2

This is a very strange issue, to me. I was developing a basic little PGP tool and it all worked well, I deployed and forgot. Went to test this morning on the server and it lags, crashing the browser sometimes but always spiking CPU to 100%. The culprit is the async call openpgp.generateKey(), that's what hangs after a build. When I serve it up via npm start it's super snappy with no issues at all. I used Create React App for this and have tried disabling chunking via this post: How can I disable chunk(code splitting) with webpack4?

But it didn't help. I have to assume that something in that build process is causing this, I just can't figure out what. Any help would be greatly appreciated!

```jsx
import { useState } from 'react'
import * as openpgp from 'openpgp';

function GenKeys () {
    const genKeyPair = async (name, email, passphrase) => {
        const { privateKey, publicKey } = await openpgp.generateKey({
            type: 'rsa', // Type of the key
            rsaBits: 4096, // RSA key size (defaults to 4096 bits)
            userIDs: [{ name, email }], // you can pass multiple user IDs
            passphrase // protects the private key
        });
        setPrivateKey(privateKey)
        setPublicKey(publicKey)
    }

    const [name, setName] = useState('')
    const [email, setEmail] = useState('')
    const [passphrase, setPassphrase] = useState('')
    const [privateKey, setPrivateKey] = useState('')
    const [publicKey, setPublicKey] = useState('')

    return <div>
        <input defaultValue={name} onChange={e => setName(e.target.value)} placeholder='Name' />
        <input defaultValue={email} onChange={e => setEmail(e.target.value)} placeholder='Email' />
        <input defaultValue={passphrase} onChange={e => setPassphrase(e.target.value)} type="password" placeholder='Password' />
        <button onClick={e => genKeyPair(name, email, passphrase)}>Gen Keys</button>
        <div>
            <div>
                Private Key
                <br />
                <textarea value={privateKey}></textarea>
            </div>
            <div>
                Public Key
                <br />
                <textarea value={publicKey}></textarea>
            </div>
        </div>
    </div>;

}

export default GenKeys;
```
jamezyx
  • Which version of openpgp are you using? – Sumit Parakh Mar 10 '23 at 08:26
  • "^5.7.0" which seems to be the latest – jamezyx Mar 10 '23 at 08:54
  • I created a small repo, but using astro with solidjs [demo](https://openpgp-generator.vercel.app/) and I'm seeing the expected behavior where generating an RSA key @ 4096 bit encryption is quite CPU intensive. I'm by no means an encryption expert, but this seems to be the trade-off for [4096 vs 2048 bit encryption](https://security.stackexchange.com/questions/65174/4096-bit-rsa-encryption-keys-vs-2048). On a related note, this library when compiled is MASSIVE! It clocks in at ~500kb. I'd suggest looking into other alternatives like server-side encryption to reduce client load/sluggishness. – Matt Carlotta Apr 21 '23 at 03:47
  • I put together another [demo](https://openpgp-generator-server.vercel.app/), but this time using NextJS/React and off-loading the RSA key generation to the server-side. As you'll notice, the client and their machine are unaffected, but generating the key takes quite a while. There is one other major drawback to this approach in that if the server gets bogged down with many key generation requests, then expect the server response time and page loading to be very slow. Also, if the key generation request takes too long or takes up too much memory, then the response may return an error. – Matt Carlotta Apr 21 '23 at 22:28
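The cost discussed in the comments above can be made visible with a small measurement. This is an added example, not code from the post or from OpenPGP.js: it uses Node's built-in `crypto` module as a stand-in for the browser to show that RSA key generation run on the calling thread starves everything else on that thread, while the same work handed to a native asynchronous API leaves the event loop responsive. The function names `countTicksWhile` and `compareBlocking` are hypothetical.

```javascript
// Added example. Node's built-in crypto stands in for the browser;
// countTicksWhile and compareBlocking are hypothetical names.

// Count how many 5 ms timer ticks get to run while `work` is in progress.
// A tick count of 0 means nothing else could run on this thread.
async function countTicksWhile(work) {
  let ticks = 0;
  const timer = setInterval(() => { ticks += 1; }, 5);
  const started = Date.now();
  try {
    await work();
  } finally {
    clearInterval(timer);
  }
  return { ticks, ms: Date.now() - started };
}

async function compareBlocking(modulusLength = 4096) {
  const { generateKeyPair, generateKeyPairSync } = await import('node:crypto');
  const options = { modulusLength };

  // Same thread: the prime search runs to completion before any timer fires.
  const sync = await countTicksWhile(() => generateKeyPairSync('rsa', options));

  // Off thread: the work runs in the libuv thread pool, timers keep firing.
  const offThread = await countTicksWhile(() => new Promise((resolve, reject) => {
    generateKeyPair('rsa', options, (err, publicKey, privateKey) =>
      (err ? reject(err) : resolve({ publicKey, privateKey })));
  }));

  return {
    modulusLength,
    ticksDuringSync: sync.ticks,
    msSync: sync.ms,
    ticksDuringOffThread: offThread.ticks,
    msOffThread: offThread.ms,
  };
}

// Usage: compareBlocking(4096).then(console.log);
```

In a browser the counterpart of the second path is a Web Worker or `crypto.subtle.generateKey`; note that `crypto.subtle` is only exposed in secure contexts (HTTPS or localhost).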

1 Answer

0

If you are running your code on a Linux machine, what you could do in this kind of situation is use 'strace' on the concerned process (here npm) to watch where some bottleneck or unsuspected behavior could occur.

  • This is extremely generic advice, and only really for desperate situations. – tripleee Apr 28 '23 at 04:27
  • I understand, but with so few details it is hard to assess in a better way IMHO... – PastelDeNata Apr 29 '23 at 11:26
  • In such situations, perhaps it's better to abstain from answering. Once you earn more reputation points on this site, you will be able to leave comments, and (with more rep still) vote to close as unclear. – tripleee Apr 29 '23 at 14:03