Web Crypto: subtle.sign() insists on a hash parameter for HMAC

Issue #9425120 • Assigned to Steve B.


Wladimir P.
Oct 19, 2016
This issue is public.
Found in
  • Microsoft Edge
Standard affected
Web Cryptography API

Found in build #
Reported by 4 people

Sign in to watch or report this issue.

Steps to reproduce

Run the following code on any website:

window.crypto.subtle.importKey("raw", new Uint8Array(16), {name: "HMAC", hash: "SHA-1"}, false, ["sign"])
    .then(key => window.crypto.subtle.sign("HMAC", key, new Uint8Array(16)))
    .then(x => console.log("success"))
    .catch(e => console.error(e));

This prints “success” to console in both Firefox and Chrome. On Edge you get a cryptic error code (80700011) instead. It only works if you specify the hashing algorithm: window.crypto.subtle.sign({name: "HMAC", hash: "SHA-1"}, key, new Uint8Array(16)).

This is a standard violation. Under https://www.w3.org/TR/WebCryptoAPI/#hmac-registration you can see that signing with HMAC isn’t supposed to have parameters - the hashing algorithm is specified when the key is created. Edge on the other hand requires it to be specified twice right now.


0 attachments

    Comments and activity

    • Microsoft Edge Team

      Changed Assigned To to “Ibrahim O.”

      Changed Assigned To to “Venkat K.”

      Changed Assigned To from “Venkat K.” to “Steve B.”

    • seeing the same problem with window.crypto.subtle.verify({RSASSA-PKCS1-V1_5, hash: {name : "SHA-256"}},…
      Edge requires a Hash on verify algorithm even thought the W3C spec says it should be on the key-import algorithm. Chrome and Firefox work correctly without the verify-algorithm hash property.

    You need to sign in to your Microsoft account to add a comment.

    Sign in