Provide for extension of RSA-OAEP for additional hash algorithms
authorMark Watson <watsonm@netflix.com>
Thu, 11 Sep 2014 09:52:54 -0700
changeset 205 93a00e50f184
parent 204 ee10c81e1141
child 206 9bbed12284ea
Provide for extension of RSA-OAEP for additional hash algorithms
spec/Overview-WebCryptoAPI.xml
spec/Overview.html
--- a/spec/Overview-WebCryptoAPI.xml	Mon Jun 16 00:00:00 2014 -0700
+++ b/spec/Overview-WebCryptoAPI.xml	Thu Sep 11 09:52:54 2014 -0700
@@ -324,6 +324,30 @@
           <a href="#case-sensitive">case-sensitive</a> manner. String literals in this specification
            written in monospace font like <code>"this"</code> do not include the enclosing quotes.
         </p>
+        <div id='extensibility' class='section'>
+          <h3>Extensibility</h3>
+          <p>
+            Vendor-specific proprietary extensions to this specification are strongly discouraged.
+            Authors must not use such extensions, as doing so reduces interoperability and fragments 
+            the user base, allowing only users of specific user agents to access the content in 
+            question.
+          </p>
+          <p>
+            If vendor-specific extensions are needed, the members should be prefixed by 
+            vendor-specific strings to prevent clashes with future versions of this specification. 
+            Extensions must be defined so that the use of extensions neither contradicts nor causes 
+            the non-conformance of functionality defined in the specification.
+          </p>
+          <p>
+            When vendor-neutral extensions to this specification are needed, either this 
+            specification can be updated accordingly, or an extension specification can be written 
+            that overrides the requirements in this specification. When someone applying this 
+            specification to their activities decides that they will recognize the requirements of 
+            such an extension specification, it becomes an
+            <dfn id='dfn-applicable-specification'>applicable specification</dfn> for the purposes 
+            of conformance requirements in this specification.
+          </p>
+        </div>
       </div>
 
       <div id='scope' class='section'>
@@ -6086,9 +6110,17 @@
           <p>
             The <code>"RSA-OAEP"</code> algorithm identifier is used to perform encryption
             and decryption ordering to the RSAES-OAEP algorithm specified in
-            [<cite><a href="#RFC3447">RFC3447</a></cite>], using the mask
+            [<cite><a href="#RFC3447">RFC3447</a></cite>], using the SHA hash functions defined
+            in this specification and using the mask
             generation function MGF1.
           </p>
+          <p>
+            <a href="#dfn-applicable-specification">Other specifications</a>
+            may specify the use of additional hash algorithms with RSAES-OAEP. Such specifications
+            must define
+            <dfn id="dfn-rsa-extended-import-steps">key import steps</dfn> and
+            <dfn id="dfn-rsa-extended-export-steps">key export steps</dfn>.
+          </p>
         </div>
         <div id="rsa-oaep-registration" class="section">
           <h4>Registration</h4>
@@ -6398,6 +6430,34 @@
                   <p>Let <var>keyData</var> be the key data to be imported.</p>
                 </li>
                 <li>
+                  <p>
+                    Perform any <a href="#dfn-rsa-oaep-extended-key-import-steps">key import steps</a>
+                    defined by <a href="#dfn-applicable-specifications">other applicable
+                    specifications</a>, passing <var>keyData</var> and obtaining <var>result</var>.
+                    <dl class="switch">
+                      <dt>
+                        If <var>result</var> is a <a href="#dfn-CryptoKey">CryptoKey</a>
+                        object
+                      </dt>
+                      <dd>
+                        <p>
+                          Return <var>result</var>.
+                        </p>
+                      </dd>
+                      <dt>
+                        If <var>result</var> is an error with a name that is not
+                        <a href="#dfn-NotSupportedError"><code>NotSupportedError</code></a>
+                      </dt>
+                      <dd>
+                        <p>
+                          <a href="#concept-return-an-error">Return an error</a> with the same name
+                          as <var>result</var>.
+                        </p>
+                      </dd>
+                    </dl>
+                  </p>
+                </li>
+                <li>
                   <dl class="switch">
                     <dt>If <var>format</var> is <code>"spki"</code>:</dt>
                     <dd>
@@ -6874,8 +6934,10 @@
                             <dd>Let <var>hash</var> be the string <code>"SHA-512"</code>.</dd>
                             <dt>Otherwise:</dt>
                             <dd>
-                              <a href="#concept-return-an-error">return an error</a> named
-                              <a href="#dfn-DataError"><code>DataError</code></a>.
+                              <p>
+                                <a href="#concept-return-an-error">Return an error</a> named
+                                <a href="#dfn-DataError"><code>DataError</code></a>.
+                              </p>
                             </dd>
                           </dl>
                         </li>
@@ -7020,6 +7082,45 @@
                   </p>
                 </li>
                 <li>
+                  <p>
+                    Perform any <a href="#dfn-rsa-oaep-extended-key-export-steps">key export steps</a>
+                    defined by <a href="#dfn-applicable-specifications">other applicable
+                    specifications</a>, passing <var>key</var> and obtaining <var>result</var>.
+                    <dl class="switch">
+                      <dt>
+                        If <var>format</var> is <code>"spki"</code> or <code>"pkcs8"</code> and
+                        <var>result</var> is an <a href="#dfn-ArrayBuffer">ArrayBuffer</a>
+                        object
+                      </dt>
+                      <dd>
+                        <p>
+                          Return <var>result</var>.
+                        </p>
+                      </dd>
+                      <dt>
+                        If <var>format</var> is <code>"jwk"</code> and
+                        <var>result</var> is not an error
+                      </dt>
+                      <dd>
+                        <p>
+                          Return <var>result</var>.
+                        </p>
+                      </dd>
+                      <dt>
+                        If <var>result</var> is an error with a name that is not
+                        <a href="#dfn-NotSupportedError"><code>NotSupportedError</code></a>
+                      </dt>
+                      <dd>
+                        <p>
+                          <a href="#concept-return-an-error">Return an error</a> with the same name
+                          as <var>result</var>.
