Re: Encrypted Private Key

Regarding the specific question about exporting an encrypted private key:

No, Web Crypto does not directly support exporting or importing
EncryptedPrivateKeyInfo.

But yes, you can implement it on top of WebCrypto without too much effort.

I am assuming you want a password-based encryption scheme like PBES2. The
export case, I believe, will involve these steps:

(1) Call crypto.subtle.deriveKey() using "pbkdf2" and your password
(2) Call crypto.subtle.wrapKey() on the key you want to export, using
"pkcs8" as the export format, an AES cipher of your choice, and the
wrapping key from above.

You now have the encryptedData field for constructing an
EncryptedPrivateKeyInfo, and are mostly done.

From Stack Overflow it sounds like you made it this far, and then maybe
tried to import this blob of data into OpenSSL:

> I've probably overlooked something or did something wrong but when I
> wrapped key using WebCrypto I couldn't unwrap the key using OpenSSL.

There is still a step to do, namely wrap the encryptedData into an
EncryptedPrivateKeyInfo structure.

Which basically means you need to serialize the PBES2 algorithm
identifier/params, and then combine that with the encryptedData into a
SEQUENCE. This can probably be done manually with a few lines of code, or
you can use the asn1js library to help build up the encoded algorithm
DER/BER.

A few other notes:

* Going the opposite direction (importing an EncryptedPrivateKeyInfo) is
harder using WebCrypto. In particular the encrypted key data for
EncryptedPrivateKeyInfo is I believe permitted to be BER, however
WebCrypto's "pkcs8" format is restricted to DER (even though
implementations might accept BER here).

* In the Stack Overflow example there is mention of using 3DES. WebCrypto
doesn't support that; you will need to use AES instead.

* If you don't need to use an EncryptedPrivateKeyInfo things may be
simpler. For instance you can just pass around the encryptedData -- what
crypto.subtle.wrapKey() / crypto.subtle.unwrapKey() operate on -- then
communicate the wrapping algorithm through another means and save yourself
the effort of having to serialize/parse that ASN.1.

On Tue, Aug 16, 2016 at 12:03 PM, Anders Rundgren <
anders.rundgren.net@gmail.com> wrote:

> On 2016-08-16 20:33, Peter Bielak, Executive Manager wrote:
>
>>
>> Hello guys!
>> thank you all for collaboration.
>>
>> Yes there is a trust issue but I think the trust can be based on the
>> following:
>> if the key is only generated and decrypted on client and every single
>> piece of information is also decrypted, encrypted on client users can
>> see the JavaScript code and you never know which user will be the kind
>> of a person who always dig in the source core, searches bugs, security
>> issues has thousands of followers and immediately reporting that to
>> news, TV and all over which would probably destroy company's reputation
>> and nobody would trust you once you did something like this, but server
>> side cannot be seen and checked by people.
>>
>
> Peter,
> We are on the same page here :-)
>
>
>> I really like WebCrypto and I would like to use it this way, I don't know
>> maybe my idea is stupid.
>>
>
> I wouldn't say that it is stupid, only that it departs from the Web model
> which is provider-centric.  That is, I would rather authenticate users and
> do all the encryption/decryption on the server which relieves users from
> memorizing yet another password and dealing with encryption keys altogether.
>
> Regards,
> Anders
>
>
>
>
>> Thanks again for your suggestions and ideas!
>>
>
>
>

Received on Monday, 22 August 2016 22:28:45 UTC
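
The export procedure from the message above (steps 1 and 2, then wrapping the encryptedData into an EncryptedPrivateKeyInfo), as an added example that is not part of the original message or of any library. The helper names (`der`, `derInt`, `exportEncryptedPkcs8`), AES-256-CBC, PBKDF2 with HMAC-SHA-256, the 16-byte salt and the default iteration count are assumptions made here.

```javascript
// Added example: helper names, salt size and iteration count are assumptions.
// Minimal DER TLV encoder: tag, definite length, concatenated contents.
function der(tag, ...parts) {
  const body = parts.flatMap((p) => [...p]);
  const len = [];
  for (let n = body.length; n > 0; n = Math.floor(n / 256)) len.unshift(n % 256);
  const head = body.length < 128 ? [body.length] : [0x80 | len.length, ...len];
  return Uint8Array.from([tag, ...head, ...body]);
}

// DER INTEGER for a non-negative number (a leading 0x00 keeps it positive).
function derInt(n) {
  const b = [];
  do { b.unshift(n % 256); n = Math.floor(n / 256); } while (n > 0);
  if (b[0] & 0x80) b.unshift(0);
  return der(0x02, b);
}

// Pre-encoded OBJECT IDENTIFIERs: id-PBES2, id-PBKDF2, hmacWithSHA256, aes256-CBC.
const OID_PBES2 = [0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x05, 0x0d];
const OID_PBKDF2 = [0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x05, 0x0c];
const OID_HMAC_SHA256 = [0x06, 0x08, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x02, 0x09];
const OID_AES256_CBC = [0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x01, 0x2a];

// Returns a DER EncryptedPrivateKeyInfo (Uint8Array). privateKey must be extractable.
async function exportEncryptedPkcs8(privateKey, password, iterations = 600000) {
  // Browsers expose globalThis.crypto; older Node versions need the module.
  const api = globalThis.crypto ?? (await import('node:crypto')).webcrypto;
  const salt = api.getRandomValues(new Uint8Array(16));
  const iv = api.getRandomValues(new Uint8Array(16));
  // Step (1): derive the AES wrapping key from the password with PBKDF2.
  const base = await api.subtle.importKey(
    'raw', new TextEncoder().encode(password), 'PBKDF2', false, ['deriveKey']);
  const kek = await api.subtle.deriveKey(
    { name: 'PBKDF2', salt, iterations, hash: 'SHA-256' }, base,
    { name: 'AES-CBC', length: 256 }, false, ['wrapKey']);
  // Step (2): wrap the key as PKCS#8; the result is the encryptedData field.
  const encryptedData = new Uint8Array(
    await api.subtle.wrapKey('pkcs8', privateKey, kek, { name: 'AES-CBC', iv }));
  // Remaining step: serialize the PBES2 AlgorithmIdentifier and the SEQUENCE.
  const prf = der(0x30, OID_HMAC_SHA256, der(0x05));
  const kdf = der(0x30, OID_PBKDF2, der(0x30, der(0x04, salt), derInt(iterations), prf));
  const scheme = der(0x30, OID_AES256_CBC, der(0x04, iv));
  const algorithm = der(0x30, OID_PBES2, der(0x30, kdf, scheme));
  return der(0x30, algorithm, der(0x04, encryptedData));
}
```

For tools that expect PEM, base64-encode the returned bytes between `-----BEGIN ENCRYPTED PRIVATE KEY-----` and `-----END ENCRYPTED PRIVATE KEY-----` lines.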