Fixed typo in a few statements of the EC key import operation

[javifernandez]

Replace "sig" with "sign" in a few statements about the allowed values of the "use" JWK field.

---

Preview | Diff

[panva]

"sig" and "enc" are the registered JWK "use" values - https://www.iana.org/assignments/jose/jose.xhtml#web-key-use

[javifernandez]

"sig" and "enc" are the registered JWK "use" values - https://www.iana.org/assignments/jose/jose.xhtml#web-key-use

Indeed, I have just realized. However, we are checking for "sign" in all the importKey test. I assume "sign" is also valid for any of the specified algorithms, but perhaps we should clarify it in the spec somehow.

Do you think it's worth discussing it in a spec issue ? Otherwise, if it's clear already I'm happy to abandon this PR.

[panva]

• we're checking for "sign" in WebCrypto's usages/keyUsages
• we're checking for "sig" in jwk's "use" parameter

Don't we?

[javifernandez]

• we're checking for "sign" in WebCrypto's usages/keyUsages

  • we're checking for "sig" in jwk's "use" parameter

Don't we?

Yeah, I confused the WebCrypto "usages" with the JWK fileds. I don't think the spec needs any change here.

However, we don't have tests in the wpt repo to verify the implementations accept "sig" in the JWK "use" filed. There are just tests to verify clearly invalid values raise a DataError exception. Perhaps we should add some to verify the "sig" is accepted.

[Frosne]

I think the confusion is because of me.

So, our implementation misses the checks for jwk.use field.

WebCryptoAPI:

the use field of jwk is present and is not "sig", then throw a DataError. 

Thus, I interpret it as the private key may have a use field with 'sig' there?

RFC 7517:

The "use" (public key use) parameter identifies the intended use of the public key

Other values MAY be used.  The "use" value is a case-sensitive string.  Use of the "use" member is OPTIONAL, unless the application requires its presence.

[panva]

Thus, I interpret it as the private key may have a use field with 'sig' there?

yes

[Frosne]

So, just to be clear:

We extend the RFC 7517 by re-using the field "use" for private keys. If a private key has a jwk field 'use', it should be treated the same way as in the appropriate public key import.

It does not go to any documentation, but it's a rule for me to use while implementing

[panva]

I see what you're getting at now. The use of the "use" jwk parameter is not exclusive to public key representations.

[Frosne]

Yea, I was trying to follow the RFC interpretation, where 'use' is just not defined for private keys.

[panva]

If we squint real hard the JWK private key also always includes the public key ;)

[Frosne]

The result of today: Reading RFC is dangerous.

[javifernandez]

I think the confusion is because of me.

So, our implementation misses the checks for jwk.use field.

We lack tests to verify valid values of the "use" filed. Perhaps we should add a few.