Keep the JsonWebKey dictionary types in line with other dictionary
types in the codebase by putting them in the Crypto namespace
rather than under Web::Bindings.
For private key JWK imports, after decoding both d and x, derive
the public key from d and verify it matches x. A private key that
doesn't correspond to the provided public key doesn't "contain the
private key" as required by RFC 8037 Section 2.
After base64url-decoding the x and d fields during JWK import,
verify the decoded byte length matches the expected key size for
the curve (32 for Ed25519/X25519, 57 for Ed448, 56 for X448).
A truncated value does not "contain the public/private key" as
required by RFC 8037 Section 2.
Ed448 public keys are 57 bytes (456 bits), not 56 bytes (448 bits).
The curve is named "Ed448" after its 448-bit prime field, but per
RFC 8032 Section 5.2.5, the parameter b=456 and both private and
public keys are 57 bytes. This caused importKey to reject valid raw
Ed448 public keys with a DataError.
Note: The spec incorrectly says "not 448" for this check.
See https://github.com/w3c/webcrypto/pull/425#discussion_r3070135408
Add a LibCrypto::Authentication::KMAC helper over OpenSSL.
Add keygen/import/export logic into WebCrypto.
Register KMAC128/KMAC256 operations with SubtleCrypto.
Implement AES-OCB AEAD using OpenSSL and expose it through
the WebCrypto API, including key management and AEAD parameters.
Add WPT:
/encrypt_decrypt/aes_ocb.tentative.https.any.html
The WebCrypto specification does not require the "alg" member
to be present when importing a symmetric JWK, as long as the
key material itself is valid.
Add tests covering JWK import without an "alg" field.
This fixes the following WPT:
WebCryptoAPI/import_export/ChaCha20-Poly1305_importKey
The key_ops vector is pre-sized with ensure_capacity(), so
bounds-checked append() is unnecessary here.
Switch to unchecked_append() to avoid redundant checks.
This change was suggested in a previous pull request #7563.
Add some typo and wrong comment.
Implement ChaCha20-Poly1305 AEAD using OpenSSL and expose it through
the WebCrypto API, including key management and AEAD parameters.
Add WPT:
/encrypt_decrypt/chacha20_poly1305.tentative.https.any.worker.html
AK/Random is already the same as SecureRandom. See PR for more details.
ProcessPrng is used on Windows for compatibility w/ sandboxing measures
See e.g. https://crbug.com/40277768
Introduce a new SHAKE hash wrapper in LibCrypto backed by OpenSSL.
Wire cSHAKE128 and cSHAKE256 into WebCrypto.
Note that cSHAKE with non-empty functionName or customization is
currently rejected due to OpenSSL EVP limitations.
This fixes WPT:
WebCryptoAPI/digest/cshake.tentative.https.any.html