+                        </p>
+                      </dd>
+                    </dl>
+                  </p>
+                </li>
+
+                <li>
                   <dl class="switch">
                     <dt>If <var>format</var> is <code>"spki"</code></dt>
                     <dd>
--- a/spec/Overview.html	Mon Jun 16 00:00:00 2014 -0700
+++ b/spec/Overview.html	Thu Sep 11 09:52:54 2014 -0700
@@ -28,7 +28,7 @@
   <link rel="stylesheet" href="//www.w3.org/StyleSheets/TR/W3C-ED" type="text/css" /></head>
 
   <body>
-    <div class="head"><div><a href="http://www.w3.org/"><img src="//www.w3.org/Icons/w3c_home" width="72" height="48" alt="W3C" /></a></div><h1>Web Cryptography API</h1><h2>W3C Editor’s Draft <em>16 June 2014</em></h2><dl><dt>Latest Editor’s Draft:</dt><dd><a href="http://dvcs.w3.org/hg/webcrypto-api/raw-file/tip/spec/Overview.html">http://dvcs.w3.org/hg/webcrypto-api/raw-file/tip/spec/Overview.html</a></dd><dt>Latest Published Version:</dt><dd><a href="http://www.w3.org/TR/WebCryptoAPI/">http://www.w3.org/TR/WebCryptoAPI/</a></dd><dt>Previous Version(s):</dt><dd><a href="https://dvcs.w3.org/hg/webcrypto-api/raw-file/0fe9b34c13fb/spec/Overview.html">https://dvcs.w3.org/hg/webcrypto-api/raw-file/0fe9b34c13fb/spec/Overview.html</a></dd><dt>Editors:</dt><dd><a href="http://www.google.com/">Ryan Sleevi</a>, Google, Inc. &lt;[email protected]&gt;</dd><dd><a href="http://www.netflix.com/">Mark Watson</a>, Netflix &lt;[email protected]&gt;</dd><dt>Participate:</dt><dd><p>Send feedback to <a href="mailto:[email protected]?subject=%5BWebCryptoAPI%5D">[email protected]</a> (<a href="http://lists.w3.org/Archives/Public/public-webcrypto/">archives</a>), or <a href="https://www.w3.org/Bugs/Public/enter_bug.cgi?product=Web%20Cryptography&amp;component=Web%20Cryptography%20API%20Document">file a bug</a> 
+    <div class="head"><div><a href="http://www.w3.org/"><img src="//www.w3.org/Icons/w3c_home" width="72" height="48" alt="W3C" /></a></div><h1>Web Cryptography API</h1><h2>W3C Editor’s Draft <em>11 September 2014</em></h2><dl><dt>Latest Editor’s Draft:</dt><dd><a href="http://dvcs.w3.org/hg/webcrypto-api/raw-file/tip/spec/Overview.html">http://dvcs.w3.org/hg/webcrypto-api/raw-file/tip/spec/Overview.html</a></dd><dt>Latest Published Version:</dt><dd><a href="http://www.w3.org/TR/WebCryptoAPI/">http://www.w3.org/TR/WebCryptoAPI/</a></dd><dt>Previous Version(s):</dt><dd><a href="https://dvcs.w3.org/hg/webcrypto-api/raw-file/0fe9b34c13fb/spec/Overview.html">https://dvcs.w3.org/hg/webcrypto-api/raw-file/0fe9b34c13fb/spec/Overview.html</a></dd><dt>Editors:</dt><dd><a href="http://www.google.com/">Ryan Sleevi</a>, Google, Inc. &lt;[email protected]&gt;</dd><dd><a href="http://www.netflix.com/">Mark Watson</a>, Netflix &lt;[email protected]&gt;</dd><dt>Participate:</dt><dd><p>Send feedback to <a href="mailto:[email protected]?subject=%5BWebCryptoAPI%5D">[email protected]</a> (<a href="http://lists.w3.org/Archives/Public/public-webcrypto/">archives</a>), or <a href="https://www.w3.org/Bugs/Public/enter_bug.cgi?product=Web%20Cryptography&amp;component=Web%20Cryptography%20API%20Document">file a bug</a> 
     (see <a href="https://www.w3.org/Bugs/Public/buglist.cgi?product=Web%20Cryptography&amp;component=Web%20Cryptography%20API%20Document&amp;resolution=---">existing bugs</a>).</p></dd></dl><p class="copyright"><a href="http://www.w3.org/Consortium/Legal/ipr-notice#Copyright">Copyright</a> &copy; view <a href="http://www.w3.org/"><abbr title="World Wide Web Consortium">W3C</abbr></a><sup>&reg;</sup> (<a href="http://www.csail.mit.edu/"><abbr title="Massachusetts Institute of Technology">MIT</abbr></a>, <a href="http://www.ercim.org/"><abbr title="European Research Consortium for Informatics and Mathematics">ERCIM</abbr></a>, <a href="http://www.keio.ac.jp/">Keio</a>), All Rights Reserved. W3C <a href="http://www.w3.org/Consortium/Legal/ipr-notice#Legal_Disclaimer">liability</a>, <a href="http://www.w3.org/Consortium/Legal/ipr-notice#W3C_Trademarks">trademark</a> and <a href="http://www.w3.org/Consortium/Legal/copyright-documents">document use</a> rules apply.</p></div><hr />
 
     <div class="section">
@@ -56,7 +56,7 @@
         report can be found in the <a href="http://www.w3.org/TR/">W3C technical
           reports index</a> at http://www.w3.org/TR/.
       </em></p><p>
-        This document is the 16 June 2014 <b>Editor’s Draft</b> of the
+        This document is the 11 September 2014 <b>Editor’s Draft</b> of the
         <cite>Web Cryptography API</cite> specification.
