Skip to content

Fix HMAC JWK import length handling#303

Open
harrshita123 wants to merge 4 commits into
google:masterfrom
harrshita123:codex/hmac-jwk-length
Open

Fix HMAC JWK import length handling#303
harrshita123 wants to merge 4 commits into
google:masterfrom
harrshita123:codex/hmac-jwk-length

Conversation

@harrshita123

@harrshita123 harrshita123 commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Fixes #302.

What changed

  • Pass length through HMAC JWK import.
  • Apply length after decoding jwk.k, matching Web Crypto HMAC import steps.
  • Keep raw and JWK import behavior consistent for non-byte-aligned lengths.
  • Add regression coverage for raw/JWK parity and invalid HMAC key length.

Testing

  • /Users/apple/flutter/bin/dart run lib/src/testing/regression/issue_302_hmac_jwk_length.dart
  • /Users/apple/flutter/bin/dart test test/webcrypto_test.dart
  • /Users/apple/flutter/bin/dart analyze

Comment thread lib/src/webcrypto/webcrypto.hmac.dart Outdated
Comment thread lib/src/testing/regression/issue_302_hmac_jwk_length.dart
@harrshita123
harrshita123 force-pushed the codex/hmac-jwk-length branch from 8e351d9 to 554da8c Compare July 8, 2026 09:08
@harrshita123
harrshita123 force-pushed the codex/hmac-jwk-length branch from 554da8c to b22f865 Compare July 8, 2026 09:10
@harrshita123
harrshita123 deleted the codex/hmac-jwk-length branch July 8, 2026 09:21
@harrshita123
harrshita123 restored the codex/hmac-jwk-length branch July 8, 2026 09:24
@harrshita123 harrshita123 reopened this Jul 8, 2026
@harrshita123

Copy link
Copy Markdown
Contributor Author

Sorry, I accidentally clicked the close button. I have reopened the PR.

Keep both the upstream js_interop import and the HMAC JWK base64Url import in the JS implementation.
@harrshita123
harrshita123 force-pushed the codex/hmac-jwk-length branch from c8c9ea2 to c4479da Compare July 8, 2026 16:55
@harrshita123

Copy link
Copy Markdown
Contributor Author

@jonasfj I resolved all conflicts.

@HamdaanAliQuatil HamdaanAliQuatil left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I checked this against the normative HMAC import steps and left the details in #302. Unlike hash or curve, length is applied after the JWK has been decoded: the imported key consists of the first length bits.

That means the current validation-only implementation, particularly the test rejecting non-zero discarded bits, would encode behavior that differs from Web Crypto. I think we should settle the expected behavior in #302 before merging this.

@harrshita123

Copy link
Copy Markdown
Contributor Author

Thanks for the clarification and for checking the HMAC import steps against the Web Crypto spec.

I updated the PR so JWK import now follows the same behavior as raw import: it decodes jwk.k first, then applies length by using the first length bits. I also removed the validation-only behavior that rejected non-zero discarded bits, since that would not match the spec.

The regression test now covers the raw/JWK parity case for { k: "_-A" } with length: 9, and the focused regression test, dart analyze, and test/webcrypto_test.dart are passing.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

HmacSecretKey.importJsonWebKey ignores length

3 participants