2015-09-03

Using WebCrypto API to generate a KeyPair

The other day, I was using my chromebook and I needed to generate a keypair to get access to a new ssh server. I googled for a solution, but surprisingly I couldn't find one. Though I was pretty sure that the WebCrypto API would allow me to do easily, it turned out it's not as easy as I thought and it took me a couple days to actually figure out how to use the webcrypto API to achieve this specific goal, though this was mostly due to my blissful ignorance of ASN.1 encoding, JWK, base64url and openssh weird public key format.

Of course the first point of reference should be the the actual W3C spec. But this document is a bit too abstract and I found it hard to actually use the API from the spec.

Then I found a WebCrypto live table that tells me if my current browser actually support the API. Since some of those use native libraries, the Chrome on ChromeOS would have different support as the Chrome on other OSes.

We also need to keep in mind that the WebCrypto api is only available from secure locations. Luckily the file url is counted as a secure location, so it makes it easy to experiment from there. And surge.sh does host under https so that will be my provider of choice to host the end result.

On an OS with support for openssh we have the nifty utility ssh-keygen which allows to generate a keypair that can be used with ssh - which is exactly what we need.

So we have to figure out which algorithm to use, then use it with the appropriate parameters, then find a way to expose the public key and the private key. Ideally save the private key to a file and copy the public key.

The WebCrypto api is based on promises for the async work, so you will need to be vaguely familiar with promises to be able to read the code.

I am forever grateful to Converting OpenSSH public Keys for explaining the format used by OpenSSH public keys.

I also had to use a lot of google-fu to find out how to ASN.1 encode the JWK produced for the private key by the WebCrypto API in format that will be accepted by openSSH. Thanks to Lapo Luchini for putting together the awesome ASN.1 online decoder that allowed me debug my code and find out that ASN.1 doesn't like integer that starts with the high bit set (you have to prefix them with 0x00 in this case).

Please note that it is usually a very bad idea to put private keys in a browser, as most thing that are displayed on a web page can be stolen and a private key is probably the worst thing you could think putting on a web page.

But now, equipped with those two string representation of my key pair, I can setup my ssh connection straight from my Chromebook without having to use another OS. I am using the ssh chrome extension.

Live demo at https://js-keygen.surge.sh
Code at https://github.com/PatrickRoumanoff/js-keygen

6 comments:

Anonymous said...

Awesome blog. I would love to see true life prepared to walk, so please share more informative updates. Great work keeps it up. DCAPE-100 exam braindumps

Anonymous said...

Hey people! If some of you really necessity some assistance with essya adn homewrok you can ask this guys for help! So dont be shy adn check this personal statement writing company out! Appreciate your day adn pleased new year! Like it!

Hudsonchris said...

Elegance in accessories can be done by using Goldsmith Voucher Codes! If you are someone who is looking for something unique and timeless, then this could be the perfect place for you; they have a huge collection of fine jewelry, timepieces and other accessories. Coming across Goldsmith Voucher Codes will give you an opportunity to check their wide range at low price rates. Whether it is an engagement ring or necklace or bracelet or even luxury watch – everything has been made with perfection at Goldsmith’s shop so that each piece carries its own unique story on its surface! These Voucher Codes should come in handy while making your purchase decision; just imagine how much money you could save if only you used them during your shopping spree? You can either decorate yourself with these vouchers or find the perfect gift and save some cash.

Rose C said...

Good poost

What Does A Divorce Cost in New York said...

The WebCrypto API's generateKeyPair() method provides a secure and efficient way to generate public and private key pairs for cryptographic operations, such as encryption, signing, and authentication. Its asynchronous nature ensures non-blocking performance, and it supports several key algorithms like RSA, ECC, and Ed25519, enhancing security in modern web applications.

cristiano said...

This weekend, I enjoyed a relaxing time with family and friends. I caught up on some much-needed rest, tried a new recipe, and spent time outdoors. I also made progress on a personal project and reflected on the past week, feeling recharged and ready for the new one ahead. Draft, review, and negotiate contracts with attention to detail. Represent clients zealously in court or alternative dispute resolution settings, ensuring their voices are heard.
divorce attorney new jersey
chapter 7 lawyers near me