CipherSmith: a browser-based crypto toolkit

For years I had a small private page on my machine with a bunch of hacky tools for day-to-day crypto work. Hashing a string, base64 encoding something, generating a random key. Nothing fancy. Just stuff I got tired of copy-pasting terminal commands for every single time.

The problem with most online tools is that they want you to paste sensitive data into some random form on some random server. Which is a terrible idea when the thing you’re pasting is a private key or an API token. And tools like CyberChef are great, but it’s a lot of UI to navigate when you just want to quickly hash a string.

So a few weeks ago I cleaned things up and turned my private page into something actually usable: ciphersmith.io.

What’s in there

The scope got a bit out of hand. Let me walk through it.

PKI

This is what I use most. Working with certificates is painful enough without having to remember which openssl flags to use every single time.

The PKI side covers the full lifecycle. Generate RSA (2048/4096-bit), ECDSA (P-256/384/521), or Ed25519 key pairs. Create a self-signed root CA. Generate CSRs with Subject Alternative Names. Sign those CSRs with configurable Extended Key Usage. Verify certificate chains. Match a certificate to its private key.

There’s also an Inspect tool that shows you what’s actually inside a certificate, CSR, or key in a readable way. A Hostname Check that verifies a hostname against a certificate’s SANs (including wildcards per RFC 6125). And PKCS#12 bundle creation and parsing. You can also add custom X.509 v3 extensions, including OtherName entries – I need those since we work with Dutch UZI and URA certificates.
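
To make concrete what a hostname-versus-SAN check involves, here is an added example in plain JavaScript (not the CipherSmith code, which I have not seen). It applies the RFC 6125 rules conservatively: a wildcard is accepted only as the entire leftmost label, it never matches more than one label, and it never matches an IDN A-label; the requirement that at least two labels follow the wildcard is an extra assumption of mine, not an RFC rule. The SAN list is constructed for the demo.

```javascript
// Added example: conservative RFC 6125 style hostname check against SAN entries.
// Not CipherSmith's own code; the SAN list at the bottom is constructed.

const LABEL_RE = /^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/;

// Lower-case the name and strip a single trailing dot ("example.com." == "example.com").
function normalizeHost(host) {
  return String(host).toLowerCase().replace(/\.$/, "");
}

// Match one presented dNSName (possibly "*.example.com") against a reference host.
// Rules: wildcard only as the whole leftmost label, wildcard spans exactly one label,
// wildcard never matches an IDN A-label (xn--), partial wildcards ("w*.example.com")
// are rejected, and (assumption, not from the RFC) at least two labels must follow
// the wildcard so "*.com" can never match "example.com".
function dnsNameMatches(presented, host) {
  const p = normalizeHost(presented).split(".");
  const h = normalizeHost(host).split(".");
  if (!h.every((label) => LABEL_RE.test(label))) return false;
  if (p[0] === "*") {
    if (p.length < 3 || h.length !== p.length) return false;
    if (h[0].startsWith("xn--")) return false;
    return p.slice(1).every((label, i) => label === h[i + 1]);
  }
  if (p.some((label) => label.includes("*"))) return false;
  return p.length === h.length && p.every((label, i) => label === h[i]);
}

// Check a host against a certificate's SAN entries ({ type, value }).
// IP literals are compared only to iPAddress SANs; DNS names only to dNSName SANs,
// so a cert whose CN happens to contain the name is never matched via the CN.
function hostnameMatchesSans(host, sans) {
  const isIp = /^(\d{1,3}\.){3}\d{1,3}$/.test(host) || host.includes(":");
  if (isIp) {
    return sans.some((s) => s.type === "iPAddress" && s.value === host);
  }
  return sans.some((s) => s.type === "dNSName" && dnsNameMatches(s.value, host));
}

// Constructed SAN list standing in for what an inspected certificate would carry.
const SAMPLE_SANS = [
  { type: "dNSName", value: "example.com" },
  { type: "dNSName", value: "*.example.com" },
  { type: "iPAddress", value: "192.0.2.10" },
];
```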

Symmetric and asymmetric crypto

The basics: SHA-1/256/384/512 hashing, HMAC, AES-256-GCM encryption and decryption (PBKDF2 key derivation), and HKDF for key expansion.

Asymmetric: RSA-OAEP encryption, ECDH and X25519 key agreement, digital signatures with RSA-PKCS1-v1_5, RSA-PSS, ECDSA, and Ed25519.

JOSE

JWT, JWE, and JWS. You can create, decode, verify and sign JWTs with all the usual algorithm families (HS256/384/512, RS256/384/512, PS256/384/512, ES256/384/512, EdDSA). JWE covers all major RFC 7518 combinations. There’s also a JWK to PEM converter.

This is probably the most-used feature. Paste a token, pick the algorithm, drop in the public key, and immediately see if the signature is valid and what the claims say. Very handy when debugging OIDC or OAuth flows.

Passwords, OTPs, and secrets

Argon2 password hashing with Argon2id/i/d variants and preset modes (interactive, balanced, sensitive).

TOTP and HOTP (RFC 6238/4226) with SHA-1/256/512, configurable digit count and period. Useful when you want to test authenticator setups without grabbing your phone.

Shamir Secret Sharing: split a secret into N shares, recover it from any K of them. Not something you reach for every day, but when you do, you really don’t want to paste your secret into a random website to do it.

Encoding and random generation

Base64 (standard and URL-safe), hex, text. UUID v4, v7 (time-ordered, RFC 9562), and v5 (namespace + SHA-1). Cryptographically random bytes up to 65,536, output as hex, Base64, or a decimal array.

The obscure stuff

There’s an OPRF / VOPRF / POPRF implementation (RFC 9497) supporting P-256, P-384, and P-521 with full protocol transcripts. Almost nobody needs this today, but we’re working on pseudonym systems where I need a quick way to check flows without setting up a full test environment. OPRF-based systems are still early, but I think they’ll become more relevant over the next few years.

Nothing leaves your browser

The tagline is “All operations run locally. Nothing stored, nothing sent.” I mean it. No backend, no analytics, no logging. Everything runs in the browser using the WebCrypto API and a handful of well-audited libraries (@noble/curves, @noble/hashes, @peculiar/x509). No custom crypto implementations, just neat little frontends.

It also works offline once the page has loaded.

It’s a dev tool

Don’t use this in production pipelines. Use proper libraries in your actual environment. This is for the “let me quickly check this JWT”, “does this certificate chain validate”, “I need a test CA right now” situations.

What’s next

I’m planning to open-source it once I’ve cleaned a few things up. If there’s something you keep reaching for and can’t find a decent privacy-respecting browser tool for, let me know.

Live at ciphersmith.io.