/** * @file KeySetupStep.jsx * @description Key generation step for partner setup after admin approval. * Generates X25519 (scope DEK ECDH) and ES256 (DPoP) keypairs entirely in the * browser using the Web Crypto API. Private keys never leave client memory. */ window.KeySetupStep = function KeySetupStep({ clientId, registrationAccessToken, onComplete }) { const [generating, setGenerating] = React.useState(false); const [submitting, setSubmitting] = React.useState(false); const [error, setError] = React.useState(null); const [keys, setKeys] = React.useState(null); const [submitted, setSubmitted] = React.useState(false); const [copied, setCopied] = React.useState({}); const [privateSaved, setPrivateSaved] = React.useState(false); const [certPackage, setCertPackage] = React.useState(null); const [certPackageError, setCertPackageError] = React.useState(null); const [certPackageSaved, setCertPackageSaved] = React.useState(false); const copyToClipboard = async (text, field) => { try { await navigator.clipboard.writeText(text); setCopied(prev => ({ ...prev, [field]: true })); setTimeout(() => setCopied(prev => ({ ...prev, [field]: false })), 2000); } catch (err) { setError('Failed to copy to clipboard'); } }; const arrayBufferToBase64 = (buffer) => { const bytes = new Uint8Array(buffer); let binary = ''; for (let i = 0; i < bytes.length; i++) { binary += String.fromCharCode(bytes[i]); } return btoa(binary); }; const generateKeys = async () => { setGenerating(true); setError(null); try { // Generate X25519 keypair for scope DEK ECDH const x25519 = await crypto.subtle.generateKey('X25519', true, ['deriveBits']); const x25519PublicRaw = await crypto.subtle.exportKey('raw', x25519.publicKey); const x25519PrivatePkcs8 = await crypto.subtle.exportKey('pkcs8', x25519.privateKey); // X25519 PKCS8 DER has the 32-byte raw key as the last 32 bytes const x25519PrivateRaw = x25519PrivatePkcs8.slice(-32); const x25519PublicBase64 = arrayBufferToBase64(x25519PublicRaw); const x25519PrivateBase64 = arrayBufferToBase64(x25519PrivateRaw); // Generate ES256 (P-256) keypair for DPoP (RFC 9449) const ecdsa = await crypto.subtle.generateKey( { name: 'ECDSA', namedCurve: 'P-256' }, true, ['sign', 'verify'] ); const ecdsaPublicJwk = await crypto.subtle.exportKey('jwk', ecdsa.publicKey); const ecdsaPrivateJwk = await crypto.subtle.exportKey('jwk', ecdsa.privateKey); const ecdsaPrivatePkcs8Der = await crypto.subtle.exportKey('pkcs8', ecdsa.privateKey); const ecdsaPrivatePkcs8B64 = arrayBufferToBase64(ecdsaPrivatePkcs8Der); const ecdsaPrivatePem = '-----BEGIN PRIVATE KEY-----\n' + (ecdsaPrivatePkcs8B64.match(/.{1,64}/g) || []).join('\n') + '\n-----END PRIVATE KEY-----\n'; // JWK thumbprint per RFC 7638 const thumbprintInput = JSON.stringify({ crv: ecdsaPublicJwk.crv, kty: ecdsaPublicJwk.kty, x: ecdsaPublicJwk.x, y: ecdsaPublicJwk.y }); const thumbprintHash = await crypto.subtle.digest( 'SHA-256', new TextEncoder().encode(thumbprintInput) ); const thumbprintBytes = new Uint8Array(thumbprintHash); let thumbprintBase64url = btoa(String.fromCharCode(...thumbprintBytes)) .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, ''); const dpopKeyId = thumbprintBase64url; setKeys({ x25519: { publicBase64: x25519PublicBase64, privateBase64: x25519PrivateBase64, }, dpop: { publicJwk: { kty: ecdsaPublicJwk.kty, crv: ecdsaPublicJwk.crv, x: ecdsaPublicJwk.x, y: ecdsaPublicJwk.y, kid: dpopKeyId, }, privateJwk: { ...ecdsaPrivateJwk, kid: dpopKeyId }, privatePem: ecdsaPrivatePem, thumbprint: thumbprintBase64url, keyId: dpopKeyId, } }); } catch (err) { if (err.name === 'NotSupportedError') { setError( 'Your browser does not support X25519 key generation. ' + 'Please use Chrome 113+, Firefox 130+, or Safari 17.4+, ' + 'or use the CLI tool: npx ts-node src/cli/generatePartnerKeys.ts' ); } else { setError('Key generation failed: ' + (err.message || 'Unknown error')); } } finally { setGenerating(false); } }; const handleSubmitPublicKey = async () => { if (!keys || !clientId || !registrationAccessToken) return; setSubmitting(true); setError(null); try { await API.submitPublicKey(clientId, registrationAccessToken, keys.x25519.publicBase64); setSubmitted(true); try { const pkg = await API.fetchCertPackage(clientId, registrationAccessToken); if (pkg && pkg.zipBase64 && pkg.filename) { setCertPackage(pkg); } } catch (pkgErr) { setCertPackageError(pkgErr.message || 'Unable to fetch certificate package'); } if (onComplete) onComplete(); } catch (err) { setError(err.message || 'Failed to submit public key'); } finally { setSubmitting(false); } }; const downloadDpopPem = () => { if (!keys || !keys.dpop || !keys.dpop.privatePem) return; const blob = new Blob([keys.dpop.privatePem], { type: 'application/x-pem-file' }); const url = URL.createObjectURL(blob); const a = document.createElement('a'); a.href = url; a.download = `v0uchme-partner-dpop-${clientId.substring(0, 8)}.pem`; document.body.appendChild(a); a.click(); document.body.removeChild(a); URL.revokeObjectURL(url); }; const downloadCertPackage = () => { if (!certPackage) return; const binary = atob(certPackage.zipBase64); const bytes = new Uint8Array(binary.length); for (let i = 0; i < binary.length; i++) bytes[i] = binary.charCodeAt(i); const blob = new Blob([bytes], { type: 'application/zip' }); const url = URL.createObjectURL(blob); const a = document.createElement('a'); a.href = url; a.download = certPackage.filename; document.body.appendChild(a); a.click(); document.body.removeChild(a); URL.revokeObjectURL(url); setCertPackageSaved(true); }; const downloadPrivateKeys = () => { const data = { x25519_encryption: { description: 'X25519 private key for scope DEK ECDH decryption', privateKeyBase64: keys.x25519.privateBase64, publicKeyBase64: keys.x25519.publicBase64, }, dpop_signing: { description: 'ES256 private key for DPoP proof signing (RFC 9449)', keyId: keys.dpop.keyId, privateKeyJwk: keys.dpop.privateJwk, privateKeyPem: keys.dpop.privatePem, publicKeyJwk: keys.dpop.publicJwk, thumbprint: keys.dpop.thumbprint, }, generated_at: new Date().toISOString(), warning: 'Store these keys securely. They are NOT stored by v0uchme and cannot be recovered.' }; const blob = new Blob([JSON.stringify(data, null, 2)], { type: 'application/json' }); const url = URL.createObjectURL(blob); const a = document.createElement('a'); a.href = url; a.download = `v0uchme-partner-keys-${clientId.substring(0, 8)}.json`; document.body.appendChild(a); a.click(); document.body.removeChild(a); URL.revokeObjectURL(url); setPrivateSaved(true); }; const CopyButton = ({ text, field }) => ( ); if (submitted) { return (

