(14 Kommentare) (0 Reaktionen) (1 zugewiesene Person)Go (30.564 Stars) (1.537 Forks)batch import

area: webcryptogood first issuehelp wanted

Beschreibung

What?

While implementing support of RSA grafana/xk6-webcrypto#85 we've found that standard Golang's SDK doesn't provide support of the saltLength: 0, instead it always tries to generate salt with the maximum length.

This led us for the patch to WebPlatfrom tests: https://github.com/grafana/xk6-webcrypto/blob/main/webcrypto/tests/wpt-patches/WebCryptoAPI__sign_verify__rsa.js.patch

Since some use cases could actually try to use the lengths of salt 0 we need to issue a log warning user that the actual behavior of our implementation is different.

edit(@mstoykov): After some discussion the idea is currently to throw an exception instead of just log a warning.

Why?

It improves UX and makes implementation predictable.

Contributor Guide

Tech Stack: gojavascript
Domain: backendsecurity
Issue Type: feature
Schwierigkeit: 3
Geschätzte Zeit: 1-3 hours
Aktivitätsstatus: active
Klarheit: mostly clear
Voraussetzungen: GoWebCrypto APIRSA PSS
Einsteigerfreundlichkeit: 40
Research-Richtung: The issue requires modifying the RSA PSS sign/verify implementation in Go to throw an exception when saltLength is 0. Review the discussion in the issue comments, especially the linked patch in xk6 webcrypto repository. The change should be in the file handling WebCrypto operations, likely in the xk6 webcrypto submodule or a similar location. Ensure the exception matches the WebCrypto specification.