coolaj86
/
rasha.js
2
1
Rozštěpit 0
Zdrojový kód Issues 4 Pull Requests Releases Wiki Aktivita
Labels Milestones
New Issue

Support "passphrase" option in crytpo.generateKeyPair #3

otevřený
od Ghost otevřen před 5 roky · 5 komentářů
Ghost okomentoval před 5 roky

It would be nice to be able to provide a passphrase, and have that used in the creation of the private key. This is per the options available on crypto's generateKeyPair.

It would be nice to be able to provide a passphrase, and have that used in the creation of the private key. This is per the options available on crypto's generateKeyPair.
coolaj86 okomentoval před 5 roky
Vlastník

👍 Agreed.

Would you mind pasting an example of how this works in node, for reference, and also check to see if and how this could be supported in the browser?

I'm planning to get Rasha and Eckles ported to the browser this weekend and I'm hoping to keep the APIs consistent.

This could be added PEM-only at first - which means that the x509/asn1 code would need to be updated to support it - and I believe there's something in the JOSE spec that dictates how it's done for JWK as well.

:thumbsup: Agreed. Would you mind pasting an example of how this works in node, for reference, and also check to see if and how this could be supported in the browser? I'm planning to get Rasha and Eckles ported to the browser this weekend and I'm hoping to keep the APIs consistent. This could be added PEM-only at first - which means that the x509/asn1 code would need to be updated to support it - and I believe there's something in the JOSE spec that dictates how it's done for JWK as well.
Ghost okomentoval před 5 roky

This is just copy-pasted from the Crypto docs:

const { generateKeyPair } = require('crypto');
generateKeyPair('rsa', {
  modulusLength: 4096,
  publicKeyEncoding: {
    type: 'spki',
    format: 'pem'
  },
  privateKeyEncoding: {
    type: 'pkcs8',
    format: 'pem',
    cipher: 'aes-256-cbc',
    passphrase: 'top secret'
  }
}, (err, publicKey, privateKey) => {
  // Handle errors and use the generated key pair.
});

Since in lib/rasha.js:57 crypto's generateKeyPair is being called, it should be possible to just pass in passphrase as part of the privateKeyEncoding parameter.

As for whether it's available in the browser, I'm looking right now.

This is just copy-pasted from the Crypto docs: ``` const { generateKeyPair } = require('crypto'); generateKeyPair('rsa', { modulusLength: 4096, publicKeyEncoding: { type: 'spki', format: 'pem' }, privateKeyEncoding: { type: 'pkcs8', format: 'pem', cipher: 'aes-256-cbc', passphrase: 'top secret' } }, (err, publicKey, privateKey) => { // Handle errors and use the generated key pair. }); ``` Since in lib/rasha.js:57 crypto's generateKeyPair is being called, it should be possible to just pass in `passphrase` as part of the `privateKeyEncoding` parameter. As for whether it's available in the browser, I'm looking right now.
Ghost okomentoval před 5 roky

Crypto in the browser is new to me, but this seems like it may be related: https://stackoverflow.com/a/38425525

Crypto in the browser is new to me, but this seems like it may be related: https://stackoverflow.com/a/38425525
coolaj86 okomentoval před 5 roky
Vlastník

Passing it in would seem simple enough, but Rasha is intended to do signing with jwk and jose, so the change would affect multiple layers of the code.

I'll do a little more to check if WebCrypto supports it, but from that post it looks like not. Though they're talking about 3DES, which was broken wide open years ago and offers no security benefit in today's world. There's probably an AES version that might work in WebCrypto.

This isn't a priority for me, but I'm very willing to work with you to help get it implemented, documented and tested, and I'm okay if we have to document that it works for a, b and c calls in the API, but not x, y, and z.

Passing it in would seem simple enough, but Rasha is intended to do signing with jwk and jose, so the change would affect multiple layers of the code. I'll do a little more to check if WebCrypto supports it, but from that post it looks like not. Though they're talking about 3DES, which was broken wide open years ago and offers no security benefit in today's world. There's probably an AES version that might work in WebCrypto. This isn't a priority for me, but I'm very willing to work with you to help get it implemented, documented and tested, and I'm okay if we have to document that it works for `a`, `b` and `c` calls in the API, but not `x`, `y`, and `z`.
coolaj86 okomentoval před 5 roky
Vlastník

In other words: I'm actively maintaining this and I have a policy of "move to approve" when it comes to PRs, so I'm not going to ask you to do 11,000 things, be super nit-picky, and then ignore your commits for 2 whole years...

(I've had some bad experiences in open source...)

In other words: I'm actively maintaining this and I have a policy of "move to approve" when it comes to PRs, so I'm not going to ask you to do 11,000 things, be super nit-picky, and then ignore your commits for 2 whole years... (I've had some bad experiences in open source...)
Přihlaste se pro zapojení do konverzace.
No Branch/Tag Specified
Branches Tags
master
Labels
Apply labels
Clear labels
No items
No Label
Milestone
Set milestone
Clear milestone
No items
No Milestone
Assignees
Assign users
Clear assignees
No Assignees
2 účastníků
Oznámení
Termín dokončení

Žádný termín dokončení.

Závislosti

Tento úkol momentálně nemá žádné závislosti.

Zapsat Náhled
Načítá se…
Zrušit
Uložit
Není zde žádný obsah.
Smazat větev „%!s(MISSING)“

Smazání větve je trvalé. NEMŮŽE být vráceno zpět. Pokračovat?

Ne
Ano