This is really embarrassing.
On virtually any site on the internet,
window.crypto.subtle
returns
SubtleCrypto {}
__proto__: SubtleCrypto
in the Chrome console (v61 (Official Build) (64-bit)),
except for my webpage and blank.org, where
window.crypto.subtle
returns
undefined
According to https://developer.mozilla.org/en-US/docs/Web/API/Crypto/subtle it's a read-only property that should always return a SubtleCrypto object.
What could I have done, or what has blank.org done that it could possibly not?
PS: in Firefox it seems to work as intended on both my site and blank.org.
According to the spec (via Github issues) a la this Google page for WebCrypto:
crypto.subtle is supposed to be undefined in insecure contexts
Check your URLs.
If it is
https://localhost:PORT
or 0.0.0.0:port
or 127.0.0.0:port
change it to a proper hostname URL, something like
http://localhost:PORT
Worked for me! Thanks #Zmart
It would appear you have to use sites with https://...... and not vanilla http://....
From the spec - easy to miss (and linked by Zmart, above):
Access to the WebCrypto API is restricted to secure origins (which is to say https:// pages).
If you don't run your website on SSL with https the answer is: You can't use window.crypto.subtle. You have to configure SSL for your webserver. Look in the MDN docs about Crypto.subtle: it has a big warning at the top of the page saying Secure context, which means it is only available on https.
BUT there is an alternative solution if you still need support for http only. It does not involve using window.crypto.subtle but another open-source third-party library instead. Here is how:
You can use Forge, which is a crypto library that has the same functionality as window.crypto.subtle. It has all crypto algorithms for your needs.
You can use forge instead of window.crypto when you run your services over http.
Be aware that the APIs are very different and you need to write different code for cryptography using forge than using window.crypto.
You need to read the forge docs to make a specific cryptography method work for your use case.
You CANNOT use the same code that works in window.crypto.subtle when using forge; you need to find your own way how to use forge for encryption.
For your reference, to see how forge and window.crypto.subtle code differ, read below.
Links to original window.crypto.subtle based darkwire.io code and translated darkwire.io code that is using forge instead of window.crypto.subtle:
original code using window.crypto.subtle:
here
code translated to use forge, can run on http without SSL:
here
I had translated darkwire.io to use forge for my own project that runs on http and needs encrypted communication method between clients.
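The secure-context rule the answers above describe, as an added example that is not code from any of the posts: the first function approximates the Secure Contexts "potentially trustworthy origin" test for a single top-level URL, and the second is a guard that fails with an explicit message when crypto.subtle is undefined. The function names and the sample URLs are assumptions made for this illustration.

```javascript
// Added example. Approximates the "potentially trustworthy origin" test from
// the W3C Secure Contexts spec; function names are hypothetical.
function isPotentiallyTrustworthy(urlString) {
  const url = new URL(urlString);
  // Authenticated, encrypted transport always qualifies.
  if (url.protocol === 'https:' || url.protocol === 'wss:') return true;
  // Other non-HTTP schemes (file:, data:, ...) are browser-specific; treated
  // conservatively here.
  if (url.protocol !== 'http:' && url.protocol !== 'ws:') return false;

  const host = url.hostname.toLowerCase();
  // Loopback names: "localhost" and anything under ".localhost".
  if (host === 'localhost' || host.endsWith('.localhost')) return true;
  // IPv6 loopback; URL.hostname keeps the brackets.
  if (host === '[::1]') return true;
  // IPv4 loopback is the whole 127.0.0.0/8 block. 0.0.0.0 is not loopback.
  const v4 = /^(\d{1,3})\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.exec(host);
  return v4 !== null && Number(v4[1]) === 127;
}

// Runtime guard: return SubtleCrypto or fail with a message naming the cause,
// instead of a later TypeError on an undefined value.
// `scope` is injectable so the guard can be exercised outside a browser.
function getSubtle(scope = globalThis) {
  const subtle = scope.crypto && scope.crypto.subtle;
  if (subtle) return subtle;
  const where = scope.location ? scope.location.origin : 'this context';
  if (scope.isSecureContext === false) {
    throw new Error(
      `crypto.subtle is undefined: ${where} is not a secure context ` +
      '(serve the page over https:// or from localhost)');
  }
  throw new Error(`crypto.subtle is not available in ${where}`);
}

// Constructed sample URLs for the demonstration.
const SAMPLE_ORIGINS = [
  'https://example.test/', 'http://blank.org/', 'http://localhost:8080/',
  'http://127.0.0.1:3000/', 'http://0.0.0.0:3000/', 'http://[::1]:8080/',
  'http://192.168.1.20:3000/',
];

function classify(origins) {
  return origins.map((o) => [o, isPotentiallyTrustworthy(o)]);
}

console.log(classify(SAMPLE_ORIGINS));
```

In a real page a secure context also requires every ancestor frame to be trustworthy, so window.isSecureContext remains the authoritative runtime check.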
Google Cast provides sample GitHub links, which use the default cast extension to cast the data by registering from the developer console, but how do I use this sender/receiver application without the Chrome extension, by auto-detecting the device and casting the data? Are there any specific tutorials to follow?
I've been working on a project that uses a similar approach to the one you're asking about, and I came across a couple of repos on GitHub that helped me along the way, but there isn't so much on the internet about it.
Basically you can communicate with the Google Cast device without relying on the Google extension by applying two steps.
Discover the device on the local network by using a service discovery service such as Bonjour or mDNS; here's a sample repo on GitHub that uses a pure JavaScript implementation.
Communicate with the Google Cast device over the network by using Google's CASTV2 protocol over TLS. One of the most popular implementations can be found here on this GitHub repo, and here's a high-level implementation of the same library. These libraries are also written in JavaScript.
I would like to ask if it is still impossible, using JavaScript, to get a key from a USB token or from a certificate stored in the browser. I was reading many articles which said WebCryptoApi doesn't enable that.
Is there any option to get a key from a token? Maybe something has changed?
It is not possible for now. The WebCryptoApi does not support using keys stored in external keystores like smartcards, the Mozilla keystore or the Windows KeyStore (used by Chrome and Explorer), and reading the comments of the last conferences, it is not a current priority.
There is another JavaScript API specification of the W3C to be used with the Web Cryptography API. See WebCrypto Key Discovery
This note describes a JavaScript API for discovering named, origin-specific pre-provisioned cryptographic keys for use with the Web Cryptography API.
Unfortunately, it is still a working group under development.
I think that with the Chrome Native Messaging implementations it's possible.
Native messaging is implemented in Firefox and Edge too.
Check this:
https://github.com/open-eid/chrome-token-signing
I am trying to do some angular code analysis. In that way I need to get a list of all the declared modules in the webpage.
I could not find how to do it with the angular API (I believe that's not possible) but I stumbled on this. Using the AST to get modules looks interesting and promising. I could use Acorn or Esprima but I was wondering if chrome had an API to get the AST of current tab. (Possible with firefox)
EDITS:
By AST, I mean Abstract Syntax Tree. It's a data structure generated by a parser from a script to easily interpret it. All browsers use it to interpret JS. More info can be found here.
Here is an example from wikipedia:
No, Chrome's V8 does not expose any internals as part of Extension APIs, or, for that reason, remote debugger protocol.
What you see in Dev Tools is about the limit of what is exposed.
You'll need to re-parse it yourself or use a modified version of Chromium that exposes the information you need.
Is it possible to use pure JavaScript to sign XML documents in the browser?
I believe there are hard security restrictions here, but maybe there is some way of doing that.
Here is a solution based on Web Crypto - https://github.com/PeculiarVentures/xadesjs
If you mean the XmlDSig which involves accessing the local cert store then I am afraid that currently there is no way to have a reliable Javascript code that could access the cert store at the client side and use the private key of the certificate.
Hundreds of developers would die for such technology, however, the Web Crypto API is still a draft and is not implemented by web browsers.
To sign documents at the client side you still need an OS bridge:
a browser plugin - possibly the most difficult route, as writing plugins for all possible browsers for all possible systems could be overkill
a Java applet - considering Chrome has just dropped the support for NPAPI (plugin API), this seems to be obsolete. Mozilla will drop the support soon, too.
a ClickOnce application that is run by a client .NET platform - that still works, however is limited to OSes that support .NET/ClickOnce
If you need more references, Google for "javascript access certificate store". Example SO threads:
How to access windows certificate store in javascript?
Access browser certificate store using javascript
(these and other threads also support the argument that this is currently not possible)
I am looking for the same functionality.
As of now I found https://github.com/yaronn/xml-crypto
but have not tried it yet.
For just signing (not XML) with an x509 certificate I successfully used https://github.com/digitalbazaar/forge
If you need signature in a browser, maybe you need a specialized solution?
For example, this: https://www.cryptopro.ru/products/cades/plugin
(Use google translate).