crypto: add keyObject.params for asymmetric keys

[tniessen]

This API exposes key parameters. It is conceptually different from the previously discussed keyObject.fields property since it does not give access to information that could compromise the security of the key, and the obtained information cannot be used to uniquely identify a key.

The intended purpose is to determine "security properties" of keys, e.g. to generate a new key pair with the same parameters, or to decide whether a key is secure enough.

I have not implemented the publicExponent property yet, mostly because I am not sure whether to use a number or a BigInt. In practice, most (all?) public exponents will fit into 32 bits and thus easily into Number.MAX_SAFE_INTEGER, and generateKeyPair currently only accepts safe integers, too. However, in theory, public exponents can be almost arbitrarily long, even though it can introduce efficiency and security concerns. I would like to hear opinions from @nodejs/crypto (or others).

Refs: nodejs/webcrypto#16

Checklist

• make -j4 test (UNIX), or vcbuild test (Windows) passes
• tests and/or benchmarks are included
• documentation is changed or added
• commit message follows commit guidelines

[panva]

@tniessen

I'm wondering about why this approach would be preferred over working out .fields export and subsequent import roundtrip, which solves more use cases, such as easier and dependency-free JWK import.

It is conceptually different from the previously discussed keyObject.fields property since it does not give access to information that could compromise the security of the key, and the obtained information cannot be used to uniquely identify a key.

Given that all keys have an .export() which may be parsed to get that info, how would .fields expose anything that's not exposed already?

[bnoordhuis]

I have not implemented the publicExponent property yet, mostly because I am not sure whether to use a number or a BigInt.

The precedence here is tlssocket.getPeerCertificate() which returns it as a hex string.

[bnoordhuis]

Suggestion: add the string to PER_ISOLATE_STRING_PROPERTIES in env.h. Ditto the other strings.

[tniessen]

I'm wondering about why this approach would be preferred over working out .fields export and subsequent import roundtrip, which solves more use cases, such as easier and dependency-free JWK import.

I think it is possible to see .fields and .params as related, but disjoint sets of properties. For example, where .params has a modulusLength property, .fields could have a modulus property, but modulusLength is not really a field of the key.

.fields seems to be far more difficult to design and will most likely also be difficult to use. And so far, I didn't find many use cases for .fields that would not be solved by .params, apart from your specific JWK use case.

Given that all keys have an .export() which may be parsed to get that info, how would .fields expose anything that's not exposed already?

.fields does not expose anything new, but it does expose critical information, which is exactly why you could never write the value of .fields to a log file, show it to a user, pass it to an untrusted function, or display it as part of your application. Whereas .params can be logged, used, passed and displayed without any security issues.

[panva]

I think it is possible to see .fields and .params as related, but disjoint sets of properties. For example, where .params has a modulusLength property, .fields could have a modulus property, but modulusLength is not really a field of the key.

Fair enough, i can see how this method can be labeled as "log safe" / not containing private information.

.fields seems to be far more difficult to design and will most likely also be difficult to use. And so far, I didn't find many use cases for .fields that would not be solved by .params, apart from your specific JWK use case.

Other than the philosophical discussion about types and property names - what's the difficult part and how could i help to move it forward? PEM, DER and JWK are all treated as first-class under webcrypto's CryptoKey and I only wish to see the same with KeyObject one day.

[cjihrig]

Nit, but could you rewrite this as:

if (this[kParams] === undefined)
  this[kParams] = this[kHandle].getAsymmetricParams();
return this[kParams];

[bnoordhuis]

I was going to suggest something similar at first but it's locally consistent, get asymmetricKeyType() uses the same style.

[BridgeAR]

@tniessen is there still something to do here, since this already got two LGs?

[tniessen]

Yes, I still need to implement some properties. I am working on a different PR to fix a few crypto issues and need to make sure these two are compatible. Sorry about the delay.

[willclarktech]

.fields seems to be far more difficult to design and will most likely also be difficult to use. And so far, I didn't find many use cases for .fields that would not be solved by .params, apart from your specific JWK use case.

I have a potential use case for exposing .fields. I'm trying to implement a private set intersection algorithm based on RSA keys, but I need to do two things which don't seem to be supported currently by Node's crypto:

1. Sign a number directly (i.e. without hashing it first): I can easily write this function to avoid using a crypto.Sign object, but not without accessing the private key fields.
2. Perform some modular arithmetic using the public key fields.

Currently I think my best option is to export the keys and parse the DER/PEM, which is a bit of a headache.

[panva]

@tniessen is it possible to pick this up? Especially getting the namedCurve out of an ec type KeyObject is a great optimization - i don't have to export and parse the DER to figure out what curve a key is...

[tniessen]

@panva In theory, sure, I just don't know if this makes a whole lot of sense now that WebCrypto is in core. What do you think?

[panva]

@panva In theory, sure, I just don't know if this makes a whole lot of sense now that WebCrypto is in core. What do you think?

I think @jasnell will concur, that WebCrypto API is not meant as a replacement for the much more flexible and performant crypto module. I think we should not stop innovating it. I'm still looking forward to landing both .params and eventually even .fields KeyObject properties.

WebCrypto API helps in writing isomorphic modules for different runtimes but it comes at a huge performance cost and inflexibility especially because of its CryptoKey abstraction that closely ties the key with the algorithm it's intended to be used for. Generally, when talking to developers they see Web Crypto API as painful to use, and i concur there too - having just ported jose to be isomorphic (unreleased and unpublished private branch for now) it puts a lot of restrains on the API one can offer, restrains I didn't have when considering only crypto to be the runtime of choice.

I'm not sure how likely WebCrypto API is to be backported to lts/12 and lts/14 but .params and .fields should be an easy one with large impact (for my modules at least).

I would still choose to use crypto in libuv threads over WebCrypto when given the choice.

[jasnell]

I think @jasnell will concur, that WebCrypto API is not meant as a replacement for the much more flexible and performant crypto module. I think we should not stop innovating it. I'm still looking forward to landing both .params and eventually even .fields KeyObject properties.

I 100% agree. The WebCrypto API is not meant to replace the existing crypto system.