Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Using eosjs-ecc, should migrate to eosjs v21 methodology #136

Open
bradlhart opened this issue Dec 18, 2019 · 4 comments
Open

Using eosjs-ecc, should migrate to eosjs v21 methodology #136

bradlhart opened this issue Dec 18, 2019 · 4 comments

Comments

@bradlhart
Copy link

bradlhart commented Dec 18, 2019

With the near release of eosjs v21, a push from eosjs-ecc to elliptic has been decided. This repository utilizes eosjs-ecc and should migrate to the new methodology using eosjs v21 and elliptic.

Before the release of eosjs v21, the eosjs edge release on npm will have the necessary functionality as well as the elliptic npm package to create a branch for this repo ready to release after eosjs v21.

Please see related PRs for example migrations:
EOSIO/eosio-reference-chrome-extension-authenticator-app#37
EOSIO/ual-scatter#56
EOSIO/eosjs-ledger-signature-provider#32

@terrylks
Copy link
Contributor

@bradlhart May I know the reason of changing eosjs-ecc to elliptic? any referencing discussion?

@terrylks
Copy link
Contributor

@bradlhart
When I go through https://github.com/EOSIO/eosjs-ecc/blob/master/src/key_private.js
It required ecurve and getCurveByName('secp256k1'). You are suggesting to get to curve from elliptic instead.

Why don't we just change this within eosjs-ecc library instead and keep it as a generic library for
developers? We should provide an easy way for user to generate or validate EOS private / public keys pair. Now seems everyone need to generate / validate by their own.

Just want to have a clarification of the necessity on this change.

@bradlhart
Copy link
Author

elliptic is a more widely used package and can be easily used with eosjs. As a result, the need for a second elliptic library (eosjs-ecc) is no longer necessary.

eosjs v21 includes several classes to convert and use signatures as well as private and public keys (https://github.com/EOSIO/eosjs/releases/tag/v21.0.0-rc1). Additionally, we are adding helper functionality for some of the widely used functions in eosjs-ecc so that most developers don't need to use elliptic directly (EOSIO/eosjs#653).

However, you mentioned that you wanted to generate a key pair and that functionality won't be added so that it's not encouraged to generate private keys in production in the browser as it is insecure.

@tbfleming
Copy link

eosjs-ecc is a copy-pasta of multiple open-source repos. The code fell behind updates to the original repos, and one of original repos (the one some of the key crypto functions was copied from) went out of maintenance. We don't have anyone available who can check eosjs-ecc for security vulnerabilities which may have already been fixed in newer libraries and keep it up to date.

eosjs 21 relies on a well-maintained crypto library so we can avoid this maintenance problem going forward.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants