Open MaKleSoft opened 5 years ago
alippai
commented
5 years ago Yes, it's gone. I don't understand the random generators and they are hard to implement right, so I decided to drop it. Also the same time NodeJS v10.12.0 landed RSA key generation (https://nodejs.org/api/crypto.html#crypto_crypto_generatekeypair_type_options_callback) and Web Cryptography API has it too. I believe it's better to use it natively in every environment.
MaKleSoft
commented
5 years ago Yes, I agree that randomness should be sourced from native primitives when possible but I think there would still be value in including key generation using a PNRG provided by the user. Maybe something like
(params: RSAKeyParams, pnrg: (len: number) => Uint8Array) => {publicKey: Uint8Array, privateKey: Uint8Array}For me, the point of using this library is to have a fallback for platforms that don't provide advanced crypto like RSA. Any platform that has support for RSA key generation will also have implementations for encryption, signing etc so in those cases there is really no point in using this library at all. PNRGs on the other hand are more widely supported natively and as a last resort there are still pure js implementations provided by other libraries.
My use case specifically is for browsers that do have crypto.getRandomValues() but don't or only only partially support the WebCrypto standard. asmcrypto checks all the boxes except RSA key generation. I really like the quality and completeness of this library and I'd prefer if I didn't have to pull in another dependency just for key generation, so I'd be super greatful if you'd consider adding a bring-your-own-pnrg RSA key generation option.
Awesome work on this library btw. I think the move to typescript was a great decision and the code quality is way beyond most other js crypto libraries that I've seen. There is almost no documentation on how to use it but I've had zero problems inferring the api from the source which says a lot imo. Thanks and keep up the good work!
aseevia
commented
4 years ago @MaKleSoft, I've found myself in a similar situation, trying to put up a "drop in replacement" for WebCrypto API for browses or situations where it is unavailable. What I ended up doing is just bringing back the RSA.generateKey functionality from the old version of asmCrypto, and converting it to TypeScript. It uses the ISAAC prng, which is fast enough, has no known issues, and is cryptographically sound. But I think it doesn't matter if the lib uses it's own prng implementation or allow to provide external function, it should be assumed
The RSA.generateKey function is the only thing that is missing from the library to make it usable as a replacement for native browser SubtleCrypto, so I think that removing it completely was a bad Idea, but I guess the author initially intended to use the lib for some other purposes.
Now the question to @alippai, will you accept a pull request bringing back the RSA.generateKey method? (Using the external prng perhaps, and with the clear statement that you can't guarantee any security strength of these keys).
Looks like this is no longer present in v2? Looked through most of the source and couldn't find a replacement. Is RSA key generation no longer supported?