Gathering detailed insights and metrics for isomorphic-webcrypto
Gathering detailed insights and metrics for isomorphic-webcrypto
🎲 webcrypto library for Node, React Native and IE11+
Installations
npm install isomorphic-webcryptoReleases
Unable to fetch releases
Developer
Developer Guide
BETA
Module System
CommonJS, UMD
Min. Node Version
Typescript Support
Yes
Node Version
14.3.0
NPM Version
6.14.8
Statistics
116 Stars
94 Commits
43 Forks
3 Watching
33 Branches
3 Contributors
Updated on 13 Sept 2024
Languages
JavaScript (100%)
Total Downloads
Cumulative downloads
Total Downloads
16,118,713
Last day
-1.4%
23,787
Compared to previous day
Last week
5%
137,742
Compared to previous week
Last month
19.3%
538,664
Compared to previous month
Last year
1.8%
4,259,598
Compared to previous year
Daily Downloads
Weekly Downloads
Monthly Downloads
Yearly Downloads
Dependencies
11
Dev Dependencies
19
Optional Dependencies
4
Versions
isomorphic-webcrypto 
webcrypto library for Node, React Native and IE11+
What?
There's a great Node polyfill for the Web Crypto API, but it's not isomorphic.
IE11 and versions of Safari < 11 use an older version of the spec, so the browser implementation includes a webcrypto-shim to iron out the differences. You'll still need to provide your own Promise polyfill.
There's currently no native crypto support in React Native, so the Microsoft Research library is exposed.
Note: If you're performing cross-platform jwt operations, consider jwt-lite or jwt-verifier-lite (for OpenID Connect), which build on
isomorphic-webcrypto
Install
npm install isomorphic-webcrypto
Usage
There's a simple hashing example below, but there are many more WebCrypto examples here. This example requires you to npm install hex-lite.
1const crypto = require('isomorphic-webcrypto') 2const hex = require('hex-lite') 3// or 4import crypto from 'isomorphic-webcrypto' 5import hex from 'hex-lite' 6 7crypto.subtle.digest( 8 { name: 'SHA-256' }, 9 new Uint8Array([1,2,3]).buffer 10) 11.then(hash => { 12 // hashes are usually represented as hex strings 13 // hex-lite makes this easier 14 const hashString = hex.fromBuffer(hash); 15})
React Native
React Native support is implemented using the Microsoft Research library. The React Native environment only supports Math.random(), so react-native-securerandom is used to provide proper entropy. This is handled automatically, except for crypto.getRandomValues(), which requires you wait:
1const crypto = require('isomorphic-webcrypto') 2 3(async () => { 4 // Only needed for crypto.getRandomValues 5 // but only wait once, future calls are secure 6 await crypto.ensureSecure(); 7 const array = new Uint8Array(1); 8 crypto.getRandomValues(array); 9 const safeValue = array[0]; 10})()
Working React Native examples:
- Using create-react-native-app with Expo
- Using an ejected create-react-native-app
I just want to drop in a script tag
You should use the webcrypto-shim library directly:
1<!-- Any Promise polyfill will do --> 2<script src="https://unpkg.com/bluebird"></script> 3<script src="https://unpkg.com/webcrypto-shim"></script>
Compatibility
- IE11+
- Safari 8+
- Edge 12+
- Chrome 43+
- Opera 24+
- Firefox 34+
- Node 8+
- React Native
Although the library runs on IE11+, the level of functionality varies between implementations. The grid below shows the discrepancies between the latest versions of each environment.
