oauth2.dev

unwrapKey

IESG

Registry Context

`unwrapKey` identifies a key intended to decrypt an encrypted key and validate the decryption, if applicable.

Technical Summary

`unwrapKey` is a case-sensitive JWK `key_ops` value defined by RFC 7517 for decrypting a key and validating the decryption, if applicable.

When Used

Use `unwrapKey` in a JWK `key_ops` array to identify a key intended for key unwrapping.

Normative Requirements

Unspecified actor

MUST NOT
1
  1. RFC 7517 - Section 4.3

    Duplicate key operation values must not be present in a JWK `key_ops` array..

    Condition: When a JWK contains a `key_ops` array.

    “Duplicate key operation values MUST NOT be present in the array.”

MUST
1
  1. RFC 7517 - Section 4.3

    The information conveyed by the JWK `use` and `key_ops` members must be consistent..

    Condition: If both members are used.

    “if both are used, the information they convey MUST be consistent.”

SHOULD NOT
2
  1. RFC 7517 - Section 4.3

    Multiple unrelated key operations should not be specified for a key, and combinations other than the identified related pairs should not be used..

    Condition: When specifying multiple operations in `key_ops`; `wrapKey` with `unwrapKey` is an identified permitted combination.

    “Multiple unrelated key operations SHOULD NOT be specified for a key” and “other combinations SHOULD NOT be used.”

  2. RFC 7517 - Section 4.3

    The JWK `use` and `key_ops` members should not be used together..

    Condition: When describing the intended use or operations of a JWK.

    “The "use" and "key_ops" JWK members SHOULD NOT be used together”

RECOMMENDED
1
  1. RFC 7517 - Section 8.3.1

    A registered key operation name should be short and should not exceed 8 characters without a compelling reason..

    Condition: When requesting registration of a JWK key operation value.

    “it is RECOMMENDED that the name be short -- not to exceed 8 characters without a compelling reason”

OPTIONAL
1
  1. RFC 7517 - Section 4.3

    The JWK `key_ops` member is optional..

    Condition: Unless the application requires its presence.

    “Use of the "key_ops" member is OPTIONAL, unless the application requires its presence.”

Validation Guidance

error

Verify that the value is spelled exactly `unwrapKey`; key operation values are case-sensitive strings.

error

Reject a JWK `key_ops` array containing `unwrapKey` more than once.

warning

Flag combinations of `unwrapKey` with unrelated operations; `wrapKey` with `unwrapKey` is expressly permitted.

warning

Flag a JWK that uses both `use` and `key_ops`.

error

If both `use` and `key_ops` are present, reject inconsistent intended-use information.

Security Notes

RFC 7517 - Section 4.3

Specifying multiple unrelated operations can expose a key to vulnerabilities associated with using the same key with multiple algorithms.

Reference

Details

Entry Id
unwrapKey
Key Operation Value
unwrapKey
Key Operation Description
Decrypt key and validate decryption, if applicable
Change Controller
IESG
Reference
RFC7517 - Section 4.3