Derive an AES-KW key in JS

I am trying to derive an AES-KW key in JS, like this:

let { publicKey: pub, privateKey: key } = 
  await crypto.subtle.generateKey(
    { name: 'ECDH', namedCurve: 'P-521' },
    true,
    ['deriveKey'],
  )

await crypto.subtle.deriveKey(
  { name: 'ECDH', public: pub },
  key,
  { name: 'AES-KW', length: 256 },
  false,
  ["encrypt", "decrypt"],
)

Error: Uncaught (in promise) DOMException: Cannot create a key using the specified key usages.

I don't know why, because it succeeds with AES-GCM.

Technically, crypto.subtle.deriveKey with name: 'AES-KW' as derivedKeyAlgorithm provides a key which can be used for wrapping another key according to RFC 3394, see also AES-KW. For this, ['wrapKey', 'unwrapKey'] has to be used as keyUsages instead of ['encrypt', 'decrypt'], see also this example (getKey).

name: 'AES-GCM' as derivedKeyAlgorithm with ['encrypt', 'decrypt'] as keyUsages provides a key which can be used for encryption and decryption with AES-GCM.

Example for AES-KW:

crypto.subtle.generateKey(
    { name: 'ECDH', namedCurve: 'P-521' }, 
    true, 
    ['deriveKey']
    ).then(function(keypair){
        crypto.subtle.deriveKey(
            { name: 'ECDH', public: keypair.publicKey },  // In practice, this is the public key of the recipient
            keypair.privateKey,                           // In practice, this is the own private key
            { name: 'AES-KW', length: 256 },
            true,
            ["wrapKey", "unwrapKey"],
        ).then(function(wrappingKey){
            console.log(wrappingKey);
        })
    })
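
The following is an added example, not code from the question or the answer above: it carries the answer's point through a full exchange, with two separate ECDH key pairs deriving the same AES-KW key, one side wrapping an AES-GCM content key and the other unwrapping it. The names sender, recipient, deriveWrappingKey and demo are assumptions made for the illustration.

```javascript
// Added example. Browsers expose crypto.subtle directly; the fallback covers older Node.js.
const { subtle } = globalThis.crypto ?? require('node:crypto').webcrypto;

const ecdh = { name: 'ECDH', namedCurve: 'P-521' };
const hex = (buf) =>
  Array.from(new Uint8Array(buf), (b) => b.toString(16).padStart(2, '0')).join('');

// Derive the shared AES-KW key from our own private key and the peer's public key.
function deriveWrappingKey(ownPrivate, peerPublic, usages = ['wrapKey', 'unwrapKey']) {
  return subtle.deriveKey({ name: 'ECDH', public: peerPublic }, ownPrivate,
    { name: 'AES-KW', length: 256 }, false, usages);
}

async function demo() {
  // Constructed sample parties; each keeps its private key non-extractable.
  const sender = await subtle.generateKey(ecdh, false, ['deriveKey']);
  const recipient = await subtle.generateKey(ecdh, false, ['deriveKey']);

  // The usages from the question are rejected for an AES-KW key.
  const rejected = await deriveWrappingKey(
    sender.privateKey, recipient.publicKey, ['encrypt', 'decrypt'],
  ).then(() => false, () => true);

  // Sender: wrap a fresh AES-GCM content key (RFC 3394 adds 8 bytes: 32 -> 40).
  const contentKey = await subtle.generateKey(
    { name: 'AES-GCM', length: 256 }, true, ['encrypt', 'decrypt']);
  const senderKw = await deriveWrappingKey(sender.privateKey, recipient.publicKey);
  const wrapped = await subtle.wrapKey('raw', contentKey, senderKw, 'AES-KW');

  // Recipient: derive the same key from the other side and unwrap.
  const recipientKw = await deriveWrappingKey(recipient.privateKey, sender.publicKey);
  const unwrapped = await subtle.unwrapKey('raw', wrapped, recipientKw, 'AES-KW',
    { name: 'AES-GCM' }, true, ['encrypt', 'decrypt']);

  return {
    rejected,
    wrappedLength: wrapped.byteLength,
    sameKey: hex(await subtle.exportKey('raw', contentKey)) ===
             hex(await subtle.exportKey('raw', unwrapped)),
    wrappingKeyUsages: [...senderKw.usages].sort(),
  };
}
```

Calling demo() resolves to an object reporting whether the encrypt/decrypt usages were rejected, the wrapped length, and whether the unwrapped key matches the original.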