Migrating from node-webcrypto-ossl

[yalamber]

Hello,
I am using pki.js library with node-webcrypto-ossl in an electron app. While using node-webcrypto-ossl on windows for electron it produces various error and I was thinking of migrating to this library. Is there any difference between this library and node-webcrypto-ossl? Will it be fine to use any as replacement in any project?

[microshine]

webcrypto is based on NodeJS crypto API. The minimum version of NodeJS must be v10. But electron doesn't implement all NodeJS crypto API (etc. generateKeys). This is why I use node-webcrypto-ossl for my Fortify project

[yalamber]

@microshine are you able to build node-webcrypto-ossl for electron on windows?

[yalamber]

@microshine i saw your fortify project and added
openssl_1_0_2 = 1 to my .npmrc seems like build succeeded.
Thank you

[microshine]

@yalamber You must put libeay32.dll near nodessl.node (node-webcrypto-oss/build/Release) or electron.exe

[microshine]

@yalamber you can take prebuild openssl here https://github.com/PeculiarVentures/fortify/releases

[yalamber]

@microshine Thank you so much. I rebuilt using old version of openssl and it went fine.

[CMCDragonkai]

Will this eventually replace node-crypto-ossl?

[rmhrisk]

Yes, our current thinking is that once all the blocking issues are addressed (assuming that can be done) we will make that switch.

Right now some algorithms can't be implemented because of issues in node.crypto and there is an issue with running inside Electron applications. We are not aware of any other issues at this time.

[CMCDragonkai]

Are all the blocking issues listed somewhere?

Also I'm concerned about whether the crypto API will be truely async across all the platforms. See the concerns listed on this package: https://www.npmjs.com/package/@ronomon/crypto-async

[rmhrisk]

The current known issues are here: https://github.com/PeculiarVentures/webcrypto/issues?q=is%3Aissue+is%3Aopen+label%3A%22blocking+deprecation+of+node-webcrypto-ossl%22

We have done benchmarking and in all cases, if I recall correctly the performance between node-webcrypto-ossl was essentially the same or marginally faster. I suspect that there will be no issue but we should create a bug to test for this.

The desire to deprecate the native c module is based on:

• Some people have no C experience and when they encounter issues building they move on to using all JS solutions that are very insecure.
• Maintaining the C version is more costly.

The downsides of doing the switch are (so far):

• People have to switch.
• We get blocked by the node team for support for different algorthms.
• When node deprecates an algorithm we will have to also.

Were open to different approaches here, we just are trying to help the internet with this library.

[rmhrisk]

Reopening this issue so people can use it to discuss the topic.

[CMCDragonkai]

Now that nodejs has a webcrypto object crypto.webcrypto. Does this library use any routines directly from crypto.webcrypto?

It seems to rely only on node's crypto library and just reimplements the same interface.

I was using @pecular/x509 and there was an example on the README.md that showed the ability to fill in the crypto provider:

It seemed like this was sufficient:

import { webcrypto } from 'crypto';
import * as x509 from '@peculiar/x509';

x509.cryptoProvider.set(webcrypto as Crypto);

In that case, is there still a reason to use this library if the node version is 16.17+?