       
       Please send comments about this document to
@@ -134,7 +134,7 @@
 
     <div id="toc">
       <h2>Table of Contents</h2>
-      <div class="toc"><ul><li><a href="#introduction">1. Introduction</a></li><li><a href="#use-cases">2. Use Cases</a><ul><li><a href="#multifactor-authentication">2.1. Multi-factor Authentication</a></li><li><a href="#protected-document">2.2. Protected Document Exchange</a></li><li><a href="#cloud-storage">2.3. Cloud Storage</a></li><li><a href="#document-signing">2.4. Document Signing</a></li><li><a href="#data-integrity-protection">2.5. Data Integrity Protection</a></li><li><a href="#secure-messaging">2.6. Secure Messaging</a></li><li><a href="#jose">2.7. Javascript Object Signing and Encryption (JOSE)</a></li></ul></li><li><a href="#conformance">3. Conformance</a></li><li><a href="#scope">4. Scope</a><ul><li><a href="#scope-abstraction">4.1. Level of abstraction</a></li><li><a href="#scope-algorithms">4.2. Cryptographic algorithms</a></li><li><a href="#scope-operations">4.3. Operations</a></li><li><a href="#scope-out-of-scope">4.4. Out of scope</a></li></ul></li><li><a href="#concepts">5. Concepts</a><ul><li><a href="#concepts-underlying-implementation">5.1. Underlying Cryptographic Implementation</a></li><li><a href="#concepts-key-storage">5.2. Key Storage</a></li></ul></li><li><a href="#security">6. Security considerations</a><ul><li><a href="#security-implementers">6.1. Security considerations for implementers</a></li><li><a href="#security-developers">6.2. Security considerations for authors</a></li><li><a href="#security-users">6.3. Security considerations for users</a></li></ul></li><li><a href="#privacy">7. Privacy considerations</a></li><li><a href="#dependencies">8. Dependencies</a></li><li><a href="#terminology">9. Terminology</a></li><li><a href="#RandomSource-interface">10. RandomSource interface</a><ul><li><a href="#RandomSource-description">10.1. Description</a></li><li><a href="#RandomSource-interface-methods">10.2. Methods and Parameters</a><ul><li><a href="#RandomSource-method-getRandomValues">10.2.1. The getRandomValues method</a></li></ul></li></ul></li><li><a href="#algorithm-dictionary">11. Algorithm dictionary</a><ul><li><a href="#algorithm-dictionary-members">11.1. Algorithm Dictionary Members</a></li></ul></li><li><a href="#key-algorithm-dictionary">12. KeyAlgorithm dictionary</a><ul><li><a href="#key-algorithm-dictionary-description">12.1. Description</a></li><li><a href="#key-algorithm-dictionary-members">12.2. KeyAlgorithm dictionary members</a></li></ul></li><li><a href="#cryptokey-interface">13. CryptoKey interface</a><ul><li><a href="#cryptokey-interface-description">13.1. Description</a></li><li><a href="#cryptokey-interface-types">13.2. Key interface data types</a></li><li><a href="#cryptokey-interface-internal-slots">13.3. CryptoKey internal slots</a></li><li><a href="#cryptokey-interface-members">13.4. CryptoKey interface members</a></li><li><a href="#cryptokey-interface-clone">13.5. Structured clone algorithm</a></li></ul></li><li><a href="#crypto-interface">14. Crypto interface</a></li><li><a href="#subtlecrypto-interface">15. SubtleCrypto interface</a><ul><li><a href="#subtlecrypto-interface-description">15.1. Description</a></li><li><a href="#subtlecrypto-interface-datatypes">15.2. Data Types</a></li><li><a href="#subtlecrypto-interface-methods">15.3. Methods and Parameters</a><ul><li><a href="#SubtleCrypto-method-encrypt">15.3.1. The encrypt method</a></li><li><a href="#SubtleCrypto-method-decrypt">15.3.2. The decrypt method</a></li><li><a href="#SubtleCrypto-method-sign">15.3.3. The sign method</a></li><li><a href="#SubtleCrypto-method-verify">15.3.4. The verify method</a></li><li><a href="#SubtleCrypto-method-digest">15.3.5. The digest method</a></li><li><a href="#SubtleCrypto-method-generateKey">15.3.6. The generateKey method</a></li><li><a href="#SubtleCrypto-method-deriveKey">15.3.7. The deriveKey method</a></li><li><a href="#SubtleCrypto-method-deriveBits">15.3.8. The deriveBits method</a></li><li><a href="#SubtleCrypto-method-importKey">15.3.9. The importKey method</a></li><li><a href="#SubtleCrypto-method-exportKey">15.3.10. The exportKey method</a></li><li><a href="#SubtleCrypto-method-wrapKey">15.3.11. The wrapKey method</a></li><li><a href="#SubtleCrypto-method-unwrapKey">15.3.12. The unwrapKey method</a></li></ul></li><li><a href="#SubtleCrypto-Exceptions">15.4. Exceptions</a></li></ul></li><li><a href="#JsonWebKey-dictionary">16. JsonWebKey dictionary</a></li><li><a href="#WorkerCrypto-interface">17. WorkerCrypto interface</a><ul><li><a href="#WorkerCrypto-description">17.1. Description</a></li></ul></li><li><a href="#big-integer">18. BigInteger</a></li><li><a href="#keypair">19. CryptoKeyPair dictionary</a></li><li><a href="#algorithms">20. Algorithms</a><ul><li><a href="#algorithm-overview">20.1. Overview</a></li><li><a href="#algorithm-concepts">20.2. Concepts</a><ul><li><a href="#algorithm-concepts-naming">20.2.1. Naming</a></li><li><a href="#algorithm-concepts-operations">20.2.2. Supported Operations</a></li><li><a href="#algorithm-concepts-normalization">20.2.3. Normalization</a></li></ul></li><li><a href="#algorithm-conventions">20.3. Specification Conventions</a></li><li><a href="#algorithm-normalizing">20.4. Algorithm Normalization</a><ul><li><a href="#algorithm-normalizing-description">20.4.1. Description</a></li><li><a