Security News
tea.xyz Spam Plagues npm and RubyGems Package Registries
Tea.xyz, a crypto project aimed at rewarding open source contributions, is once again facing backlash due to an influx of spam packages flooding public package registries.
js-crypto-ec
Advanced tools
Readme
WARNING: At this time this solution should be considered suitable for research and experimentation, further code and security review is needed before utilization in a production application.
This library is designed to 'universally' provide an elliptic curve cryptography functions, i.e., it works both on most modern browsers and on Node.js just by importing from NPM/source code. Note that in the design principle, the library fully utilizes native APIs like WebCrypto API to accelerate its operation if available. This library provides APIs to employ ECDSA, ECDH and their key generation, i.e., sign
, verify
, generateKey
and deriveSecret
.
At your project directory, do either one of the following.
$ npm install --save js-crypto-ec // npm
$ yarn add js-crypto-ec // yarn
$ git clone https://github.com/junkurihara/jscu.git
$ cd js-crypto-utils/packages/js-crypto-ec
& yarn build
Then you should import the package as follows.
import ec from 'js-crypto-ec'; // for npm
import ec from 'path/to/js-crypto-ec/dist/index.js'; // for github
The bundled file is also given as js-crypto-ec/dist/jscec.bundle.js
for a use case where the module is imported as a window.jscec
object via script
tags.
This library always uses JWK-formatted keys (RFC7517) to do any operations. If you utilize keys of other format, like PEM, please use js-crypto-key-utils
to convert them to JWK.
elliptic.generateKey('P-256').then( (key) => {
// now you get the JWK public and private keys
const publicKey = key.publicKey;
const privateKey = key.privateKey;
})
const publicJwk = {kty: 'EC', crv: 'P-256', x: '...', y: '...'}; // public key
const privateJwk = {ktyp: 'EC', crv: 'P-256', x: '...', y: '...', d: '...'}; // paired private key
const msg = ...; // Uint8Array
// sign
ec.sign(
msg,
privateJwk,
'SHA-256',
'raw' // output signature is not formatted. DER-encoded signature is available with 'der'.
).then( (signature) => {
// now you get the signature in Uint8Array
return ec.verify(
msg,
sign,
publicJwk,
'SHA-256',
'raw' // input signature is not formatted. DER-encoded signature is available with 'der'.
);
}).then( (valid) => {
// now you get the result of verification in boolean
});
const publicJwkA = {kty: 'EC', crv: 'P-256', x: '...', y: '...'}; // public key of player A
const privateJwkA = {ktyp: 'EC', crv: 'P-256', x: '...', y: '...', d: '...'}; // paired private key of player A
const publicJwkB = {kty: 'EC', crv: 'P-256', x: '...', y: '...'}; // public key of player B
const privateJwkB = {ktyp: 'EC', crv: 'P-256', x: '...', y: '...', d: '...'}; // paired private key of player B
// At A's side
const sharedAtPlayerA = ec.deriveSecret(publicJwkB, privateJwkA).then( (secretAtA) => {
// now you get the shared secret from my (player A's) private key and player B's public key
})
// At B's side
const sharedAtPlayerB = ec.deriveSecret(publicJwkA, privateJwkB).then( (secretAtB) => {
// now you get the shared secret from my (player B's) private key and player A's public key
})
NOTE: We SHOULD NOT use the derived secret as an encryption key directly. We should employ an appropriate key derivation procedure like HKDF to use the secret for symmetric key encryption.
At this point, this library supports the following curve for elliptic curve cryptography.
Licensed under the MIT license, see LICENSE
file.
FAQs
Universal Module for Elliptic Curve Cryptography (ECDSA and ECDH) in JavaScript
The npm package js-crypto-ec receives a total of 1,761 weekly downloads. As such, js-crypto-ec popularity was classified as popular.
We found that js-crypto-ec demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Tea.xyz, a crypto project aimed at rewarding open source contributions, is once again facing backlash due to an influx of spam packages flooding public package registries.
Security News
As cyber threats become more autonomous, AI-powered defenses are crucial for businesses to stay ahead of attackers who can exploit software vulnerabilities at scale.
Security News
UnitedHealth Group disclosed that the ransomware attack on Change Healthcare compromised protected health information for millions in the U.S., with estimated costs to the company expected to reach $1 billion.