Doesn't work on Safari #9

Open
Zinggi opened this Issue Apr 30, 2018 · 9 comments

Zinggi commented Apr 30, 2018

The web app crashes on Safari.
I don't know why and I don't have a mac to investigate.

@Zinggi Zinggi created this issue from a note in Board (Bugs) Apr 30, 2018

ChristophP Jun 12, 2018

This is what Safari complains about:
image

Zinggi Jun 13, 2018

Owner

Ok, so Safari seems to have problems with either RSA-PSS or RSA-OAEP or both (https://github.com/Zinggi/NoKey/blob/master/web/js/setup.js#L77).
There might also be more problems down the line.

There is a polyfill that could potentially fix this, but I think using a polyfill for crypto has serious drawbacks: a big performance penalty, possibly faulty or insecure implementation and increased bundle size.
This quote also doesn't inspire a lot of confidence: "We have done no security review or take a position on the security of these third-party libraries. YOU HAVE BEEN WARNED."

So I'm not sure what should be done...

passiomatic Jun 20, 2018

I might be missing something, but following this post I can use webkitSubtle with Safari 11.1 to generate a promise after the generateKey in the console, like you did in your code.

> if (window.crypto && !window.crypto.subtle && window.crypto.webkitSubtle) {
    window.crypto.subtle = window.crypto.webkitSubtle;
}
< undefined
> window.crypto.subtle
< SubtleCrypto {encrypt: function, decrypt: function, sign: function, verify: function, digest: function, …}
> window.crypto.subtle.generateKey({
            name: "RSA-OAEP",
            modulusLength: 2048,
            publicExponent: new Uint8Array([0x03]),
            hash: { name: "SHA-256" }
}, true, ["encrypt", "decrypt"]);
< Promise {status: "pending"}

Zinggi Jun 20, 2018

Owner

You probably have to run the promise before you see the error.
Try:

window.crypto.subtle.generateKey({
            name: "RSA-OAEP",
            modulusLength: 2048,
            publicExponent: new Uint8Array([0x03]),
            hash: { name: "SHA-256" }
}, true, ["encrypt", "decrypt"]).then(
    (key) => { console.log(key) }
).catch(
    (e) => { console.log("error", e); }
);

passiomatic Jun 20, 2018

It seems to work:

Promise = $2
result: undefined
status: "resolved"

And when I inspect the object:

[Log] Object

privateKey: CryptoKey {type: "private", extractable: true, algorithm: Object, usages: ["decrypt"]}
publicKey: CryptoKey {type: "public", extractable: true, algorithm: Object, usages: ["encrypt"]}

Zinggi Jun 20, 2018

Owner

Interesting, can you also try RSA-PSS?
If that also works, maybe they fixed it? Are you still getting the same error here?

passiomatic Jun 20, 2018

Unfortunately RSA-PSS gives an error. ;( For the record RSA-PSS is not listed in the algo value here: https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/generateKey

jdmnd Jun 20, 2018

This issue appears to be related to publicExponent.
Using the exponent suggested here (65,537) appears to fix the issue for some reason.

The following code works on Safari 11.1:

crypto.subtle.generateKey({
            name: "RSA-PSS",
            modulusLength: 2048,
            publicExponent: new Uint8Array([0x01, 0x00, 0x01]),
            hash: { name: "SHA-256" },
        }, true, ["sign", "verify"]).then(console.log)

Output:
screen shot 2018-06-20 at 18 15 58

Zinggi Jun 21, 2018

Owner

Very strange...
Now I'd need someone to build it locally to try out if this little change would make it work or if there is some other problem then.
I'd also need to know if it's only generateKey that has trouble with that particular exponent or if importing and verifying would also cause problems with that exponent.

@Zinggi Zinggi added the help wanted label Jun 21, 2018
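
A staged probe for the question left open in the last comment: whether only generateKey rejects a given publicExponent, or whether exporting, importing and using the key fail as well. This is an added example, not code from NoKey or from the commenters; `probeRsa`, `probeAll` and the stage names are hypothetical.

```javascript
// Added diagnostic, not NoKey code; probeRsa, probeAll and the stage names are hypothetical.
const cryptoObj = globalThis.crypto ||
  (typeof require === "function" ? require("node:crypto").webcrypto : undefined);
// Same webkitSubtle fallback the thread uses for older Safari builds.
const subtle = cryptoObj && (cryptoObj.subtle || cryptoObj.webkitSubtle);

const USES = {
  "RSA-PSS": { priv: "sign", pub: "verify" },
  "RSA-OAEP": { priv: "decrypt", pub: "encrypt" },
};

// Runs generateKey -> exportKey -> importKey -> use; reports the first stage that rejects.
async function probeRsa(name, exponentBytes) {
  const hash = { name: "SHA-256" };
  const alg = { name, modulusLength: 2048, publicExponent: new Uint8Array(exponentBytes), hash };
  const { priv, pub } = USES[name];
  const data = new TextEncoder().encode("constructed probe message");
  let stage = "generateKey";
  try {
    const pair = await subtle.generateKey(alg, true, [priv, pub]);
    stage = "exportKey";
    const jwk = await subtle.exportKey("jwk", pair.publicKey);
    stage = "importKey";
    const imported = await subtle.importKey("jwk", jwk, { name, hash }, true, [pub]);
    stage = "use";
    if (name === "RSA-PSS") {
      const params = { name, saltLength: 32 };
      const sig = await subtle.sign(params, pair.privateKey, data);
      if (!(await subtle.verify(params, imported, sig, data))) throw new Error("signature did not verify");
    } else {
      const ct = await subtle.encrypt({ name }, imported, data);
      const pt = new Uint8Array(await subtle.decrypt({ name }, pair.privateKey, ct));
      const same = pt.length === data.length && !pt.some((b, i) => b !== data[i]);
      if (!same) throw new Error("decrypted bytes differ from the input");
    }
    return { name, exponentBytes, ok: true, failedAt: null };
  } catch (e) {
    return { name, exponentBytes, ok: false, failedAt: stage, error: String(e) };
  }
}

// Exponent 3 (as in the snippets above) and 65,537, for both algorithms.
async function probeAll() {
  const out = [];
  for (const name of Object.keys(USES)) {
    for (const e of [[0x03], [0x01, 0x00, 0x01]]) out.push(await probeRsa(name, e));
  }
  return out;
}
```

In a browser console, `probeAll().then(console.table)` lists the four results. Where generateKey itself rejects an exponent, the later stages can only be exercised with a key generated elsewhere.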
