[Webkit-unassigned] [Bug 216750] New: [WebCrypto] RSA-PSS on Mac with CommonCrypto enforces saltLength <= hLen

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Sun Sep 20 12:36:57 PDT 2020 

https://bugs.webkit.org/show_bug.cgi?id=216750

            Bug ID: 216750
           Summary: [WebCrypto] RSA-PSS on Mac with CommonCrypto enforces
                    saltLength <= hLen
           Product: WebKit
           Version: Safari 13
          Hardware: Macintosh
                OS: macOS 10.15
            Status: NEW
          Severity: Minor
          Priority: P2
         Component: WebCore Misc.
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: jopsen at gmail.com

It seems that [`RSA-PSS` in Safari on Mac][1] using [CommonCrypto][2] which uses [corecrypto][3],
follows [FIPS 186-4, Section 5.5, Step (e)][4], restricting [saltLength] to `0 <= saltLength <= hashLength`.

While the [WebCrypto spec][5] references [RFC3447 Section 8.1][6], which as far as I can see doesn't impose any limits on `saltLength`.
At the same time, both Chrome and Firefox allow arbitrary `saltLength` until some limit at which these fail too.

It is entirely possible that:
 (A) I missed something in [RFC3447 Section 8.1][6], and that it does in fact enforce this limit,
 (B) Firefox and Chrome both have different arbitrary limits on `saltLength`.

It is also possible that this is entirely inconsequential, [RFC 3447 Section 9.1, Notes 4][7] states:
> Typical salt lengths in octets are hLen (the length of the output of the hash function Hash) and 0.

So I suppose it's plausible that nobody would/should ever use saltLength > hLen.
In this case, I suppose it would be preferable to refine the webcrypto spec to impose these limits.

Sorry, if this is just an inconsequential discrepancy, I'm not an expert on RSA-PSS.
(And sorry, if this the wrong place, it's hard to tell if it's Firefox, Chrome, Safari og the webcrypto spec)

[1]: https://trac.webkit.org/browser/webkit/trunk/Source/WebCore/crypto/mac/CryptoAlgorithmRSA_PSSMac.cpp?rev=238754#L56
[2]: https://opensource.apple.com/source/CommonCrypto/CommonCrypto-60165.120.1/lib/CommonRSACryptor.c.auto.html
[3]: https://opensource.apple.com/source/xnu/xnu-4570.41.2/EXTERNAL_HEADERS/corecrypto/ccrsa.h.auto.html
[4]: https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf
[5]: https://w3c.github.io/webcrypto/#rsa-pss-operations
[6]: https://tools.ietf.org/html/rfc3447#section-8.1
[7]: https://tools.ietf.org/html/rfc3447#section-9.1

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20200920/c14a2649/attachment-0001.htm>

More information about the webkit-unassigned mailing list