node-webcrypto-ossl
HMAC sign/verify ignores algorithm param length
- [ ] Extend tests for different length (vectors/simple)
- [ ] Extend Hmac.sign and Hmac.verify functions
WebCrypto doesn't support this specification W3 WebCryptoAPI HMAC
We need to support the HMAC since Chrome and Firefox are supporting it. Also for PKIjs the algorithm is necessary for encryption cases.
@YuryStrozhevsky Could you review it? https://github.com/PeculiarVentures/node-webcrypto-ossl/blob/master/lib/crypto/hmac.ts#L36
Is this still a problem after the core update? I think this might be the reason why I cannot get signal-desktop to run with this implementation
@witchent I published a new version of node-webcrypto-ossl. I fixed issues with a default length parameter for HMAC mechanism. Now it uses 512 length by default for all hash algorithms and sets length property to key algorithm.
@witchent Please let me know if it fixes your issue for signal-desktop
Sadly it does not. I actually don't really know why anyway though, with your old version everything works fine, but with the new one I get a different mac calculated as the phone sends.
I am starting to believe that the problem lies somewhere else though, as I tested the HMAC mechanism and it did do exactly what I wanted it to. So maybe something happened to a different part in your library, but I don't know what yet. Will get back to you if I find out what's wrong.
Thanks again
@witchent I'm trying to find a difference between the previous and current versions. But I need your help with that. Can we have a chat via Skype or Hangouts? My email is [email protected]
I add you on skype
@witchent I updated the previous version of [email protected]. It fixes an issue with AES-CTR param.
Please try it and let me know if it fixes your problem.
To install prev version use
npm i node-webcrypto-ossl@^1
Yes, this one works fine. Still a bit sad that the new one does not, but it is way better than keeping a fork. Thanks a lot :)
@witchent is this for the regular signal client or a personal project?
More of a personal project, but publicly accessible. It is a matrix <--> signal bridge. So v1 is good enough for the project, it's more that it is super weird that it does not work with v2 anymore.
A matrix to signal bridge would be interesting. Yes, I am worried about the v1->v2 difference for sure. Just wanted to assess how much effort to put in once that's resolved ;)