isomorphic-webcrypto icon indicating copy to clipboard operation
isomorphic-webcrypto copied to clipboard

Published 20 hours ago verified publisher icon kevlened

Upgrade to the latest MSR crypto library

Open kevlened opened this issue 3 years ago • 5 comments

https://github.com/microsoft/MSR-JavaScript-Crypto

related-to: #36

kevlened avatar Nov 20 '20 17:11 kevlened

@kevlened Besides, the version you mention seems to support concurrent calls. I'm currently using isomorphic-webcrypto in a React Native project and I started to refactor a crypto dependent third party library to remove problematic Promise.all. Yet, unless concurrent calls are forbidden (which would drastically limit user interactions) it is a lost cause.

I'll try to integrate https://github.com/microsoft/MSR-JavaScript-Crypto and test the result. If I can help, do not hesitate.

phil1618 avatar Feb 03 '21 19:02 phil1618

Cryptography is CPU-bound, so long operations will lock the thread. To get around the problem in the browser, the MSR library uses WebWorkers. React-native doesn’t support WebWorkers by default, but you may be able to patch it with a native module. Unfortunately, I don’t know any WebWorker libraries that work out-of-the-box with Expo yet.

An alternative to all this may be using an Expo WebView and proxying calls to that. That would give massively improved performance, not lock the main thread, and automatically get any Safari security updates.

kevlened avatar Feb 03 '21 21:02 kevlened

I agree with your analysis. But I'm not concerned by the performance gain that could be achieved by externalising the computations for the main thread (yet). I'm rather interested in the 1.5 version change mentioned in https://github.com/microsoft/MSR-JavaScript-Crypto#changes-with-version-15. There, we can read:

Now allow concurrent crypto calls of the same type at the same time. Before, concurrent 
crypto operations that shared code would possibly return incorrect results.  
Now, for example, you could perform multiple encryptions at the same time with streaming.

As a matter of fact, currently, you might encountered issues if you try to import keys or decrypt objects concurrently. Typically, if you execute something like:

Promise.all([crypto.subtle.importKey(format, key_1, ...),... , crypto.subtle.importKey(format, key_N, ...)])

This is the kind of concurrent calls I was mentioning and how it would be a bad idea to design the application in such a way to avoid occurence of these concurrencies (the Promise.all being a simple way to produce them).

=======

That being said, your advice related to the WebView is very interesting!

I was aware of this mechanism as a way to relax the main thread charge but now, I'm thinking that a WebView could embed the whole crypto library I'm working with... but that is not the subject of the issue :-) Thanks anyway !

phil1618 avatar Feb 03 '21 22:02 phil1618

Ah. I assumed you were using Promise.all to try to speed up the crypto operations, but you're just trying to avoid unexpected side effects if someone calls crypto methods concurrently. Let me know if you attempt a migration, I'd love to see it.

If you attempt a WebView-based polyfill, there are two caveats:

  1. A WebView needs to be in the root of the App component
  2. Crypto.getRandomValues can’t be synchronous

kevlened avatar Feb 04 '21 15:02 kevlened

@kevlened Is there any chance you will update this library with the latest version of the MSR crypto library? I'm tryting to derive a key with the ECDH algorithm but it says: 'unsupported algorithm' whilst in the latest version, it should be supported. Thanks in advance!

SanderPeeters avatar Apr 29 '22 11:04 SanderPeeters