David,

Here are my review comments on https://wiki.mozilla.org/DOMCryptInternalAPI:

1. I don't understand the difference between the two methods that
generate key pairs:
    PKGenerateKeyPair
    SigGenerateKeyPair

2. PKEncrypt just needs a public key, not a key pair.

3. I suggest not assigning 0 to any algorithm enumerator.  This allows
the use of 0 as an invalid value. We can't use -1 because the type is
unsigned long.

So ALGORITHM_RSA should be 1 and ALGORITHM_DSA should be 2.

4. Like PKDecrypt, Sign just needs aKeyID, which represents a private key.

5. Verify should take a public key.

6. The second arguments of Sign and Verify should have the same name
(because they refer to the same thing) and the name should not imply it
is encrypted (such as aPlaintext and aClearBytes).  You can use
'message' as the argument name.

7. When verifying a MAC, the byte comparison must be constant time to
avoid leaking timing info.  Leaking timing info of MAC verification
could be problematic in some situations.  This issue is described in
https://groups.google.com/group/keyczar-discuss/browse_thread/thread/5571eca0948b2a13

So I suggest adding a verify() method to the CryptoHmac interface, so
that we can implement the verify() method with constant time byte
comparison.

Wan-Teh Chang
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

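As an added illustration of point 7 above (this is example code written for this page, not code from the email, from DOMCrypt, or from NSS), here is a constant-time byte comparison of the kind the proposed CryptoHmac verify() method would need, next to the early-exit comparison it replaces. The sample tag, the TAG_LEN constant and the function names (ct_bytes_equal, naive_bytes_equal, hmac_verify, and the two demo helpers) are assumptions made for the example; a real verify() would compute the tag over the message with the HMAC key before comparing.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TAG_LEN 32  /* assumed: HMAC-SHA256 output length */

/* Constructed sample tag for the demo; in real use this is the HMAC
 * computed over the received message with the shared key. */
static const uint8_t kExpectedTag[TAG_LEN] = {
    0x3a, 0x7f, 0xc2, 0x19, 0x55, 0xe0, 0x8d, 0x4b,
    0x61, 0xf3, 0x2e, 0xa8, 0x97, 0x0c, 0xd4, 0x6f,
    0xb1, 0x40, 0xe9, 0x25, 0x8c, 0x73, 0x1d, 0xfa,
    0x06, 0x9e, 0x52, 0xc7, 0x38, 0x84, 0xbd, 0x11
};

/* Constant-time comparison of two equal-length byte strings.
 * Returns 1 if equal, 0 otherwise. Every byte is examined no matter
 * where the first mismatch is; only the final result depends on the
 * data, so the running time reveals nothing about the forged tag. */
int ct_bytes_equal(const uint8_t *a, const uint8_t *b, size_t len)
{
    uint32_t diff = 0;
    for (size_t i = 0; i < len; i++)
        diff |= (uint32_t)(a[i] ^ b[i]);
    /* diff is in 0..255; diff - 1 wraps to 0xFFFFFFFF only when diff == 0,
     * so bit 8 of the result is set exactly when the inputs were equal. */
    return (int)((diff - 1u) >> 8) & 1;
}

/* The early-exit comparison Wan-Teh warns against (memcmp-style): returns
 * on the first differing byte, so the time taken tells an attacker how
 * many leading bytes of a guessed tag were correct. *examined records how
 * many bytes were looked at, to make that visible. */
int naive_bytes_equal(const uint8_t *a, const uint8_t *b, size_t len,
                      size_t *examined)
{
    for (size_t i = 0; i < len; i++) {
        if (a[i] != b[i]) {
            *examined = i + 1;
            return 0;
        }
    }
    *examined = len;
    return 1;
}

/* Shape of the proposed CryptoHmac.verify(): compare the tag computed over
 * the message with the tag received from the peer. The length check is not
 * a leak: the tag length is fixed by the hash algorithm and public. */
int hmac_verify(const uint8_t *computed, size_t computed_len,
                const uint8_t *received, size_t received_len)
{
    if (computed_len != received_len)
        return 0;
    return ct_bytes_equal(computed, received, computed_len);
}

/* Demo helper: forge a tag that differs from kExpectedTag only at byte
 * mismatch_at (or not at all if mismatch_at >= TAG_LEN). */
static void make_forged(uint8_t *forged, size_t mismatch_at)
{
    for (size_t i = 0; i < TAG_LEN; i++)
        forged[i] = kExpectedTag[i];
    if (mismatch_at < TAG_LEN)
        forged[mismatch_at] ^= 0x01;
}

/* Bytes the early-exit comparison touches before rejecting the forged tag.
 * With ct_bytes_equal the answer would always be TAG_LEN. */
size_t naive_bytes_examined(size_t mismatch_at)
{
    uint8_t forged[TAG_LEN];
    size_t examined = 0;
    make_forged(forged, mismatch_at);
    naive_bytes_equal(kExpectedTag, forged, TAG_LEN, &examined);
    return examined;
}

/* hmac_verify()'s verdict on the forged tag: 0 for any mismatch_at in
 * range, 1 for the genuine tag (mismatch_at >= TAG_LEN). */
int verify_forged(size_t mismatch_at)
{
    uint8_t forged[TAG_LEN];
    make_forged(forged, mismatch_at);
    return hmac_verify(kExpectedTag, TAG_LEN, forged, TAG_LEN);
}

int main(void)
{
    printf("genuine tag accepted: %d\n", verify_forged(TAG_LEN));
    printf("tag with byte 31 flipped accepted: %d\n", verify_forged(31));
    printf("early-exit compare examined %zu of %d bytes when byte 0 differs\n",
           naive_bytes_examined(0), TAG_LEN);
    printf("early-exit compare examined %zu of %d bytes when byte 31 differs\n",
           naive_bytes_examined(31), TAG_LEN);
    return 0;
}
```

In production code the comparison should come from the crypto library rather than be hand-rolled (NSS has NSS_SecureMemcmp, OpenSSL has CRYPTO_memcmp), since an optimizing compiler can still reintroduce a data-dependent branch into a loop like ct_bytes_equal; the loop above shows the idea, not a guarantee.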