Huge News!Announcing our $40M Series B led by Abstract Ventures.Learn More
Socket
Sign inDemoInstall
Socket

isomorphic-webcrypto

Package Overview
Dependencies
Maintainers
1
Versions
34
Alerts
File Explorer

Advanced tools

Socket logo

Install Socket

Detect and block malicious and high-risk dependencies

Install

isomorphic-webcrypto

webcrypto library for Node, React Native and IE11+

  • 2.3.8
  • latest
  • Source
  • npm
  • Socket score

Version published
Weekly downloads
121K
increased by1.3%
Maintainers
1
Weekly downloads
 
Created
Source

isomorphic-webcrypto NPM bundlephobia

webcrypto library for Node, React Native and IE11+

What?

There's a great Node polyfill for the Web Crypto API, but it's not isomorphic.

IE11 and versions of Safari < 11 use an older version of the spec, so the browser implementation includes a webcrypto-shim to iron out the differences. You'll still need to provide your own Promise polyfill.

There's currently no native crypto support in React Native, so the Microsoft Research library is exposed.

Note: If you're performing cross-platform jwt operations, consider jwt-lite or jwt-verifier-lite (for OpenID Connect), which build on isomorphic-webcrypto

Install

npm install isomorphic-webcrypto

Usage

There's a simple hashing example below, but there are many more WebCrypto examples here. This example requires you to npm install hex-lite.

const crypto = require('isomorphic-webcrypto')
const hex = require('hex-lite')
// or
import crypto from 'isomorphic-webcrypto'
import hex from 'hex-lite'

crypto.subtle.digest(
  { name: 'SHA-256' },
  new Uint8Array([1,2,3]).buffer
)
.then(hash => {
  // hashes are usually represented as hex strings
  // hex-lite makes this easier
  const hashString = hex.fromBuffer(hash);
})

React Native

React Native support is implemented using the Microsoft Research library. The React Native environment only supports Math.random(), so react-native-securerandom is used to provide proper entropy. This is handled automatically, except for crypto.getRandomValues(), which requires you wait:

const crypto = require('isomorphic-webcrypto')

(async () => {
  // Only needed for crypto.getRandomValues
  // but only wait once, future calls are secure
  await crypto.ensureSecure();
  const array = new Uint8Array(1);
  crypto.getRandomValues(array);
  const safeValue = array[0];
})()

Working React Native examples:

I just want to drop in a script tag

You should use the webcrypto-shim library directly:

<!-- Any Promise polyfill will do -->
<script src="https://unpkg.com/bluebird"></script>
<script src="https://unpkg.com/webcrypto-shim"></script>

Compatibility

  • IE11+
  • Safari 8+
  • Edge 12+
  • Chrome 43+
  • Opera 24+
  • Firefox 34+
  • Node 8+
  • React Native

Although the library runs on IE11+, the level of functionality varies between implementations. The grid below shows the discrepancies between the latest versions of each environment.