href="#algorithm-normalizing-internal">20.4.2. Internal State Objects</a></li><li><a href="#algorithm-normalizing-define-an-algorithm">20.4.3. Defining an Algorithm</a></li><li><a href="#algorithm-normalizing-define-an-alias">20.4.4. Defining an Alias</a></li><li><a href="#algorithm-normalizing-normalize-an-algorithm">20.4.5. Normalizing an algorithm</a></li></ul></li><li><a href="#algorithm-recommendations">20.5. Recommendations</a><ul><li><a href="#algorithm-recommendations-authors">20.5.1. For Authors</a></li><li><a href="#algorithm-recommendations-implementers">20.5.2. For Implementers</a></li></ul></li></ul></li><li><a href="#algorithm-overview">21. Algorithm Overview</a></li><li><a href="#rsassa-pkcs1">22. RSASSA-PKCS1-v1_5</a><ul><li><a href="#rsassa-pkcs1-description">22.1. Description</a></li><li><a href="#rsassa-pkcs1-registration">22.2. Registration</a></li><li><a href="#RsaHashedKeyGenParams-dictionary">22.3. RsaHashedKeyGenParams dictionary</a></li><li><a href="#RsaHashedKeyAlgorithm-dictionary">22.4. RsaHashedKeyAlgorithm dictionary</a></li><li><a href="#RsaHashedImportParams-dictionary">22.5. RsaHashedImportParams dictionary</a></li><li><a href="#rsassa-pkcs1-operations">22.6. Operations</a></li></ul></li><li><a href="#rsa-pss">23. RSA-PSS</a><ul><li><a href="#rsa-pss-description">23.1. Description</a></li><li><a href="#rsa-pss-registration">23.2. Registration</a></li><li><a href="#RsaPssParams-dictionary">23.3. RsaPssParams dictionary</a></li><li><a href="#rsa-pss-operations">23.4. Operations</a></li></ul></li><li><a href="#rsa-oaep">24. RSA-OAEP</a><ul><li><a href="#rsa-oaep-description">24.1. Description</a></li><li><a href="#rsa-oaep-registration">24.2. Registration</a></li><li><a href="#rsa-oaep-params">24.3. RsaOaepParams dictionary</a></li><li><a href="#rsa-oaep-operations">24.4. Operations</a></li></ul></li><li><a href="#ecdsa">25. ECDSA</a><ul><li><a href="#ecdsa-description">25.1. Description</a></li><li><a href="#ecdsa-registration">25.2. Registration</a></li><li><a href="#EcdsaParams-dictionary">25.3. EcdsaParams dictionary</a></li><li><a href="#EcKeyGenParams-dictionary">25.4. EcKeyGenParams dictionary</a></li><li><a href="#EcKeyAlgorithm-dictionary">25.5. EcKeyAlgorithm dictionary</a></li><li><a href="#EcKeyImportParams-dictionary">25.6. EcKeyImportParams dictionary</a></li><li><a href="#ecdsa-operations">25.7. Operations</a></li></ul></li><li><a href="#ecdh">26. ECDH</a><ul><li><a href="#ecdh-description">26.1. Description</a></li><li><a href="#ecdh-registration">26.2. Registration</a></li><li><a href="#dh-EcdhKeyDeriveParams">26.3. EcdhKeyDeriveParams dictionary</a></li><li><a href="#ecdh-operations">26.4. Operations</a></li></ul></li><li><a href="#aes-ctr">27. AES-CTR</a><ul><li><a href="#aes-ctr-description">27.1. Description</a></li><li><a href="#aes-ctr-registration">27.2. Registration</a></li><li><a href="#aes-ctr-params">27.3. AesCtrParams dictionary</a></li><li><a href="#AesKeyAlgorithm-dictionary">27.4. </a></li><li><a href="#aes-keygen-params">27.5. AesKeyGenParams dictionary</a></li><li><a href="#aes-derivedkey-params">27.6. AesDerivedKeyParams dictionary</a></li><li><a href="#aes-ctr-operations">27.7. Operations</a></li></ul></li><li><a href="#aes-cbc">28. AES-CBC</a><ul><li><a href="#aes-cbc-description">28.1. Description</a></li><li><a href="#aes-cbc-registration">28.2. Registration</a></li><li><a href="#aes-cbc-params">28.3. AesCbcParams dictionary</a></li><li><a href="#aes-cbc-operations">28.4. Operations</a></li></ul></li><li><a href="#aes-cmac">29. AES-CMAC</a><ul><li><a href="#aes-cmac-description">29.1. Description</a></li><li><a href="#aes-cmac-registration">29.2. Registration</a></li><li><a href="#aes-cmac-params">29.3. AesCmacParams dictionary</a></li><li><a href="#aes-cmac-operations">29.4. Operations</a></li></ul></li><li><a href="#aes-gcm">30. AES-GCM</a><ul><li><a href="#aes-gcm-description">30.1. Description</a></li><li><a href="#aes-gcm-registration">30.2. Registration</a></li><li><a href="#aes-gcm-params">30.3. AesGcmParams dictionary</a></li><li><a href="#aes-gcm-operations">30.4. Operations</a></li></ul></li><li><a href="#aes-cfb">31. AES-CFB</a><ul><li><a href="#aes-cfb-description">31.1. Description</a></li><li><a href="#aes-cfb-registration">31.2. Registration</a></li><li><a href="#aes-cfb-params">31.3. AesCfbParams dictionary</a></li><li><a href="#aes-cfb-operations">31.4. Operations</a></li></ul></li><li><a href="#aes-kw">32. AES-KW</a><ul><li><a href="#aes-kw-description">32.1. Description</a></li><li><a href="#aes-kw-registration">32.2. Registration</a></li><li><a href="#aes-kw-operations">32.3. Operations</a></li></ul></li><li><a href="#hmac">33. HMAC</a><ul><li><a href="#hmac-description">33.1. Description</a></li><li><a href="#hmac-registration">33.2. Registration</a></li><li><a href="#hmac-importparams">33.3. HmacImportParams dictionary</a></li><li><a href="#HmacKeyAlgorithm-dictionary">33.4. HmacKeyAlgorithm dictionary</a></li><li><a href="#hmac-keygen-params">33.5. HmacKeyGenParams dictionary</a></li><li><a href="#hmac-derivedkey-params">33.6. HmacDerivedKeyParams dictionary</a></li><li><a href="#hmac-operations">33.7. Operations</a></li></ul></li><li><a href="#dh">34. Diffie-Hellman</a><ul><li><a href="#dh-description">34.1. Description</a></li><li><a href="#dh-registration">34.2. Registration</a></li><li><a href="#dh-DhKeyGenParams">34.3. DhKeyGenParams dictionary</a></li><li><a