Make deriveBits length parameter optional and nullable#345
Conversation
Allow omitting the `length` parameter from calls to `deriveBits`, defaulting to `null`, and also allow passing `null` explicitly (as the web platform tests already do). The "derive bits" operations already handle `null` as it can also be returned by the "get key length" operations. In the case of ECDH, the operation returns the entire derived key; in the case of HKDF and PBKDF2, the operation returns an error. This is technically speaking a breaking change, since currently passing `null` explicitly should cause it to be converted to `0`, causing an empty `ArrayBuffer` to be returned. However, the only implementation that actually does so (Chromium) is willing to change this. Additionally, returning the entire value (for ECDH) seems more expected and more useful than returning an empty value.
twiss
force-pushed
the
optional-deriveBits-length
branch
from
be453c6 to
2b3bca8
Compare
|
What else is pending to merge this PR ? As far as I understand we have reached an agreement in #322 about the use of ` |
|
@javifernandez since #324 was arguably merged prematurely, I wanted to make doubly sure that we have consensus on this before it's merged :) @annevk, @martinthomson and @saschanaz, it would be great if you could confirm whether you're OK with this solution, as I think you were at one point arguing against changing the WebIDL in #322. Though note that this PR also addresses #329, and that's not possible without changing the WebIDL - but also there we haven't discussed much whether it's worth it, and in scope for the "maintenance" charter. I do personally think this would be a nice change for developer ergonomics, but arguably it's debatable whether that's in scope. Let me know what you think! |
|
I'm not against changing Web IDL, but I still don't see the point in allowing null. The argument being optional already gives you the value space you need. |
|
@annevk It's not so much that I think allowing null is useful for new applications (that indeed can just omit the parameter), it's rather that given the question of what to do if an existing application does pass null, returning the entire value seems safer than returning an empty Uint8Array. It's admittedly unlikely any existing web app does so since only Safari behaves "as expected" (per this PR, not per the current spec) in that case, but perhaps not entirely impossible since the web platform tests do test for it, so someone may have gotten the idea from there (or a loose reading of the current spec), and written a Safari-only application that depends on this, perhaps. Also note that if such code would run today on Chrome, it would silently return an empty value, potentially leading to a security issue. So this change would fix a security issue in such a web app, whereas changing Safari to return the empty value instead of the full value could actually cause a security issue instead (strictly speaking not by fault of Safari, but nevertheless it seems better to be cautious here). |
|
I'm personally not really concerned about that. I'll defer to @martinthomson and @davidben as to whether to accept this PR as-is. |
|
I think have a convenient way to return an untruncated value is good. Better would have been for WebCrypto to not jam Diffie-Hellman and KDFs into the same function, but I don't have a time machine. Thus, I like making it optional to mean default size. However, the discussion in #322 (comment) suggests that Thus, I think idiomatic patterns should win out and we should not have the |
(Wrong argument)
I'm not sure I understand the argument here, passing null for |
Are you concerned about changing Chromium's behavior because you're worried that someone might be relying on passing (IMHO we shouldn't be worried about "the spec's long-standing behavior" because the spec's intention on this point is debatable, as evidenced by the web platform tests.)
Would you be happier if it said
The reason it's an IDL-only change is because the prose saying "if
In general I would agree but I think we should make an exception for security concerns 😅
Are you sure? https://webidl.spec.whatwg.org/#es-overloads only mentions special behavior of |
|
(Me quickly checking with |
|
I'm OK with this outcome. Like @davidben, this is a consequence of deeper structural issues, but the way this works seems fine. I'm not 100% on the outcome for |
|
Right, we could throw for |
Ah, fun. I think we should treat that separately, as it's not related to how to handle the default. I really don't like making 0 silently turn into default, but I feel less strongly about empty vs throw. TBH, I probably would have picked consistently empty over consistently throw, but shrug. I'm not opposed to trying to align that, though as it'd be a breaking change, we should get some metrics for that. Keep in mind that, say, 1-byte or 2-byte output is also insecure, so throwing on zero is not actually meaningfully enforcing any kind of secure use of the algorithm. Indeed for ECDH, truncation at all is a bad idea. The whole output should be passed to a KDF. Given we've already gone down the truncation route, it's just a question of whether you believe "truncate to zero" is a defined operation. If we want to throw, we should instead be seeing whether we can compatibly throw on any truncation at all. |
We've discussed this thoroughly in #322 already, but the WPTs came long after the spec and original Chromium implementation. The spec was also originally written in large part by someone from Chromium. Whether or not the intended semantics were right (like I said, I'm extremely unhappy with how the spec handles ECDH overall), it's quite clear what the spec's intent was. |
|
FWIW, 0 = empty seems obvious but it's a nonsensical thing to ask for, so I'm OK with throwing. A separate PR might be needed there. Edit: I agree with David about truncation for ECDH, at any number of bytes. But I have found many uses for very short KDF outputs. |
Yeah, I'll make a separate PR for that.
