A tracer is a simple but important tool for auditing crypto security that allows the analyst to see the calls made by an application to a crypto interface. This is especially useful if the application and/or the crypto provider are only available in binary or black-box form (e.g. an HSM), but the crypto API is known. Even if source code is available, a simple tracer can save a lot of time compared to instrumenting code or manually setting trace points.
Recently we’ve been involved in reviewing the draft W3C Web Crypto API. As a result of this and as part of our ongoing work on web crypto, our intern Gregoire put together a Chrome extension that traces calls to the WebCrypto API.
As you can see in the screenshots, a simple dropdown gives a list of all key objects in the session and their attributes.
You can get an output file in JSON format giving all the calls the web app made together with their parameters, or a list of the key objects.
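An added example, not the extension's code: one way to trace WebCrypto calls is to wrap the methods of a `SubtleCrypto` object and record each call's name and parameters in a JSON-serialisable log. The names `describe` and `installTracer` are assumptions made for this example, and buffers are logged as byte lengths only.

```javascript
// Added example: a minimal WebCrypto call tracer (not the extension's code).
const SUBTLE_METHODS = ['encrypt', 'decrypt', 'sign', 'verify', 'digest',
  'generateKey', 'deriveKey', 'deriveBits', 'importKey', 'exportKey',
  'wrapKey', 'unwrapKey'];

// Turn a call argument or result into something JSON-safe. Buffers are
// reduced to their length so the trace does not copy key material or plaintext.
function describe(value) {
  if (value === null || typeof value !== 'object') return value;
  if (value instanceof ArrayBuffer || ArrayBuffer.isView(value)) {
    return { bytes: value.byteLength };
  }
  if (Array.isArray(value)) return value.map(describe);
  if ('extractable' in value && 'usages' in value) {   // CryptoKey-shaped object
    return { key: { type: value.type, algorithm: describe(value.algorithm),
                    extractable: value.extractable, usages: [...value.usages] } };
  }
  return Object.fromEntries(
    Object.entries(value).map(([k, v]) => [k, describe(v)]));
}

// Replace each method on `subtle` with a wrapper that records the call.
// The entry is pushed synchronously; its result is filled in on settlement.
function installTracer(subtle, log = []) {
  for (const name of SUBTLE_METHODS) {
    const original = subtle[name];
    if (typeof original !== 'function') continue;
    subtle[name] = function (...args) {
      const entry = { method: name, args: args.map(describe), result: 'pending' };
      log.push(entry);
      const promise = original.apply(subtle, args);
      Promise.resolve(promise).then(
        (r) => { entry.result = describe(r); },
        (e) => { entry.result = { error: (e && e.name) || String(e) }; });
      return promise;
    };
  }
  return log;
}

// Demo against the real API when the runtime exposes one (browser, recent Node).
if (globalThis.crypto && globalThis.crypto.subtle) {
  const log = installTracer(globalThis.crypto.subtle);
  globalThis.crypto.subtle
    .generateKey({ name: 'AES-GCM', length: 256 }, true, ['encrypt', 'decrypt'])
    .then(() => console.log(JSON.stringify(log, null, 2)))
    .catch(console.error);
}
```

The wrapper must be installed before the application's own scripts run, otherwise code that has already captured a reference to an original method is not traced.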
We’ve released the tracer under a BSD license. You can get the code from the Cryptosense GitHub page.