Bug 25094: Add a length parameter to the HmacKeyParams. This also aligns the HmacImportParams with the HmacKeyGenParams.
BREAKING CHANGE: Implementations that have already allowed HMAC keys to be imported will not have recorded the length. The length
of the keys can be derived from imported keys, since only byte-length multiples are supported. However, for keys that were
generated, if the length was not byte-aligned, this can create backwards-compat issues.
--- a/spec/Overview-WebCryptoAPI.xml Mon Jun 16 00:00:00 2014 -0700
+++ b/spec/Overview-WebCryptoAPI.xml Mon Jun 16 00:00:00 2014 -0700
@@ -13737,15 +13737,20 @@
dictionary <dfn id="dfn-HmacImportParams">HmacImportParams</dfn> : <a href="#dfn-Algorithm">Algorithm</a> {
<span class="comment">// The inner hash function to use.</span>
AlgorithmIdentifier <dfn id="dfn-HmacImportParams-hash">hash</dfn>;
+ <span class="comment">// The length (in bits) of the key.</span>
+ [EnforceRange] unsigned long <dfn id="dfn-HmacImportParams-length">length</dfn>;
};
</x:codeblock>
</div>
<div id="hmac-keyalgorithm" class="section">
<h4>HmacKeyAlgorithm interface</h4>
<x:codeblock language="idl">
+[NoInterfaceObject]
interface <dfn id="dfn-HmacKeyAlgorithm">HmacKeyAlgorithm</dfn> : <a href="#dfn-KeyAlgorithm">KeyAlgorithm</a> {
<span class="comment">// The inner hash function to use.</span>
readonly attribute KeyAlgorithm <dfn id="dfn-HmacKeyAlgorithm-hash">hash</dfn>;
+ <span class="comment">// The length (in bits) of the key.</span>
+ readonly attribute unsigned long <dfn id="dfn-HmacKeyAlgorithm-length">length</dfn>;
};
</x:codeblock>
</div>
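Review bot: the [NoInterfaceObject] annotation added to HmacKeyAlgorithm is unrelated to the new length parameter and is not mentioned in the commit message; either call it out there or move it to its own change. The IDL comment on the new HmacImportParams length member ("The length (in bits) of the key.") should also say that the member is optional and, when absent, is taken from the bit length of the imported data, which is how the import steps later in this patch treat it.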
@@ -13955,8 +13960,8 @@
<p>
If <var>usages</var> contains an entry which is not
<code>"sign"</code> or <code>"verify"</code>,
- then <a href="#concept-return-an-error">return an error</a> named
- <a href="#dfn-DataError"><code>DataError</code></a>.
+ then <a href="#concept-return-an-error">return an error</a> named
+ <a href="#dfn-DataError"><code>DataError</code></a>.
</p>
</li>
<li>
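Review bot: this hunk, and the ones at 14018, 14041, 14063, 14074, 14086, 14098, 14117, 14171 and 14181, only re-indent or join the "return an error" lines without changing any text; landing these whitespace-only edits in a separate commit would keep the normative length change easier to review and bisect.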
@@ -13975,14 +13980,6 @@
</p>
</li>
<li>
- <p>
- If the length in bits of <var>data</var> is zero
-
- then <a href="#concept-return-an-error">return an error</a> named
- <a href="#dfn-DataError"><code>DataError</code></a>.
- </p>
- </li>
- <li>
<dl class="switch">
<dt>
If the <a href="#dfn-HmacImportParams-hash">hash</a> member of
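Review bot: removing the "length in bits of data is zero" check from the raw branch is only correct because the 14206 hunk reintroduces it after the format switch; since that new position also covers keys imported from JWK, the commit message should note that zero-length JWK "oct" keys are now rejected as well, which was not the case before.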
@@ -14018,16 +14015,16 @@
<p>
If the <code>"kty"</code> field of <var>jwk</var> is not
<code>"oct"</code>,
- then <a href="#concept-return-an-error">return an error</a> named
- <a href="#dfn-DataError"><code>DataError</code></a>.
+ then <a href="#concept-return-an-error">return an error</a> named
+ <a href="#dfn-DataError"><code>DataError</code></a>.
</p>
</li>
<li>
<p>
If <var>jwk</var> does not meet the requirements of
Section 6.4 of <a href="#jwa">JSON Web Algorithms</a>,
- then <a href="#concept-return-an-error">return an error</a> named
- <a href="#dfn-DataError"><code>DataError</code></a>.
+ then <a href="#concept-return-an-error">return an error</a> named
+ <a href="#dfn-DataError"><code>DataError</code></a>.
</p>
</li>
<li>
@@ -14041,7 +14038,7 @@
<dt>
If the <a href="#dfn-HmacImportParams-hash">hash</a> member of
<var>normalizedAlgorithm</var> is present and has a
- <a href="#dfn-Algorithm-name">name</a> member:
+ <a href="#dfn-Algorithm-name">name</a> member:
</dt>
<dd>
<ol>
@@ -14063,8 +14060,8 @@
<dd>
If the <code>"alg"</code> field of <var>jwk</var> is present
and is not <code>"HS1"</code>,
- then <a href="#concept-return-an-error">return an error</a> named
- <a href="#dfn-DataError"><code>DataError</code></a>.
+ then <a href="#concept-return-an-error">return an error</a> named
+ <a href="#dfn-DataError"><code>DataError</code></a>.
</dd>
<dt>
If the <a href="#dfn-KeyAlgorithm-name">name</a> attribute of
@@ -14074,9 +14071,8 @@
<dd>
If the <code>"alg"</code> field of <var>jwk</var> is present
and is not <code>"HS256"</code>,
-
- then <a href="#concept-return-an-error">return an error</a> named
- <a href="#dfn-DataError"><code>DataError</code></a>.
+ then <a href="#concept-return-an-error">return an error</a> named
+ <a href="#dfn-DataError"><code>DataError</code></a>.
</dd>
<dt>
If the <a href="#dfn-KeyAlgorithm-name">name</a> attribute of
@@ -14086,9 +14082,8 @@
<dd>
If the <code>"alg"</code> field of <var>jwk</var> is present
and is not <code>"HS384"</code>,
-
- then <a href="#concept-return-an-error">return an error</a> named
- <a href="#dfn-DataError"><code>DataError</code></a>.
+ then <a href="#concept-return-an-error">return an error</a> named
+ <a href="#dfn-DataError"><code>DataError</code></a>.
</dd>
<dt>
If the <a href="#dfn-KeyAlgorithm-name">name</a> attribute of
@@ -14098,9 +14093,8 @@
<dd>
If the <code>"alg"</code> field of <var>jwk</var> is present
and is not <code>"HS512"</code>,
-
- then <a href="#concept-return-an-error">return an error</a> named
- <a href="#dfn-DataError"><code>DataError</code></a>.
+ then <a href="#concept-return-an-error">return an error</a> named
+ <a href="#dfn-DataError"><code>DataError</code></a>.
</dd>
<dt>Otherwise:</dt>
<dd>
@@ -14117,9 +14111,8 @@
<li>
<p>
If the <code>alg</code> field of <var>jwk</var> is not present,
-
- then <a href="#concept-return-an-error">return an error</a> named
- <a href="#dfn-DataError"><code>DataError</code></a>.
+ then <a href="#concept-return-an-error">return an error</a> named
+ <a href="#dfn-DataError"><code>DataError</code></a>.
</p>
</li>
<li>
@@ -14171,8 +14164,8 @@
<p>
If the <code>"use"</code> field of <var>jwk</var> is present, and is
not <code>"sign"</code>,
- then <a href="#concept-return-an-error">return an error</a> named
- <a href="#dfn-DataError"><code>DataError</code></a>.
+ then <a href="#concept-return-an-error">return an error</a> named
+ <a href="#dfn-DataError"><code>DataError</code></a>.
</p>
</li>
<li>
@@ -14181,18 +14174,16 @@
is invalid according to the requirements of
<a href="#jwk">JSON Web Key</a> or
does not contain all of the specified <var>usages</var> values,
-
- then <a href="#concept-return-an-error">return an error</a> named
- <a href="#dfn-DataError"><code>DataError</code></a>.
+ then <a href="#concept-return-an-error">return an error</a> named
+ <a href="#dfn-DataError"><code>DataError</code></a>.
</p>
</li>
<li>
<p>
If the <code>"ext"</code> field of <var>jwk</var> is present and
has the value false and <var>extractable</var> is true,
-
- then <a href="#concept-return-an-error">return an error</a> named
- <a href="#dfn-DataError"><code>DataError</code></a>.
+ then <a href="#concept-return-an-error">return an error</a> named
+ <a href="#dfn-DataError"><code>DataError</code></a>.
</p>
</li>
</ol>
@@ -14206,8 +14197,58 @@
</li>
<li>
<p>
+ Let <var>length</var> be equivalent to the length, in octets, of
+ <var>data</var>, multiplied by 8.
+ </p>
+ </li>
+ <li>
+ <p>
+ If <var>length</var> is zero
+ then <a href="#concept-return-an-error">return an error</a> named
+ <a href="#dfn-DataError"><code>DataError</code></a>.
+ </p>
+ </li>
+ <li>
+ <dl class="switch">
+ <dt>
+ If the <a href="#dfn-HmacImportParams-length">length</a> member of
+ <var>normalizedAlgorithm</var> is present:
+ </dt>
+ <dd>
+ <dl class="switch">
+ <dt>
+ If the <a href="#dfn-HmacImportParams-length">length</a> member of
+ <var>normalizedAlgorithm</var> is greater than <var>length</var>:
+ </dt>
+ <dd>
+ <a href="#concept-return-an-error">Return an error</a> named
+ <a href="#dfn-DataError"><code>DataError</code></a>.
+ </dd>
+ <dt>
+ If the <a href="#dfn-HmacImportParams-length">length</a> member of
+ <var>normalizedAlgorithm</var>, is less than or equal to
+ <var>length</var> minus eight:
+ </dt>
+ <dd>
+ <a href="#concept-return-an-error">Return an error</a> named
+ <a href="#dfn-DataError"><code>DataError</code></a>.
+ </dd>
+ <dt>
+ Otherwise:
+ </dt>
+ <dd>
+ Set <var>length</var> equal to the <a href="#dfn-HmacImportParams-length">
+ length</a> member of <var>normalizedAlgorithm</var>.
+ </dd>
+ </dl>
+ </dd>
+ </dl>
+ </li>
+ <li>
+ <p>
Let <var>key</var> be a new <code><a href="#dfn-Key">Key</a></code>
- object representing an HMAC key with value <var>data</var>.
+ object representing an HMAC key with the first <var>length</var>
+ bits of <var>data</var>.
</p>
</li>
<li>
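Review bot: the two rejection conditions ("greater than length" and "less than or equal to length minus eight") admit a requested length that is up to seven bits shorter than the data, but the later step "an HMAC key with the first length bits of data" never says what happens to the leftover bits of the final octet (discarded, required to be zero, or preserved for export); please state it explicitly, since the commit message itself flags non-byte-aligned lengths as a compatibility hazard. Consider folding the two conditions into a single sentence, for example "If the length member of normalizedAlgorithm is greater than length, or less than or equal to length minus eight, return an error named DataError", and drop the stray comma in "normalizedAlgorithm, is less than or equal to".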
@@ -14224,6 +14265,12 @@
</li>
<li>
<p>
+ Set the <a href="#dfn-HmacKeyAlgorithm-length">length</a> attribute of
+ <var>algorithm</var> to <var>length</var>.
+ </p>
+ </li>
+ <li>
+ <p>
Set the <a href="#dfn-HmacKeyAlgorithm-hash">hash</a> attribute of
<var>algorithm</var> to <var>hash</var>.
</p>
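Review bot: within this diff only the import path sets the new HmacKeyAlgorithm length attribute; since the commit message says the parameter is meant to align with HmacKeyGenParams, the generateKey steps should populate the same attribute from the generation parameters, otherwise keys produced by the two paths will expose different algorithm dictionaries.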
--- a/spec/Overview.html Mon Jun 16 00:00:00 2014 -0700
+++ b/spec/Overview.html Mon Jun 16 00:00:00 2014 -0700
@@ -13567,15 +13567,20 @@
dictionary <dfn id="dfn-HmacImportParams">HmacImportParams</dfn> : <a href="#dfn-Algorithm">Algorithm</a> {
<span class="comment">// The inner hash function to use.</span>
AlgorithmIdentifier <dfn id="dfn-HmacImportParams-hash">hash</dfn>;
+ <span class="comment">// The length (in bits) of the key.</span>
+ [EnforceRange] unsigned long <dfn id="dfn-HmacImportParams-length">length</dfn>;
};
</code></pre></div></div>
</div>
<div id="hmac-keyalgorithm" class="section">
<h4>18.16.4. HmacKeyAlgorithm interface</h4>
<div class="block"><div class="blockTitleDiv"><span class="blockTitle">IDL</span></div><div class="blockContent"><pre class="code"><code class="idl-code">
+[NoInterfaceObject]
interface <dfn id="dfn-HmacKeyAlgorithm">HmacKeyAlgorithm</dfn> : <a href="#dfn-KeyAlgorithm">KeyAlgorithm</a> {
<span class="comment">// The inner hash function to use.</span>
readonly attribute KeyAlgorithm <dfn id="dfn-HmacKeyAlgorithm-hash">hash</dfn>;
+ <span class="comment">// The length (in bits) of the key.</span>
+ readonly attribute unsigned long <dfn id="dfn-HmacKeyAlgorithm-length">length</dfn>;
};
</code></pre></div></div>
</div>
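Review bot: the Overview.html hunks mirror the Overview-WebCryptoAPI.xml change hunk-for-hunk, including the [NoInterfaceObject] addition and the numbered heading "18.16.4.", which indicates generated output; confirm the HTML was regenerated from the XML rather than edited by hand so the two files cannot drift, and the same review points raised on the XML hunks apply here.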
@@ -13785,8 +13790,8 @@
<p>
If <var>usages</var> contains an entry which is not
<code>"sign"</code> or <code>"verify"</code>,
- then <a href="#concept-return-an-error">return an error</a> named
- <a href="#dfn-DataError"><code>DataError</code></a>.
+ then <a href="#concept-return-an-error">return an error</a> named
+ <a href="#dfn-DataError"><code>DataError</code></a>.
</p>
</li>
<li>
@@ -13805,14 +13810,6 @@
</p>
</li>
<li>
- <p>
- If the length in bits of <var>data</var> is zero
-
- then <a href="#concept-return-an-error">return an error</a> named
- <a href="#dfn-DataError"><code>DataError</code></a>.
- </p>
- </li>
- <li>
<dl class="switch">
<dt>
If the <a href="#dfn-HmacImportParams-hash">hash</a> member of
@@ -13848,16 +13845,16 @@
<p>
If the <code>"kty"</code> field of <var>jwk</var> is not
<code>"oct"</code>,
- then <a href="#concept-return-an-error">return an error</a> named
- <a href="#dfn-DataError"><code>DataError</code></a>.
+ then <a href="#concept-return-an-error">return an error</a> named
+ <a href="#dfn-DataError"><code>DataError</code></a>.
</p>
</li>
<li>
<p>
If <var>jwk</var> does not meet the requirements of
Section 6.4 of <a href="#jwa">JSON Web Algorithms</a>,
- then <a href="#concept-return-an-error">return an error</a> named
- <a href="#dfn-DataError"><code>DataError</code></a>.
+ then <a href="#concept-return-an-error">return an error</a> named
+ <a href="#dfn-DataError"><code>DataError</code></a>.
</p>
</li>
<li>
@@ -13871,7 +13868,7 @@
<dt>
If the <a href="#dfn-HmacImportParams-hash">hash</a> member of
<var>normalizedAlgorithm</var> is present and has a
- <a href="#dfn-Algorithm-name">name</a> member:
+ <a href="#dfn-Algorithm-name">name</a> member:
</dt>
<dd>
<ol>
@@ -13893,8 +13890,8 @@
<dd>
If the <code>"alg"</code> field of <var>jwk</var> is present
and is not <code>"HS1"</code>,
- then <a href="#concept-return-an-error">return an error</a> named
- <a href="#dfn-DataError"><code>DataError</code></a>.
+ then <a href="#concept-return-an-error">return an error</a> named
+ <a href="#dfn-DataError"><code>DataError</code></a>.
</dd>
<dt>
If the <a href="#dfn-KeyAlgorithm-name">name</a> attribute of
@@ -13904,9 +13901,8 @@
<dd>
If the <code>"alg"</code> field of <var>jwk</var> is present
and is not <code>"HS256"</code>,
-
- then <a href="#concept-return-an-error">return an error</a> named
- <a href="#dfn-DataError"><code>DataError</code></a>.
+ then <a href="#concept-return-an-error">return an error</a> named
+ <a href="#dfn-DataError"><code>DataError</code></a>.
</dd>
<dt>
If the <a href="#dfn-KeyAlgorithm-name">name</a> attribute of
@@ -13916,9 +13912,8 @@
<dd>
If the <code>"alg"</code> field of <var>jwk</var> is present
and is not <code>"HS384"</code>,
-
- then <a href="#concept-return-an-error">return an error</a> named
- <a href="#dfn-DataError"><code>DataError</code></a>.
+ then <a href="#concept-return-an-error">return an error</a> named
+ <a href="#dfn-DataError"><code>DataError</code></a>.
</dd>
<dt>
If the <a href="#dfn-KeyAlgorithm-name">name</a> attribute of
@@ -13928,9 +13923,8 @@
<dd>
If the <code>"alg"</code> field of <var>jwk</var> is present
and is not <code>"HS512"</code>,
-
- then <a href="#concept-return-an-error">return an error</a> named
- <a href="#dfn-DataError"><code>DataError</code></a>.
+ then <a href="#concept-return-an-error">return an error</a> named
+ <a href="#dfn-DataError"><code>DataError</code></a>.
</dd>
<dt>Otherwise:</dt>
<dd>
@@ -13947,9 +13941,8 @@
<li>
<p>
If the <code>alg</code> field of <var>jwk</var> is not present,
-
- then <a href="#concept-return-an-error">return an error</a> named
- <a href="#dfn-DataError"><code>DataError</code></a>.
+ then <a href="#concept-return-an-error">return an error</a> named
+ <a href="#dfn-DataError"><code>DataError</code></a>.
</p>
</li>
<li>
@@ -14001,8 +13994,8 @@
<p>
If the <code>"use"</code> field of <var>jwk</var> is present, and is
not <code>"sign"</code>,
- then <a href="#concept-return-an-error">return an error</a> named
- <a href="#dfn-DataError"><code>DataError</code></a>.
+ then <a href="#concept-return-an-error">return an error</a> named
+ <a href="#dfn-DataError"><code>DataError</code></a>.
</p>
</li>
<li>
@@ -14011,18 +14004,16 @@
is invalid according to the requirements of
<a href="#jwk">JSON Web Key</a> or
does not contain all of the specified <var>usages</var> values,
-
- then <a href="#concept-return-an-error">return an error</a> named
- <a href="#dfn-DataError"><code>DataError</code></a>.
+ then <a href="#concept-return-an-error">return an error</a> named
+ <a href="#dfn-DataError"><code>DataError</code></a>.
</p>
</li>
<li>
<p>
If the <code>"ext"</code> field of <var>jwk</var> is present and
has the value false and <var>extractable</var> is true,
-
- then <a href="#concept-return-an-error">return an error</a> named
- <a href="#dfn-DataError"><code>DataError</code></a>.
+ then <a href="#concept-return-an-error">return an error</a> named
+ <a href="#dfn-DataError"><code>DataError</code></a>.
</p>
</li>
</ol>
@@ -14036,8 +14027,58 @@
</li>
<li>
<p>
+ Let <var>length</var> be equivalent to the length, in octets, of
+ <var>data</var>, multiplied by 8.
+ </p>
+ </li>
+ <li>
+ <p>
+ If <var>length</var> is zero
+ then <a href="#concept-return-an-error">return an error</a> named
+ <a href="#dfn-DataError"><code>DataError</code></a>.
+ </p>
+ </li>
+ <li>
+ <dl class="switch">
+ <dt>
+ If the <a href="#dfn-HmacImportParams-length">length</a> member of
+ <var>normalizedAlgorithm</var> is present:
+ </dt>
+ <dd>
+ <dl class="switch">
+ <dt>
+ If the <a href="#dfn-HmacImportParams-length">length</a> member of
+ <var>normalizedAlgorithm</var> is greater than <var>length</var>:
+ </dt>
+ <dd>
+ <a href="#concept-return-an-error">Return an error</a> named
+ <a href="#dfn-DataError"><code>DataError</code></a>.
+ </dd>
+ <dt>
+ If the <a href="#dfn-HmacImportParams-length">length</a> member of
+ <var>normalizedAlgorithm</var>, is less than or equal to
+ <var>length</var> minus eight:
+ </dt>
+ <dd>
+ <a href="#concept-return-an-error">Return an error</a> named
+ <a href="#dfn-DataError"><code>DataError</code></a>.
+ </dd>
+ <dt>
+ Otherwise:
+ </dt>
+ <dd>
+ Set <var>length</var> equal to the <a href="#dfn-HmacImportParams-length">
+ length</a> member of <var>normalizedAlgorithm</var>.
+ </dd>
+ </dl>
+ </dd>
+ </dl>
+ </li>
+ <li>
+ <p>
Let <var>key</var> be a new <code><a href="#dfn-Key">Key</a></code>
- object representing an HMAC key with value <var>data</var>.
+ object representing an HMAC key with the first <var>length</var>
+ bits of <var>data</var>.
</p>
</li>
<li>
@@ -14054,6 +14095,12 @@
</li>
<li>
<p>
+ Set the <a href="#dfn-HmacKeyAlgorithm-length">length</a> attribute of
+ <var>algorithm</var> to <var>length</var>.
+ </p>
+ </li>
+ <li>
+ <p>
Set the <a href="#dfn-HmacKeyAlgorithm-hash">hash</a> attribute of
<var>algorithm</var> to <var>hash</var>.
</p>