web-platform-tests · twiss · Feb 19, 2024 · Dec 18, 2023
diff --git a/WebCryptoAPI/derive_bits_keys/cfrg_curves_bits.js b/WebCryptoAPI/derive_bits_keys/cfrg_curves_bits.js
@@ -6,8 +6,6 @@ function define_tests() {
   // Verify the derive functions perform checks against the all-zero value results,
   // ensuring small-order points are rejected.
   // https://www.rfc-editor.org/rfc/rfc7748#section-6.1
-  // TODO: The spec states that the check must be done on use, but there is discussion about doing it on import.
-  // https://github.com/WICG/webcrypto-secure-curves/pull/13
   Object.keys(kSmallOrderPoint).forEach(function(algorithmName) {
       kSmallOrderPoint[algorithmName].forEach(function(test) {
           promise_test(async() => {
@@ -23,8 +21,8 @@ function define_tests() {
                                                  false, [])
                   derived = await subtle.deriveBits({name: algorithmName, public: publicKey}, privateKey, 8 * sizes[algorithmName]);
               } catch (err) {
-                  assert_false(privateKey === undefined, "Private key should be valid.");
-                  assert_false(publicKey === undefined, "Public key should be valid.");
+                  assert_true(privateKey !== undefined, "Private key should be valid.");
+                  assert_true(publicKey !== undefined, "Public key should be valid.");
                   assert_equals(err.name, "OperationError", "Should throw correct error, not " + err.name + ": " + err.message + ".");
               }
               assert_equals(derived, undefined, "Operation succeeded, but should not have.");

diff --git a/WebCryptoAPI/sign_verify/eddsa.js b/WebCryptoAPI/sign_verify/eddsa.js
@@ -366,6 +366,28 @@ function run_test() {
       }, "Sign and verify using generated " + vector.algorithmName + " keys.");
   });
 
+  // When verifying an Ed25519 or Ed448 signature, if the public key or the first half of the signature (R) is
+  // an invalid or small-order element, return false.
+  Object.keys(kSmallOrderTestCases).forEach(function (algorithmName) {
+      var algorithm = {name: algorithmName};
+      kSmallOrderTestCases[algorithmName].forEach(function(test) {
+          // Test low-order public keys
+          promise_test(async() => {
+              let isVerified = true;
+              let publicKey;
+              try {
+                  publicKey = await subtle.importKey("raw", test.keyData,
+                                                 algorithm,
+                                                 false, ["verify"])
+                  isVerified = await subtle.verify(algorithmName, publicKey, test.signature, test.message);
+              } catch (err) {
+                  assert_equals(isVerified, test.verified, "Signature verification result.");
+                  assert_unreached("The operation shouldn't fail, but it thown this error: " + err.name + ": " + err.message + ".");
+              }
+              assert_false(isVerified, "Signature verification result.");
+          }, algorithmName + " Verification checks with small-order key of order - Test " + test.id);
+      });
+  });
 
   // A test vector has all needed fields for signing and verifying, EXCEPT that the
   // key field may be null. This function replaces that null with the Correct