href="#dh-DhKeyAlgorithm">34.4. DhKeyAlgorithm dictionary</a></li><li><a href="#dh-DhKeyDeriveParams">34.5. DhKeyDeriveParams dictionary</a></li><li><a href="#dh-DhImportKeyParams">34.6. DhImportKeyParams dictionary</a></li><li><a href="#dh-operations">34.7. Operations</a></li></ul></li><li><a href="#sha">35. SHA</a><ul><li><a href="#sha-description">35.1. Description</a></li><li><a href="#sha-registration">35.2. Registration</a></li><li><a href="#sha-operations">35.3. Operations</a></li></ul></li><li><a href="#concatkdf">36. Concat KDF</a><ul><li><a href="#concatkdf-description">36.1. Description</a></li><li><a href="#concatkdf-registration">36.2. Registration</a></li><li><a href="#concat-params">36.3. ConcatParams dictionary</a></li><li><a href="#concat-operations">36.4. Operations</a></li></ul></li><li><a href="#hkdf-ctr">37. HKDF-CTR</a><ul><li><a href="#hkdf-ctr-description">37.1. Description</a></li><li><a href="#hkdf-ctr-registration">37.2. Registration</a></li><li><a href="#hkdf-ctr-params">37.3. HkdfCtrParams dictionary</a></li><li><a href="#hkdf2-ctr-operations">37.4. Operations</a></li></ul></li><li><a href="#pbkdf2">38. PBKDF2</a><ul><li><a href="#pbkdf2-description">38.1. Description</a></li><li><a href="#pbkdf2-registration">38.2. Registration</a></li><li><a href="#pbkdf2-params">38.3. Pbkdf2Params dictionary</a></li><li><a href="#pbkdf2-operations">38.4. Operations</a></li></ul></li><li><a href="#examples-section">39. JavaScript Example Code</a><ul><li><a href="#examples-signing">39.1. Generate a signing key pair, sign some data</a></li><li><a href="#examples-symmetric-encryption">39.2. Symmetric Encryption</a></li></ul></li><li><a href="#iana-section">40. IANA Considerations</a><ul><li><a href="#iana-section-jws-jwa">40.1. JSON Web Signature and Encryption Algorithms Registration</a></li><li><a href="#iana-section-jwk">40.2. JSON Web Key Parameters Registration</a></li></ul></li><li><a href="#acknowledgements-section">41. Acknowledgements</a></li><li><a href="#references">42. References</a><ul><li><a href="#normative-references">42.1. Normative References</a></li><li><a href="#informative-references">42.2. Informative References</a></li></ul></li></ul><ul><li><a href="#jwk-mapping">A. Mapping between JSON Web Key / JSON Web Algorithm</a><ul><li><a href="#jwk-mapping-alg">A.1. Algorithm mappings</a></li><li><a href="#jwk-mapping-usage">A.2. Usage mapping</a></li></ul></li><li><a href="#spki-mapping">B. Mapping between Algorithm and SubjectPublicKeyInfo</a></li><li><a href="#pkcs8-mapping">C. Mapping between Algorithm and PKCS#8 PrivateKeyInfo</a></li></ul></div>
+      <div class="toc"><ul><li><a href="#introduction">1. Introduction</a></li><li><a href="#use-cases">2. Use Cases</a><ul><li><a href="#multifactor-authentication">2.1. Multi-factor Authentication</a></li><li><a href="#protected-document">2.2. Protected Document Exchange</a></li><li><a href="#cloud-storage">2.3. Cloud Storage</a></li><li><a href="#document-signing">2.4. Document Signing</a></li><li><a href="#data-integrity-protection">2.5. Data Integrity Protection</a></li><li><a href="#secure-messaging">2.6. Secure Messaging</a></li><li><a href="#jose">2.7. Javascript Object Signing and Encryption (JOSE)</a></li></ul></li><li><a href="#conformance">3. Conformance</a><ul><li><a href="#extensibility">3.1. Extensibility</a></li></ul></li><li><a href="#scope">4. Scope</a><ul><li><a href="#scope-abstraction">4.1. Level of abstraction</a></li><li><a href="#scope-algorithms">4.2. Cryptographic algorithms</a></li><li><a href="#scope-operations">4.3. Operations</a></li><li><a href="#scope-out-of-scope">4.4. Out of scope</a></li></ul></li><li><a href="#concepts">5. Concepts</a><ul><li><a href="#concepts-underlying-implementation">5.1. Underlying Cryptographic Implementation</a></li><li><a href="#concepts-key-storage">5.2. Key Storage</a></li></ul></li><li><a href="#security">6. Security considerations</a><ul><li><a href="#security-implementers">6.1. Security considerations for implementers</a></li><li><a href="#security-developers">6.2. Security considerations for authors</a></li><li><a href="#security-users">6.3. Security considerations for users</a></li></ul></li><li><a href="#privacy">7. Privacy considerations</a></li><li><a href="#dependencies">8. Dependencies</a></li><li><a href="#terminology">9. Terminology</a></li><li><a href="#RandomSource-interface">10. RandomSource interface</a><ul><li><a href="#RandomSource-description">10.1. Description</a></li><li><a href="#RandomSource-interface-methods">10.2. Methods and Parameters</a><ul><li><a href="#RandomSource-method-getRandomValues">10.2.1. The getRandomValues method</a></li></ul></li></ul></li><li><a href="#algorithm-dictionary">11. Algorithm dictionary</a><ul><li><a href="#algorithm-dictionary-members">11.1. Algorithm Dictionary Members</a></li></ul></li><li><a href="#key-algorithm-dictionary">12. KeyAlgorithm dictionary</a><ul><li><a href="#key-algorithm-dictionary-description">12.1. Description</a></li><li><a href="#key-algorithm-dictionary-members">12.2. KeyAlgorithm dictionary members</a></li></ul></li><li><a href="#cryptokey-interface">13. CryptoKey interface</a><ul><li><a href="#cryptokey-interface-description">13.1. Description</a></li><li><a href="#cryptokey-interface-types">13.2. Key interface data types</a></li><li><a href="#cryptokey-interface-internal-slots">13.3. CryptoKey internal slots</a></li><li><a