There should be a folder for an application or examples, and the entire UI stuff, readme and all should be in there.

They should not be mixed in like they are.

This is a complicated one, right now our server is running in the current user context because we are doing development. As such it is interactive and can display user interface.

When we switch to it running as a service it will no longer be able to do that.

The various PKCS#11 implementations we will have will want the ability to present pin/password prompts. For them to do so there will need to be an interactive component that invokes the provider.

One way to do this is to use webcrypto-local on the service and have it invoke a session to a user mode "server" that invokes node-webcrypto-p11. We would want to automate the establishment of the pairing between the two components if we did this approach.

We will also need to consider how to handle multi-user systems with this also.

Though solving this problem will require some refactoring, I suggest we continue on the current path and come back to it.

If we create Request for certificate with RSA-OAEP key we cannot use this key for request signing

@rmhrisk What should we do for this case?

Right now we don't provide disambiguating information about the certificate:

In general extensions and issuer name would help:

Seems related to using first item.

The "Create" page creates a certificate request.

Downloading the certificate request gives us a .cer

It should be ".csr" or "p10" with a mime type of:
application/pkcs10

We cant do RSA-OAEP without having a certificate to sign it with so for now lets just disable or remove it.

We will need an API to select certificates that match an application's criteria, we are tracking that here: #4

This bug is to track designing a dialog for that API to use, here are some mocks to seed that process:

It would also make sense to have a confirm prompt:

We may also want to have basic smart card support:

These dialogs are inspired by: https://blogs.technet.microsoft.com/dodeitte/2015/05/31/how-to-change-the-certificate-store-used-for-lync-client-certificates/

@rmhrisk

I've got some problems with opening multi sessions for one PKCS#11 token.

SoftHSM module throws error Error: CKR_USER_ALREADY_LOGGED_IN:256
Yubico module throws error Error: CKR_SESSION_COUNT:177

node-webcrypto-p11 uses

const mod = graphene.Module.load()
mod.initialize()

I can't use initialize twice for one module, even I use Module.load for each time. Because JS load native module only once.

To fix it we have to load native in its own thread for each new Module.load

if we use current version of node-webcrypto-p11, then user can enter PIN only once and use this PKCS11 session for each 2key session.

Also div not covering whole screen

This:

Or This:

When I go to import a CSR in PEM encoding I get an error in the console:

But the UI displays no error, I would have expected a message like:

An error occurred while importing a certificate. 
Please make sure the certificate is well formed and try again.

But I also would have expected this import to actually work, I tried again with the same certificate encoded as DER though the certificate did not get imported it also did not get an error.

We can do a basic check on the provided certificate to see if it is ASCII to determin if we should DER encode before passing to PKIjs. One simple way is via a regular expression:

/^[ -~\t\n\r]+$/;

You could also check for the PEM Armour?

http://stackoverflow.com/questions/30322774/how-do-we-validate-the-format-of-the-csr-using-regex

And based on that decide what is needed to be done.

Either way we need error handling in the UI for errors.

branch: application

Right now you have to refresh to detect the server starting, we will need to implement a poll to catch the server start.

importCert in x509 form is odd because we create PKCS#10 request. This call will throw error for each time
https://github.com/PeculiarVentures/webcrypto-local/blob/application/src/app/sagas/webcrypto/certificate.js#L100

Right now the client basically polls the server to see if its done, it should instead wait on an event from the server to tell it to continue or give up.

There will be cases where the server fails for unexpected reasons, right now we have such a case because a smart card is not supported, for example:

In this case, the UI made a call and the server complained:

The UI should catch such cases and display a generic error, something like:

An error occurred trying to access the remote cryptographic implementation.

Please try again.

We could maybe include the stack in a text box so people could copy it and paste it into a support forum.

In Windows they have an API called CertSelectCertificate(), it takes a set of criteria and filters certificate to those that match that set.

We will want to have a similar API to make it easy to pick the certificates that match an applications criteria.

In theory, this API would take in a CertificateStorage array and return a certificate, things it might also take as input include:

These values would be used by something like the dialog proposed in #5

We should also consider how we can make this a re-usable component, maybe do it as a WebCompontent?

2key-ratchet works for Mozilla, but IndexedDB storage doesn't keep Identity keys for next connection. User has approve each new connection.

Currently, the project combines two public keys together, hashes them, HEX's that hash, and takes the numbers.

It is better to take the last n bits or first n bits, and convert them into decimal.

parseInt(binary, 2);

This is because HEX will have a bias in its output, this change will make the pins far more random.

We will need to update SECURITY.md.

https://medium.com/@marin_m/how-i-found-a-5-000-google-maps-xss-by-fiddling-with-protobuf-963ee0d9caff#.sjbhgghdr

It is insecure, and deprecated, lets not expose:

Right now we do not show 3072, we should

We want to provide enough information to disambiguate if we can, key size could help:

Our pairing mechanism requires the application to present the user a pin it compares to a pin displayed by the operating system for the webcrypto-local service.

Here is a rough prototype we can use as an input to this process:

We will want this to display as a DIV dialog so it can automatically be dismissed when the pairing is complete.

We may end up needing a user mode component to perform cryptographic operations, if so we may also want a pairing confirmation dialog:

We have several error cases:

• The requested operation is not supported by the cryptographic provider.
• The requested operation was denied by the cryptographic provider.
• The token or smart card was removed.
• An unknown error occurred.

For operations like generate, import we need to select Provider which will keep new item.

WebCrypto does not allow the same key to be used for both signing and encryption, certificates sometimes are used for both.

We have to choose to have webcrypto-local enforce this restriction or to accommodate the certificate usage pattern.

Initially, I suggest we honor the more restrictive WebCrypto approach and change if it becomes a problem.

The reason WebCrypto enforces this rule is to prevent accidental cryptographic mistakes, some algorithms will leak key details if used in the way certs allow.

The user doesn't know why button is disabled:

ex: https://tls.openmirage.org

I should be able to fill out form only with keyboard, I can not open/set get the combo boxes to have focus

Right now we leak a bunch of data to the browser session, we may want to have a debug mode where an admin user can enable this detail or an explicit message to request it that must be approved by the user but by default we want to return only what is minimally needed to perform task.

Any application running in the context of the application will have the ability to directly use the IdentityKey.

I believe, if we put the IdentityKey (and other keys) in a service worker, then only whatever API that is exposed by the service worker will be able to interact with those keys.

Since we utilize non-exportable keys, even if we do not do this they can not steal the key but they could create their own pre-keys (or other keys) and get them signed then use them elsewhere.

My moving these keys to the ServiceWorker and using PostMessage to communicate with it we mitigate this risk.

We should add this to our SECURITY.md also.

We should put the same signature details section in the requests UI:

Stepan,

I generated some CSRs, that of course generated keys but I do not see keys in the list, is that expected?