feat: create and verify a self signed x.509 certificate in tests #2
Conversation
berendsliedrecht
commented
Jun 13, 2024
•
berendsliedrecht
commented
- SHA1 provider using @noble/hashes
- Export a p256 key (needed for the certificate)
- Test that creates a self signed certificate
- Added export and import methods for jwk only for now (secret+public)
- Test to create a x509 certificate with askar and nodejs and validate with the opposite (they use the same key so nodejs should validate askar and vice versa)
Signed-off-by: Berend Sliedrecht <sliedrecht@berend.io>
berendsliedrecht
force-pushed
the
create-self-signed-certificate-test
branch
from
c78b336
to
0d917ae
Compare
| public usages = [] | ||
|
|
||
| public override async onDigest(algorithm: HashAlgorithm, data: ArrayBuffer): Promise<ArrayBuffer> { | ||
| switch (algorithm.name.toUpperCase()) { |
There was a problem hiding this comment.
Can't we do hashes with Askar?
There was a problem hiding this comment.
Askar does not expose a hashing method over ffi.
| return key | ||
| } | ||
|
|
||
| public async onExportKey(format: KeyFormat, key: core.CryptoKey): Promise<JsonWebKey | ArrayBuffer> { |
There was a problem hiding this comment.
Should exportKey return the public key?
Is there options that dictate whether to return public/private?
There was a problem hiding this comment.
I am not too sure, I followed the WebCrypto API and the implementation from @peculiar/webcrypto. Maybe it has to do with whether it is extractable or not to also ectract the private values, or it never extracts the private values.
There was a problem hiding this comment.
Yeah with JWK it makes sense, but with returning a buffer it doesn't make sense for me to just return the public key bytes.
Maybe you can check by creating a key with extractable true and false and seeing the output in the browser?
There was a problem hiding this comment.
a CryptoKey instance holds the property keyType and extractable. So a single cryptokey will either be public/private and extractable=true/false.
For JWK it extracts everything (including d for ecc if it is a private key) and for others it returns the specific format (raw = public, spki = public and pkcs8 = private).
So basically, it depends on the format requested and for JWK it depends on the internal key (whether it is private or public)
tests/x509.test.ts
Outdated
| const crypto = new Crypto() | ||
| x509.cryptoProvider.set(crypto) | ||
|
|
||
| const alg = { | ||
| name: 'ECDSA', | ||
| namedCurve: 'P-256', | ||
| hash: { name: 'SHA-256' }, | ||
| } | ||
|
|
||
| const keys = await crypto.subtle.generateKey(alg, false, ['sign', 'verify']) | ||
|
|
||
| const cert = await x509.X509CertificateGenerator.createSelfSigned({ | ||
| name: 'C=NL, O=Animo Solutions', | ||
| signingAlgorithm: alg, | ||
| keys, | ||
| extensions: [ | ||
| await x509.SubjectKeyIdentifierExtension.create(keys.publicKey), | ||
| new x509.SubjectAlternativeNameExtension([ | ||
| { type: 'dns', value: 'paradym.id' }, | ||
| { type: 'dns', value: 'wallet.paradym.id' }, | ||
| ]), | ||
| ], | ||
| }) | ||
|
|
||
| assert(cert.toString('pem').startsWith('-----BEGIN CERTIFICATE-----')) | ||
| assert(cert.toString('pem').endsWith('-----END CERTIFICATE-----')) |
There was a problem hiding this comment.
Can you generate a key based on a seed in Node.JS crypto and Askar and then check if the Node.JS Crypt API gives the same result as the Askar crypto implementation?
There was a problem hiding this comment.
When I implemented it, I could not find anyting but ill take a look again. Should be useful.
| @@ -1,5 +1,6 @@ | |||
| import * as core from 'webcrypto-core' | |||
| import { type Key as AskarKey, KeyAlgs } from '@hyperledger/aries-askar-shared' | |||
| import type { KeyType, KeyUsage } from './types' | |||
|
|
|||
| const keyStorage = new WeakMap<core.CryptoKey, AskarKey>() | |||
There was a problem hiding this comment.
Why do we need this? Can't we fetch the askar key based on e.g. the public key? This will be empty every time your start the server, so I don't understand the purpose of it.
|
Signed-off-by: Berend Sliedrecht <sliedrecht@berend.io>
berendsliedrecht
force-pushed
the
create-self-signed-certificate-test
branch
from
4556c36
to
bfe16a1
Compare
|
@TimoGlastra added the tests and some minor fixes, can you rereview? |
berendsliedrecht
changed the title
