-
Notifications
You must be signed in to change notification settings - Fork 3
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Derive Key #83
base: main
Are you sure you want to change the base?
Derive Key #83
Conversation
@oleiade I have sat down to write this a couple times and seems that I haven't gotten it all out at once... so here I go again. I have been looking at the implementation in node written in c++ to get an idea of what implementation of the spec looks like. I believe I understand what the spec desires to be implemented but I have a few questions still:
For the moment those are the main 2 but I think others might present themselves in discussion of these. |
webcrypto/algorithm.go
Outdated
@@ -178,6 +187,8 @@ func isRegisteredAlgorithm(algorithmName string, forOperation string) bool { | |||
return isAesAlgorithm(algorithmName) | |||
case OperationIdentifierSign, OperationIdentifierVerify: | |||
return algorithmName == HMAC || algorithmName == ECDSA | |||
case OperationIdentifierDeriveBits, OperationGetKeyLength: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Shouldn't it be OperationIdentifierDeriveKey
instead? 🙇♂️ (note that maybe deriveKey
might rely on the bits derivation under the hood and I'm not just aware of it)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah that is what I found the step 2 in the spec here for deriveKey requires deriveBits. So I think the issues for deriveBits need worked on first before I can continue so that is my current side mission 😄 I also realized that step 6 requires a "get key length" which was the util function I was referring to in my part 2 of the question from the other day. I think that is also going to be needed for the deriveBits issues so 2 birds 1 stone type of thing going on. Either way I am fairly sure that function will need to be our own implementation because I am not seeing it in any of the libraries that you mentioned.
Hi @catdevman 👋🏻 This looks good and as if it's going in the right direction, great work so far 👏🏻 1If I understood your question correctly (feel free to clarify if you think I did not 🙂):, I believe we've been doing this to have the same types as described in the specs and the operations described on them as methods. For instance, the AESCBCParams implements the encrypt and decrypt operations defined by the spec as methods. The general idea is to try to stick to what the spec describes as closely as possible. In these cases, I believe the initial intent was to avoid having super-long function names. 2Regarding implementing algorithms, please do not implement those yourselves. This library has a strict policy to stick to either the standard library or a proven set of community libraries. Here are the libraries I recommend you use: I have also needed clarification in the initial implementation by how to match the algorithms the specification defines, and how to stick to it. After consulting with some of Grafana's security team members, my key learning is that, in this case, one does not need to understand the steps of each algorithm but rather match the algorithm described to a concrete operation in an existing library implementation of the algorithm. For instance, where the specification might enter into details about the different steps of AES encryption and include those in their steps, we, as implementers, can most likely stick to the encrypt operation of the AES go package to perform all those operations in one go. The same goes for other algorithms. If you end up implementing the concrete steps of ECDH key derivation, you're most likely doing something wrong and should instead look into figuring out how to use one of the ECDH package's operations directly instead 🙂 Moving onLet me know if this is helpful, and don't hesitate to ask further questions, happy to help 🙇🏻 |
@oleiade Do you think you could help me come up with some test use cases for I started with one here(but I don't think that is quite right and the spec hasn't really helped me figure out what my test should look like): |
oh never mind I just found some good ones from the node repo. |
Hey @catdevman 👋🏻 We actually use an existing and official set of tests for testing the WebCrypto module implementation: https://github.com/web-platform-tests/wpt More specifically, we need the implementation of If you take a look at the The concrete steps in your case would probably look like the following:
Once all (if not most) of the tests pass, we'll be good to go 👍🏻 I'll admit this can be somewhat tedious work, so don't hesitate to let us know if we can help in any way, along the implementation. Happy to help, and even jump on a call if that's useful at any point in time 🙇🏻 |
@oleiade Can you also share how to run these tests. I have been do |
@oleiade I edited my above comment... but from what I can tell the tests run from the
|
For now I will add them into the |
Regarding the Can you give a shot to this approach for dervive key, and let me know if that works out? 🙇🏻 |
…multiple implementations determining what was handed to the DeriveBits function
Hey @catdevman ! Just a bit of context for tests in this repository. We mostly use two types of tests here. The first is against the WebAPI test suite, which aims to test the compatibility of k6's implementation of the WebCrypto API with the standard. It's the one that @oleiade mentioning here. However, it usually isn't ideal as a standard. Unfortunately, the WebAPI test suite didn't cover all the cases we had, especially considering that K6 was specific. That's why we came up with the idea of golden tests, which run against the examples and validate that they work (or at least do not throw exceptions) with every commit. Hope that explains! |
Yes that is very helpful explain @olegbespalov |
@catdevman please be aware of #85 |
Thanks for the heads up, I'll check out that and see if I can gain some nuggets of wisdom. That'll be a fun one to resolve looks like a lot of the same files get touched 😂 |
One more update here 🙈 since it was a massive day for the webcrypt 😅
So, likely, as you can see, the only two files have conflicts. And I don't think that they are complicated to resolve. However, I'd like to comment on another change chat affects the PR/branch. First, recently there was a change in k6 that forced us to update the signatures and adjust the way how we handle Second, I hope it would be more beneficial for the external contributors if we stopped embedding the static web platform test files (that we manually adjusted) into the repository. Instead, we would do the checkout part of the repo and apply some patches. Looking at patch files, you can learn key differences between k6 runtime and what should be adjusted. It is always clear what the difference is. These changes you can find in:
If you have any questions, feel free to ping me. I could try to help! |
Am I free to start on this again once I pull in the changes? |
Hi @catdevman Thanks for returning to us and checking! One possible inconvenience that I see that inside the @grafana/k6-core team, we decided to graduate the WebCrypto API module and back merge the code to the k6 core (https://github.com/grafana/k6 repository) the issue is grafana/k6#3154. We'll preserve the git history, like we did for the browser module (grafana/k6#4056), but still, all paths will be updated and the contribution PR should be open against grafana/k6. We don't have a cetane ETA for that change, but hopefully, I'll be able to open and merge this PR this/next week. So once I'll do that, I can comment and update you again. How does that sound? |
@olegbespalov that's perfect, shouldn't be hard to make a patch from what I've done and update the paths inside the patch so they're correct. Let me know when the promotion is done and I'll take another crack at it. |
For reference, the PR for merging xk6-webcrypto into the core is there once it will be merged, the contribution could be pointing directly to the k6, and I'll at some point archive this repository. I'll also be happy to provide any support or clarify something if needed. |
No description provided.