Add support for EC keys #3

pehmo1 · 2021-08-06T00:08:00Z

pehmo1 commented

2021-08-06 00:08:00 +00:00

Didn't find replacement for forge.pki.certificateToAsn1() and forge.asn1.toDer().

lauri commented

2021-08-06 05:04:38 +00:00

What are formatPEM.js and pkcs12chain, where are they from, why aren't they installed via npm and are you sure pki.js or asn1js doesn't already provide this? Whenever you pull in external files please add them in separate commit and add into commit description where they came from and why they were added
HASH_ALG, RSA_SIGN_ALG, EC_SIGN_ALG, KEY_SIZE should all really go away and they should be pulled from /api/bootstrap instead. Looks like at least hash algorithm is missing, please add it under certificate.authority dict. There's more hardcoded stuff that should really be pulled from /api/bootstrap https://git.k-space.ee/pinecrypt/frontend/src/branch/master/static/js/certidude.js#L250
All the P12 stuff should really happen inside case 'p12':
Please remove all messy inline conversions and use external function for converting between PEM/DER/whatever (base64 convert, line length limit and also ASCII armor text): https://git.k-space.ee/pinecrypt/frontend/src/branch/master/static/js/certidude.js#L135 https://git.k-space.ee/pinecrypt/frontend/src/branch/master/static/js/certidude.js#L231 https://git.k-space.ee/pinecrypt/frontend/src/branch/master/static/js/certidude.js#L274 https://git.k-space.ee/pinecrypt/frontend/src/branch/master/static/js/certidude.js#L324 etc. Create own functions if you're sure pki.js or asn1js doesn't include what you need
crypto.generateKey is the only long running function call, I don't see reason to complicate code with sequence here?

PKI terminologiy is a mess, to clarify:

DER format is the ASN1 structure encoded to bytes
BER is subset of DER, to simplify things consider them equivalent
PEM is the same DER piece encoded in base64 and surrounded by ----- BEGIN ... ----- and ----- END ... -----
PKCS 12 = PKCS#12 = P12 = PFX which is format to store key+cert bundles. It's really painful to work with because it lacks support everywhere but it's the only method to supply key+cert to StrongSwan client on Android/iOS

Did you test downloading StrongSwan profile (.sswan)? It should contain sensible JSON and the local.p12 attribute should contain P12 bundle that you should be able to parse with openssl pkcs12. For more info see https://wiki.strongswan.org/projects/strongswan/wiki/AndroidVPNClientProfiles

* What are `formatPEM.js` and `pkcs12chain`, where are they from, why aren't they installed via `npm` and are you sure `pki.js` or `asn1js` doesn't already provide this? Whenever you pull in external files please add them in separate commit and add into commit description where they came from and why they were added * `HASH_ALG`, `RSA_SIGN_ALG`, `EC_SIGN_ALG`, `KEY_SIZE` should all really go away and they should be pulled from `/api/bootstrap` instead. Looks like at least hash algorithm is missing, please add it under `certificate.authority` dict. There's more hardcoded stuff that should really be pulled from `/api/bootstrap` https://git.k-space.ee/pinecrypt/frontend/src/branch/master/static/js/certidude.js#L250 * All the [P12 stuff](https://git.k-space.ee/pinecrypt/frontend/src/branch/master/static/js/certidude.js#L236) should really happen inside `case 'p12':` * Please remove all messy inline conversions and use external function for converting between PEM/DER/whatever (base64 convert, line length limit and also ASCII armor text): https://git.k-space.ee/pinecrypt/frontend/src/branch/master/static/js/certidude.js#L135 https://git.k-space.ee/pinecrypt/frontend/src/branch/master/static/js/certidude.js#L231 https://git.k-space.ee/pinecrypt/frontend/src/branch/master/static/js/certidude.js#L274 https://git.k-space.ee/pinecrypt/frontend/src/branch/master/static/js/certidude.js#L324 etc. Create own functions if you're sure `pki.js` or `asn1js` doesn't include what you need * `crypto.generateKey` is the only long running function call, I don't see reason to complicate code with `sequence` here? PKI terminologiy is a mess, to clarify: * DER format is the ASN1 structure encoded to bytes * BER is subset of DER, to simplify things consider them equivalent * PEM is the same DER piece encoded in base64 and surrounded by `----- BEGIN ... -----` and `----- END ... -----` * PKCS 12 = PKCS#12 = P12 = PFX which is format to store key+cert bundles. It's really painful to work with because it lacks support everywhere but it's the only method to supply key+cert to StrongSwan client on Android/iOS Did you test downloading StrongSwan profile (.sswan)? It should contain sensible JSON and the `local.p12` attribute should contain P12 bundle that you should be able to parse with `openssl pkcs12`. For more info see https://wiki.strongswan.org/projects/strongswan/wiki/AndroidVPNClientProfiles

