diff --git a/extensions/crypto/00_crypto.js b/extensions/crypto/00_crypto.js index a21469a818..449946295c 100644 --- a/extensions/crypto/00_crypto.js +++ b/extensions/crypto/00_crypto.js @@ -80,6 +80,7 @@ "verify": { "RSASSA-PKCS1-v1_5": null, "RSA-PSS": "RsaPssParams", + "HMAC": null, }, "importKey": { "HMAC": "HmacImportParams", @@ -690,6 +691,15 @@ signature, }, data); } + case "HMAC": { + const hash = key[_algorithm].hash.name; + return await core.opAsync("op_crypto_verify_key", { + key: keyData, + algorithm: "HMAC", + hash, + signature, + }, data); + } } throw new TypeError("unreachable"); diff --git a/extensions/crypto/lib.rs b/extensions/crypto/lib.rs index 09f237fa60..d1908120d1 100644 --- a/extensions/crypto/lib.rs +++ b/extensions/crypto/lib.rs @@ -505,6 +505,11 @@ pub async fn op_crypto_verify_key( .verify(padding, &hashed, &*args.signature) .is_ok() } + Algorithm::Hmac => { + let hash: HmacAlgorithm = args.hash.ok_or_else(not_supported)?.into(); + let key = HmacKey::new(hash, &*args.key.data); + ring::hmac::verify(&key, data, &*args.signature).is_ok() + } _ => return Err(type_error("Unsupported algorithm".to_string())), }; diff --git a/tools/wpt/expectation.json b/tools/wpt/expectation.json index b26b8fd527..eeb1bee2b3 100644 --- a/tools/wpt/expectation.json +++ b/tools/wpt/expectation.json @@ -15303,39 +15303,7 @@ "generate wrong key step: HMAC with SHA-1 verifying with wrong algorithm name", "generate wrong key step: HMAC with SHA-256 verifying with wrong algorithm name", "generate wrong key step: HMAC with SHA-384 verifying with wrong algorithm name", - "generate wrong key step: HMAC with SHA-512 verifying with wrong algorithm name", - "HMAC with SHA-1 verification", - "HMAC with SHA-256 verification", - "HMAC with SHA-384 verification", - "HMAC with SHA-512 verification", - "HMAC with SHA-1 verification with altered signature after call", - "HMAC with SHA-256 verification with altered signature after call", - "HMAC with SHA-384 verification with altered signature after call", - "HMAC with SHA-512 verification with altered signature after call", - "HMAC with SHA-1 with altered plaintext after call", - "HMAC with SHA-256 with altered plaintext after call", - "HMAC with SHA-384 with altered plaintext after call", - "HMAC with SHA-512 with altered plaintext after call", - "HMAC with SHA-1 no verify usage", - "HMAC with SHA-256 no verify usage", - "HMAC with SHA-384 no verify usage", - "HMAC with SHA-512 no verify usage", - "HMAC with SHA-1 round trip", - "HMAC with SHA-256 round trip", - "HMAC with SHA-384 round trip", - "HMAC with SHA-512 round trip", - "HMAC with SHA-1 verification failure due to wrong plaintext", - "HMAC with SHA-256 verification failure due to wrong plaintext", - "HMAC with SHA-384 verification failure due to wrong plaintext", - "HMAC with SHA-512 verification failure due to wrong plaintext", - "HMAC with SHA-1 verification failure due to wrong signature", - "HMAC with SHA-256 verification failure due to wrong signature", - "HMAC with SHA-384 verification failure due to wrong signature", - "HMAC with SHA-512 verification failure due to wrong signature", - "HMAC with SHA-1 verification failure due to short signature", - "HMAC with SHA-256 verification failure due to short signature", - "HMAC with SHA-384 verification failure due to short signature", - "HMAC with SHA-512 verification failure due to short signature" + "generate wrong key step: HMAC with SHA-512 verifying with wrong algorithm name" ], "rsa_pkcs.https.any.html": [ "importVectorKeys step: RSASSA-PKCS1-v1_5 with SHA-1 verification",