[Pki-users] Web Cryptography API

Ricardo Alexander Perez Ricardez rperez at osh.com.mx
Sun Oct 2 16:31:35 UTC 2016 

In some sections of the application I get the message: 

Warning: This version of Firefox no longer supports the crypto web object used to generate and archive keys from the browser. As a result expect limited functionality in this area. 

Doing a little research I found this information : https://www.redhat.com/archives/pki-users/2015-September/msg00012.html 

It means that Firefox's API changed.  The old, custom keygen /
crypto API was deprecated for a long time, then removed, but the
new, standardised Web Crypto API is not supported by Dogtag yet.

Hope that clarifies the situation for you. 
-Fraser Tweedale- 

It was reported On Mon, Sep 07, 2015 at 03:03:03PM +0300, By Aleksey Chudov 
Little more than a year , so I doubt arise as follows : Do you have plans to migrate to Web Cryptography API? 

Could take a look at PKI.js project, have made great strides in this topic: 

https://github.com/PeculiarVentures/PKI.js 

PKIjs is a pure JavaScript library implementing the formats that are used in PKI applications. It is built on WebCrypto ( Web Cryptography API ) and aspires to make it possible to build native web applications that utilize X.509 and the related formats on the web without plug-ins. 
Features of the library 


    * First and ONLY (April 2015) open-source JS library with full support for all "Suite B" algorithms in CMS messages; 
    * First library with support for CMS Enveloped data (encrypt/decrypt) in pure JavaScript + Web Cryptography API; 
    * Fully object-oriented library. Inhiritence is using everywhere inside the lib; 
    * Working with HTML5 data objects (ArrayBuffer, Uint8Array, Promises, Web Cryptography API, etc.); 
    * Has a complete set of helpers for working with types like: 
        * GeneralName; 
        * RelativeDistinguishedName; 
        * Time; 
        * AlgorithmIdentifier; 
        * All types of ASN.1 strings, including "international" like UniversalString, UTF8String and BMPString (with help from ASN1js ); 
        * All extension types of X.509 certificates (BasicConstraints, CertificatePolicies, AuthorityKeyIdentifier etc.); 
        * All "support types" for OCSP requests and responces; 
        * All "support types" for Time-Stamping Protocol (TSP) requests and responces; 
    * Has own certification chain verification engine, built in pure JavaScript, with help from Promises and Web Cryptography API latest standard implementation; 
    * Working with all Web Cryptography API signature algorithms: 
        * RSASSA-PKCS1-v1_5; 
        * RSA-PSS; 
        * ECDSA; 
    * Working with all "Suite B" (and more) encryption algorithms and schemas: 
        * RSASSA-OAEP + AES-KW + AES-CBC/GCM; 
        * ECDH + KDF on SHA-1/256/384/512 + AES-KW + AES-CBC/GCM; 
        * Pre-defined "key encryption key" + AES-KW + AES-CBC/GCM; 
        * Password-based encryption for CMS with PBKDF2 on HMAC on SHA-1/256/384/512 + AES-KW + AES-CBC/GCM; 
    * Working with all major PKI-related types ("minor" types are not mentioned here but there are huge number of such "minor types"): 
        * X.509 certificates: 
            * Parsing internal values; 
            * Getting/setting any internal values; 
            * Creatiion of a new X.509 certificate "from scratch"; 
            * Internal certificate chain validation engine ; 
        * X.509 "certificate revocation lists" (CRLs): 
            * Parsing internal values; 
            * Getting/setting any internal values; 
            * Creation of a new CRL "from scratch"; 
            * Validation of CRL signature; 
            * Search inside CRL for specific revoked certificate. 
        * PKCS#10 certificate request: 
            * Parsing internal values; 
            * Getting/setting any internal values; 
            * Creation of a new PKCS#10 certificate request "from scratch"; 
            * Validation of PKCS#10 signature; 
        * OCSP request: 
            * Parsing internal values; 
            * Getting/setting any internal values; 
            * Creation of a new OCSP request "from scratch". 
        * OCSP response: 
            * Parsing internal values; 
            * Getting/setting any internal values; 
            * Creation of a new OCSP response "from scratch"; 
            * Validation of OCSP response signature. 
        * Time-stamping request: 
            * Parsing internal values; 
            * Getting/setting any internal values; 
            * Creation of a new Time-stamping request "from scratch"; 
            * Validation of Time-stamping request signature; 
        * Time-stamping response: 
            * Parsing internal values; 
            * Getting/setting any internal values; 
            * Creation of a new Time-stamping response "from scratch"; 
            * Validation of Time-stamping response signature 
        * CMS Signed Data: 
            * Parsing internal values; 
            * Getting/setting any internal values; 
            * Creation of a new CMS Signed Data "from scratch"; 
            * Validation of CMS Signed Data signature; 
        * CMS Enveloped Data: 
            * Parsing internal values; 
            * Getting/setting any internal values; 
            * Creation (encryption) with full support for "Suite B" algorithms and more; 
            * Decryption with full support for "Suite B" algorithms and more; 
        * CMS Encrypted Data: 
            * Parsing internal values; 
            * Getting/setting any internal values; 
            * Creation (encryption) with password; 
            * Decryption with password; 
        * PKCS#12: 
            * Parsing internal values; 
            * Making any kind of internal values (SafeContexts/SafeBags) with any kind of parameters; 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pki-users/attachments/20161002/4aa9bcd4/attachment.htm>

More information about the Pki-users mailing list