Legend

  • ~ works with some caveats - see the __tests__ directory for the caveats
  • ? untested
  • x unsupported algorithm
  • strikethrough broken method
KeyNodeReact NativeChrome/FirefoxSafariEdgeIE11
HS256importKey
exportKey
generateKey
sign
verify
importKey
exportKey
generateKey
sign
verify
importKey
exportKey
generateKey
sign
verify
importKey
exportKey
generateKey
sign
verify
importKey
exportKey
generateKey
sign
verify
importKey
exportKey
generateKey
sign
verify
HS384importKey
exportKey
generateKey
sign
verify
importKey
exportKey
generateKey
sign
verify
importKey
exportKey
generateKey
sign
verify
importKey
exportKey
generateKey
sign
verify
importKey
exportKey
generateKey
sign
verify
importKey
exportKey
generateKey
sign
verify
HS512importKey
exportKey
generateKey
sign
verify
importKey
exportKey
generateKey
sign
verify
importKey
exportKey
generateKey
sign
verify
importKey
exportKey
generateKey
sign
verify
importKey
exportKey
generateKey
sign
verify
x
RS256importKey
exportKey
generateKey
sign
verify
importKey
exportKey
generateKey
sign
verify
importKey
exportKey
generateKey
sign
verify
importKey
exportKey
generateKey
sign
verify
~importKey
exportKey
~generateKey
sign
verify
~importKey
~exportKey
generateKey
sign
verify
RS384importKey
exportKey
generateKey
sign
verify
importKey
exportKey
generateKey
sign
verify
importKey
exportKey
generateKey
sign
verify
importKey
exportKey
generateKey
sign
verify
~importKey
exportKey
~generateKey
sign
verify
importKey
exportKey
generateKey
sign
verify
RS512importKey
exportKey
generateKey
sign
verify
importKey
exportKey
generateKey
sign
verify
importKey
exportKey
generateKey
sign
verify
importKey
exportKey
generateKey
sign
verify
~importKey
exportKey
~generateKey
sign
verify
importKey
exportKey
generateKey
sign
verify
PS256importKey
exportKey
generateKey
sign
verify
importKey
exportKey
generateKey
sign
verify
importKey
exportKey
generateKey
sign
verify
importKey
exportKey
generateKey
sign
verify
??
PS384importKey
exportKey
generateKey
sign
verify
importKey
exportKey
generateKey
sign
verify
importKey
exportKey
generateKey
sign
verify
importKey
exportKey
generateKey
sign
verify
??
PS512importKey
exportKey
generateKey
sign
verify
importKey
exportKey
generateKey
sign
verify
importKey
exportKey
generateKey
sign
verify
importKey
exportKey
generateKey
sign
verify
??
ES256importKey
exportKey
generateKey
sign
verify
importKey
exportKey
generateKey
sign
verify
importKey
exportKey
generateKey
sign
verify
importKey
exportKey
generateKey
sign
verify
xx
ES384importKey
exportKey
generateKey
sign
verify
importKey
exportKey
generateKey
sign
verify
importKey
exportKey
generateKey
sign
verify
importKey
exportKey
generateKey
sign
verify
xx
ES512importKey
exportKey
generateKey
sign
verify
importKey
exportKey
generateKey
sign
verify
importKey
exportKey
generateKey
sign
verify
xxx
RSA1_5??????
RSA-OAEP??????
RSA-OAEP-256??????
A128KW??????
A192KW??????
A256KW??????
dir??????
ECDH-ES??????
ECDH-ES+A128KW??????
ECDH-ES+A192KW??????
ECDH-ES+A256KW??????
A128GCMKW??????
A192GCMKW??????
A256GCMKW??????
PBES2-HS256+A128KW??????
PBES2-HS384+A192KW??????
PBES2-HS512+A256KW??????

Here's a legend for the JWA alg abbreviations:

KeySignature, MAC or Key Management Algorithm
HS256HMAC using SHA-256
HS384HMAC using SHA-384
HS512HMAC using SHA-512
RS256RSASSA-PKCS1-v1_5 using SHA-256
RS384RSASSA-PKCS1-v1_5 using SHA-384
RS512RSASSA-PKCS1-v1_5 using SHA-512
ES256ECDSA using P-256 and SHA-256
ES384ECDSA using P-384 and SHA-384
ES512ECDSA using P-521 and SHA-512
PS256RSASSA-PSS using SHA-256 and MGF1 with SHA-256
PS384RSASSA-PSS using SHA-384 and MGF1 with SHA-384
PS512RSASSA-PSS using SHA-512 and MGF1 with SHA-512
RSA1_5RSAES-PKCS1-v1_5
RSA-OAEPRSAES OAEP using default parameters
RSA-OAEP-256RSAES OAEP using SHA-256 and MGF1 with SHA-256
A128KWAES Key Wrap with default initial value using 128-bit key
A192KWAES Key Wrap with default initial value using 192-bit key
A256KWAES Key Wrap with default initial value using 256-bit key
dirDirect use of a shared symmetric key as the CEK
ECDH-ESElliptic Curve Diffie-Hellman Ephemeral Static key agreement using Concat KDF
ECDH-ES+A128KWECDH-ES using Concat KDF and CEK wrapped with "A128KW"
ECDH-ES+A192KWECDH-ES using Concat KDF and CEK wrapped with "A192KW"
ECDH-ES+A256KWECDH-ES using Concat KDF and CEK wrapped with "A256KW"
A128GCMKWKey wrapping with AES GCM using 128-bit key
A192GCMKWKey wrapping with AES GCM using 192-bit key
A256GCMKWKey wrapping with AES GCM using 256-bit key
PBES2-HS256+A128KWPBES2 with HMAC SHA-256 and "A128KW" wrapping
PBES2-HS384+A192KWPBES2 with HMAC SHA-384 and "A192KW" wrapping
PBES2-HS512+A256KWPBES2 with HMAC SHA-512 and "A256KW" wrapping

License

MIT

Keywords

FAQs

Package last updated on 27 Feb 2021

Did you know?

Socket

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Install

Related posts

SocketSocket SOC 2 Logo

Product

  • Package Alerts
  • Integrations
  • Docs
  • Pricing
  • FAQ
  • Roadmap
  • Changelog

Packages

npm

Stay in touch

Get open source security insights delivered straight into your inbox.


  • Terms
  • Privacy
  • Security

Made with ⚡️ by Socket Inc