问题描述
标题说明了一切。我想知道如何使用WebCrypto API生成RSA密钥对,如何使用密码来保护它,以便将其存储在数据库中。您可以生成一个带WebCrypto的RSA密钥对并将其导出为jwk(Json Web Key),pkcs#8(私有)或spki(public)。请参阅,示例代码如下:
要以受保护的方式将密钥导出到外部系统,您可以使用以下标准:
-
PKCS#8:在允许使用密码加密,但WebCryptography exportKey不支持加密。它提供了PrivateKeyInfo
-
PKCS#12: PKCS#12是密钥库交换格式。它可以包含私钥,带有公钥和证书链的证书。内容使用密码加密3DES。文件通常包含扩展名.pfx或.p12
不幸的是 WebCrypto不支持导出普通文件加密格式,例如 PKCS#8 - 加密或 PKCS#12 。您可以使用第三方库(例如
$ b)以其中一种格式导出密钥$ b
示例代码
WebCrypto RSASSA-PKCS1-v1_5 - generateKey
window.crypto.subtle.generateKey(
{
name:RSASSA-PKCS1-v1_5,
modulusLength:2048, //可以是1024,2048或4096
publicExponent:new Uint8Array([0x01,0x00,0x01]),
hash:{name:SHA-256},//可以是SHA -1,SHA-256,SHA-384或SHA-512
},
true,//密钥是否可提取(即可以在exportKey中使用)
[sign,verify] //可以是sign和verify的任意组合
)
.then(function(key){
//返回密钥对象
console.log(key);
console.log(key.publicKey);
console.log(key.privateKey);
})
.catch(function(err){
console.error(错误);
});
WebCrypto RSASSA-PKCS1-v1_5 - exportKey
window.crypto.subtle.exportKey(
pkcs8,//可以是jwk(公共或私人),spki (仅限公开)或pkcs8(仅限私人)
privateKey //可以是publicKey或privateKey,只要extractable为true
)
.then(function(keydata){
//返回导出的密钥数据
console.log(keydata);
})
.catch(function(err){
console.error(err) ;
});
Forge -
//需要:wrap webcrypto pkcs#8伪造privateKey(参见doc)
//加密PrivateKeyInfo并输出EncryptedPrivateKeyInfo
var encryptedPrivateKeyInfo = pki.encryptPrivateKeyInfo(
privateKeyInfo,'password',{
算法:'aes256',//'aes128','aes192','aes256','3des'
});
//将EncryptedPrivateKeyInfo转换为PEM
var pem = pki.encryptedPrivateKeyToPem(encryptedPrivateKeyInfo);
Forge -
//需要:将webcrypto pkcs#8包装成伪造privateKey(参见doc)
//生成可由Chrome / Firefox
//导入的p12(需要使用Triple DES而不是AES)
var p12Asn1 = forge.pkcs12.toPkcs12Asn1(privateKey,certChain ,密码,{algorithm:'3des'});
// base64-encode p12
var p12Der = forge.asn1.toDer(p12Asn1).getBytes();
var p12b64 = forge.util.encode64(p12Der);
title says it all. I was wondering how do I generate RSA key pair using WebCrypto API and how do I secure it with a passphrase so I can store it in a database.
You can generate an RSA key pair with WebCrypto and export it as jwk (Json Web Key), pkcs#8 (private) or spki (public). See SubtleCrypto.exportKey() and the example code bellow
To export the key to an external system in a protected way you could use an standard like:
PKCS#8: The PKCS#8 private key format defined at IETF Public Key-Cryptographic Standard Encryption #8. allow encryption with a passphrase, but WebCryptography exportKey does not support it. It provides PrivateKeyInfo
PKCS#12: PKCS#12 is a keystore exchange format. It can contain private keys, certificates with the public key and the certification chain. The content is 3DES encrypted with a passphrase. Files are usually found with extension .pfx or .p12
Unfortunately WebCrypto does not support exporting in a common format with encryption such as PKCS#8 - encrypted or PKCS#12. You could export the keys in one of these formats using a third party library like forge
Example code
WebCrypto RSASSA-PKCS1-v1_5 - generateKey
window.crypto.subtle.generateKey(
{
name: "RSASSA-PKCS1-v1_5",
modulusLength: 2048, //can be 1024, 2048, or 4096
publicExponent: new Uint8Array([0x01, 0x00, 0x01]),
hash: {name: "SHA-256"}, //can be "SHA-1", "SHA-256", "SHA-384", or "SHA-512"
},
true, //whether the key is extractable (i.e. can be used in exportKey)
["sign", "verify"] //can be any combination of "sign" and "verify"
)
.then(function(key){
//returns a keypair object
console.log(key);
console.log(key.publicKey);
console.log(key.privateKey);
})
.catch(function(err){
console.error(err);
});
WebCrypto RSASSA-PKCS1-v1_5 - exportKey
window.crypto.subtle.exportKey(
"pkcs8", //can be "jwk" (public or private), "spki" (public only), or "pkcs8" (private only)
privateKey //can be a publicKey or privateKey, as long as extractable was true
)
.then(function(keydata){
//returns the exported key data
console.log(keydata);
})
.catch(function(err){
console.error(err);
});
Forge -PKCS#8
//needed: wrap webcrypto pkcs#8 to forge privateKey (see doc)
// encrypts a PrivateKeyInfo and outputs an EncryptedPrivateKeyInfo
var encryptedPrivateKeyInfo = pki.encryptPrivateKeyInfo(
privateKeyInfo, 'password', {
algorithm: 'aes256', // 'aes128', 'aes192', 'aes256', '3des'
});
// converts an EncryptedPrivateKeyInfo to PEMvar pem = pki.encryptedPrivateKeyToPem(encryptedPrivateKeyInfo);
Forge - PKCS#12
//needed: wrap webcrypto pkcs#8 to forge privateKey (see doc)
// generate a p12 that can be imported by Chrome/Firefox
// (requires the use of Triple DES instead of AES)
var p12Asn1 = forge.pkcs12.toPkcs12Asn1(privateKey, certChain, password, {algorithm: '3des'});
// base64-encode p12
var p12Der = forge.asn1.toDer(p12Asn1).getBytes();
var p12b64 = forge.util.encode64(p12Der);
这篇关于使用WebCrypto API生成RSA密钥对,并使用密码保护它的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!