Hey JavaScript people. Let's say I'm sitting here and going "I need to sign a binary blob, then later verify that signature... I know, I'll use SubtleCrypto.sign". Do you feel a need to fling my laptop aside and yell "NO! You fool!! Use ____ from NPM!!" instead?
SubtleCrypto is named that way to discourage using it directly because it provides low-level APIs not designed for direct use outside cryptography libraries. It's probably not a good idea to use this directly if you aren't an expert on cryptography making a higher-level library.
Do you only need signing and verification, or do you really need authenticated encryption? Do you need public/private keys, or is it the same instance of the code handling both encryption/signing and verification/decryption?
I need public/private keys, and I need signing. Data blobs are being distributed by way of untrusted third parties. I may or may not need encryption. I guess it would be nice to offer it as an option, as long as I'm signing and public keys are being distributed out of band anyway.
I recommend using npmjs.com/package/libsod. Web Cryptography provides unsafe, low-level APIs and was designed by Netflix to implement DRM rather than anything useful. The only real use case is inside higher-level cryptography libraries with a need to provide legacy algorithms.
Thanks. This is reassuring, because what I was planning on doing was using TweetNaCl, a JS port of libsodium. SubtleCrypto seems maybe workable, but there are just too many tunable knobs I don't trust myself to tune.