refactor(experimental): a function for generating secret keys #1379
Nice, this looks great! Really like the ability to keep the generated keys from being logged etc
Have you thought about if/how we should support use cases where you do need the raw private keys? One example that comes to mind would be Metaplex's keypairIdentity
Say more! My rough plan if/when someone asks for this is:
|
For the Metaplex case I'm pretty certain we just write a new |
I'm going to massively rework this. I just learned that ED25519 keys are coming to
|
I think you're right about |
expect.assertions(1); | ||
const { privateKey } = await generateKeyPair(); | ||
expect(privateKey).toHaveProperty('usages', ['sign']); | ||
}); |
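Review bot: the visible assertion on `privateKey` pins only `usages` to `['sign']`, and `expect.assertions(1)` leaves no room for a second check in this test. If the generated private key is meant to be non-extractable, as the summary's goal of never exposing key material implies, add a sibling test asserting `expect(privateKey).toHaveProperty('extractable', false)` so that a regression in that flag fails the suite.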
Nice, this API looks great! 🔥
It's SO good. Except for the part where it's all stupid magic combinations you have to know (ie. you can generate `Ed25519` keys with `"sign"` and `"verify"` usages, but supply the `"deriveKey"` usage and it will fatal at runtime). That part I hate.
…nments

## Summary

The idea here is that we're going to _presume_ that the browser has an Ed25519-compatible key generator, then polyfill it otherwise. From that perspective, the tests should just presume that it's present, and we should leave the testing of the polyfill up to the polyfill tests.
…mine whether Ed25519 is supported

## Summary

It's just nice to have these well tested, and all in one place. These will only become more complicated, so it's best to get them out of the code. Only thing is, I wish that TypeScript could assert about globals: https://stackoverflow.com/q/76657623/802047

## Test Plan

```
cd packages/keys/
pnpm test:unit:browser
pnpm test:unit:node
```
## Summary

This PR introduces `generateSecretKey()`. You might need to use this when you need to sign for the creation of an account, for instance.

Instead of vending the _bytes_ of a secret key, however, we use JS-native `CryptoKey` instances. These are opaque tokens that you can return at a later time to perform some action, like deriving the public key for the secret they represent, or signing a message.

The idea is that you can freely pass these `CryptoKey` instances around your application without worrying about accidentally logging the key material itself – ie. to Sentry or to the browser console.

The only environments that support Ed25519 key generation at the moment:

* Node >=17.4
* Safari 17

For other environments, we'll supply a polyfill that implements key generation, signing, encryption, decryption, and verification in userspace.

Spec: https://wicg.github.io/webcrypto-secure-curves/#ed25519
Proposal repo: https://github.com/WICG/webcrypto-secure-curves
Implementation status: WICG/webcrypto-secure-curves#20

## Test Plan

```
cd packages/keys/
pnpm test:unit:browser
pnpm test:unit:node
```
🎉 This PR is included in version 1.78.1 🎉

The release is available on:

Your semantic-release bot 📦🚀

Because there has been no activity on this PR for 14 days since it was merged, it has been automatically locked. Please open a new issue if it requires a follow up.
Stack created with Sapling. Best reviewed with ReviewStack.
* `SubtleCrypto#verify` #1400
* `SubtleCrypto#sign` #1399
* `SubtleCrypto#exportKey` #1397
* `CryptoKey` belongs to the polyfill or not #1396
* `generateKey()` that implements Ed25519 key generation in userspace #1395
* `Crypto` in both browser and Node environments #1392