Legend
- ~ works with some caveats - see the __tests__ directory for the caveats
- ? untested
- x unsupported algorithm
- strikethrough broken method
| Key | Node | React Native | Chrome/Firefox | Safari | Edge | IE11 |
|---|---|---|---|---|---|---|
| HS256 | importKey exportKey generateKey sign verify | importKey exportKey generateKey sign verify | importKey exportKey generateKey sign verify | importKey exportKey generateKey sign verify | importKey exportKey generateKey sign verify | importKey exportKey generateKey sign verify |
| HS384 | importKey exportKey generateKey sign verify | importKey exportKey generateKey sign verify | importKey exportKey generateKey sign verify | importKey exportKey generateKey sign verify | importKey exportKey generateKey sign verify | importKey exportKey generateKey sign verify |
| HS512 | importKey exportKey generateKey sign verify | importKey exportKey generateKey sign verify | importKey exportKey generateKey sign verify | importKey exportKey generateKey sign verify | importKey exportKey generateKey sign verify | x |
| RS256 | importKey exportKey generateKey sign verify | importKey exportKey sign verify | importKey exportKey generateKey sign verify | importKey exportKey generateKey sign verify | ~importKey exportKey ~generateKey verify | ~importKey ~exportKey generateKey verify |
| RS384 | importKey exportKey generateKey sign verify | importKey exportKey sign verify | importKey exportKey generateKey sign verify | importKey generateKey sign verify | ~importKey exportKey ~generateKey sign verify | importKey exportKey generateKey sign verify |
| RS512 | importKey exportKey generateKey sign verify | importKey exportKey sign verify | importKey exportKey generateKey sign verify | importKey generateKey sign verify | ~importKey exportKey ~generateKey sign verify | importKey exportKey generateKey |
| PS256 | importKey exportKey generateKey sign verify | importKey exportKey sign verify | importKey exportKey generateKey sign verify | importKey generateKey sign verify | ? | ? |
| PS384 | importKey exportKey generateKey sign verify | importKey exportKey sign verify | importKey exportKey generateKey sign verify | importKey generateKey sign verify | ? | ? |
| PS512 | importKey exportKey generateKey sign verify | importKey exportKey sign verify | importKey exportKey generateKey sign verify | importKey generateKey sign verify | ? | ? |
| ES256 | importKey exportKey generateKey sign verify | importKey exportKey generateKey sign verify | importKey exportKey generateKey sign verify | importKey exportKey generateKey sign verify | x | x |
| ES384 | importKey exportKey generateKey sign verify | importKey exportKey generateKey sign verify | importKey exportKey generateKey sign verify | importKey exportKey generateKey sign verify | x | x |
| ES512 | importKey exportKey generateKey sign verify | importKey exportKey generateKey sign verify | importKey exportKey generateKey sign verify | x | x | x |
| RSA1_5 | ? | ? | ? | ? | ? | ? |
| RSA-OAEP | ? | ? | ? | ? | ? | ? |
| RSA-OAEP-256 | ? | ? | ? | ? | ? | ? |
| A128KW | ? | ? | ? | ? | ? | ? |
| A192KW | ? | ? | ? | ? | ? | ? |
| A256KW | ? | ? | ? | ? | ? | ? |
| dir | ? | ? | ? | ? | ? | ? |
| ECDH-ES | ? | ? | ? | ? | ? | ? |
| ECDH-ES+A128KW | ? | ? | ? | ? | ? | ? |
| ECDH-ES+A192KW | ? | ? | ? | ? | ? | ? |
| ECDH-ES+A256KW | ? | ? | ? | ? | ? | ? |
| A128GCMKW | ? | ? | ? | ? | ? | ? |
| A192GCMKW | ? | ? | ? | ? | ? | ? |
| A256GCMKW | ? | ? | ? | ? | ? | ? |
| PBES2-HS256+A128KW | ? | ? | ? | ? | ? | ? |
| PBES2-HS384+A192KW | ? | ? | ? | ? | ? | ? |
| PBES2-HS512+A256KW | ? | ? | ? | ? | ? | ? |
Here's a legend for the JWA alg abbreviations:
| Key | Signature, MAC or Key Management Algorithm |
|---|---|
| HS256 | HMAC using SHA-256 |
| HS384 | HMAC using SHA-384 |
| HS512 | HMAC using SHA-512 |
| RS256 | RSASSA-PKCS1-v1_5 using SHA-256 |
| RS384 | RSASSA-PKCS1-v1_5 using SHA-384 |
| RS512 | RSASSA-PKCS1-v1_5 using SHA-512 |
| ES256 | ECDSA using P-256 and SHA-256 |
| ES384 | ECDSA using P-384 and SHA-384 |
| ES512 | ECDSA using P-521 and SHA-512 |
| PS256 | RSASSA-PSS using SHA-256 and MGF1 with SHA-256 |
| PS384 | RSASSA-PSS using SHA-384 and MGF1 with SHA-384 |
| PS512 | RSASSA-PSS using SHA-512 and MGF1 with SHA-512 |
| RSA1_5 | RSAES-PKCS1-v1_5 |
| RSA-OAEP | RSAES OAEP using default parameters |
| RSA-OAEP-256 | RSAES OAEP using SHA-256 and MGF1 with SHA-256 |
| A128KW | AES Key Wrap with default initial value using 128-bit key |
| A192KW | AES Key Wrap with default initial value using 192-bit key |
| A256KW | AES Key Wrap with default initial value using 256-bit key |
| dir | Direct use of a shared symmetric key as the CEK |
| ECDH-ES | Elliptic Curve Diffie-Hellman Ephemeral Static key agreement using Concat KDF |
| ECDH-ES+A128KW | ECDH-ES using Concat KDF and CEK wrapped with "A128KW" |
| ECDH-ES+A192KW | ECDH-ES using Concat KDF and CEK wrapped with "A192KW" |
| ECDH-ES+A256KW | ECDH-ES using Concat KDF and CEK wrapped with "A256KW" |
| A128GCMKW | Key wrapping with AES GCM using 128-bit key |
| A192GCMKW | Key wrapping with AES GCM using 192-bit key |
| A256GCMKW | Key wrapping with AES GCM using 256-bit key |
| PBES2-HS256+A128KW | PBES2 with HMAC SHA-256 and "A128KW" wrapping |
| PBES2-HS384+A192KW | PBES2 with HMAC SHA-384 and "A192KW" wrapping |
| PBES2-HS512+A256KW | PBES2 with HMAC SHA-512 and "A256KW" wrapping |
License
MIT
No vulnerabilities found.