Sure, I meant more that it could be a protection mechanism against accidentally getting an empty value instead of the full value. For example, Safari currently returns the full value when returning 0, it might be better to change that to throw rather than returning the empty value (which could theoretically cause a security issue).
Can we not let perfect be the enemy of good? 😅 We already know we can compatibly throw for 0, as Firefox does so, so it would seem reasonable to me to start with that. |
The tradeoff is between trying to enforce some security criteria (which rejecting zero does a bad job of) vs having an extra case of fallibility in the function. The point of my comment isn't striving towards perfection, but that we're sacrificing continuity of semantics for a security check that doesn't actually do much. The continuity doesn't mean much, but measured against a security check that doesn't do much, this is all silly. Since starting to throw would be a spec-incompatible change, and a breaking change for Chromium, we'd need some code to measure things. If we're measuring things anyway, we should also validate whether we can just remove this truncation behavior altogether, as it was wrong to begin with. |
|
(I've created #351 for this)
Again, the security check wouldn't be to protect web applications in general, just any code that happens to rely on WebKit returning the entire value for zero. Rejecting zero does do a good job of protecting against that 🙃
But yes, fair enough. If you do want to do some measurements that would be great, let us know what the outcome is 😊 |
|
Ah fair, yeah zero is a bit special because of this mess. :-) |
|
@martinthomson and @saschanaz could you please explicitly approve this PR, if you do indeed approve of it (with or without #351)? And @davidben I'll repeat this part as it was a genuine question:
And perhaps if everyone else wants to weigh in on that alternative option that'd be great 😊 |
|
I really don't think that = undefined changes anything in this case. |
|
Certainly there's no difference between My preference would be what was already discussed in the issue: That is, we should just do whatever would be idiomatic on the web for an optional parameter. That seems to be plain But if we're really set on ignoring convention for some reason, I can live with |
I think we can do that later, once we manage to solve the lack of interoperability of the deriveOperations in several algorithms, I think returning an empty string when length is 0 is consistent with the spec and what it's already implemented in some engines. If we want to change the spec of a specific algorithm to raise an exception and forbid that case, we may discuss it independently of this PR. |
|
Hi @annevk, would you mind to explicitly approve the change on behalf of Safari now that Chrome and Firefox have ? |
|
Thanks, everyone! |
SHA: c0e1856 Reason: push, by twiss Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
…ble (#24426) Updates SubtleCrypto.prototype.deriveBits as per w3c/webcrypto#345 (WPT update in web-platform-tests/wpt#43400)
…ble (denoland#24426) Updates SubtleCrypto.prototype.deriveBits as per w3c/webcrypto#345 (WPT update in web-platform-tests/wpt#43400)
https://bugs.webkit.org/show_bug.cgi?id=276394 Reviewed by Youenn Fablet and Nitin Mahendru. The PR#345 [1] to the WebCryptoAPI spec defines now the 'length' parameter as optional, defaulting to 'null'. This change tries to solve a long-standing interoperability issue in the deriveBits operation. This patch implements the required changes in the IDL so that the 'length' parameter is declared as optional, with 'null' as default value when omitted. The affected algorithms (ECDH, HKDF, PBKDF2 and X25519) are adapted to the parameter's new type. The PR#43400 [2] defined tests for the new behavior of the afected algorithms, which they all pass now. [1] w3c/webcrypto#345 [2] web-platform-tests/wpt#43400 * LayoutTests/crypto/subtle/derive-bits-malformed-parameters-expected.txt: * LayoutTests/crypto/subtle/derive-bits-malformed-parameters.html: * LayoutTests/imported/w3c/web-platform-tests/WebCryptoAPI/derive_bits_keys/derived_bits_length.https.any-expected.txt: * LayoutTests/imported/w3c/web-platform-tests/WebCryptoAPI/derive_bits_keys/derived_bits_length.https.any.worker-expected.txt: * LayoutTests/imported/w3c/web-platform-tests/WebCryptoAPI/idlharness.https.any-expected.txt: * LayoutTests/imported/w3c/web-platform-tests/WebCryptoAPI/idlharness.https.any.worker-expected.txt: * LayoutTests/imported/w3c/web-platform-tests/interfaces/WebCryptoAPI.idl: * Source/WebCore/crypto/CryptoAlgorithm.cpp: (WebCore::CryptoAlgorithm::deriveBits): * Source/WebCore/crypto/CryptoAlgorithm.h: * Source/WebCore/crypto/SubtleCrypto.cpp: (WebCore::SubtleCrypto::deriveKey): (WebCore::SubtleCrypto::deriveBits): * Source/WebCore/crypto/SubtleCrypto.h: * Source/WebCore/crypto/SubtleCrypto.idl: * Source/WebCore/crypto/algorithms/CryptoAlgorithmECDH.cpp: (WebCore::CryptoAlgorithmECDH::deriveBits): * Source/WebCore/crypto/algorithms/CryptoAlgorithmECDH.h: * Source/WebCore/crypto/algorithms/CryptoAlgorithmHKDF.cpp: (WebCore::CryptoAlgorithmHKDF::deriveBits): * Source/WebCore/crypto/algorithms/CryptoAlgorithmHKDF.h: * Source/WebCore/crypto/algorithms/CryptoAlgorithmPBKDF2.cpp: (WebCore::CryptoAlgorithmPBKDF2::deriveBits): * Source/WebCore/crypto/algorithms/CryptoAlgorithmPBKDF2.h: * Source/WebCore/crypto/algorithms/CryptoAlgorithmX25519.cpp: (WebCore::CryptoAlgorithmX25519::deriveBits): * Source/WebCore/crypto/algorithms/CryptoAlgorithmX25519.h: Canonical link: https://commits.webkit.org/281240@main
…,webidl,smaug DONTBUILD The PR#345 [1] of the WebCrypto API specification changed the type of the deriveBits's length argument to become 'optional' and with 'null' as default value. The affected WebCrypto algorithms (HKDF, PBKDF2, ECDH and X25519) will be adapted to handle the case of a null length properly. [1] w3c/webcrypto#345 Differential Revision: https://phabricator.services.mozilla.com/D217532
…,webidl,smaug DONTBUILD The PR#345 [1] of the WebCrypto API specification changed the type of the deriveBits's length argument to become 'optional' and with 'null' as default value. The affected WebCrypto algorithms (HKDF, PBKDF2, ECDH and X25519) will be adapted to handle the case of a null length properly. [1] w3c/webcrypto#345 Differential Revision: https://phabricator.services.mozilla.com/D217532
…,webidl,smaug The PR#345 [1] of the WebCrypto API specification changed the type of the deriveBits's length argument to become 'optional' and with 'null' as default value. The affected WebCrypto algorithms (HKDF, PBKDF2, ECDH and X25519) will be adapted to handle the case of a null length properly. [1] w3c/webcrypto#345 Differential Revision: https://phabricator.services.mozilla.com/D217532
…,webidl,smaug The PR#345 [1] of the WebCrypto API specification changed the type of the deriveBits's length argument to become 'optional' and with 'null' as default value. The affected WebCrypto algorithms (HKDF, PBKDF2, ECDH and X25519) will be adapted to handle the case of a null length properly. [1] w3c/webcrypto#345 Differential Revision: https://phabricator.services.mozilla.com/D217532
…,webidl,smaug DONTBUILD The PR#345 [1] of the WebCrypto API specification changed the type of the deriveBits's length argument to become 'optional' and with 'null' as default value. The affected WebCrypto algorithms (HKDF, PBKDF2, ECDH and X25519) will be adapted to handle the case of a null length properly. [1] w3c/webcrypto#345 Differential Revision: https://phabricator.services.mozilla.com/D217532
…,webidl,smaug The PR#345 [1] of the WebCrypto API specification changed the type of the deriveBits's length argument to become 'optional' and with 'null' as default value. The affected WebCrypto algorithms (HKDF, PBKDF2, ECDH and X25519) will be adapted to handle the case of a null length properly. [1] w3c/webcrypto#345 Differential Revision: https://phabricator.services.mozilla.com/D217532