href="#cryptokey-interface-members">13.4. CryptoKey interface members</a></li><li><a href="#cryptokey-interface-clone">13.5. Structured clone algorithm</a></li></ul></li><li><a href="#crypto-interface">14. Crypto interface</a></li><li><a href="#subtlecrypto-interface">15. SubtleCrypto interface</a><ul><li><a href="#subtlecrypto-interface-description">15.1. Description</a></li><li><a href="#subtlecrypto-interface-datatypes">15.2. Data Types</a></li><li><a href="#subtlecrypto-interface-methods">15.3. Methods and Parameters</a><ul><li><a href="#SubtleCrypto-method-encrypt">15.3.1. The encrypt method</a></li><li><a href="#SubtleCrypto-method-decrypt">15.3.2. The decrypt method</a></li><li><a href="#SubtleCrypto-method-sign">15.3.3. The sign method</a></li><li><a href="#SubtleCrypto-method-verify">15.3.4. The verify method</a></li><li><a href="#SubtleCrypto-method-digest">15.3.5. The digest method</a></li><li><a href="#SubtleCrypto-method-generateKey">15.3.6. The generateKey method</a></li><li><a href="#SubtleCrypto-method-deriveKey">15.3.7. The deriveKey method</a></li><li><a href="#SubtleCrypto-method-deriveBits">15.3.8. The deriveBits method</a></li><li><a href="#SubtleCrypto-method-importKey">15.3.9. The importKey method</a></li><li><a href="#SubtleCrypto-method-exportKey">15.3.10. The exportKey method</a></li><li><a href="#SubtleCrypto-method-wrapKey">15.3.11. The wrapKey method</a></li><li><a href="#SubtleCrypto-method-unwrapKey">15.3.12. The unwrapKey method</a></li></ul></li><li><a href="#SubtleCrypto-Exceptions">15.4. Exceptions</a></li></ul></li><li><a href="#JsonWebKey-dictionary">16. JsonWebKey dictionary</a></li><li><a href="#WorkerCrypto-interface">17. WorkerCrypto interface</a><ul><li><a href="#WorkerCrypto-description">17.1. Description</a></li></ul></li><li><a href="#big-integer">18. BigInteger</a></li><li><a href="#keypair">19. CryptoKeyPair dictionary</a></li><li><a href="#algorithms">20. Algorithms</a><ul><li><a href="#algorithm-overview">20.1. Overview</a></li><li><a href="#algorithm-concepts">20.2. Concepts</a><ul><li><a href="#algorithm-concepts-naming">20.2.1. Naming</a></li><li><a href="#algorithm-concepts-operations">20.2.2. Supported Operations</a></li><li><a href="#algorithm-concepts-normalization">20.2.3. Normalization</a></li></ul></li><li><a href="#algorithm-conventions">20.3. Specification Conventions</a></li><li><a href="#algorithm-normalizing">20.4. Algorithm Normalization</a><ul><li><a href="#algorithm-normalizing-description">20.4.1. Description</a></li><li><a href="#algorithm-normalizing-internal">20.4.2. Internal State Objects</a></li><li><a href="#algorithm-normalizing-define-an-algorithm">20.4.3. Defining an Algorithm</a></li><li><a href="#algorithm-normalizing-define-an-alias">20.4.4. Defining an Alias</a></li><li><a href="#algorithm-normalizing-normalize-an-algorithm">20.4.5. Normalizing an algorithm</a></li></ul></li><li><a href="#algorithm-recommendations">20.5. Recommendations</a><ul><li><a href="#algorithm-recommendations-authors">20.5.1. For Authors</a></li><li><a href="#algorithm-recommendations-implementers">20.5.2. For Implementers</a></li></ul></li></ul></li><li><a href="#algorithm-overview">21. Algorithm Overview</a></li><li><a href="#rsassa-pkcs1">22. RSASSA-PKCS1-v1_5</a><ul><li><a href="#rsassa-pkcs1-description">22.1. Description</a></li><li><a href="#rsassa-pkcs1-registration">22.2. Registration</a></li><li><a href="#RsaHashedKeyGenParams-dictionary">22.3. RsaHashedKeyGenParams dictionary</a></li><li><a href="#RsaHashedKeyAlgorithm-dictionary">22.4. RsaHashedKeyAlgorithm dictionary</a></li><li><a href="#RsaHashedImportParams-dictionary">22.5. RsaHashedImportParams dictionary</a></li><li><a href="#rsassa-pkcs1-operations">22.6. Operations</a></li></ul></li><li><a href="#rsa-pss">23. RSA-PSS</a><ul><li><a href="#rsa-pss-description">23.1. Description</a></li><li><a href="#rsa-pss-registration">23.2. Registration</a></li><li><a href="#RsaPssParams-dictionary">23.3. RsaPssParams dictionary</a></li><li><a href="#rsa-pss-operations">23.4. Operations</a></li></ul></li><li><a href="#rsa-oaep">24. RSA-OAEP</a><ul><li><a href="#rsa-oaep-description">24.1. Description</a></li><li><a href="#rsa-oaep-registration">24.2. Registration</a></li><li><a href="#rsa-oaep-params">24.3. RsaOaepParams dictionary</a></li><li><a href="#rsa-oaep-operations">24.4. Operations</a></li></ul></li><li><a href="#ecdsa">25. ECDSA</a><ul><li><a href="#ecdsa-description">25.1. Description</a></li><li><a href="#ecdsa-registration">25.2. Registration</a></li><li><a href="#EcdsaParams-dictionary">25.3. EcdsaParams dictionary</a></li><li><a href="#EcKeyGenParams-dictionary">25.4. EcKeyGenParams dictionary</a></li><li><a href="#EcKeyAlgorithm-dictionary">25.5. EcKeyAlgorithm dictionary</a></li><li><a href="#EcKeyImportParams-dictionary">25.6. EcKeyImportParams dictionary</a></li><li><a href="#ecdsa-operations">25.7. Operations</a></li></ul></li><li><a href="#ecdh">26. ECDH</a><ul><li><a href="#ecdh-description">26.1. Description</a></li><li><a href="#ecdh-registration">26.2. Registration</a></li><li><a href="#dh-EcdhKeyDeriveParams">26.3. EcdhKeyDeriveParams dictionary</a></li><li><a href="#ecdh-operations">26.4. Operations</a></li></ul></li><li><a href="#aes-ctr">27. AES-CTR</a><ul><li><a href="#aes-ctr-description">27.1. Description</a></li><li><a href="#aes-ctr-registration">27.2. Registration</a></li><li><a