Namespace: WvdS.System.Security.Cryptography.Providers
JavaScript Interop-based crypto provider for Blazor WebAssembly. Communicates via IJSRuntime with openssl.wasm.
The WasmCryptoProvider enables post-quantum cryptography in Blazor WebAssembly applications through:
NativeCryptoProviderBlazor WebAssembly
|
v
+-----------------+
| WasmCrypto- |
| Provider |
| (C#) |
+--------+--------+
| IJSRuntime.InvokeAsync
v
+-----------------+
| wvds-crypto.js |
| (JavaScript) |
+--------+--------+
|
v
+-----------------+
| openssl.wasm |
| (WebAssembly) |
+-----------------+
| Property | Type | Description |
|---|---|---|
Name | string | "WASM (JS Interop)" |
IsAvailable | bool | true if initialized |
// Program.cs (Blazor WebAssembly) builder.Services.AddScoped<ICryptoProvider>(sp => new WasmCryptoProvider(sp.GetRequiredService<IJSRuntime>()));
@inject ICryptoProvider CryptoProvider @code { protected override async Task OnInitializedAsync() { await CryptoProvider.InitializeAsync(); if (CryptoProvider.IsAvailable) { var version = CryptoProvider.GetOpenSslVersion(); Console.WriteLine($"OpenSSL WASM: {version}"); } } }
In wwwroot/index.html:
<head> <!-- OpenSSL WASM Module --> <script src="_content/WvdS.Crypto/openssl.js"></script> <!-- WvdS Crypto Wrapper --> <script src="_content/WvdS.Crypto/wvds-crypto.js"></script> </head>
var (publicKey, privateKey) = await provider.GenerateMlDsaKeyPairAsync("ML-DSA-65");
byte[] data = Encoding.UTF8.GetBytes("Browser-signed data"); byte[] signature = await provider.SignMlDsaAsync(data, privateKey);
bool isValid = await provider.VerifyMlDsaAsync(data, signature, publicKey);
var (publicKey, privateKey) = await provider.GenerateMlKemKeyPairAsync("ML-KEM-768");
var (sharedSecret, ciphertext) = await provider.EncapsulateAsync(recipientPublicKey);
byte[] sharedSecret = await provider.DecapsulateAsync(ciphertext, privateKey);
PBKDF2 via Web Crypto API.
byte[] salt = await provider.RandomBytesAsync(32); byte[] derivedKey = await provider.Pbkdf2Async( password: "UserPassword", salt: salt, iterations: 100000, outputLength: 32, hash: "SHA-256");
PBKDF2 with PQ-enhanced salt.
byte[] key = await provider.Pbkdf2WithPqSaltAsync( password: "UserPassword", baseSalt: baseSalt, pqPublicKey: recipientPqPublicKey, iterations: 100000, outputLength: 32);
Memory-hard KDF via OpenSSL WASM.
byte[] key = await provider.Argon2idAsync( password: passwordBytes, salt: salt, outputLength: 32, iterations: 3, memoryKiB: 65536, parallelism: 4);
For large data volumes with chunk processing.
byte[] key = await provider.RandomBytesAsync(32); // Encrypt byte[] encrypted = await provider.EncryptChunkedAsync( plaintext, key, chunkSize: 65536); // 64 KB Chunks // Decrypt byte[] decrypted = await provider.DecryptChunkedAsync(encrypted, key);
Combines ML-KEM key exchange with chunked encryption.
// Encrypt for recipient var (kemCiphertext, encryptedData) = await provider.EncryptStreamWithPqKeyAsync( plaintext, recipientPublicKey, chunkSize: 65536); // Decrypt byte[] decrypted = await provider.DecryptStreamWithPqKeyAsync( kemCiphertext, encryptedData, privateKey);
byte[] prk = await provider.HkdfExtractAsync(salt, inputKeyMaterial);
byte[] okm = await provider.HkdfExpandAsync(prk, info, outputLength: 32);
Extract + Expand in one step.
byte[] key = await provider.HkdfDeriveKeyAsync( ikm: sharedSecret, length: 32, salt: optionalSalt, info: contextInfo);
Combines classic and PQ secret.
byte[] hybridKey = await provider.DeriveHybridKeyAsync( classicSecret: ecdhSecret, pqSecret: mlKemSecret, outputLength: 32);
Tls13KeyMaterial keys = await provider.DeriveTls13KeysAsync( sharedSecret, clientHello, serverHello); // Access derived secrets var clientKey = keys.ClientHandshakeTrafficSecret; var serverKey = keys.ServerHandshakeTrafficSecret;
Creates hybrid signature from classic signature and ML-DSA.
// Create classic signature (e.g., ECDSA) byte[] classicSig = CreateEcdsaSignature(data); // Create hybrid signature byte[] hybridSig = await provider.CreateHybridSignatureAsync( data, classicSig, mlDsaPrivateKey);
Cryptographically secure random numbers via Web Crypto API.
byte[] random = await provider.RandomBytesAsync(32);
byte[] certBytes = await provider.CreateEphemeralCertificateAsync( "CN=Browser Certificate", TimeSpan.FromHours(1), mlDsaPrivateKey);
byte[] signedCert = await provider.SignCertificateAsync(tbsCertificate, privateKey);
| Method | Parameters | Return |
|---|---|---|
GenerateMlDsaKeyPairAsync | string algorithm | Task<(byte[], byte[])> |
SignMlDsaAsync | byte[] data, byte[] privateKey | Task<byte[]> |
VerifyMlDsaAsync | byte[] data, byte[] signature, byte[] publicKey | Task<bool> |
| Method | Parameters | Return |
|---|---|---|
GenerateMlKemKeyPairAsync | string algorithm | Task<(byte[], byte[])> |
EncapsulateAsync | byte[] publicKey | Task<(byte[], byte[])> |
DecapsulateAsync | byte[] ciphertext, byte[] privateKey | Task<byte[]> |
| Method | Parameters | Return |
|---|---|---|
Pbkdf2Async | string password, byte[] salt, int iterations, int outputLength, string hash | Task<byte[]> |
Pbkdf2WithPqSaltAsync | string password, byte[] baseSalt, byte[] pqPublicKey, int iterations, int outputLength | Task<byte[]> |
Argon2idAsync | byte[]/string password, byte[] salt, int outputLength, int iterations, int memoryKiB, int parallelism | Task<byte[]> |
| Method | Parameters | Return |
|---|---|---|
HkdfExtractAsync | byte[] salt, byte[] ikm | Task<byte[]> |
HkdfExpandAsync | byte[] prk, byte[] info, int length | Task<byte[]> |
HkdfDeriveKeyAsync | byte[] ikm, int length, byte[]? salt, byte[]? info | Task<byte[]> |
DeriveHybridKeyAsync | byte[] classicSecret, byte[] pqSecret, int outputLength | Task<byte[]> |
| Method | Parameters | Return |
|---|---|---|
EncryptChunkedAsync | byte[] plaintext, byte[] key, int chunkSize | Task<byte[]> |
DecryptChunkedAsync | byte[] ciphertext, byte[] key | Task<byte[]> |
EncryptStreamWithPqKeyAsync | byte[] plaintext, byte[] publicKey, int chunkSize | Task<(byte[], byte[])> |
DecryptStreamWithPqKeyAsync | byte[] kemCiphertext, byte[] encryptedData, byte[] privateKey | Task<byte[]> |
| Method | Parameters | Return |
|---|---|---|
RandomBytesAsync | int length | Task<byte[]> |
CreateHybridSignatureAsync | byte[] data, byte[] classicSig, byte[] pqPrivKey | Task<byte[]> |
DeriveTls13KeysAsync | byte[] sharedSecret, byte[] clientHello, byte[] serverHello | Task<Tls13KeyMaterial> |
// Blazor Component @page "/crypto-demo" @inject ICryptoProvider CryptoProvider <h3>PQ Crypto Demo</h3> <p>Status: @_status</p> @code { private string _status = "Initializing..."; protected override async Task OnInitializedAsync() { try { await CryptoProvider.InitializeAsync(); // Key Exchange Demo var (alicePublic, alicePrivate) = await CryptoProvider.GenerateMlKemKeyPairAsync(); var (sharedSecret, ciphertext) = await CryptoProvider.EncapsulateAsync(alicePublic); var decapsulated = await CryptoProvider.DecapsulateAsync(ciphertext, alicePrivate); bool keysMatch = sharedSecret.SequenceEqual(decapsulated); // Signature Demo var (sigPub, sigPriv) = await CryptoProvider.GenerateMlDsaKeyPairAsync(); byte[] message = Encoding.UTF8.GetBytes("Test Message"); byte[] signature = await CryptoProvider.SignMlDsaAsync(message, sigPriv); bool isValid = await CryptoProvider.VerifyMlDsaAsync(message, signature, sigPub); _status = $"Keys match: {keysMatch}, Signature valid: {isValid}"; } catch (Exception ex) { _status = $"Error: {ex.Message}"; } } }
openssl.wasm and wvds-crypto.js must be correctly loadedWolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional