Generating PGP keypair, and signing text with an encrypted PGP private key, in Javascript

Question

I'm writing something that needs to do electronic signatures.

Some users will be geeks like me and already have their own PGP keys. Most won't, and won't want to futz with installing or maintaining it anyway.

As a workaround solution, I want to do the following:

1. Create a public/private keypair for the user that uses a separate "signing" password.
2. When I need the user to sign something, provide the plaintext to the user, along with some other info inside it like timestamps and other references, and have them sign it with the private key that I store.

There are basically two ways to do this (for users who don't have their own PGP keys).

1. The user submits the signing password to me over SSL. I generate the private keypair server side, and temporarily unlock the private key when needed to sign. I don't store the password at all, and I get rid of the unlocked private key ASAP.
2. The user generates the pub/priv key in Javascript. They send me the pubkey and encrypted private key and keep a copy in local storage. When they need to sign something, I make sure their local storage has it (and push if not), they decrypt and sign the text locally using JS. I never see their signing password nor their unlocked private key.

Either way, I also sign the result w/ the server's key. But I need there to be a user-unique, non-repudiatable way for the user to sign text too, and having them have a PGP key that I maintain is the simplest way to do so.

Option 1 is a lot simpler to do, and works well enough to meet my minimum needs.

Option 2 is a bit more trustworthy, in that unless I subvert the JS (which I still could do), I can't use their privkey myself.

However, in order to do it, I need a JavaScript library that can

1. generate a pub/priv keypair
2. decrypt a private key for use
3. sign a block of text with that private key

What libraries can do this?

P.S. Please note that I don't need to encrypt to a given public key. I need the user to sign with their own (encrypted-as-stored) key.

Answer 1

First, read this article: http://www.matasano.com/articles/javascript-cryptography/

If you are still convinced that javascript crypto is a good idea for what you're doing, then:

PGP is fairly complicated and you don't need 95% of what it does, I would recommend that you instead consider using Ed25519 for signatures - a javascript version is available at http://www.flownet.com/ron/code/ed25519.js . It's an elliptic curve based system that is substantially faster than RSA with equivalent security and much smaller keys. The keys are so small, in fact, that you can have the user choose a 'signing passphrase', feed it to scrypt[1] with their user ID as the salt, and use the output as the private key (you just need to frob three bits to make it a valid Ed25519 private key).

1. https://github.com/cheongwy/node-scrypt-js

Answer 2

I think your article claims wrong things. For Example, it says, there would be no way preventing for example math.RND() to be overwritten - but it can be done easily - write html file with inline js on top of the file. in that code you freeze every object, openpgp.js depends on.

Object.freeze()

so you could build a secure env. indeed! transfer the index.html with ssl, freeze what's important, prevent other js files to be loaded, make sure connections to other servers are not allowed and so on.

Answer 3

Have a look at http://openpgpjs.org - it should have implemented most of the functionality you're looking for.