Setup Complete

Your encryption public key has been registered. Your partner account is fully configured.

{certPackage && (

Download your certificate package

This one-time download contains your mTLS client cert, CockroachDB client cert, CA bundle, env.template (with client_secret), JWKS, and README. v0uchme does not retain a copy.

)} {certPackageError && (

Certificate package unavailable

{certPackageError}

)}

Next steps:

); } return (

Generate Encryption Keys

Your account has been approved. Generate your cryptographic keys to complete setup.

Zero-knowledge key generation

Keys are generated entirely in your browser. Private keys never leave your device and are not sent to v0uch.me. Only the public key is submitted for registration.

{error && (

{error}

)} {!keys ? (

Requires Chrome 113+, Firefox 130+, or Safari 17.4+

Alternatively, use the CLI: npx ts-node src/cli/generatePartnerKeys.ts

) : (
{/* Step 1: Save private keys */}

Step 1: Save Your Private Keys

Download and store these securely. They cannot be recovered.

{keys.x25519.privateBase64}
{JSON.stringify(keys.dpop.privateJwk)}
{/* Step 2: Review public keys */}

Step 2: Review Public Keys

These public keys will be registered with v0uch.me when you click "Submit" below.

{keys.x25519.publicBase64}
{JSON.stringify(keys.dpop.publicJwk)}

Thumbprint: {keys.dpop.thumbprint}

{/* Step 3: Submit */}
{!privateSaved && (

Please confirm you have saved your private keys before submitting.

)}
)}
); };