kevlened / msrcrypto Goto Github PK
View Code? Open in Web Editor NEWGitHub mirror of the MSR JavaScript Cryptography Library
Home Page: https://www.microsoft.com/en-us/download/details.aspx?id=52439
License: Other
GitHub mirror of the MSR JavaScript Cryptography Library
Home Page: https://www.microsoft.com/en-us/download/details.aspx?id=52439
License: Other
The following works on browser webcrypto but not when using msrcrypto, it throws an error with message about "keyData". I've tested both in browser and in expo react native in both it throws the same error.
try {
await crypto.subtle.importKey(
"raw",
new Uint8Array([1, 1, 2, 2, 1, 1, 2, 2, 1, 1, 2, 2, 1, 1, 1, 1]),
"AES-GCM",
false,
["encrypt", "decrypt"]
);
} catch (e) {
console.log(e.message);
}
The error from expo
[Unhandled promise rejection: Error: keyData]
- node_modules/msrcrypto/dist/msrcrypto.js:9130:28 in buildParameterCollection
- node_modules/msrcrypto/dist/msrcrypto.js:9174:38 in executeOperation
- ... 12 more stack frames from framework internals
If I pass "false" to the extractable parameter in importkey an error is thrown at line 9112
with the message "extractable"
looking at the code the problem seem to be here:
Line 9110 in 07e3364
the correct way to check if a variable is present would be to check if it is ===undefined otherwise you don't allow "false" as a valid value
How hard would it be to add pbkdf support by taking this:
https://github.com/PeculiarVentures/webcrypto-liner/tree/master/src/mechs/pbkdf
maybe some pointer how and where I can try to integrate it
Thank you for maintaining this library's version in the node ecosystem.
As you may have seen, due to some vulnerabilities our team found in the original Microsoft library, we worked through coordinated disclosure with Microsoft and this has resulted in fixes being applied and made public in CVE-2018-8319.
As they have numbered the fixed version 1.4.1 (see https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8319), which "collides" with the versioning you have currently in this package, I suggest updating the NPM package to the new (secure) code available from Microsoft to help the downstream projects consuming this NPM library from using the insecure versions of the code.
Please feel free to contact me here or offline if you have questions.
related-to: #5
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google โค๏ธ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.