You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
You should not be able to sign non hashed payloads
payloads MUST be hashed using a cryptographic hash function as part of the ECDSA spec.
Some Crypto library API's, expected hashed strings so that implementors can choose which hash function to use in their cryptosystem
Allowing developers to misuse hash functions in our library is dangerous, and not inline with defensible code practices.
XMTP sdks should only expose functions which expect raw strings
XMTPv2 uses two different hashing functions, so explicit functions should be created to ensure that developers never invoke sign on unhashed data
In particular this function https://github.com/xmtp/xmtp-js/blob/main/src/crypto/PrivateKey.ts#L73-L85 needs to explicitly disallow being called without a hashed payload.
The text was updated successfully, but these errors were encountered:
You should not be able to sign non hashed payloads
payloads MUST be hashed using a cryptographic hash function as part of the ECDSA spec.
Some Crypto library API's, expected hashed strings so that implementors can choose which hash function to use in their cryptosystem
Allowing developers to misuse hash functions in our library is dangerous, and not inline with defensible code practices.
XMTP sdks should only expose functions which expect raw strings
XMTPv2 uses two different hashing functions, so explicit functions should be created to ensure that developers never invoke sign on unhashed data
In particular this function https://github.com/xmtp/xmtp-js/blob/main/src/crypto/PrivateKey.ts#L73-L85 needs to explicitly disallow being called without a hashed payload.
The text was updated successfully, but these errors were encountered: