coolaj86
/
rasha.js
2
1
Fork 0
Code Issues 4 Pull Requests Releases Wiki Activity

Support "passphrase" option in crytpo.generateKeyPair #3

New Issue
Open
opened 2019-04-25 16:41:57 +00:00 by Ghost · 5 comments
Ghost commented 2019-04-25 16:41:57 +00:00
Copy Link

It would be nice to be able to provide a passphrase, and have that used in the creation of the private key. This is per the options available on crypto's generateKeyPair.

It would be nice to be able to provide a passphrase, and have that used in the creation of the private key. This is per the options available on crypto's generateKeyPair.
coolaj86 commented 2019-04-25 16:51:41 +00:00
Owner
Copy Link

👍 Agreed.

Would you mind pasting an example of how this works in node, for reference, and also check to see if and how this could be supported in the browser?

I'm planning to get Rasha and Eckles ported to the browser this weekend and I'm hoping to keep the APIs consistent.

This could be added PEM-only at first - which means that the x509/asn1 code would need to be updated to support it - and I believe there's something in the JOSE spec that dictates how it's done for JWK as well.

:thumbsup: Agreed. Would you mind pasting an example of how this works in node, for reference, and also check to see if and how this could be supported in the browser? I'm planning to get Rasha and Eckles ported to the browser this weekend and I'm hoping to keep the APIs consistent. This could be added PEM-only at first - which means that the x509/asn1 code would need to be updated to support it - and I believe there's something in the JOSE spec that dictates how it's done for JWK as well.
Ghost commented 2019-04-25 17:01:06 +00:00
Author
Copy Link

This is just copy-pasted from the Crypto docs:

const { generateKeyPair } = require('crypto');
generateKeyPair('rsa', {
  modulusLength: 4096,
  publicKeyEncoding: {
    type: 'spki',
    format: 'pem'
  },
  privateKeyEncoding: {
    type: 'pkcs8',
    format: 'pem',
    cipher: 'aes-256-cbc',
    passphrase: 'top secret'
  }
}, (err, publicKey, privateKey) => {
  // Handle errors and use the generated key pair.
});

Since in lib/rasha.js:57 crypto's generateKeyPair is being called, it should be possible to just pass in passphrase as part of the privateKeyEncoding parameter.

As for whether it's available in the browser, I'm looking right now.

This is just copy-pasted from the Crypto docs: ``` const { generateKeyPair } = require('crypto'); generateKeyPair('rsa', { modulusLength: 4096, publicKeyEncoding: { type: 'spki', format: 'pem' }, privateKeyEncoding: { type: 'pkcs8', format: 'pem', cipher: 'aes-256-cbc', passphrase: 'top secret' } }, (err, publicKey, privateKey) => { // Handle errors and use the generated key pair. }); ``` Since in lib/rasha.js:57 crypto's generateKeyPair is being called, it should be possible to just pass in `passphrase` as part of the `privateKeyEncoding` parameter. As for whether it's available in the browser, I'm looking right now.
Ghost commented 2019-04-25 17:08:43 +00:00
Author
Copy Link

Crypto in the browser is new to me, but this seems like it may be related: https://stackoverflow.com/a/38425525

Crypto in the browser is new to me, but this seems like it may be related: https://stackoverflow.com/a/38425525
coolaj86 commented 2019-04-25 18:25:00 +00:00
Owner
Copy Link

Passing it in would seem simple enough, but Rasha is intended to do signing with jwk and jose, so the change would affect multiple layers of the code.

I'll do a little more to check if WebCrypto supports it, but from that post it looks like not. Though they're talking about 3DES, which was broken wide open years ago and offers no security benefit in today's world. There's probably an AES version that might work in WebCrypto.

This isn't a priority for me, but I'm very willing to work with you to help get it implemented, documented and tested, and I'm okay if we have to document that it works for a, b and c calls in the API, but not x, y, and z.

Passing it in would seem simple enough, but Rasha is intended to do signing with jwk and jose, so the change would affect multiple layers of the code. I'll do a little more to check if WebCrypto supports it, but from that post it looks like not. Though they're talking about 3DES, which was broken wide open years ago and offers no security benefit in today's world. There's probably an AES version that might work in WebCrypto. This isn't a priority for me, but I'm very willing to work with you to help get it implemented, documented and tested, and I'm okay if we have to document that it works for `a`, `b` and `c` calls in the API, but not `x`, `y`, and `z`.
coolaj86 commented 2019-04-25 18:29:23 +00:00
Owner
Copy Link

In other words: I'm actively maintaining this and I have a policy of "move to approve" when it comes to PRs, so I'm not going to ask you to do 11,000 things, be super nit-picky, and then ignore your commits for 2 whole years...

(I've had some bad experiences in open source...)

In other words: I'm actively maintaining this and I have a policy of "move to approve" when it comes to PRs, so I'm not going to ask you to do 11,000 things, be super nit-picky, and then ignore your commits for 2 whole years... (I've had some bad experiences in open source...)
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
master
v1.3.0
v1.2.5
v1.2.4
v1.2.3
v1.2.2
v1.2.1
v1.2.0
v1.1.0
v1.0.5
v1.0.4
v1.0.3
v1.0.2
v1.0.1
v1.0.0
v0.8.2
v0.8.1
v0.8.0
v0.7.1
v0.7.0
Labels
Clear labels
No items
No Label
Milestone
Clear milestone
No items
No Milestone
Assignees
Clear assignees
No Assignees
2 Participants
Notifications
Due Date
The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: coolaj86/rasha.js#3
No description provided.
Delete Branch "%!s(<nil>)"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?