pehmo1 force-pushed ec-key-support from be409827f5 to baa6acbf77

2021-08-12 20:14:25 +00:00

Compare

pehmo1 added 1 commit 2021-08-12 20:23:04 +00:00

Remove forge from Dockerfile 863db37ccb

pehmo1 added 1 commit 2021-08-16 16:23:07 +00:00

Make util.js functions generic e2077a89cf

Also moved crypto to window.cryptoEngine for easy access in util.js

pehmo1 commented

2021-08-17 10:52:40 +00:00

What are formatPEM.js and pkcs12chain, where are they from, why aren't they installed via npm and are you sure pki.js or asn1js doesn't already provide this? Whenever you pull in external files please add them in separate commit and add into commit description where they came from and why they were added

formatPEM.js formats a string into PEM format (64 chars per line), comes from f4768689ba/examples/examples_common.js.
pkcs12chain.js wraps boilerplate for generating a PFX instance with a cert chain, comes from https://github.com/PeculiarVentures/PKI.js/issues/104.

HASH_ALG, RSA_SIGN_ALG, EC_SIGN_ALG, KEY_SIZE should all really go away and they should be pulled from /api/bootstrap instead. Looks like at least hash algorithm is missing, please add it under certificate.authority dict. There's more hardcoded stuff that should really be pulled from /api/bootstrap https://git.k-space.ee/pinecrypt/frontend/src/branch/master/static/js/certidude.js#L250

Fixed

All the P12 stuff should really happen inside case 'p12':

Fixed

Please remove all messy inline conversions and use external function for converting between PEM/DER/whatever (base64 convert, line length limit and also ASCII armor text): https://git.k-space.ee/pinecrypt/frontend/src/branch/master/static/js/certidude.js#L135 https://git.k-space.ee/pinecrypt/frontend/src/branch/master/static/js/certidude.js#L231 https://git.k-space.ee/pinecrypt/frontend/src/branch/master/static/js/certidude.js#L274 https://git.k-space.ee/pinecrypt/frontend/src/branch/master/static/js/certidude.js#L324 etc. Create own functions if you're sure pki.js or asn1js doesn't include what you need

Fixed

crypto.generateKey is the only long running function call, I don't see reason to complicate code with sequence here?

Fixed

> What are formatPEM.js and pkcs12chain, where are they from, why aren't they installed via npm and are you sure pki.js or asn1js doesn't already provide this? Whenever you pull in external files please add them in separate commit and add into commit description where they came from and why they were added * formatPEM.js formats a string into PEM format (64 chars per line), comes from https://github.com/PeculiarVentures/PKI.js/blob/f4768689ba4f4ea0a65fda25f9af6eb4d72c3a45/examples/examples_common.js. pkcs12chain.js wraps boilerplate for generating a PFX instance with a cert chain, comes from https://github.com/PeculiarVentures/PKI.js/issues/104. > HASH_ALG, RSA_SIGN_ALG, EC_SIGN_ALG, KEY_SIZE should all really go away and they should be pulled from /api/bootstrap instead. Looks like at least hash algorithm is missing, please add it under certificate.authority dict. There's more hardcoded stuff that should really be pulled from /api/bootstrap https://git.k-space.ee/pinecrypt/frontend/src/branch/master/static/js/certidude.js#L250 * Fixed > All the P12 stuff should really happen inside case 'p12': * Fixed > Please remove all messy inline conversions and use external function for converting between PEM/DER/whatever (base64 convert, line length limit and also ASCII armor text): https://git.k-space.ee/pinecrypt/frontend/src/branch/master/static/js/certidude.js#L135 https://git.k-space.ee/pinecrypt/frontend/src/branch/master/static/js/certidude.js#L231 https://git.k-space.ee/pinecrypt/frontend/src/branch/master/static/js/certidude.js#L274 https://git.k-space.ee/pinecrypt/frontend/src/branch/master/static/js/certidude.js#L324 etc. Create own functions if you're sure pki.js or asn1js doesn't include what you need * Fixed > crypto.generateKey is the only long running function call, I don't see reason to complicate code with sequence here? * Fixed

marva commented

2021-08-17 17:02:11 +00:00

Change

-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----

to

-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----

then its working with EC to

Change ``` -----BEGIN RSA PRIVATE KEY----- -----END RSA PRIVATE KEY----- ``` to ``` -----BEGIN PRIVATE KEY----- -----END PRIVATE KEY----- then its working with EC to

pehmo1 added 1 commit 2021-08-17 19:40:59 +00:00

Make pkijsToPem return generic private key PEM 4ee487073d

pehmo1 added 1 commit 2021-08-19 11:49:22 +00:00

Get all crypto values from authority 613da4d0b5

lauri merged commit b40bd2ed25 into master

2021-08-19 16:59:21 +00:00

lauri referenced this issue from a commit

2021-08-19 16:59:21 +00:00

Merge pull request 'Add support for EC keys' (#3) from ec-key-support into master

Sign in to join this conversation.

No reviewers

No Label