href="#aes-ctr-params">27.3. AesCtrParams dictionary</a></li><li><a href="#AesKeyAlgorithm-dictionary">27.4. </a></li><li><a href="#aes-keygen-params">27.5. AesKeyGenParams dictionary</a></li><li><a href="#aes-derivedkey-params">27.6. AesDerivedKeyParams dictionary</a></li><li><a href="#aes-ctr-operations">27.7. Operations</a></li></ul></li><li><a href="#aes-cbc">28. AES-CBC</a><ul><li><a href="#aes-cbc-description">28.1. Description</a></li><li><a href="#aes-cbc-registration">28.2. Registration</a></li><li><a href="#aes-cbc-params">28.3. AesCbcParams dictionary</a></li><li><a href="#aes-cbc-operations">28.4. Operations</a></li></ul></li><li><a href="#aes-cmac">29. AES-CMAC</a><ul><li><a href="#aes-cmac-description">29.1. Description</a></li><li><a href="#aes-cmac-registration">29.2. Registration</a></li><li><a href="#aes-cmac-params">29.3. AesCmacParams dictionary</a></li><li><a href="#aes-cmac-operations">29.4. Operations</a></li></ul></li><li><a href="#aes-gcm">30. AES-GCM</a><ul><li><a href="#aes-gcm-description">30.1. Description</a></li><li><a href="#aes-gcm-registration">30.2. Registration</a></li><li><a href="#aes-gcm-params">30.3. AesGcmParams dictionary</a></li><li><a href="#aes-gcm-operations">30.4. Operations</a></li></ul></li><li><a href="#aes-cfb">31. AES-CFB</a><ul><li><a href="#aes-cfb-description">31.1. Description</a></li><li><a href="#aes-cfb-registration">31.2. Registration</a></li><li><a href="#aes-cfb-params">31.3. AesCfbParams dictionary</a></li><li><a href="#aes-cfb-operations">31.4. Operations</a></li></ul></li><li><a href="#aes-kw">32. AES-KW</a><ul><li><a href="#aes-kw-description">32.1. Description</a></li><li><a href="#aes-kw-registration">32.2. Registration</a></li><li><a href="#aes-kw-operations">32.3. Operations</a></li></ul></li><li><a href="#hmac">33. HMAC</a><ul><li><a href="#hmac-description">33.1. Description</a></li><li><a href="#hmac-registration">33.2. Registration</a></li><li><a href="#hmac-importparams">33.3. HmacImportParams dictionary</a></li><li><a href="#HmacKeyAlgorithm-dictionary">33.4. HmacKeyAlgorithm dictionary</a></li><li><a href="#hmac-keygen-params">33.5. HmacKeyGenParams dictionary</a></li><li><a href="#hmac-derivedkey-params">33.6. HmacDerivedKeyParams dictionary</a></li><li><a href="#hmac-operations">33.7. Operations</a></li></ul></li><li><a href="#dh">34. Diffie-Hellman</a><ul><li><a href="#dh-description">34.1. Description</a></li><li><a href="#dh-registration">34.2. Registration</a></li><li><a href="#dh-DhKeyGenParams">34.3. DhKeyGenParams dictionary</a></li><li><a href="#dh-DhKeyAlgorithm">34.4. DhKeyAlgorithm dictionary</a></li><li><a href="#dh-DhKeyDeriveParams">34.5. DhKeyDeriveParams dictionary</a></li><li><a href="#dh-DhImportKeyParams">34.6. DhImportKeyParams dictionary</a></li><li><a href="#dh-operations">34.7. Operations</a></li></ul></li><li><a href="#sha">35. SHA</a><ul><li><a href="#sha-description">35.1. Description</a></li><li><a href="#sha-registration">35.2. Registration</a></li><li><a href="#sha-operations">35.3. Operations</a></li></ul></li><li><a href="#concatkdf">36. Concat KDF</a><ul><li><a href="#concatkdf-description">36.1. Description</a></li><li><a href="#concatkdf-registration">36.2. Registration</a></li><li><a href="#concat-params">36.3. ConcatParams dictionary</a></li><li><a href="#concat-operations">36.4. Operations</a></li></ul></li><li><a href="#hkdf-ctr">37. HKDF-CTR</a><ul><li><a href="#hkdf-ctr-description">37.1. Description</a></li><li><a href="#hkdf-ctr-registration">37.2. Registration</a></li><li><a href="#hkdf-ctr-params">37.3. HkdfCtrParams dictionary</a></li><li><a href="#hkdf2-ctr-operations">37.4. Operations</a></li></ul></li><li><a href="#pbkdf2">38. PBKDF2</a><ul><li><a href="#pbkdf2-description">38.1. Description</a></li><li><a href="#pbkdf2-registration">38.2. Registration</a></li><li><a href="#pbkdf2-params">38.3. Pbkdf2Params dictionary</a></li><li><a href="#pbkdf2-operations">38.4. Operations</a></li></ul></li><li><a href="#examples-section">39. JavaScript Example Code</a><ul><li><a href="#examples-signing">39.1. Generate a signing key pair, sign some data</a></li><li><a href="#examples-symmetric-encryption">39.2. Symmetric Encryption</a></li></ul></li><li><a href="#iana-section">40. IANA Considerations</a><ul><li><a href="#iana-section-jws-jwa">40.1. JSON Web Signature and Encryption Algorithms Registration</a></li><li><a href="#iana-section-jwk">40.2. JSON Web Key Parameters Registration</a></li></ul></li><li><a href="#acknowledgements-section">41. Acknowledgements</a></li><li><a href="#references">42. References</a><ul><li><a href="#normative-references">42.1. Normative References</a></li><li><a href="#informative-references">42.2. Informative References</a></li></ul></li></ul><ul><li><a href="#jwk-mapping">A. Mapping between JSON Web Key / JSON Web Algorithm</a><ul><li><a href="#jwk-mapping-alg">A.1. Algorithm mappings</a></li><li><a href="#jwk-mapping-usage">A.2. Usage mapping</a></li></ul></li><li><a href="#spki-mapping">B. Mapping between Algorithm and SubjectPublicKeyInfo</a></li><li><a href="#pkcs8-mapping">C. Mapping between Algorithm and PKCS#8 PrivateKeyInfo</a></li></ul></div>
     </div>
 
     <div id="sections">
@@ -332,6 +332,30 @@
           <a href="#case-sensitive">case-sensitive</a> manner. String literals in this specification
            written in monospace font like <code>"this"</code> do not include the enclosing quotes.
