WasmCryptoProvider

Namespace: WvdS.System.Security.Cryptography.Providers

JavaScript Interop-based crypto provider for Blazor WebAssembly. Communicates via IJSRuntime with openssl.wasm.

Overview

The WasmCryptoProvider enables post-quantum cryptography in Blazor WebAssembly applications through:

JavaScript Interop to WebAssembly-compiled OpenSSL
Fully asynchronous API (required for JS Interop)
Identical functionality to NativeCryptoProvider

Architecture

Blazor WebAssembly
      |
      v
+-----------------+
| WasmCrypto-     |
| Provider        |
| (C#)            |
+--------+--------+
         | IJSRuntime.InvokeAsync
         v
+-----------------+
| wvds-crypto.js  |
| (JavaScript)    |
+--------+--------+
         |
         v
+-----------------+
| openssl.wasm    |
| (WebAssembly)   |
+-----------------+

Properties

Property	Type	Description
`Name`	string	`"WASM (JS Interop)"`
`IsAvailable`	bool	`true` when initialized

Dependency Injection

// Program.cs (Blazor WebAssembly)
builder.Services.AddScoped<ICryptoProvider>(sp =>
    new WasmCryptoProvider(sp.GetRequiredService<IJSRuntime>()));

Initialization

@inject ICryptoProvider CryptoProvider
 
@code {
    protected override async Task OnInitializedAsync()
    {
        await CryptoProvider.InitializeAsync();
 
        if (CryptoProvider.IsAvailable)
        {
            var version = CryptoProvider.GetOpenSslVersion();
            Console.WriteLine($"OpenSSL WASM: {version}");
        }
    }
}

Required JS/WASM Files

In wwwroot/index.html:

<head>
    <!-- OpenSSL WASM Module -->
    <script src="_content/WvdS.Crypto/openssl.js"></script>
 
    <!-- WvdS Crypto Wrapper -->
    <script src="_content/WvdS.Crypto/wvds-crypto.js"></script>
</head>

ML-DSA and ML-KEM

The methods are identical to NativeCryptoProvider:

// ML-KEM
var (publicKey, privateKey) = await provider.GenerateMlKemKeyPairAsync("ML-KEM-768");
var (sharedSecret, ciphertext) = await provider.EncapsulateAsync(recipientPublicKey);
byte[] sharedSecret = await provider.DecapsulateAsync(ciphertext, privateKey);
 
// ML-DSA
var (sigPub, sigPriv) = await provider.GenerateMlDsaKeyPairAsync("ML-DSA-65");
byte[] signature = await provider.SignMlDsaAsync(data, sigPriv);
bool isValid = await provider.VerifyMlDsaAsync(data, signature, sigPub);

Additional WASM-specific Methods

Key Derivation

Method	Description
`Pbkdf2Async`	PBKDF2 via Web Crypto API
`Pbkdf2WithPqSaltAsync`	PBKDF2 with PQ-enhanced salt
`Argon2idAsync`	Memory-hard KDF via OpenSSL WASM
`HkdfDeriveKeyAsync`	HKDF Extract + Expand
`DeriveHybridKeyAsync`	Combines classic + PQ secret

Stream/Chunked Encryption

Method	Description
`EncryptChunkedAsync`	Chunked AES-GCM encryption
`DecryptChunkedAsync`	Chunked AES-GCM decryption
`EncryptStreamWithPqKeyAsync`	ML-KEM + chunked encryption
`DecryptStreamWithPqKeyAsync`	ML-KEM + chunked decryption

Utility

Method	Description
`RandomBytesAsync`	Cryptographically secure random numbers via Web Crypto API
`CreateHybridSignatureAsync`	Create hybrid signature
`DeriveTls13KeysAsync`	TLS 1.3 key schedule

Security Notes

Requires .NET 8.0+ with Blazor WebAssembly
Browser memory is less secure than server memory
Private keys should not be stored long-term in the browser
For sensitive operations: Prefer server-side processing
openssl.wasm and wvds-crypto.js must be correctly loaded

Best Practices for Browser Crypto:

Use ephemeral keys for session-based encryption
Keep sensitive private keys on the server
Do not use IndexedDB/localStorage for unencrypted keys
Configure CSP headers correctly for WASM

Inhaltsverzeichnis