feat(extensions/crypto): implement verify() for HMAC (#11387)

denoland · Aug 4, 2021 · 87de8e8 · 87de8e8
1 parent 2ac031d
commit 87de8e8
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 33 deletions.
diff --git a/extensions/crypto/00_crypto.js b/extensions/crypto/00_crypto.js
@@ -80,6 +80,7 @@
     "verify": {
       "RSASSA-PKCS1-v1_5": null,
       "RSA-PSS": "RsaPssParams",
+      "HMAC": null,
     },
     "importKey": {
       "HMAC": "HmacImportParams",
@@ -690,6 +691,15 @@
             signature,
           }, data);
         }
+        case "HMAC": {
+          const hash = key[_algorithm].hash.name;
+          return await core.opAsync("op_crypto_verify_key", {
+            key: keyData,
+            algorithm: "HMAC",
+            hash,
+            signature,
+          }, data);
+        }
       }
 
       throw new TypeError("unreachable");

diff --git a/extensions/crypto/lib.rs b/extensions/crypto/lib.rs
@@ -505,6 +505,11 @@ pub async fn op_crypto_verify_key(
         .verify(padding, &hashed, &*args.signature)
         .is_ok()
     }
+    Algorithm::Hmac => {
+      let hash: HmacAlgorithm = args.hash.ok_or_else(not_supported)?.into();
+      let key = HmacKey::new(hash, &*args.key.data);
+      ring::hmac::verify(&key, data, &*args.signature).is_ok()
+    }
     _ => return Err(type_error("Unsupported algorithm".to_string())),
   };
 

diff --git a/tools/wpt/expectation.json b/tools/wpt/expectation.json
@@ -15303,39 +15303,7 @@
         "generate wrong key step: HMAC with SHA-1 verifying with wrong algorithm name",
         "generate wrong key step: HMAC with SHA-256 verifying with wrong algorithm name",
         "generate wrong key step: HMAC with SHA-384 verifying with wrong algorithm name",
-        "generate wrong key step: HMAC with SHA-512 verifying with wrong algorithm name",
-        "HMAC with SHA-1 verification",
-        "HMAC with SHA-256 verification",
-        "HMAC with SHA-384 verification",
-        "HMAC with SHA-512 verification",
-        "HMAC with SHA-1 verification with altered signature after call",
-        "HMAC with SHA-256 verification with altered signature after call",
-        "HMAC with SHA-384 verification with altered signature after call",
-        "HMAC with SHA-512 verification with altered signature after call",
-        "HMAC with SHA-1 with altered plaintext after call",
-        "HMAC with SHA-256 with altered plaintext after call",
-        "HMAC with SHA-384 with altered plaintext after call",
-        "HMAC with SHA-512 with altered plaintext after call",
-        "HMAC with SHA-1 no verify usage",
-        "HMAC with SHA-256 no verify usage",
-        "HMAC with SHA-384 no verify usage",
-        "HMAC with SHA-512 no verify usage",
-        "HMAC with SHA-1 round trip",
-        "HMAC with SHA-256 round trip",
-        "HMAC with SHA-384 round trip",
-        "HMAC with SHA-512 round trip",
-        "HMAC with SHA-1 verification failure due to wrong plaintext",
-        "HMAC with SHA-256 verification failure due to wrong plaintext",
-        "HMAC with SHA-384 verification failure due to wrong plaintext",
-        "HMAC with SHA-512 verification failure due to wrong plaintext",
-        "HMAC with SHA-1 verification failure due to wrong signature",
-        "HMAC with SHA-256 verification failure due to wrong signature",
-        "HMAC with SHA-384 verification failure due to wrong signature",
-        "HMAC with SHA-512 verification failure due to wrong signature",
-        "HMAC with SHA-1 verification failure due to short signature",
-        "HMAC with SHA-256 verification failure due to short signature",
-        "HMAC with SHA-384 verification failure due to short signature",
-        "HMAC with SHA-512 verification failure due to short signature"
+        "generate wrong key step: HMAC with SHA-512 verifying with wrong algorithm name"
       ],
       "rsa_pkcs.https.any.html": [
         "importVectorKeys step: RSASSA-PKCS1-v1_5 with SHA-1 verification",