You can 使用 WebCrypto 生成 RSA 密钥对并将其导出如 jwk(Json Web 密钥)、pkcs#8(私有)或 spki(公共)。看SubtleCrypto.exportKey() https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/exportKey和下面的示例代码
要将密钥以受保护的方式导出到外部系统,您可以使用如下标准:
-
PKCS#8:PKCS#8 私钥格式定义于IETF 公钥密码标准加密#8。 https://www.rfc-editor.org/rfc/rfc5208#page-4允许使用密码进行加密,但 WebCryptography exportKey 不支持它。它提供了 PrivateKeyInfo
-
PKCS#12:PKCS#12 是一种密钥库交换格式。它可以包含私钥、带有公钥的证书和认证链。内容使用密码进行 3DES 加密。文件通常带有扩展名 .pfx 或 .p12
很遗憾WebCrypto 不支持以加密的通用格式导出例如PKCS#8- 加密或PKCS#12。您可以使用第三方库以其中一种格式导出密钥,例如forge https://github.com/digitalbazaar/forge
示例代码
WebCrypto RSASSA-PKCS1-v1_5 - 生成密钥
window.crypto.subtle.generateKey(
{
name: "RSASSA-PKCS1-v1_5",
modulusLength: 2048, //can be 1024, 2048, or 4096
publicExponent: new Uint8Array([0x01, 0x00, 0x01]),
hash: {name: "SHA-256"}, //can be "SHA-1", "SHA-256", "SHA-384", or "SHA-512"
},
true, //whether the key is extractable (i.e. can be used in exportKey)
["sign", "verify"] //can be any combination of "sign" and "verify"
)
.then(function(key){
//returns a keypair object
console.log(key);
console.log(key.publicKey);
console.log(key.privateKey);
})
.catch(function(err){
console.error(err);
});
WebCrypto RSASSA-PKCS1-v1_5 - 导出密钥
window.crypto.subtle.exportKey(
"pkcs8", //can be "jwk" (public or private), "spki" (public only), or "pkcs8" (private only)
privateKey //can be a publicKey or privateKey, as long as extractable was true
)
.then(function(keydata){
//returns the exported key data
console.log(keydata);
})
.catch(function(err){
console.error(err);
});
Forge -PKCS#8 https://github.com/digitalbazaar/forge#pkcs8
//needed: wrap webcrypto pkcs#8 to forge privateKey (see doc)
// encrypts a PrivateKeyInfo and outputs an EncryptedPrivateKeyInfo
var encryptedPrivateKeyInfo = pki.encryptPrivateKeyInfo(
privateKeyInfo, 'password', {
algorithm: 'aes256', // 'aes128', 'aes192', 'aes256', '3des'
});
// 将 EncryptedPrivateKeyInfo 转换为 PEM
var pem = pki.encryptedPrivateKeyToPem(encryptedPrivateKeyInfo);
Forge - PKCS#12 https://github.com/digitalbazaar/forge#pkcs12
//needed: wrap webcrypto pkcs#8 to forge privateKey (see doc)
// generate a p12 that can be imported by Chrome/Firefox
// (requires the use of Triple DES instead of AES)
var p12Asn1 = forge.pkcs12.toPkcs12Asn1(privateKey, certChain, password, {algorithm: '3des'});
// base64-encode p12
var p12Der = forge.asn1.toDer(p12Asn1).getBytes();
var p12b64 = forge.util.encode64(p12Der);