Reason
no binaries found in the repo
Reason
license file detected
Details
- Info: project has a license file: LICENSE:0
- Info: FSF or OSI recognized license: MIT License: LICENSE:0
Reason
project is archived
Details
- Warn: Repository is archived.
Reason
Found 1/24 approved changesets -- score normalized to 0
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
security policy file not detected
Details
- Warn: no security policy file detected
- Warn: no security file to analyze
- Warn: no security file to analyze
- Warn: no security file to analyze
Reason
project is not fuzzed
Details
- Warn: no fuzzer integrations found
Reason
SAST tool is not run on all commits -- score normalized to 0
Details
- Warn: 0 commits out of 12 are checked with a SAST tool
Reason
93 existing vulnerabilities detected
Details
- Warn: Project is vulnerable to: GHSA-67hx-6x53-jw92
- Warn: Project is vulnerable to: GHSA-v88g-cgmw-v5xw
- Warn: Project is vulnerable to: GHSA-93q8-gq69-wqmw
- Warn: Project is vulnerable to: GHSA-fwr7-v2mv-hh25
- Warn: Project is vulnerable to: GHSA-qwcr-r2fm-qrc7
- Warn: Project is vulnerable to: GHSA-grv7-fg5c-xmjg
- Warn: Project is vulnerable to: GHSA-x9w5-v3q2-3rhw
- Warn: Project is vulnerable to: GHSA-pxg6-pf52-xh8x
- Warn: Project is vulnerable to: GHSA-3xgq-45jj-v275
- Warn: Project is vulnerable to: GHSA-gxpj-cx7g-858c
- Warn: Project is vulnerable to: GHSA-w573-4hg7-7wgq
- Warn: Project is vulnerable to: GHSA-434g-2637-qmqr
- Warn: Project is vulnerable to: GHSA-49q7-c7j4-3p7m
- Warn: Project is vulnerable to: GHSA-977x-g7h5-7qgw
- Warn: Project is vulnerable to: GHSA-f7q4-pwc6-w24p
- Warn: Project is vulnerable to: GHSA-fc9h-whq2-v747
- Warn: Project is vulnerable to: GHSA-j4f2-536g-r55m
- Warn: Project is vulnerable to: GHSA-r7qp-cfhv-p84w
- Warn: Project is vulnerable to: GHSA-74fj-2j2h-c42q
- Warn: Project is vulnerable to: GHSA-pw2r-vq6v-hr8c
- Warn: Project is vulnerable to: GHSA-jchw-25xp-jwwc
- Warn: Project is vulnerable to: GHSA-cxjh-pqwp-8mfp
- Warn: Project is vulnerable to: GHSA-ww39-953v-wcq6
- Warn: Project is vulnerable to: GHSA-f5x2-xv93-4p23
- Warn: Project is vulnerable to: GHSA-gmpm-xp43-f7g6
- Warn: Project is vulnerable to: GHSA-pf27-929j-9pmm
- Warn: Project is vulnerable to: GHSA-327c-qx3v-h673
- Warn: Project is vulnerable to: GHSA-x4cf-6jr3-3qvp
- Warn: Project is vulnerable to: GHSA-mph8-6787-r8hw
- Warn: Project is vulnerable to: GHSA-7mhc-prgv-r3q4
- Warn: Project is vulnerable to: GHSA-43f8-2h32-f4cj
- Warn: Project is vulnerable to: GHSA-qqgx-2p2h-9c37
- Warn: Project is vulnerable to: GHSA-896r-f27r-55mw
- Warn: Project is vulnerable to: GHSA-9c47-m6qq-7p4h
- Warn: Project is vulnerable to: GHSA-7x7c-qm48-pq9c
- Warn: Project is vulnerable to: GHSA-rc3x-jf5g-xvc5
- Warn: Project is vulnerable to: GHSA-76p3-8jx3-jpfq
- Warn: Project is vulnerable to: GHSA-3rfm-jhwj-7488
- Warn: Project is vulnerable to: GHSA-hhq3-ff78-jv3g
- Warn: Project is vulnerable to: GHSA-29mw-wpgm-hmr9
