
Browser compatible implementation of Chacha20/Poly1305, X25519 and ED25519

Open Mischala opened this issue 7 years ago • 10 comments

I'm currently working on a project that requires Chacha20/Poly1305 & X25519 for JWE, and ED25519 for JWS for all data sent to the backend, from a browser.

Currently it's possible to use all of these on Node, because its Crypto module contains an implementation of them.

However, I need it in the browser. I'm thinking of integrating a pure JavaScript implementation of Chacha20/Poly1305, X25519 and ED25519 into js-jose for this purpose, to be compliant with the following RFCs: RFC7539, RFC8439, RFC8037.

My question is, would you be interested in a PR? Or is the focus on WebCrypto only?

Thanks, Mischa

Mischala avatar Sep 21 '18 00:09 Mischala

@alokmenghrajani What do you think? Maybe we should support it if an external implementation is provided?

I would like to avoid having crypto primitives in this library.

mcpherrinm avatar Sep 21 '18 00:09 mcpherrinm

If you added them to https://github.com/PeculiarVentures/webcrypto-liner then the changes to js-jose would be small and architecturally consistent with js-jose. Additionally, this would not increase the size of js-jose for those users who do not need this capability.

rmhrisk avatar Sep 21 '18 01:09 rmhrisk

If webcrypto-liner supported chacha20/poly1305/x25519/ed25519, we could make js-jose work with that I think.

mcpherrinm avatar Sep 21 '18 01:09 mcpherrinm

Yes, we already added secp256k1 even though it is not part of the WebCrypto specs; as a result, changes to js-jose to support this alg here would be minimal. In my opinion, an approach like this is the only way it would potentially make sense to add a new algorithm to js-jose.

rmhrisk avatar Sep 21 '18 01:09 rmhrisk

Yeah, was just having a look, seems webcrypto-liner does not support the required ciphers, which makes sense, as it's a polyfill for WebCrypto, which does not support them (yet).

I was planning on making the support for these ciphers a peer dependency, using the same kind of platform-switching logic js-jose is already using to support both browser and Node environments.

Mischala avatar Sep 21 '18 01:09 Mischala

Yes, they have not been added to webcrypto-liner.

IMHO it would not be good to add crypto directly to js-jose or to add a new crypto interface to js-jose as an alternative to webcrypto.

rmhrisk avatar Sep 21 '18 04:09 rmhrisk

I agree with @rmhrisk. If the actual crypto code lives elsewhere, we can make the required minimal changes to js-jose.

alokmenghrajani avatar Sep 24 '18 18:09 alokmenghrajani

Yep, if I were to implement these ciphers I would do so downstream. However, #77 is blocking me on this. If js-jose will not run in a React environment then I cannot proceed with implementing this feature.

Mischala avatar Sep 26 '18 02:09 Mischala

Hi, I have used jose.js for JWE-RSA in my Angular project. It is working fine with Chrome but not working in the IE11 browser. Can anyone suggest something on this?

sagarchokatkar avatar Sep 19 '19 04:09 sagarchokatkar

IE 11 does not support WebCrypto. See https://github.com/PeculiarVentures/webcrypto-liner

rmhrisk avatar Sep 19 '19 05:09 rmhrisk