JoshKaufman / ursa

URSA - RSA public/private key OpenSSL bindings for Node.js
Other
620 stars 135 forks source link

[WIP] Adds a pure JS implementation of ursaNative.cc #141

Closed roblabla closed 7 years ago

roblabla commented 8 years ago

This makes the compiled module optional, making URSA easier to install, and allowing it to work in browser environments.

A few things are missing before I can consider this complete, this can be seen by the commented out tests. It's mostly missing exceptions. Also, it seems like node-rsa doesn't handle the case where sLen is maxed for its PSS implementation. I have to figure what's going on there before I can enable RSA_PKCS1_SALT_LEN_MAX.

roblabla commented 8 years ago

PSS padding with LEN_MAX now works thanks to a fix in node-rsa. All that's left is getting the errors right. Also, going to try getting the rsa_native_fixes.js upstreamed into node-rsa.

quartzjer commented 8 years ago

I'm looking for a new maintainer: https://github.com/quartzjer/ursa#maintainer-needed

JoshKaufman commented 7 years ago

@roblabla I needed a rsa library for node and took over this repo instead of going with node-rsa precisely because it uses the latest available native openssl over a javascript implementation.

The way I see it I'd rather use a battle tested and well maintained library and have it not work in browsers vs using a javascript implementation and be responsible for its security implications.

what's your thoughts?

roblabla commented 7 years ago

I used to use ursa because it was the only RSA implementation available. When I moved some of my code to the client, I needed access to RSA on the client-side, and thus made a shim around node-rsa to make it mimick the URSA API. It also turned out it made it much, much easier to use URSA on windows.

Since then, I've stopped using URSA entirely, using node's crypto API instead, and wrapping node-rsa around it for the browser.

I'm not sure what people would use ursa for today TBH, so I'm not sure what the correct trade-off is.

JoshKaufman commented 7 years ago

ok, I'm going to merge the other PR that has a link to node-rsa for browser use case.

the node crypto module is great and I use it for encryption/decryption but as far as I know you can't generate rsa key pairs