terrylks
commented
4 years ago @bradlhart May I know the reason of changing eosjs-ecc to elliptic? any referencing discussion?
Open bradlhart opened 4 years ago
terrylks
commented
4 years ago @bradlhart May I know the reason of changing eosjs-ecc to elliptic? any referencing discussion?
terrylks
commented
4 years ago @bradlhart
When I go through https://github.com/EOSIO/eosjs-ecc/blob/master/src/key_private.js
It required ecurve and getCurveByName('secp256k1'). You are suggesting to get to curve from elliptic instead.
Why don't we just change this within eosjs-ecc library instead and keep it as a generic library for developers? We should provide an easy way for user to generate or validate EOS private / public keys pair. Now seems everyone need to generate / validate by their own.
Just want to have a clarification of the necessity on this change.
bradlhart
commented
4 years ago elliptic is a more widely used package and can be easily used with eosjs. As a result, the need for a second elliptic library (eosjs-ecc) is no longer necessary.
eosjs v21 includes several classes to convert and use signatures as well as private and public keys (https://github.com/EOSIO/eosjs/releases/tag/v21.0.0-rc1). Additionally, we are adding helper functionality for some of the widely used functions in eosjs-ecc so that most developers don't need to use elliptic directly (https://github.com/EOSIO/eosjs/pull/653).
However, you mentioned that you wanted to generate a key pair and that functionality won't be added so that it's not encouraged to generate private keys in production in the browser as it is insecure.
tbfleming
commented
4 years ago eosjs-ecc is a copy-pasta of multiple open-source repos. The code fell behind updates to the original repos, and one of original repos (the one some of the key crypto functions was copied from) went out of maintenance. We don't have anyone available who can check eosjs-ecc for security vulnerabilities which may have already been fixed in newer libraries and keep it up to date.
eosjs 21 relies on a well-maintained crypto library so we can avoid this maintenance problem going forward.
With the near release of eosjs v21, a push from eosjs-ecc to elliptic has been decided. This repository utilizes eosjs-ecc and should migrate to the new methodology using eosjs v21 and elliptic.
Before the release of eosjs v21, the eosjs edge release on npm will have the necessary functionality as well as the elliptic npm package to create a branch for this repo ready to release after eosjs v21.
Please see related PRs for example migrations: EOSIO/eosio-reference-chrome-extension-authenticator-app#37 EOSIO/ual-scatter#56 EOSIO/eosjs-ledger-signature-provider#32