Closed grempe closed 8 years ago
FYI, I have registered my enhanced fork of this project at bower.io so it can be installed. The package name there is 'secrets.js-grempe' and the version # is 0.2.0.
Please feel free to use that version if the original author chooses not to accept my (admittedly large) pull request.
Registration info:
```
~/src/secrets.js (master ✗)$ bower info secrets.js-grempe
bower secrets.js-grempe#*       cached git://github.com/grempe/secrets.js.git#0.2.0
bower secrets.js-grempe#*     validate 0.2.0 against git://github.com/grempe/secrets.js.git#*

{
  name: 'secrets.js-grempe',
  main: 'secrets.js',
  version: '0.2.0',
  homepage: 'https://github.com/grempe/secrets.js',
  authors: [
    'Alexander Stetsyuk <alexstets@gmail.com>',
    'Glenn Rempe <glenn@rempe.us>'
  ],
  description: 'Shamir\'s threshold secret sharing scheme for javascript.',
  keywords: [
    'secret',
    'sharing',
    'shamir'
  ],
  license: 'MIT',
  ignore: [
    '**/.*',
    'node_modules',
    'bower_components',
    'spec'
  ]
}

Available versions:
  - 0.2.0

You can request info for a specific version with 'bower info secrets.js-grempe#<version>'

~/src/secrets.js (master ✗)$ bower search secrets
Search results:

    secrets.js git://github.com/theorm/secrets.js.git
    secrets.js-grempe git://github.com/grempe/secrets.js.git

~/src/secrets.js (master ✗)$
```
Hi, here is a pretty major re-factoring that includes the addition of a full test suite. Some of the big-ticket items are (in no particular order):
This should be 100% backwards compatible with the original share format and the public API. The driving force was to have a tested version of the module, and to make some changes that lean towards security by default instead of as an extra action that the developer has to understand and implement (e.g. no fallback to insecure Math.random, and automatic zero-padding). This was also a good way for me to more fully understand the code before relying on it from a security standpoint. I'd be really pleased if you would pull this into the mainstream repo. It would also be great if the bower registration held by @theorm were transferred to you now that a bower.json file is included. I bumped the version to 0.2.0. It may not need to be a major semver release (e.g. 1.0.0) since the API is still the same.
I added some items for consideration in the README which would require a share format change. The two most important ideas are to add a checksum to the share, and to remove the ID from the public share. This seems to me like an information leakage since it provides info about how many shares were originally generated which could be useful to an attacker or an imposter.
I am using secrets.js in a side-project I am working on now and the cleanup was helpful to me. I hope you and others find it useful as well. Of course I am open to comments or concerns.
Cheers,
Glenn
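The share-checksum idea raised in the post above, sketched as an added example that is not code from this pull request or from secrets.js. The `<share>-<crc32 hex>` envelope, the function names `wrapShare`/`unwrapShare` and the sample share string are assumptions made for illustration; the share is treated as an opaque string.

```javascript
// Added example: hypothetical checksum envelope around an opaque share string.
// The "<share>-<crc32 hex>" layout is an assumption, not the secrets.js format.

// Standard CRC-32 (reflected polynomial 0xEDB88320), computed bit by bit.
function crc32(str) {
  let crc = 0xFFFFFFFF;
  for (let i = 0; i < str.length; i++) {
    crc ^= str.charCodeAt(i) & 0xFF;
    for (let b = 0; b < 8; b++) {
      // -(crc & 1) is all ones when the low bit is set, zero otherwise.
      crc = (crc >>> 1) ^ (0xEDB88320 & -(crc & 1));
    }
  }
  return (crc ^ 0xFFFFFFFF) >>> 0;
}

// Fixed-width hex so the checksum field is always 8 characters.
function checksumHex(share) {
  return crc32(share).toString(16).padStart(8, '0');
}

// Append the checksum before a share is handed to its holder.
function wrapShare(share) {
  if (!/^[0-9A-Za-z]+$/.test(share)) {
    throw new Error('unexpected share characters');
  }
  return share + '-' + checksumHex(share);
}

// Verify and strip the checksum before the share is passed to a combine step.
// A CRC catches accidental damage (typos, transcription errors); it does not
// authenticate the share, which would need a keyed MAC or a signature.
function unwrapShare(wrapped) {
  const m = /^([0-9A-Za-z]+)-([0-9a-f]{8})$/.exec(wrapped);
  if (!m) throw new Error('malformed wrapped share');
  if (checksumHex(m[1]) !== m[2]) throw new Error('share checksum mismatch');
  return m[1];
}

// Constructed sample value, not a real share.
const sampleShare = '801a1b2c3d4e5f';
const wrapped = wrapShare(sampleShare);
console.log(wrapped, '->', unwrapShare(wrapped));
```

Rejecting a damaged share up front matters because combining shares with one corrupted input still returns a value, just not the original secret.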