Skip to content
This repository has been archived by the owner on Jul 21, 2023. It is now read-only.

Find alternative to node-webcrypto-ossl #38

Closed
dignifiedquire opened this issue Nov 24, 2016 · 13 comments
Closed

Find alternative to node-webcrypto-ossl #38

dignifiedquire opened this issue Nov 24, 2016 · 13 comments
Assignees
@dignifiedquire
Labels
exp/expert Having worked on the specific codebase is important help wanted Seeking public contribution on this issue kind/bug A bug in existing code (including security flaws)

Comments

@dignifiedquire
Copy link
Member

dignifiedquire commented Nov 24, 2016
edited
Loading

Sadly we will have to let go of node-webcrypto-ossl as it is blocking users from using it in electron.

Details can be found here:

We currently use

Of which
@dignifiedquire dignifiedquire added kind/bug A bug in existing code (including security flaws) exp/expert Having worked on the specific codebase is important help wanted Seeking public contribution on this issue labels Nov 24, 2016
@dignifiedquire
Copy link
Member Author

cc @diasdavid :(

@dignifiedquire
Copy link
Member Author

After some more investigation it seems that node core is able to do encryption and decryption using RSA keys, but generate them.

@daviddias
Copy link
Member

@dignifiedquire what about https://www.npmjs.com/package/keypair ? I was using it before node-forge

@dignifiedquire
Copy link
Member Author

Pure js was the reason things were so slow, this needs to do better than that.

@daviddias
Copy link
Member

Generating keys is a one-time operation. Breaking users ability to use it in electron and Windows is more prejudicial.

@haadcode
Copy link

Can we somehow include OpenSSL into the build process of node-webcrypto-ossl?

@dignifiedquire
Copy link
Member Author

Breaking users ability to use it in electron and Windows is more prejudicial.

This is not correct, there are only two specific cases we actually break

  • Any OS with a non working node-gyp setup.
  • Electron server process.

The electron renderer process will work fine given that it is running inside a browser and has webcrypto available. The detection here might fail if you don't use a bundler to generate you renderer files, but this is easily fixable.

Those two specific cases do not warrant making things significantly slower for everyone in my opinion.

Can we somehow include OpenSSL into the build process of node-webcrypto-ossl?

You really don't want that, as that would mean recompiling openssl on every install

--

Moving forward I think the following is our best option

  • Migrate everything to node core that is possible
  • For RSA key generation use webcrypto-ossl as an optional dependency and fallback to a pure JS version in node.js
  • Write a proposal and make a PR for node core to add RSA key generation. It's 2016, missing RSA key generation is still baffling for me..

@haadcode
Copy link

haadcode commented Nov 26, 2016
edited
Loading

I'm trying to build it manually, adding the absolute path to openssl headers in bindings.gyp:

"include_dirs": [
	"/Users/haad/code/node/deps/openssl/openssl/include",
	"<!(node -e \"require('nan')\")"
],

...and that compiles it fine with electron-rebuild.

So what I take from this is that we could include openssl source in the module and make it build. Which is funny because I remember using node-webcrypto-ossl module in August-ish, had same problems and remember that I got it all working nicely. So I wonder what changed.

Looking into it more...

@haadcode
Copy link

Or we provide pre-built binaries for the Electron use case (limited to latest version)?

@dignifiedquire
Copy link
Member Author

Or we provide pre-built binaries for the Electron use case (limited to latest version)?

Not sure if that's possible, but yes if we can provide prebuilt versions for all major platform combinations that you would also be a viable option forward, ref #31

@dignifiedquire
Copy link
Member Author

One other option would be to benchmark try to integrate https://github.com/vibornoff/asmcrypto.js

@dignifiedquire
Copy link
Member Author

Quick benchmark (Node 7.2)

Current (node-webcrypto-ossl)

generateKeyPair 1024bits x 36.15 ops/sec ±10.99% (38 runs sampled)
generateKeyPair 2048bits x 8.40 ops/sec ±14.55% (25 runs sampled)
generateKeyPair 4096bits x 1.01 ops/sec ±40.31% (10 runs sampled)

asmcrypto.js

generateKeyPair 1024bits asmcrypto.js x 2.79 ops/sec ±23.42% (12 runs sampled)
generateKeyPair 2048bits asmcrypto.js x 0.36 ops/sec ±67.37% (6 runs sampled)
generateKeyPair 4096bits asmcrypto.js x 0.07 ops/sec ±55.12% (5 runs sampled)

keypair

generateKeyPair 1024bits - keypair x 2.65 ops/sec ±32.29% (12 runs sampled)
generateKeyPair 2048bits - keypair x 0.21 ops/sec ±71.87% (5 runs sampled)
generateKeyPair 4096bits - keypair x 0.02 ops/sec ±61.46% (5 runs sampled)

@haadcode
Copy link

that is a considerable difference :/

@Mithgol Mithgol mentioned this issue Nov 27, 2016
Closed
@daviddias daviddias mentioned this issue Nov 27, 2016
Closed
@dignifiedquire dignifiedquire mentioned this issue Nov 29, 2016
Merged
2 tasks
@dignifiedquire dignifiedquire self-assigned this Nov 29, 2016
@daviddias daviddias removed the status/in-progress In progress label Nov 30, 2016
@harshjv harshjv mentioned this issue Jan 3, 2017
Closed
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@dignifiedquire dignifiedquire

Labels
exp/expert Having worked on the specific codebase is important help wanted Seeking public contribution on this issue kind/bug A bug in existing code (including security flaws)
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@dignifiedquire @daviddias @haadcode