Can nodejs create a crypto key + certificate for me?

921 views

i...@bodokaiser.io

Aug 31, 2013, 5:02:01 AM8/31/13
to nod...@googlegroups.com
Hello,

you all know OpenSSL key pairs used for SSL connections.

I want to create one in node.js natively; unfortunately, I only found that spawning a child process which calls openssl from the command line can do this.

Is this correct or is there also a native npm package which does this for me?

Best,
Bodo

Ben Noordhuis

Aug 31, 2013, 5:55:54 AM8/31/13
to nod...@googlegroups.com
I don't know of any npm packages. If there are, they probably shell
out to `openssl` because:

a) there is no support in node.js core for generating private keys
or certificates except for ephemeral Diffie-Hellman keys, and

b) it's exceedingly difficult for native add-ons to link to the
bundled copy of OpenSSL. We'll fix that - someday.

i...@bodokaiser.io

Aug 31, 2013, 7:01:00 AM8/31/13
to nod...@googlegroups.com
I want to encrypt a json object with a public key so I do not have to worry about it being transported without ssl/tls.
As relying on only one static key pair would be quite dangerous, I wanted to use "dynamic" key pairs (one key pair for each connection).

I am not familiar with Diffie-Hellman but it seems usable for this situation.

Is this correct or would you recommend sticking with using the OpenSSL shell?

i...@bodokaiser.io

Aug 31, 2013, 7:16:24 AM8/31/13
to nod...@googlegroups.com
Actually what would be the benefit of using Diffie-Hellman for key pair generation over randomBytes?

Austin William Wright

Aug 31, 2013, 8:10:31 AM8/31/13
to nod...@googlegroups.com
What are you actually trying to do?

Implementing security isn't something to take lightly... Even if you think you're not protecting anything of great importance, your users often are. For instance, many users will (despite appeals to common sense) use the same password that they do for their bank account.

Don't write your own crypto. It is not a one-man job: crypto libraries like OpenSSL spend great amounts of time under peer review by large numbers of developers and experts (and that's still not good enough!). I've never seen a secure hand-built cryptographic protocol. And anything you build, if it ends up containing all the features necessary to be secure, is going to look suspiciously like TLS.

Use TLS. Fork a call to OpenSSL to generate an X.509 certificate, and use the certificate fingerprint to identify it.

Diffie-Hellman generates a shared secret over an interactive, authenticated channel. There's no good reason for anyone to use Diffie-Hellman directly. The only part of the 'crypto' module that anyone should be using is HMAC or PBKDF2... Everything else can be handled by TLS (for interactive communication) or PGP (for storing data securely... I don't know about Node.js support for PGP, but native support for it would be nice).

And, in case anyone was thinking so, I would _NOT_ trust a JavaScript library to do this under _any_ circumstances.

Finally, I'd seek out a security professional. If you feel the need to encrypt something (like in a database), there's probably larger issues to consider.

Ben Noordhuis

Aug 31, 2013, 8:17:46 AM8/31/13
to nod...@googlegroups.com
On Sat, Aug 31, 2013 at 1:16 PM, <i...@bodokaiser.io> wrote:
> Actually what would be the benefit of using Diffie-Hellman for key pair
> generation over randomBytes?

Apples and oranges. The DH functions are for setting up an encrypted
communication channel between two or more peers. crypto.randomBytes()
is for generating, well, random bytes.

Bodo Kaiser

Aug 31, 2013, 8:19:20 AM8/31/13
to nod...@googlegroups.com
Hi Austin,

I want to encrypt a json document and send it through insecure channels (e.g. unencrypted email, untrusted messaging channels).

The json document itself is encrypted by "crypto.createCipher" and decrypted by "crypto.createDecipher".


First I was somehow stuck on using a private/public key for encrypting the json document but actually this is unnecessary.

Using one single shared key is enough and this could actually be generated by "crypto.randomBytes".

I was just a bit confused by the different set of algorithms and approaches as I actually never worked with crypto stuff before.

Are there still any issues with my current approach?


--
--
Job Board: http://jobs.nodejs.org/
Posting guidelines: https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines
You received this message because you are subscribed to the Google
Groups "nodejs" group.
To post to this group, send email to nod...@googlegroups.com
To unsubscribe from this group, send email to
nodejs+un...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/nodejs?hl=en?hl=en
 
---
You received this message because you are subscribed to a topic in the Google Groups "nodejs" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/nodejs/DtlsT0xMMHs/unsubscribe.
To unsubscribe from this group and all its topics, send an email to nodejs+un...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

José F. Romaniello

Aug 31, 2013, 9:13:59 AM8/31/13
to nod...@googlegroups.com

Have a look at node-forge, it is entirely js. We are using it in my selfsigned module to generate self-signed certs.


José F. Romaniello

Aug 31, 2013, 9:17:17 AM8/31/13
to nod...@googlegroups.com

Maxime ROBERT

Sep 3, 2015, 5:38:55 PM9/3/15
to nodejs, i...@bodokaiser.io
I just found this https://www.npmjs.com/package/akeypair
And it's absolutely awesome
(I know it's late, but for other people coming around here!)