- Warn: Project is vulnerable to: GHSA-35jh-r3h4-6jhm
- Warn: Project is vulnerable to: GHSA-82v2-mx6x-wq7q
- Warn: Project is vulnerable to: GHSA-v8v8-6859-qxm4
- Warn: Project is vulnerable to: GHSA-4xcv-9jjx-gfj3
- Warn: Project is vulnerable to: GHSA-952p-6rrq-rcjv
- Warn: Project is vulnerable to: GHSA-f8q6-p94x-37v3
- Warn: Project is vulnerable to: GHSA-vh95-rmgr-6w4m / GHSA-xvch-5gv4-984h
- Warn: Project is vulnerable to: GHSA-9x9j-836w-8f55
- Warn: Project is vulnerable to: GHSA-r683-j2x4-v87g
- Warn: Project is vulnerable to: GHSA-w7rc-rwvf-8q5r
- Warn: Project is vulnerable to: GHSA-5fw9-fq32-wv5p
- Warn: Project is vulnerable to: GHSA-hj48-42vr-x3v9
- Warn: Project is vulnerable to: GHSA-4cpg-3vgw-4877
- Warn: Project is vulnerable to: GHSA-hrpp-h998-j3pp
- Warn: Project is vulnerable to: GHSA-rxrc-rgv4-jpvx
- Warn: Project is vulnerable to: GHSA-7f53-fmmv-mfjv
- Warn: Project is vulnerable to: GHSA-p8p7-x288-28g6
- Warn: Project is vulnerable to: GHSA-c2qf-rxjj-qqgw
- Warn: Project is vulnerable to: GHSA-m6fv-jmcg-4jfg
- Warn: Project is vulnerable to: GHSA-hxcc-f52p-wc94
- Warn: Project is vulnerable to: GHSA-cm22-4g7w-348p
- Warn: Project is vulnerable to: GHSA-g4rg-993r-mgx7
- Warn: Project is vulnerable to: GHSA-gff7-g5r8-mg8m
- Warn: Project is vulnerable to: GHSA-fxwf-4rqh-v8g3
- Warn: Project is vulnerable to: GHSA-25hc-qcg6-38wj
- Warn: Project is vulnerable to: GHSA-xfhh-g9f5-x4m4
- Warn: Project is vulnerable to: GHSA-qm95-pgcg-qqfq
- Warn: Project is vulnerable to: GHSA-cqmj-92xf-r6r9
- Warn: Project is vulnerable to: GHSA-vx3p-948g-6vhq
- Warn: Project is vulnerable to: GHSA-3jfq-g458-7qm9
- Warn: Project is vulnerable to: GHSA-r628-mhmh-qjhw
- Warn: Project is vulnerable to: GHSA-9r2w-394v-53qc
- Warn: Project is vulnerable to: GHSA-5955-9wpr-37jh
- Warn: Project is vulnerable to: GHSA-qq89-hq3f-393p
- Warn: Project is vulnerable to: GHSA-f5x3-32g6-xq36
- Warn: Project is vulnerable to: GHSA-4wf5-vphf-c2xc
- Warn: Project is vulnerable to: GHSA-jgrx-mgxx-jf9v
- Warn: Project is vulnerable to: GHSA-72xf-g2v4-qvf3
- Warn: Project is vulnerable to: GHSA-662x-fhqg-9p8v
- Warn: Project is vulnerable to: GHSA-394c-5j6w-4xmx
- Warn: Project is vulnerable to: GHSA-78cj-fxph-m83p
- Warn: Project is vulnerable to: GHSA-fhg7-m89q-25r3
- Warn: Project is vulnerable to: GHSA-mgfv-m47x-4wqp
- Warn: Project is vulnerable to: GHSA-wr3j-pwj9-hqq6
- Warn: Project is vulnerable to: GHSA-j8xg-fqg3-53r7
- Warn: Project is vulnerable to: GHSA-3h5v-q93c-6h6q
- Warn: Project is vulnerable to: GHSA-6fc8-4gx4-v693
- Warn: Project is vulnerable to: GHSA-h6q6-9hqw-rwfv
- Warn: Project is vulnerable to: GHSA-5fg8-2547-mr8q
- Warn: Project is vulnerable to: GHSA-crh6-fp67-6883
- Warn: Project is vulnerable to: GHSA-72mh-269x-7mh5
- Warn: Project is vulnerable to: GHSA-h4j5-c7cj-74xg
- Warn: Project is vulnerable to: GHSA-p9pc-299p-vxgp
Score
2
/10
Last Scanned on 2024-11-18
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More