Add support for EC keys #3

Merged
lauri merged 6 commits from ec-key-support into master 2021-08-19 16:59:21 +00:00
Contributor

Didn't find replacement for forge.pki.certificateToAsn1() and forge.asn1.toDer().

Owner

  • What are formatPEM.js and pkcs12chain, where are they from, why aren't they installed via npm and are you sure pki.js or asn1js doesn't already provide this? Whenever you pull in external files please add them in a separate commit and add into the commit description where they came from and why they were added
  • HASH_ALG, RSA_SIGN_ALG, EC_SIGN_ALG, KEY_SIZE should all really go away and they should be pulled from /api/bootstrap instead. Looks like at least hash algorithm is missing, please add it under certificate.authority dict. There's more hardcoded stuff that should really be pulled from /api/bootstrap https://git.k-space.ee/pinecrypt/frontend/src/branch/master/static/js/certidude.js#L250
  • All the P12 stuff (https://git.k-space.ee/pinecrypt/frontend/src/branch/master/static/js/certidude.js#L236) should really happen inside case 'p12':
  • Please remove all messy inline conversions and use an external function for converting between PEM/DER/whatever (base64 convert, line length limit and also ASCII armor text): https://git.k-space.ee/pinecrypt/frontend/src/branch/master/static/js/certidude.js#L135 https://git.k-space.ee/pinecrypt/frontend/src/branch/master/static/js/certidude.js#L231 https://git.k-space.ee/pinecrypt/frontend/src/branch/master/static/js/certidude.js#L274 https://git.k-space.ee/pinecrypt/frontend/src/branch/master/static/js/certidude.js#L324 etc. Create your own functions if you're sure pki.js or asn1js doesn't include what you need
  • crypto.generateKey is the only long running function call, I don't see a reason to complicate the code with sequence here?

PKI terminology is a mess, to clarify:

  • DER format is the ASN1 structure encoded to bytes
  • BER is subset of DER, to simplify things consider them equivalent
  • PEM is the same DER piece encoded in base64 and surrounded by ----- BEGIN ... ----- and ----- END ... -----
  • PKCS 12 = PKCS#12 = P12 = PFX which is a format to store key+cert bundles. It's really painful to work with because it lacks support everywhere but it's the only method to supply key+cert to the StrongSwan client on Android/iOS

Did you test downloading the StrongSwan profile (.sswan)? It should contain sensible JSON and the local.p12 attribute should contain a P12 bundle that you should be able to parse with openssl pkcs12. For more info see https://wiki.strongswan.org/projects/strongswan/wiki/AndroidVPNClientProfiles
pehmo1 force-pushed ec-key-support from be409827f5 to baa6acbf77 2021-08-12 20:14:25 +00:00 Compare
pehmo1 added 1 commit 2021-08-12 20:23:04 +00:00
pehmo1 added 1 commit 2021-08-16 16:23:07 +00:00
Also moved crypto to window.cryptoEngine for easy access in util.js
Author
Contributor

> What are formatPEM.js and pkcs12chain, where are they from, why aren't they installed via npm and are you sure pki.js or asn1js doesn't already provide this? Whenever you pull in external files please add them in separate commit and add into commit description where they came from and why they were added

  • formatPEM.js formats a string into PEM format (64 chars per line), comes from https://github.com/PeculiarVentures/PKI.js/blob/f4768689ba4f4ea0a65fda25f9af6eb4d72c3a45/examples/examples_common.js. pkcs12chain.js wraps boilerplate for generating a PFX instance with a cert chain, comes from https://github.com/PeculiarVentures/PKI.js/issues/104.

> HASH_ALG, RSA_SIGN_ALG, EC_SIGN_ALG, KEY_SIZE should all really go away and they should be pulled from /api/bootstrap instead. Looks like at least hash algorithm is missing, please add it under certificate.authority dict. There's more hardcoded stuff that should really be pulled from /api/bootstrap https://git.k-space.ee/pinecrypt/frontend/src/branch/master/static/js/certidude.js#L250

  • Fixed

> All the P12 stuff should really happen inside case 'p12':

  • Fixed

> Please remove all messy inline conversions and use external function for converting between PEM/DER/whatever (base64 convert, line length limit and also ASCII armor text): https://git.k-space.ee/pinecrypt/frontend/src/branch/master/static/js/certidude.js#L135 https://git.k-space.ee/pinecrypt/frontend/src/branch/master/static/js/certidude.js#L231 https://git.k-space.ee/pinecrypt/frontend/src/branch/master/static/js/certidude.js#L274 https://git.k-space.ee/pinecrypt/frontend/src/branch/master/static/js/certidude.js#L324 etc. Create own functions if you're sure pki.js or asn1js doesn't include what you need

  • Fixed

> crypto.generateKey is the only long running function call, I don't see reason to complicate code with sequence here?

  • Fixed
Owner

Change

-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----

to

-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----

then it's working with EC too.
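As an added example (not code from the pinecrypt frontend or from PKI.js), this covers the two points above: the single PEM/DER conversion helper the review asks for (base64, 64-column lines, ASCII armour), and a structural check that derives the PEM label from the DER itself, which is why the plain PRIVATE KEY header works for EC keys as well as RSA. It assumes Node.js (Buffer for base64; use btoa/atob in the browser) and the DER samples are constructed shapes, not real keys.

```javascript
// Added example, not code from the pinecrypt frontend or PKI.js. Assumes
// Node.js (Buffer for base64; in the browser use btoa/atob instead).

// DER -> PEM: base64 body wrapped at 64 columns inside the ASCII armour.
function derToPem(der, label) {
  const b64 = Buffer.from(der).toString('base64');
  const lines = b64.match(/.{1,64}/g) || [];
  return `-----BEGIN ${label}-----\n${lines.join('\n')}\n-----END ${label}-----\n`;
}

// PEM -> DER: strips the armour and rejects blocks whose BEGIN/END labels differ.
function pemToDer(pem) {
  const m = pem.match(/-----BEGIN ([^-]+)-----\s*([\s\S]*?)\s*-----END ([^-]+)-----/);
  if (!m) throw new Error('not a PEM block');
  const [, begin, body, end] = m;
  if (begin !== end) throw new Error(`PEM label mismatch: ${begin} vs ${end}`);
  return { label: begin, der: new Uint8Array(Buffer.from(body.replace(/\s+/g, ''), 'base64')) };
}

// Minimal DER TLV header reader (short and long-form lengths).
function readTlv(der, off) {
  const tag = der[off];
  let len = der[off + 1];
  let start = off + 2;
  if (len & 0x80) {
    const n = len & 0x7f;
    len = 0;
    for (let i = 0; i < n; i++) len = (len << 8) | der[start + i];
    start += n;
  }
  return { tag, len, start };
}

// Pick the PEM label from the DER structure rather than from the key algorithm.
// Web Crypto exportKey('pkcs8') gives PrivateKeyInfo for RSA and EC alike, whose
// label is the algorithm-neutral "PRIVATE KEY"; "RSA PRIVATE KEY" is PKCS#1 only.
function privateKeyLabel(der) {
  const outer = readTlv(der, 0);
  if (outer.tag !== 0x30) throw new Error('expected outer SEQUENCE');
  const ver = readTlv(der, outer.start);
  if (ver.tag !== 0x02 || ver.len !== 1) throw new Error('expected version INTEGER');
  const version = der[ver.start];
  const next = readTlv(der, ver.start + ver.len);
  if (version <= 1 && next.tag === 0x30) return 'PRIVATE KEY';      // PKCS#8: AlgorithmIdentifier follows
  if (version === 0 && next.tag === 0x02) return 'RSA PRIVATE KEY'; // PKCS#1: modulus INTEGER follows
  if (version === 1 && next.tag === 0x04) return 'EC PRIVATE KEY';  // SEC1: OCTET STRING privateKey follows
  throw new Error('unrecognised private key structure');
}

// Constructed PKCS#8-shaped sample (not a real key): SEQUENCE { INTEGER 0, SEQUENCE { OID } }.
const SAMPLE_PKCS8_SHAPED = Uint8Array.from([0x30, 0x07, 0x02, 0x01, 0x00, 0x30, 0x02, 0x06, 0x00]);
```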
pehmo1 added 1 commit 2021-08-17 19:40:59 +00:00
pehmo1 added 1 commit 2021-08-19 11:49:22 +00:00
lauri merged commit b40bd2ed25 into master 2021-08-19 16:59:21 +00:00
Reference: pinecrypt/pinecrypt-gateway-frontend#3
No description provided.