         </p>
+        <div id="extensibility" class="section">
+          <h3>3.1. Extensibility</h3>
+          <p>
+            Vendor-specific proprietary extensions to this specification are strongly discouraged.
+            Authors must not use such extensions, as doing so reduces interoperability and fragments 
+            the user base, allowing only users of specific user agents to access the content in 
+            question.
+          </p>
+          <p>
+            If vendor-specific extensions are needed, the members should be prefixed by 
+            vendor-specific strings to prevent clashes with future versions of this specification. 
+            Extensions must be defined so that the use of extensions neither contradicts nor causes 
+            the non-conformance of functionality defined in the specification.
+          </p>
+          <p>
+            When vendor-neutral extensions to this specification are needed, either this 
+            specification can be updated accordingly, or an extension specification can be written 
+            that overrides the requirements in this specification. When someone applying this 
+            specification to their activities decides that they will recognize the requirements of 
+            such an extension specification, it becomes an
+            <dfn id="dfn-applicable-specification">applicable specification</dfn> for the purposes 
+            of conformance requirements in this specification.
+          </p>
+        </div>
       </div>
 
       <div id="scope" class="section">
@@ -5903,9 +5927,17 @@
           <p>
             The <code>"RSA-OAEP"</code> algorithm identifier is used to perform encryption
             and decryption ordering to the RSAES-OAEP algorithm specified in
-            [<cite><a href="#RFC3447">RFC3447</a></cite>], using the mask
+            [<cite><a href="#RFC3447">RFC3447</a></cite>], using the SHA hash functions defined
+            in this specification and using the mask
             generation function MGF1.
           </p>
+          <p>
+            <a href="#dfn-applicable-specification">Other specifications</a>
+            may specify the use of additional hash algorithms with RSAES-OAEP. Such specifications
+            must define
+            <dfn id="dfn-rsa-extended-import-steps">key import steps</dfn> and
+            <dfn id="dfn-rsa-extended-export-steps">key export steps</dfn>.
+          </p>
         </div>
         <div id="rsa-oaep-registration" class="section">
           <h4>24.2. Registration</h4>
@@ -6206,6 +6238,34 @@
                   <p>Let <var>keyData</var> be the key data to be imported.</p>
                 </li>
                 <li>
+                  <p>
+                    Perform any <a href="#dfn-rsa-oaep-extended-key-import-steps">key import steps</a>
+                    defined by <a href="#dfn-applicable-specifications">other applicable
+                    specifications</a>, passing <var>keyData</var> and obtaining <var>result</var>.
+                    <dl class="switch">
+                      <dt>
+                        If <var>result</var> is a <a href="#dfn-CryptoKey">CryptoKey</a>
+                        object
+                      </dt>
+                      <dd>
+                        <p>
+                          Return <var>result</var>.
+                        </p>
+                      </dd>
+                      <dt>
+                        If <var>result</var> is an error with a name that is not
+                        <a href="#dfn-NotSupportedError"><code>NotSupportedError</code></a>
+                      </dt>
+                      <dd>
+                        <p>
+                          <a href="#concept-return-an-error">Return an error</a> with the same name
+                          as <var>result</var>.
+                        </p>
+                      </dd>
+                    </dl>
+                  </p>
+                </li>
+                <li>
                   <dl class="switch">
                     <dt>If <var>format</var> is <code>"spki"</code>:</dt>
                     <dd>
@@ -6655,8 +6715,10 @@
                             <dd>Let <var>hash</var> be the string <code>"SHA-512"</code>.</dd>
                             <dt>Otherwise:</dt>
                             <dd>
-                              <a href="#concept-return-an-error">return an error</a> named
-                              <a href="#dfn-DataError"><code>DataError</code></a>.
+                              <p>
+                                <a href="#concept-return-an-error">Return an error</a> named
+                                <a href="#dfn-DataError"><code>DataError</code></a>.
+                              </p>
                             </dd>
                           </dl>
                         </li>
@@ -6790,6 +6852,45 @@
                   </p>
                 </li>
                 <li>
+                  <p>
+                    Perform any <a href="#dfn-rsa-oaep-extended-key-export-steps">key export steps</a>
+                    defined by <a href="#dfn-applicable-specifications">other applicable
+                    specifications</a>, passing <var>key</var> and obtaining <var>result</var>.
+                    <dl class="switch">
+                      <dt>
+                        If <var>format</var> is <code>"spki"</code> or <code>"pkcs8"</code> and
+                        <var>result</var> is an <a href="#dfn-ArrayBuffer">ArrayBuffer</a>
+                        object
+                      </dt>
+                      <dd>
+                        <p>
+                          Return <var>result</var>.
+                        </p>
+                      </dd>
+                      <dt>
+                        If <var>format</var> is <code>"jwk"</code> and
+                        <var>result</var> is not an error
+                      </dt>
+                      <dd>
+                        <p>
+                          Return <var>result</var>.
+                        </p>
+                      </dd>
+                      <dt>
+                        If <var>result</var> is an error with a name that is not
+                        <a href="#dfn-NotSupportedError"><code>NotSupportedError</code></a>
+                      </dt>
+                      <dd>
+                        <p>
+                          <a href="#concept-return-an-error">Return an error</a> with the same name
+                          as <var>result</var>.
+                        </p>
+                      </dd>
+                    </dl>
+                  </p>
+                </li>
+
+                <li>
                   <dl class="switch">
                     <dt>If <var>format</var> is <code>"spki"</code></dt>
                     <dd>