…32819) Fixes #12343 ### Problem `crypto.subtle.deriveBits(algorithm, baseKey, 0)` returns the entire ECDH / X25519 shared secret instead of zero bits: ```js const kp = await crypto.subtle.generateKey({ name: "ECDH", namedCurve: "P-256" }, false, ["deriveBits"]); const bits = await crypto.subtle.deriveBits({ name: "ECDH", public: kp.publicKey }, kp.privateKey, 0); bits.byteLength; // Bun: 32 (the whole secret) Node / spec: 0 ``` The spec declares the argument as `optional unsigned long? length = null` (changed in w3c/webcrypto#345, which #12343 tracks). Bun's binding converts it as a required non-nullable `unsigned long`, so `null` collapses to `0`, and the algorithm implementations then use `length == 0` as the "return everything" sentinel. Any wrapper that computes `length` dynamically and can reach `0` silently receives the raw shared secret. The same sentinel causes three more divergences (all cross-checked against Node v26): | call | Bun | Node / spec | |---|---|---| | `deriveBits(ecdh, key, 0)` | full 32-byte secret | empty `ArrayBuffer` | | `deriveBits(ecdh, key)` (length omitted) | `TypeError: Not enough arguments` | full secret | | `deriveBits(hkdf, key, 0)`, `deriveBits(pbkdf2, key, 0)` | `OperationError` | empty `ArrayBuffer` | | `deriveBits(ecdh, key, n)` with `n % 8 != 0` | last byte not masked | unused trailing bits zeroed | The last row is also security-relevant: a non-byte-aligned length returns more secret bits than requested. With a fixed P-256 pair, `deriveBits(..., 255)` gives `...6574a17b` on Bun and `...6574a17a` on Node (`0x7b & 0xfe`). ### Fix Backport the current WebKit signatures so the length stays nullable end to end: `SubtleCrypto::deriveBits` and `CryptoAlgorithm::deriveBits` take `std::optional<size_t>`, and `getKeyLength` returns `ExceptionOr<std::optional<size_t>>` (HKDF and PBKDF2 report "no inherent length" as `nullopt` instead of `0`). The binding converts the argument with `IDLNullable<IDLUnsignedLong>`, so `null`, `undefined`, and an omitted argument all become `nullopt` while `0` stays `0`. `deriveBits.length` changes from 3 to 2 accordingly. The ECDH and X25519 truncation now goes through one shared helper, `CryptoAlgorithm::extractDerivedBits`, which also zeroes the unused trailing bits of the final byte (`last &= 0xFF << (8 - length % 8)`). Upstream WebKit still omits that step; Node applies it (`masks[mod]` in `lib/internal/crypto/diffiehellman.js`) and the spec's "the first length bits of secret" requires it. `deriveKey` behavior is unchanged: `getKeyLength` returning `0` for HKDF/PBKDF2 already meant "derive the whole secret", it now says so with `nullopt`. ### Verification - `test/js/web/crypto/web-crypto.test.ts` gains a `SubtleCrypto.deriveBits length` block over a fixed P-256 pair. Every expected value was produced by Node v26 against the same keys: null/undefined/omitted/0/256/257, the masked outputs for 1/3/9/17/33/255 bits, HKDF/PBKDF2 with 0/null/7/16, PBKDF2 with a zero iteration count at lengths 0 and 256, and a `deriveKey` round trip through a length-less derived key type. - `test/js/bun/crypto/x25519-derive-bits.test.ts`: the existing `"zero length returns full output"` test asserted the old behavior; it now asserts zero bytes. New tests cover an omitted length and trailing-bit masking against the RFC 7748 vector. All of the new assertions fail on `main`. `test/js/deno/crypto/webcrypto.test.ts`, `test/regression/issue/24399.test.ts`, `test/js/bun/crypto/wpt-webcrypto.generateKey.test.ts`, and the eight active `test-webcrypto-*.js` Node compat tests still pass.
7 participants
Fixes #322, fixes #329. This is marked as a draft since there is not yet consensus in those issues that this is the solution we should go with, but having a concrete proposal might help move the process along.
This change allows omitting the
lengthparameter from calls toderiveBits, defaulting tonull, and also allows passingnullexplicitly (as the web platform tests already do).The "derive bits" operations already handle
nullas it can also be returned by the "get key length" operations.In the case of ECDH, the operation returns the entire derived key; in the case of HKDF and PBKDF2, the operation returns an error.
This is technically speaking a breaking change, since currently passing
nullexplicitly should cause it to be converted to0, causing an emptyArrayBufferto be returned. However, the only implementation that actually does so (Chromium) is willing to change this. Additionally, returning the entire value (for ECDH) seems more expected and more useful than returning an empty value.Preview | Diff