Closed weva-io closed 4 years ago
paragonie-scott
commented
4 years ago https://github.com/paragonie/sodium-plus/commit/9d500c589b79cad850478ac427e6124267c6d73b
This was an oversight in the API design. CryptographyKey.from() was a catch-all, but didn't return a child object.
This will be fixed in v0.5.0.
paragonie-scott
commented
4 years ago Okay, v0.5.0 is out now. You'll want to use X25519PublicKey.from('...', 'hex') going forward.
weva-io
commented
4 years ago thanks a bunch Scott, no error in the console!
onurkose
commented
4 years ago I am using this approach in the opposite way;
This is sodium-plus.js side;
const selfKeyPair = await sodium.crypto_box_keypair(),
selfPublicKey = await sodium.crypto_box_publickey(selfKeyPair),
selfSecretKey = await sodium.crypto_box_secretkey(selfKeyPair),
selfPublicKeyASCII = await sodium.sodium_bin2hex(selfPublicKey.getBuffer());Then I pass selfPublicKeyASCII to PHP via http headers and use it inside a middleware to encrypt response body:
public function encryptContent($request, $content) {
$publicKey = $request->header('Public-Key');
$rawPublicKey = hex2bin($publicKey);
$rawContent = sodium_crypto_box_seal($content, $rawPublicKey);
return bin2hex($rawContent);
}But when I try to decrypt on js side with this:
async function decryptTextBody (text) {
let decrypted;
try {
decrypted = await sodium.crypto_box_seal_open(text, selfPublicKey, selfSecretKey)
} catch (error) {
console.warn(error)
}
return decrypted.toString('utf-8')
}I receive Error: incorrect key pair for the given ciphertext error.
I also checked the encrypted php return value and js input data and they are exactly the same. I couldn't figure out where I am missing?
weva-io
commented
4 years ago Based on the provided code snippets, I am assuming that the text string you are passing to the decryptTextBody JS function is hexadecimal. You should convert it to binary before calling sodium.crypto_box_seal_open.
Other considerations/ suggestions (for your PHP code):
sodium_bin2hex() and sodium_hex2bin() as they are designed to be resistant to side-channel attacks.sodium_memzero() to wipe out sensitive data from memory when you are done.More info about utilities and helpers here.
onurkose
commented
4 years ago Thank you very much. Now it works perfectly.
I originally posted this on S/O yesterday, but figured it is probably more appropiate and straightforward to ask here.
I would like to achieve an anonymous public-key encryption in a web browser using
sodium-plus.jswith keys generated in PHP sodium like this:The keys generated with this method work fine in PHP with the
sodium_crypto_box_sealandsodium_crypto_box_seal_openmethods, but however, I am unable to make it work on the frontend. My approach:This returns TypeError: Argument 2 must be an instance of X25519PublicKey in the console.
Notes:
sodium.crypto_box_keypair()on the frontend works.CryptographyKey.from()instead ofX25519PublicKey.from()– did not work.getPublicKey()function returns an object witbuffer: Uint8Array(32) [ … ], while the public-key derived fromsodium.crypto_box_keypair()returns an object withbuffer: Uint8Array(32) [ … ], keyType: "x25519", publicKey: true.Concept is based on: