jwcrypto - npm Package Compare versions

Comparing version 0.2.3 to 0.3.0

lib/jwcrypto.js

@@ -12,6 +12,36 @@ /* This Source Code Form is subject to the terms of the Mozilla Public
     delay = utils.delay,
+    rng = require("./rng"),
     libs = require("../libs/minimal");
 
-var RNG = new libs.SecureRandom();
+var RNG = new rng.RNG();
 
+var IS_SEEDED = false;
+var POST_SEED_CALLBACKS = [];
+
+// start autoseeding
+// queue up the things waiting for seeds
+RNG.autoseed(function() {
+  // mark this true so that, in case some of the callbacks in
+  // POST_SEED_CALLBACKS do asynchronous things, the POST_SEED_CALLBACKS
+  // array will no longer be modified.
+  IS_SEEDED = true;
+
+  // go through callbacks
+  POST_SEED_CALLBACKS.forEach(function(one_cb) {
+    one_cb();
+  });
+
+  // clean up as null so that weird egregious errors will
+  // show up (e.g. double seeding.)
+  POST_SEED_CALLBACKS = null;
+});
+
+function waitForSeed(doStuff) {
+  if (IS_SEEDED) {
+    return doStuff();
+  } else {
+    POST_SEED_CALLBACKS.push(doStuff);
+  }
+}
+
 function NoSuchAlgorithmException(message) {
@@ -32,6 +62,8 @@ this.message = message;
     throw new algs.NotImplementedException("algorithm " + opts.algorithm + " not implemented");
-
-  // generate on the specific algorithm
-  // no progress callback
-  algObject.generate(opts.keysize, RNG, cb);
+    
+  waitForSeed(function() {
+    // generate on the specific algorithm
+    // no progress callback
+    algObject.generate(opts.keysize, RNG, cb);
+  });
 };
@@ -60,7 +92,9 @@
   var jsonBytes = utils.base64urlencode(JSON.stringify(payload));
-  
-  secretKey.sign(algBytes + "." + jsonBytes, RNG, function() {}, function(rawSignature) {
-    var signatureValue = utils.hex2b64urlencode(rawSignature);
 
-    delay(cb)(null, algBytes + "." + jsonBytes + "." + signatureValue);
+  waitForSeed(function() {
+    secretKey.sign(algBytes + "." + jsonBytes, RNG, function() {}, function(rawSignature) {
+      var signatureValue = utils.hex2b64urlencode(rawSignature);
+      
+      delay(cb)(null, algBytes + "." + jsonBytes + "." + signatureValue);
+    });
   });
@@ -143,5 +177,5 @@ };
 
-// rng
+// entropy here is a string that is expected to be relatively high entropy
 exports.addEntropy = function(entropy) {
-  // do something! FIXME XXX
+  RNG.addEntropy(entropy);
 };
@@ -148,0 +182,0 @@

libs/exports_minimal.js

@@ -8,3 +8,2 @@ //
 exports.BigInteger = BigInteger;
-exports.SecureRandom = SecureRandom;
 exports.sjcl = sjcl;
@@ -11,0 +10,0 @@ exports.hex2b64 = hex2b64;

libs/exports.js

@@ -9,3 +9,2 @@ //
 exports.BigInteger = BigInteger;
-exports.SecureRandom = SecureRandom;
 exports.sjcl = sjcl;
@@ -12,0 +11,0 @@ exports.hex2b64 = hex2b64;

libs/minimal_package.txt

@@ -9,4 +9,2 @@ preliminaries.js
 jsbn-patch.js
-external/prng4.js
-external/rng.js
 exports_minimal.js

package.json

 {
     "name": "jwcrypto"
-  , "version": "0.2.3"
+  , "version": "0.3.0"
   , "dependencies": {
@@ -5,0 +5,0 @@ "browserify": "1.8.1",

README.md

@@ -38,3 +38,3 @@ JavaScript implementation of JSON Web Signatures and JSON Web Tokens, especially as needed by BrowserID.
 
-  1. ensure that `libgmp` is installed on your system, it's required by [bigint](https://github.com/substack/node-bigint), upon which jwcrypto depends
+  1. ensure that `libgmp` is installed on your system (e.g. `apt-get install libgmp-dev`), it's required by [bigint](https://github.com/substack/node-bigint), upon which jwcrypto depends
   2. npm install jwcrypto
@@ -48,4 +48,9 @@ 3. in javascript: `require('jwcrypto')`
 
-    // random number generation is taken care of automatically.
+    // random number generation is taken care of automatically
+    // with auto-seeding that is optimized for server or browser
+    // setup
+
     // more entropy can be added as follows
+    // this can be useful to incorporate server-provided entropy
+    // on clients that don't have any good entropy of their own
     // entropy should be either a 32 bit int, an array of ints, or a string
@@ -52,0 +57,0 @@ jwcrypto.addEntropy(entropy);

test/jwcrypto-test.js

@@ -18,2 +18,14 @@ #!/usr/bin/env node
 
+suite.addBatch({
+  "adding entropy": {
+    topic: function() {
+      jwcrypto.addEntropy("foobarbaz");
+      return null;
+    },
+    "works": function() {
+      assert.ok(true);
+    }
+  }
+});
+
 testUtils.addBatches(suite, function(alg, keysize) {
@@ -20,0 +32,0 @@ var keypair;

New alerts

Uses eval

Supply chain risk

Package uses dynamic code execution (e.g., eval()), which is a dangerous practice. This can prevent the code from running in certain environments and increases the risk that the code may contain exploits or malicious behavior.

Found 1 instance in 1 package

Fixed alerts

Dynamic require

Supply chain risk

Dynamic require can indicate the package is performing dangerous or unsafe dynamic code execution.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

352036

increased by4.5%

Number of package files

75

increased by10.29%

Lines of code

5930

increased by2.95%

Number of lines in readme file

179

increased by2.87%

Number of low supply chain risk alerts

8

decreased by-38.46%

Worsened metrics

Number of medium supply chain risk alerts

3

increased by50%

No dependency changes