Open Bug 1048931 Opened 6 years ago Updated 4 months ago

Add PKCS8 import/export for ECDH keys to WebCrypto API

Categories

(Core :: DOM: Web Crypto, defect, P3)

defect

Tracking

()

People

(Reporter: ttaubert, Unassigned)

References

(Depends on 1 open bug, Blocks 2 open bugs)

Details

(Whiteboard: [domsecurity-backlog2])

ECDH currently only supports JWK and SPKI import and export. We need to build a ECDH-PKCS8 template ourselves, NSS doesn't have it unfortunately. This bug should also add some tests for structured cloning.

I do have a patch that implements PKCS8 already but hit some problems with structured cloning that I need to investigate more.
Blocks: 1159216
Tim, would you mind sharing your patch?  I can have a look at it and maybe look to land it in NSS if it makes sense to do so.
Flags: needinfo?(ttaubert)
Sorry for the late response, I'll try to get those patches running again very soon. I'll hand it off if I shouldn't find the time to complete.
Flags: needinfo?(ttaubert)
Picked this up on the weekend again. I have a patch that's 95% done, just needs a few tests and functionality for corner cases. Probably requires a few NSS changes too.
A solution to this is greatly appreciated as storing an ECDH key in indexedDB is currently broken: DataCloneError: The object could not be cloned.
@tim you touched this in your fist comment and I believe it is this very issue.
Stefan, the best available workaround is to ensure that the key is exportable (yes, yuck) and export it to JWK, then store that.  That's what we are doing right now.
(In reply to Stefan Sechelmann from comment #4)
> A solution to this is greatly appreciated as storing an ECDH key in
> indexedDB is currently broken: DataCloneError: The object could not be
> cloned.
> @tim you touched this in your fist comment and I believe it is this very
> issue.

Yes, we use PKCS#8/SPKI internally for structured cloning. Martin's workaround is probably the best suggestion for now.

I'm unfortunately stuck waiting for bug 1245252 and dependencies to correctly implement the last bits here, the patch is really almost done but I need some prerequisites landing first.
Depends on: 1245252
Status: NEW → ASSIGNED
Component: Security → DOM: Security
Priority: -- → P3
Whiteboard: [domsecurity-backlog2]
Assignee: ttaubert → nobody
Status: ASSIGNED → NEW
Duplicate of this bug: 1379493
I wish to use PKCS#8/SPKI to create pem keys and send to openssl in php, and for later storage in db.

A solution to this is greatly appreciated as jwk to pem i cumbersome to implement, and am reluctant to use 3. party plugins/classes.
Storing ECDH and ECDSA keys in IndexedDB is apparently possible since 55.0. Thanks for fixing this, did you find a way to do this without PKCS8 import/export?
Unfortunately I was a little fast with this. Only ECDH and ECDSA _public_ keys can be structured cloned as of 55.0. Private keys still throw the StructuredCloneError.
@tim Why is this? Does this mean we can expect this to work also for private keys any time soon?
Well, for private keys we filed this bug here. For serialization we export public keys to SPKI, and private keys to PKCS8. As the latter isn't yet implemented for ECDH keys you can't store them, or rather the StructuredClone algorithm fails.

We have no one working on this at the moment, and no plans to do so. We should have most of the internal things ready since I landed bug 1295121, but we the WebCrypto API integration will need more work.

I'll happily look at patches if anyone would like to contribute :)
Duplicate of this bug: 1428894
Touching the workaround for this again in our app now. We generate device keys that have to be extractable because of this. Any noteworthy progress here?
Are there any updates on this? Since I don’t want to make the ecdsa keys extractable, I plan to not support Firefox for now, because in chrome it seems to work just fine.
It would be great to learn who is in charge now that Tim has other things to do. Any updates?
Component: DOM: Security → DOM: Web Crypto

Given that the original issue with the patch seemed to lie with structured cloning and since it's not really a thing anymore, could it be applied now?

You need to log in before you can comment on or make changes to this bug.