Closed
Bug 1048931
Opened 10 years ago
Closed 3 years ago
Add PKCS8 import/export for ECDH keys to WebCrypto API
Categories
(Core :: DOM: Web Crypto, defect, P3)
RESOLVED DUPLICATE of bug 1133698
People
(Reporter: ttaubert, Unassigned)
References
(Depends on 1 open bug, Blocks 2 open bugs)
Details
(Whiteboard: [domsecurity-backlog2])
ECDH currently only supports JWK and SPKI import and export. We need to build an ECDH-PKCS8 template ourselves; NSS doesn't have it, unfortunately. This bug should also add some tests for structured cloning.
I do have a patch that implements PKCS8 already but hit some problems with structured cloning that I need to investigate more.
Comment 1•9 years ago
Tim, would you mind sharing your patch? I can have a look at it and maybe look to land it in NSS if it makes sense to do so.
Flags: needinfo?(ttaubert)
Comment 2 (Reporter)•9 years ago
Sorry for the late response, I'll try to get those patches running again very soon. I'll hand it off if I shouldn't find the time to complete.
Flags: needinfo?(ttaubert)
Comment 3 (Reporter)•9 years ago
Picked this up on the weekend again. I have a patch that's 95% done, just needs a few tests and functionality for corner cases. Probably requires a few NSS changes too.
Comment 4•9 years ago
A solution to this is greatly appreciated as storing an ECDH key in indexedDB is currently broken: DataCloneError: The object could not be cloned.
@tim you touched this in your first comment and I believe it is this very issue.
Comment 5•9 years ago
Stefan, the best available workaround is to ensure that the key is exportable (yes, yuck) and export it to JWK, then store that. That's what we are doing right now.
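The workaround described in comment 5, as an added example that is not part of the bug thread or of Mozilla's code: an extractable ECDH private key is exported to JWK, cloned as a plain object, and re-imported as non-extractable. The P-256 curve, the function names and the use of `structuredClone()` in place of a real IndexedDB round trip are assumptions made for the example.

```javascript
// Added example, not code from the bug. Runs in a browser or in Node.
const subtle = (globalThis.crypto ?? require('node:crypto').webcrypto).subtle;
const ECDH = { name: 'ECDH', namedCurve: 'P-256' }; // curve is an assumption

// Derive 256 shared bits as hex; equal output proves two private keys are the same key.
async function sharedBitsHex(privateKey, peerPublicKey) {
  const bits = await subtle.deriveBits({ name: 'ECDH', public: peerPublicKey }, privateKey, 256);
  return Array.from(new Uint8Array(bits), (b) => b.toString(16).padStart(2, '0')).join('');
}

// Export to JWK: only possible when the key was created with extractable = true.
async function exportForStorage(privateKey) {
  const jwk = await subtle.exportKey('jwk', privateKey);
  // structuredClone() stands in for an IndexedDB put/get round trip
  // (the structured clone algorithm that IndexedDB also uses).
  return structuredClone(jwk);
}

// Re-import as non-extractable so the in-memory key cannot be exported a second time.
function importFromStorage(jwk) {
  return subtle.importKey('jwk', jwk, ECDH, false, ['deriveBits']);
}

async function demoJwkWorkaround() {
  const device = await subtle.generateKey(ECDH, true, ['deriveBits']);
  const peer = await subtle.generateKey(ECDH, false, ['deriveBits']);
  const before = await sharedBitsHex(device.privateKey, peer.publicKey);

  const stored = await exportForStorage(device.privateKey);
  const restored = await importFromStorage(stored);
  const after = await sharedBitsHex(restored, peer.publicKey);

  // exportKey() must reject for the non-extractable re-imported key.
  const reexportBlocked = await subtle.exportKey('jwk', restored).then(() => false, () => true);
  return {
    sameSecret: before === after,
    // Cost of the workaround: the stored record holds the private scalar "d" in the clear.
    storedHasPrivateScalar: typeof stored.d === 'string',
    restoredExtractable: restored.extractable,
    reexportBlocked,
  };
}
```

In a page, the `stored` object is what would be passed to an IndexedDB `put()`, so anything able to read that database can read the private key.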
Comment 6 (Reporter)•9 years ago
(In reply to Stefan Sechelmann from comment #4)
> A solution to this is greatly appreciated as storing an ECDH key in
> indexedDB is currently broken: DataCloneError: The object could not be
> cloned.
> @tim you touched this in your first comment and I believe it is this very
> issue.
Yes, we use PKCS#8/SPKI internally for structured cloning. Martin's workaround is probably the best suggestion for now.
I'm unfortunately stuck waiting for bug 1245252 and dependencies to correctly implement the last bits here; the patch is really almost done, but I need some prerequisites landing first.
Depends on: 1245252
Updated (Reporter)•9 years ago
Status: NEW → ASSIGNED
Updated•8 years ago
Component: Security → DOM: Security
Updated•8 years ago
Priority: -- → P3
Whiteboard: [domsecurity-backlog2]
Updated (Reporter)•8 years ago
Assignee: ttaubert → nobody
Status: ASSIGNED → NEW
Comment 8•7 years ago
I wish to use PKCS#8/SPKI to create PEM keys and send them to OpenSSL in PHP, and for later storage in a DB.
A solution to this is greatly appreciated as JWK to PEM is cumbersome to implement, and I am reluctant to use 3rd-party plugins/classes.
Comment 9•7 years ago
Storing ECDH and ECDSA keys in IndexedDB is apparently possible since 55.0. Thanks for fixing this, did you find a way to do this without PKCS8 import/export?
Comment 10•7 years ago
Unfortunately I was a little fast with this. Only ECDH and ECDSA _public_ keys can be structured cloned as of 55.0. Private keys still throw the StructuredCloneError.
@tim Why is this? Does this mean we can expect this to work also for private keys any time soon?
Comment 11 (Reporter)•7 years ago
Well, for private keys we filed this bug here. For serialization we export public keys to SPKI, and private keys to PKCS8. As the latter isn't yet implemented for ECDH keys you can't store them, or rather the StructuredClone algorithm fails.
We have no one working on this at the moment, and no plans to do so. We should have most of the internal things ready since I landed bug 1295121, but the WebCrypto API integration will need more work.
I'll happily look at patches if anyone would like to contribute :)
Comment 13•6 years ago
Touching the workaround for this again in our app now. We generate device keys that have to be extractable because of this. Any noteworthy progress here?
Comment 14•6 years ago
Are there any updates on this? Since I don’t want to make the ECDSA keys extractable, I plan to not support Firefox for now, because in Chrome it seems to work just fine.
Comment 15•6 years ago
It would be great to learn who is in charge now that Tim has other things to do. Any updates?
Updated•6 years ago
Component: DOM: Security → DOM: Web Crypto
Comment 16•5 years ago
Given that the original issue with the patch seemed to lie with structured cloning and since it's not really a thing anymore, could it be applied now?
Comment 17•4 years ago
Hello!
I hope you are doing great!
Are there any updates about this?
We are not supporting Firefox for one of our products because of this issue :/
Thanks!
Comment 18•3 years ago
Storing ECDSA/ECDH keys in an IndexedDB should work now. (See https://jsfiddle.net/1jfu46xd/)
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → DUPLICATE
Comment 19•3 years ago
🎉 Thank you very much! Now I can go and remove those workarounds.