nginx / njs

A subset of JavaScript language to use in nginx
http://nginx.org/en/docs/njs/
BSD 2-Clause "Simplified" License

Web Crypto API. #251

Closed fishioon closed 2 years ago

fishioon commented 4 years ago

WebCrypto API.

SubtleCrypto.importKey()
SubtleCrypto.deriveKey()
SubtleCrypto.encrypt()
SubtleCrypto.decrypt()
SubtleCrypto.sign()
SubtleCrypto.verify()
SubtleCrypto.digest()

Sarniak1991 commented 4 years ago

Would be nice to see RSA verify in crypto :)

crasyangel commented 4 years ago

@xeioex any process?

xeioex commented 4 years ago

@crasyangel we are in the process of adding a node.js-like Buffer() object to work with binary data. After Buffer is done we plan to return to crypto features. Currently njs has byte-strings, which are a non-standard extension of the ordinary String object.

xeioex commented 3 years ago

@crasyangel, @drsm, @jirutka Feel free to test https://gist.github.com/xeioex/2d17327f13ca519750b4f5d6cf224e85

According to the WebCrypto API, the following methods were implemented:
    crypto.getRandomValues()
    crypto.subtle.importKey()
        format: raw, pkcs8, spki
        algorithm: AES-CBC, AES-CTR, AES-GCM,
            ECDSA, HKDF, HMAC, PBKDF2,
            RSASSA-PKCS1-v1_5, RSA-OAEP, RSA-PSS
    crypto.subtle.decrypt()
    crypto.subtle.encrypt()
        algorithm: AES-CBC, AES-CTR, AES-GCM,
            RSA-OAEP
    crypto.subtle.deriveBits()
    crypto.subtle.deriveKey()
        algorithm: HKDF, PBKDF2
    crypto.subtle.digest()
        algorithm: SHA-1, SHA-256, SHA-384, SHA-512
    crypto.subtle.sign()
    crypto.subtle.verify()
        algorithm: ECDSA, HMAC, RSASSA-PKCS1-v1_5, RSA-PSS

see test/webcrypto/ for examples
see test/webcrypto/README.rst for howtos
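
An added example (not from this thread or the njs project) of the HMAC path in the list above: importKey() with format raw, then sign() and verify(), used to check an HS256-style signed token. The function names, secret and claims are constructed for illustration; the code is written against the standard WebCrypto interface and run under Node.js, so njs-specific behaviour is not shown.

```javascript
// Added example: HS256-style token check with WebCrypto HMAC (all names are hypothetical).
// Node.js exposes WebCrypto as globalThis.crypto (older releases: require('crypto').webcrypto).
const subtle = (globalThis.crypto || require('node:crypto').webcrypto).subtle;

const enc = new TextEncoder();
const b64u = (bytes) => Buffer.from(bytes).toString('base64url');

// Import the shared secret as a non-extractable HMAC-SHA-256 key.
function hmacKey(secret, usages) {
    return subtle.importKey('raw', enc.encode(secret),
                            { name: 'HMAC', hash: 'SHA-256' }, false, usages);
}

async function signToken(secret, claims) {
    const head = b64u(enc.encode(JSON.stringify({ alg: 'HS256', typ: 'JWT' })));
    const body = b64u(enc.encode(JSON.stringify(claims)));
    const key = await hmacKey(secret, ['sign']);
    const sig = await subtle.sign('HMAC', key, enc.encode(`${head}.${body}`));
    return `${head}.${body}.${b64u(new Uint8Array(sig))}`;
}

// Returns the claims object when the signature is valid, otherwise null.
async function verifyToken(secret, token) {
    const parts = String(token).split('.');
    if (parts.length !== 3) return null;
    const [head, body, sig] = parts;
    try {
        // Pin the algorithm: never let the token header choose how it is verified.
        const header = JSON.parse(Buffer.from(head, 'base64url').toString());
        if (header.alg !== 'HS256') return null;
        const key = await hmacKey(secret, ['verify']);
        // verify() recomputes the MAC and compares it inside the implementation,
        // so no hand-written comparison of signature strings is needed.
        const ok = await subtle.verify('HMAC', key, Buffer.from(sig, 'base64url'),
                                       enc.encode(`${head}.${body}`));
        return ok ? JSON.parse(Buffer.from(body, 'base64url').toString()) : null;
    } catch (e) {
        return null; // malformed base64url or JSON, or an unusable key
    }
}
```
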

drsm commented 3 years ago

@xeioex

just found a typo. everything else looks fine for me. thanks!

drsm commented 3 years ago

BTW, it would be nice to test this against WPT, like they do it in nodejs

gallarda commented 3 years ago

Will this WebCrypto API work with a Hardware Security Module (HSM)??

Assuming that nginx is already configured to use ssl_engine pkcs11;

xeioex commented 2 years ago

@xeioex

Will this WebCrypto API work with a Hardware Security Module (HSM)??

njs module is linked against main nginx OpenSSL library. ssl_engine registers the specified engine globally, for all library APIs. I do not have experience with OpenSSL engines, but it looks like it is going to work as well for WebCrypto API calls.

crasyangel commented 2 years ago

@xeioex https://gist.github.com/crasyangel/4b3a4724e1c12b37af871031973c4c15 aes/derive/digest/rsa/sign tests all passed. Note: formats changed a little

xeioex commented 2 years ago

Committed in https://github.com/nginx/njs/commit/7b2b7612dc4ee6370b93462602a9892f97d155b9, will be released in 0.7.0.