Web Crypto: subtle.sign() insists on a hash parameter for HMAC

Issue #9425120 • Assigned to Divya G.


Wladimir P.
Oct 19, 2016
This issue is public.
Found in
  • Microsoft Edge
Standard affected
Web Cryptography API

Found in build #
Reported by 4 people

Sign in to watch or report this issue.

Steps to reproduce

Run the following code on any website:

window.crypto.subtle.importKey("raw", new Uint8Array(16), {name: "HMAC", hash: "SHA-1"}, false, ["sign"])
    .then(key => window.crypto.subtle.sign("HMAC", key, new Uint8Array(16)))
    .then(x => console.log("success"))
    .catch(e => console.error(e));

This prints “success” to console in both Firefox and Chrome. On Edge you get a cryptic error code (80700011) instead. It only works if you specify the hashing algorithm: window.crypto.subtle.sign({name: "HMAC", hash: "SHA-1"}, key, new Uint8Array(16)).

This is a standard violation. Under https://www.w3.org/TR/WebCryptoAPI/#hmac-registration you can see that signing with HMAC isn’t supposed to have parameters - the hashing algorithm is specified when the key is created. Edge on the other hand requires it to be specified twice right now.


0 attachments

    Comments and activity

    • Microsoft Edge Team

      Changed Assigned To to “Ibrahim O.”

      Changed Assigned To to “Venkat K.”

      Changed Assigned To from “Venkat K.” to “Steve B.”

    • seeing the same problem with window.crypto.subtle.verify({RSASSA-PKCS1-V1_5, hash: {name : "SHA-256"}},…
      Edge requires a Hash on verify algorithm even thought the W3C spec says it should be on the key-import algorithm. Chrome and Firefox work correctly without the verify-algorithm hash property.

    • Microsoft Edge Team

      Changed Assigned To from “Steve B.” to “Venkat K.”

      Changed Assigned To from “Venkat K.” to “Divya G.”

    You need to sign in to your Microsoft account to add a comment.

    Sign in