Home

Awesome

webcrypto-liner

license npm version test

NPM

A polyfill for WebCrypto that "smooths out" the rough-edges in existing User Agent implementations.

Though WebCrypto is well supported across browsers, several browsers still have prefixed and buggy implementations. Additionally, they do not always support the same algorithms, for example, Edge does not support SHA1 or ECC while both Firefox and Chrome do.

NOTE: If you are not familiar with how to use the various capabilities of WebCrypto see this great example page.

Browsers support

<img src="https://raw.githubusercontent.com/alrra/browser-logos/master/src/edge/edge_48x48.png" alt="IE / Edge" width="24px" height="24px" /></br> Edge<img src="https://raw.githubusercontent.com/alrra/browser-logos/master/src/firefox/firefox_48x48.png" alt="Firefox" width="24px" height="24px" /></br>Firefox<img src="https://raw.githubusercontent.com/alrra/browser-logos/master/src/chrome/chrome_48x48.png" alt="Chrome" width="24px" height="24px" /></br>Chrome<img src="https://raw.githubusercontent.com/alrra/browser-logos/master/src/safari/safari_48x48.png" alt="Safari" width="24px" height="24px" /></br>Safari
last 2 versionslast 2 versionslast 2 versionslast 2 versions

Information

webcrypto-liner is a wrapper for WebCrypto designed to address these issues, at the same time it was designed to be modular so that it can also be used for testing the addition of new algorithms to WebCrypto in the future.

Intentionally webcrypto-liner does not implement any cryptography though it does consume libraries that do. We strongly recommend you read "What’s wrong with in-browser cryptography?" before using this library.

The libraries webcrypto-liner relies on include:

PackageDescriptionSizeOptional
asmcrypto.jsA performant JavaScript implementation of popular cryptographic utilities with performance in mind.131 KBYes
ellipticFast Elliptic Curve Cryptography in plain javascript130 KBYes
webcrypto-coreA input validation layer for WebCrypto polyfills <sup>1</sup>25 KBNo

<sup>1 This library is compiled into webcrypto-liner.</sup>

webcrypto-liner will always try to use a native implementation of webcrypto, or a prefixed version of webcrypto, before it falls back to a Javascript implementation of a given algorithm. We have no control over the corresponding implementation and what it does, for example, it may not use window.crypto.getRandomValues even if it is available and the mechanism it uses to gather randomness may be both insecure and weak.

We have done no security review or take a position on the security of these third-party libraries. YOU HAVE BEEN WARNED.

To keep webcrypto-liner as small as possible (right now it is ~11kb without dependencies) it was designed to be modular, so if you do not need ECC support, do not include elliptic as a dependency and it will not be loaded.

If you do not load any of the dependencies that provide cryptographic implementations webcrypto-liner will work as an interoperability layer, very similar to webcrypto-shim.

webcrypto-liner supports the following algorithms and key lengths:

CapabilityDetails
Encryption/DecryptionRSA-OAEP, DES-CBC<sup>1</sup>, DES-EDE3-CBC<sup>1</sup>, AES-ECB <sup>1</sup>, AES-CBC, AES-ECB and AES-GCM
Sign/VerifyRSA-PSS, RSASSA_PKCS1-v1_5 and ECDSA
HashSHA-1, and SHA-256, SHA-512
Derive Key/BitsECDH, PBKDF2
KeywrapAES-GCM, AES-CBC, AES-ECB <sup>1</sup>, DES-CBC<sup>1</sup>, DES-EDE3-CBC<sup>1</sup>
ECC CurvesP-256, P-384, P-521, and K-256<sup>2</sup> (secp256k1)
RSA Key Lengths1024, 2048, 3072, and 4096
AES Key Lengths128, 192 and 256

<sup>1</sup> Mechanism is not defined by the WebCrypto specifications. Use of mechanism in a safe way is hard, it was added for the purpose of enabling interoperability with an existing system. We recommend against its use unless needed for interoperability.

<sup>2</sup> K-256 (secp256k1) curve is not defined by the WebCrypto specifications.

You can see the webcrypto-liner in use in the pv-webcrypto-tests page.

Using

<head>
  <!-- Crypto providers are optional -->
  <script src="https://cdnjs.cloudflare.com/ajax/libs/babel-polyfill/7.7.0/polyfill.min.js"></script>
  <script src="https://cdnjs.cloudflare.com/ajax/libs/asmCrypto/2.3.2/asmcrypto.all.es5.min.js"></script>
  <script src="https://cdn.rawgit.com/indutny/elliptic/master/dist/elliptic.min.js"></script>
  <!-- Crypto -->
  <script src="webcrypto-liner.shim.js"></script>
</head>
<body>
  <script> 
    crypto.subtle.generateKey({name: "AES-GCM", length: 192}, true, ["encrypt", "decrypt"])
      .then(function(key){
        return crypto.subtle.encrypt({
            name: "AES-GCM", 
            iv: new Uint8Array([1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16]),
            tagLength: 128
          }, key, new Uint8Array([1,2,3,4,5]))
      })
      .then(function(enc){
        console.log(new Uint8Array(enc));
      })
      .catch(function(err){
        console.log(err.message); // Chrome throws: 192-bit AES keys are not supported
      })
  </script>
</body>

Dependencies

typescript

npm install typescript --global

Installation

The module has been designed to be useful in ES6 and ES5 projects. The default is ES5 with commonjs, to install and build you would run:

npm install
npm run build

FAQ

Related