Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Webcrypto #111

Closed
wants to merge 6 commits into from
Closed

Webcrypto #111

wants to merge 6 commits into from

Conversation

tarpdalton
Copy link

this removes the dependency on crypto.js and uses the webcrypto API. I haven't updated the CLI with the new logic, but I wanted to open this PR with what I had so far. #20

@tarpdalton tarpdalton mentioned this pull request Jun 21, 2018
Closed
@tarpdalton
Copy link
Author

It looks like you can't use a the web crypto API in a node module. So I don't think we can remove the crypto.js dependency from the CLI.

@tarpdalton tarpdalton closed this Feb 12, 2020
@epicfaace
Copy link
Contributor

@tarpdalton can't you continue to use crypto-js in the node module, but just change the code in the template HTML file to use the web crypto API (and fallback to asynchronously loading crypto-js if needed?)

@tarpdalton
Copy link
Author

@epicfaace yeah we could do that. We would just have to make sure the something encrypted by crypto-js can be decrypted by webcrypto correctly

@DanielRuf
Copy link

I guess this can be revisited now since Node.js 15 has a Webcrypto module now. Current stable Node.js version is 16.
https://nodejs.org/api/webcrypto.html

Also there is this package: https://www.npmjs.com/package/node-webcrypto-ossl

@tarpdalton tarpdalton reopened this Jul 9, 2021
@tarpdalton
Copy link
Author

thats cool. yeah we should use the webcrypto api in the node, and then crypto-js can be fully removed

@tarpdalton
Copy link
Author

i got the cli working with node webcrypto api. crypto-js is removed. I don't really use this lib so I can't test it out, but it worked for some simple things. Someone should test it out before it merges

@robinmoisson
Copy link
Owner

robinmoisson commented Feb 9, 2022
edited
Loading

Hey @tarpdalton , thanks a lot for this big PR and my sincere apologies for taking so long to answer (3.5 years since you first opened it 🙄 ). It would be great to remove the crypto-js dependency.

I have two concerns:

  • I need to get more into it but the code is more complex, it feels a bit like rolling out my own crypto and I'm worried of hidden footguns there
  • if I'm not mistaken the WebCrypto api is only available in secure contexts, so the decryption would not work if the page is served over HTTP. This is pretty annoying as I think it might be a legitimate use case, maybe there can be the option of using either crypto-js or WebCrypto but it brings complexity both to the code and the end user. So not sure what to do about it

I'll link to your fork in the readme in the meantime if some people want to use that version already.

@robinmoisson robinmoisson changed the base branch from gh-pages to main February 10, 2022 19:10
@hurrymaplelad hurrymaplelad mentioned this pull request Oct 24, 2022
Closed
@robinmoisson
Copy link
Owner

We now finally rely on WebCrypto in StatiCrypt! The code was merged in #164 , it's pretty noisy due to wanting to be as compatible as possible with 2.x custom templates, but it'll get much cleaner in 3.x (the WIP branch is already here).

Thank you very much for opening and updating this PR over the years, it's been a good sanity check for me to read your approach here and useful for the final implementation. As a (very small) token of gratitude, I added your name in the "Thank you! 🙏" README section. Thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@tarpdalton @epicfaace @DanielRuf @robinmoisson