coolaj86
/
rasha.js
2
1
Fork 0
Code Issues 4 Pull Requests Releases Wiki Activity
Labels Milestones
New Issue

Support "passphrase" option in crytpo.generateKeyPair #3

Open
by Ghost opened 5 years ago · 5 comments
Ghost commented 5 years ago

It would be nice to be able to provide a passphrase, and have that used in the creation of the private key. This is per the options available on crypto's generateKeyPair.

It would be nice to be able to provide a passphrase, and have that used in the creation of the private key. This is per the options available on crypto's generateKeyPair.
coolaj86 commented 5 years ago
Owner

👍 Agreed.

Would you mind pasting an example of how this works in node, for reference, and also check to see if and how this could be supported in the browser?

I'm planning to get Rasha and Eckles ported to the browser this weekend and I'm hoping to keep the APIs consistent.

This could be added PEM-only at first - which means that the x509/asn1 code would need to be updated to support it - and I believe there's something in the JOSE spec that dictates how it's done for JWK as well.

:thumbsup: Agreed. Would you mind pasting an example of how this works in node, for reference, and also check to see if and how this could be supported in the browser? I'm planning to get Rasha and Eckles ported to the browser this weekend and I'm hoping to keep the APIs consistent. This could be added PEM-only at first - which means that the x509/asn1 code would need to be updated to support it - and I believe there's something in the JOSE spec that dictates how it's done for JWK as well.
Ghost commented 5 years ago

This is just copy-pasted from the Crypto docs:

const { generateKeyPair } = require('crypto');
generateKeyPair('rsa', {
  modulusLength: 4096,
  publicKeyEncoding: {
    type: 'spki',
    format: 'pem'
  },
  privateKeyEncoding: {
    type: 'pkcs8',
    format: 'pem',
    cipher: 'aes-256-cbc',
    passphrase: 'top secret'
  }
}, (err, publicKey, privateKey) => {
  // Handle errors and use the generated key pair.
});

Since in lib/rasha.js:57 crypto's generateKeyPair is being called, it should be possible to just pass in passphrase as part of the privateKeyEncoding parameter.

As for whether it's available in the browser, I'm looking right now.

This is just copy-pasted from the Crypto docs: ``` const { generateKeyPair } = require('crypto'); generateKeyPair('rsa', { modulusLength: 4096, publicKeyEncoding: { type: 'spki', format: 'pem' }, privateKeyEncoding: { type: 'pkcs8', format: 'pem', cipher: 'aes-256-cbc', passphrase: 'top secret' } }, (err, publicKey, privateKey) => { // Handle errors and use the generated key pair. }); ``` Since in lib/rasha.js:57 crypto's generateKeyPair is being called, it should be possible to just pass in `passphrase` as part of the `privateKeyEncoding` parameter. As for whether it's available in the browser, I'm looking right now.
Ghost commented 5 years ago

Crypto in the browser is new to me, but this seems like it may be related: https://stackoverflow.com/a/38425525

Crypto in the browser is new to me, but this seems like it may be related: https://stackoverflow.com/a/38425525
coolaj86 commented 5 years ago
Owner

Passing it in would seem simple enough, but Rasha is intended to do signing with jwk and jose, so the change would affect multiple layers of the code.

I'll do a little more to check if WebCrypto supports it, but from that post it looks like not. Though they're talking about 3DES, which was broken wide open years ago and offers no security benefit in today's world. There's probably an AES version that might work in WebCrypto.

This isn't a priority for me, but I'm very willing to work with you to help get it implemented, documented and tested, and I'm okay if we have to document that it works for a, b and c calls in the API, but not x, y, and z.

Passing it in would seem simple enough, but Rasha is intended to do signing with jwk and jose, so the change would affect multiple layers of the code. I'll do a little more to check if WebCrypto supports it, but from that post it looks like not. Though they're talking about 3DES, which was broken wide open years ago and offers no security benefit in today's world. There's probably an AES version that might work in WebCrypto. This isn't a priority for me, but I'm very willing to work with you to help get it implemented, documented and tested, and I'm okay if we have to document that it works for `a`, `b` and `c` calls in the API, but not `x`, `y`, and `z`.
coolaj86 commented 5 years ago
Owner

In other words: I'm actively maintaining this and I have a policy of "move to approve" when it comes to PRs, so I'm not going to ask you to do 11,000 things, be super nit-picky, and then ignore your commits for 2 whole years...

(I've had some bad experiences in open source...)

In other words: I'm actively maintaining this and I have a policy of "move to approve" when it comes to PRs, so I'm not going to ask you to do 11,000 things, be super nit-picky, and then ignore your commits for 2 whole years... (I've had some bad experiences in open source...)
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
master
Labels
Apply labels
Clear labels
No items
No Label
Milestone
Set milestone
Clear milestone
No items
No Milestone
Assignees
Assign users
Clear assignees
No Assignees
2 Participants
Notifications
Due Date

No due date set.

Dependencies

This issue currently doesn't have any dependencies.

Write Preview
Loading…
Cancel
Save
There is no content yet.
Delete Branch '%!s(MISSING)'

Deleting a branch is permanent. It CANNOT be undone. Continue?

No
Yes