Consider signatures with invalid or small-order elements invalid

When verifying an Ed25519 or Ed448 signature, if the public key or the first half of the signature (`R`) is an invalid or small-order element, return false.
WICG · Jun 21, 2023 · d4c0252 · d4c0252
1 parent 0874265
commit d4c0252
Showing 1 changed file with 26 additions and 0 deletions.
diff --git a/index.html b/index.html
@@ -1867,6 +1867,19 @@ <h4>Operations</h4>
                 |key| is not {{KeyType/"public"}}, then [= exception/throw =] an {{InvalidAccessError}}.
               </p>
             </li>
+            <li>
+              <p>
+                If the key data of |key| represents an invalid point or a small-order element
+                on the Elliptic Curve of Ed25519, return `false`.
+              </p>
+            </li>
+            <li>
+              <p>
+                If the point R, encoded in the first half of |signature|,
+                represents an invalid point or a small-order element
+                on the Elliptic Curve of Ed25519, return `false`.
+              </p>
+            </li>
             <li>
               <p>
                 Perform the Ed25519 verification steps, as specified in [[RFC8032]],
@@ -2760,6 +2773,19 @@ <h4>Operations</h4>
                 then [= exception/throw =] an {{OperationError}}.
               </p>
             </li>
+            <li>
+              <p>
+                If the key data of |key| represents an invalid point or a small-order element
+                on the Elliptic Curve of Ed448, return `false`.
+              </p>
+            </li>
+            <li>
+              <p>
+                If the point R, encoded in the first half of |signature|,
+                represents an invalid point or a small-order element
+                on the Elliptic Curve of Ed448, return `false`.
+              </p>
+            </li>
             <li>
               <p>
                 Perform the Ed448 verification steps, as specified in [[RFC8032]],