error</a> named <a
+                          href="#dfn-DataError"><code>DataError</code></a>.
                         </p>
                       </li>
                       <li>
@@ -15136,10 +15128,9 @@
                       <li>
                         <p>
                           If <var>params</var> is not an instance of the <code>DHParameter</code>
-                          ASN.1 type defined in Section 9 of <a href="#PKCS3">PKCS #3</a>,
-                          
-                              then <a href="#concept-return-an-error">return an error</a> named
-                              <a href="#dfn-DataError"><code>DataError</code></a>.
+                          ASN.1 type defined in Section 9 of <a href="#PKCS3">PKCS #3</a>, then <a
+                          href="#concept-return-an-error">return an error</a> named <a
+                          href="#dfn-DataError"><code>DataError</code></a>.
                         </p>
                       </li>
                       <li>
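Review bot: The citation on the re-wrapped line reads "Section 9 of PKCS #3" with a bare link, without the square brackets that the dhKeyAgreement OID step in the previous hunk uses around the same PKCS3 link. Since the line is being rewritten here, bracket the reference so both steps cite it the same way; the matching DHParameter step in the pkcs8 branch (hunk at -15269) has the same inconsistency.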
@@ -15218,11 +15209,10 @@
                     <ol>
                       <li>
                         <p>
-                          If <var>usages</var> contains a value which is not
-                          one of <code>"deriveKey"</code> or <code>"deriveBits"</code>,
-                          
-                              then <a href="#concept-return-an-error">return an error</a> named
-                              <a href="#dfn-DataError"><code>DataError</code></a>.
+                          If <var>usages</var> contains a value which is not one of
+                          <code>"deriveKey"</code> or <code>"deriveBits"</code>, then <a
+                          href="#concept-return-an-error">return an error</a> named <a
+                          href="#dfn-DataError"><code>DataError</code></a>.
                         </p>
                       </li>
                       <li>
@@ -15234,29 +15224,28 @@
                       </li>
                       <li>
                         <p>
-                          If an error occurred while parsing, 
-                      then <a href="#concept-return-an-error">return an error</a> named
-                      <a href="#dfn-OperationError"><code>OperationError</code></a>.
+                          If an error occurred while parsing, then <a
+                          href="#concept-return-an-error">return an error</a> named <a
+                          href="#dfn-DataError"><code>DataError</code></a>.
                         </p>
                       </li>
                       <li>
                         <p>
                           If the <code>algorithm</code> object identifier field of the
                           <code>algorithm</code> AlgorithmIdentifier field of
-                          <var>privateKeyInfo</var> is not
-                          equivalent to the <code>dhKeyAgreement</code> OID defined in Section 9
-                          of [<a href="#PKCS3">PKCS #3</a>], 
-                              then <a href="#concept-return-an-error">return an error</a> named
-                              <a href="#dfn-DataError"><code>DataError</code></a>.
+                          <var>privateKeyInfo</var> is not equivalent to the
+                          <code>dhKeyAgreement</code> OID defined in Section 9 of [<a
+                          href="#PKCS3">PKCS #3</a>], then <a href="#concept-return-an-error">return
+                          an error</a> named <a href="#dfn-DataError"><code>DataError</code></a>.
                         </p>
                       </li>
                       <li>
                         <p>
                           If the <code>parameters</code> field of the
                           <code>privateKeyAlgorithm</code> PrivateKeyAlgorithmIdentifier field of
-                          <var>privateKeyInfo</var> is absent, 
-                              then <a href="#concept-return-an-error">return an error</a> named
-                              <a href="#dfn-DataError"><code>DataError</code></a>.
+                          <var>privateKeyInfo</var> is absent, then <a
+                          href="#concept-return-an-error">return an error</a> named <a
+                          href="#dfn-DataError"><code>DataError</code></a>.
                         </p>
                       </li>
                       <li>
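Review bot: The changeset summary says the error applies "if SPKI parsing fails", but the step changed from OperationError to DataError in this hunk is followed by checks on privateKeyInfo and its privateKeyAlgorithm field, so the structure being parsed is a PrivateKeyInfo. Suggest rewording the summary to "if PrivateKeyInfo parsing fails" so the log matches the pkcs8 branch. The new error name itself is consistent with the spki parsing step in the hunk at -15104, which already returns DataError.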
@@ -15269,10 +15258,9 @@
                       <li>
                         <p>
                           If <var>params</var> is not an instance of the <code>DHParameter</code>
-                          ASN.1 type defined in Section 9 of <a href="#PKCS3">PKCS #3</a>,
-                          
-                              then <a href="#concept-return-an-error">return an error</a> named
-                              <a href="#dfn-DataError"><code>DataError</code></a>.
+                          ASN.1 type defined in Section 9 of <a href="#PKCS3">PKCS #3</a>, then <a
+                          href="#concept-return-an-error">return an error</a> named <a
+                          href="#dfn-DataError"><code>DataError</code></a>.
                         </p>
                       </li>
                       <li>
--- a/spec/Overview.html	Mon Jun 16 00:00:00 2014 -0700
+++ b/spec/Overview.html	Mon Jun 16 00:00:00 2014 -0700
@@ -14506,9 +14506,8 @@
                     <p>
                       If <var>usages</var> contains a value which is not
                       one of <code>"deriveKey"</code> or <code>"deriveBits"</code>,
-                      
-                              then <a href="#concept-return-an-error">return an error</a> named
-                              <a href="#dfn-DataError"><code>DataError</code></a>.
+                      then <a href="#concept-return-an-error">return an error</a> named
+                      <a href="#dfn-DataError"><code>DataError</code></a>.
                     </p>
                   </li>
                   <li>
@@ -14677,31 +14676,24 @@
                   </li>
                   <li>
                     <p>
-                      If the <a href="#dfn-KeyAlgorithm-name">name</a> attribute of the
-                      <a href="#dfn-Key-algorithm">algorithm</a> attribute of <var>publicKey</var> is
-                      not <code>"DH"</code>,
-                            then <a href="#concept-return-an-error">return an error</a> named
-                            <a href="#dfn-DataError"><code>DataError</code></a>.
-                    </p>
-                  </li>
-                  <li>
-                    <p>
-                      If the <a href="#dfn-Key-type">type</a> attribute of <var>publicKey</var>
-                      is not
-                      <code>"public"</code>, 
-                            then <a href="#concept-return-an-error">return an error</a> named
-                            <a href="#dfn-DataError"><code>DataError</code></a>.
-                    </p>
-                  </li>
-                  <li>
-                    <p>
-                      If the <a href="#dfn-DhKeyAlgorithm-prime">prime</a> attribute of the
-                      <a href="#dfn-Key-algorithm">algorithm</a> attribute of <var>publicKey</var>
-                      is not equal to the <a href="#dfn-DhKeyAlgorithm-prime">prime</a> attribute of the
-                      <a href="#dfn-Key-algorithm">algorithm</a> attribute of <var>key</var>,
-                      
-                              then <a href="#concept-return-an-error">return an error</a> named
-                              <a href="#dfn-DataError"><code>DataError</code></a>.
+                      If the <a href="#dfn-KeyAlgorithm-name">name</a> attribute of the <a href="#dfn-Key-algorithm">algorithm</a> attribute of <var>publicKey</var> is
+                      not <code>"DH"</code>, then <a href="#concept-return-an-error">return an
+                      error</a> named <a href="#dfn-DataError"><code>DataError</code></a>.
+                    </p>
+                  </li>
+                  <li>
+                    <p>
+                      If the <a href="#dfn-Key-type">type</a> attribute of <var>publicKey</var> is
+                      not <code>"public"</code>, then <a href="#concept-return-an-error">return an
+                      error</a> named <a href="#dfn-DataError"><code>DataError</code></a>.
+                    </p>
+                  </li>
+                  <li>
+                    <p>
+                      If the <a href="#dfn-DhKeyAlgorithm-prime">prime</a> attribute of the <a href="#dfn-Key-algorithm">algorithm</a> attribute of <var>publicKey</var> is
+                      not equal to the <a href="#dfn-DhKeyAlgorithm-prime">prime</a> attribute of
+                      the <a href="#dfn-Key-algorithm">algorithm</a> attribute of <var>key</var>,
+                      then <a href="#concept-return-an-error">return an error</a> named <a href="#dfn-DataError"><code>DataError</code></a>.
                     </p>
                   </li>
                   <li>
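Review bot: The added lines in this hunk are no longer wrapped: link start tags that the Overview-WebCryptoAPI.xml version splits across two lines are joined onto one line here, producing lines well past the width of the surrounding context. If Overview.html is generated from the XML, say so in the commit message so reviewers only need to read the XML hunks; if it is edited by hand, wrap these lines the same way as the XML so the two files stay easy to compare.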
@@ -14709,20 +14701,15 @@
                       If the <a href="#dfn-DhKeyAlgorithm-generator">generator</a> attribute of the
                       <a href="#dfn-Key-algorithm">algorithm</a> attribute of <var>publicKey</var>
                       is not equal to the <a href="#dfn-DhKeyAlgorithm-generator">generator</a>
-                      attribute of the
-                      <a href="#dfn-Key-algorithm">algorithm</a> attribute of <var>key</var>,
-                      
-                              then <a href="#concept-return-an-error">return an error</a> named
-                              <a href="#dfn-DataError"><code>DataError</code></a>.
-                    </p>
-                  </li>
-                  <li>
-                    <p>
-                      Perform the Diffie-Hellman Phase II algorithm as specified in
-                      Section 8 of [<a href="#PKCS3">PKCS #3</a>]
-                      with <var>key</var> as the DH private value <var>x</var> and the
-                      Diffie-Hellman public value represented by the
-                      <a href="#dfn-DhKeyDeriveParams-public">public</a> member of
+                      attribute of the <a href="#dfn-Key-algorithm">algorithm</a> attribute of
+                      <var>key</var>, then <a href="#concept-return-an-error">return an error</a>
+                      named <a href="#dfn-DataError"><code>DataError</code></a>.
+                    </p>
+                  </li>
+                  <li>
+                    <p>
+                      Perform the Diffie-Hellman Phase II algorithm as specified in Section 8 of [<a href="#PKCS3">PKCS #3</a>] with <var>key</var> as the DH private value
+                      <var>x</var> and the Diffie-Hellman public value represented by the <a href="#dfn-DhKeyDeriveParams-public">public</a> member of
                       <var>normalizedAlgorithm</var> as the other's public value <var>PV'</var>.
                     </p>
                     <dl class="switch">
@@ -14872,27 +14859,21 @@
                       </li>
                       <li>
                         <p>
-                          If an error occurred while parsing, 
-                              then <a href="#concept-return-an-error">return an error</a> named
-                              <a href="#dfn-DataError"><code>DataError</code></a>.
+                          If an error occurred while parsing, then <a href="#concept-return-an-error">return an error</a> named <a href="#dfn-DataError"><code>DataError</code></a>.
                         </p>
                       </li>
                       <li>
                         <p>
                           If the <code>algorithm</code> object identifier field of the
                           <code>algorithm</code> AlgorithmIdentifier field of <var>spki</var> is not
-                          equivalent to the <code>dhKeyAgreement</code> OID defined in Section 9
-                          of [<a href="#PKCS3">PKCS #3</a>], 
-                              then <a href="#concept-return-an-error">return an error</a> named
-                              <a href="#dfn-DataError"><code>DataError</code></a>.
+                          equivalent to the <code>dhKeyAgreement</code> OID defined in Section 9 of
+                          [<a href="#PKCS3">PKCS #3</a>], then <a href="#concept-return-an-error">return an error</a> named <a href="#dfn-DataError"><code>DataError</code></a>.
                         </p>
                       </li>
                       <li>
                         <p>
                           If the <code>parameters</code> field of the <code>algorithm</code>
-                          AlgorithmIdentifier field of <var>spki</var> is absent, 
-                              then <a href="#concept-return-an-error">return an error</a> named
-                              <a href="#dfn-DataError"><code>DataError</code></a>.
+                          AlgorithmIdentifier field of <var>spki</var> is absent, then <a href="#concept-return-an-error">return an error</a> named <a href="#dfn-DataError"><code>DataError</code></a>.
                         </p>
                       </li>
                       <li>
@@ -14904,10 +14885,7 @@
                       <li>
                         <p>
                           If <var>params</var> is not an instance of the <code>DHParameter</code>
-                          ASN.1 type defined in Section 9 of <a href="#PKCS3">PKCS #3</a>,
-                          
-                              then <a href="#concept-return-an-error">return an error</a> named
-                              <a href="#dfn-DataError"><code>DataError</code></a>.
+                          ASN.1 type defined in Section 9 of <a href="#PKCS3">PKCS #3</a>, then <a href="#concept-return-an-error">return an error</a> named <a href="#dfn-DataError"><code>DataError</code></a>.
                         </p>
                       </li>
                       <li>
@@ -14985,11 +14963,8 @@
                     <ol>
                       <li>
                         <p>
-                          If <var>usages</var> contains a value which is not
-                          one of <code>"deriveKey"</code> or <code>"deriveBits"</code>,
-                          
-                              then <a href="#concept-return-an-error">return an error</a> named
-                              <a href="#dfn-DataError"><code>DataError</code></a>.
+                          If <var>usages</var> contains a value which is not one of
+                          <code>"deriveKey"</code> or <code>"deriveBits"</code>, then <a href="#concept-return-an-error">return an error</a> named <a href="#dfn-DataError"><code>DataError</code></a>.
                         </p>
                       </li>
                       <li>
@@ -15001,29 +14976,23 @@
                       </li>
                       <li>
                         <p>
-                          If an error occurred while parsing, 
-                      then <a href="#concept-return-an-error">return an error</a> named
-                      <a href="#dfn-OperationError"><code>OperationError</code></a>.
+                          If an error occurred while parsing, then <a href="#concept-return-an-error">return an error</a> named <a href="#dfn-DataError"><code>DataError</code></a>.
                         </p>
                       </li>
                       <li>
                         <p>
                           If the <code>algorithm</code> object identifier field of the
                           <code>algorithm</code> AlgorithmIdentifier field of
-                          <var>privateKeyInfo</var> is not
-                          equivalent to the <code>dhKeyAgreement</code> OID defined in Section 9
-                          of [<a href="#PKCS3">PKCS #3</a>], 
-                              then <a href="#concept-return-an-error">return an error</a> named
-                              <a href="#dfn-DataError"><code>DataError</code></a>.
+                          <var>privateKeyInfo</var> is not equivalent to the
+                          <code>dhKeyAgreement</code> OID defined in Section 9 of [<a href="#PKCS3">PKCS #3</a>], then <a href="#concept-return-an-error">return
+                          an error</a> named <a href="#dfn-DataError"><code>DataError</code></a>.
                         </p>
                       </li>
                       <li>
                         <p>
                           If the <code>parameters</code> field of the
                           <code>privateKeyAlgorithm</code> PrivateKeyAlgorithmIdentifier field of
-                          <var>privateKeyInfo</var> is absent, 
-                              then <a href="#concept-return-an-error">return an error</a> named
-                              <a href="#dfn-DataError"><code>DataError</code></a>.
+                          <var>privateKeyInfo</var> is absent, then <a href="#concept-return-an-error">return an error</a> named <a href="#dfn-DataError"><code>DataError</code></a>.
                         </p>
                       </li>
                       <li>
@@ -15036,10 +15005,7 @@
                       <li>
                         <p>
                           If <var>params</var> is not an instance of the <code>DHParameter</code>
-                          ASN.1 type defined in Section 9 of <a href="#PKCS3">PKCS #3</a>,
-                          
-                              then <a href="#concept-return-an-error">return an error</a> named
-                              <a href="#dfn-DataError"><code>DataError</code></a>.
+                          ASN.1 type defined in Section 9 of <a href="#PKCS3">PKCS #3</a>, then <a href="#concept-return-an-error">return an error</a> named <a href="#dfn-DataError"><code>DataError</code></a>.
                         </p>
                       </li>
                       <li>