Web examples client encryption #412
base: main
first sprint of UEFA tsml ticket
UEFA new layout shtml
added redeemed text, compressed images
WIP add basic edcon draft TokenScript
WIP Alipay Samples
correct contracts swap
TS Template es.html front-end for 6/11 tickets WIP
…r demo is in working order across all scenarios.
…ed a polyfill for BigInt (however my intention is to move to use the attestation lib very soon and remove this inside the example code)
…er usage and a significantly larger userbase.
…TokenScript/TokenScript into web-examples-new-data-structure
…edDevonTicket.js to work with this polyfill library.
switched npm package polyfill for bigint to big-integer, updated Sign…
Let's do an experiment: if you generate an encryption key and do not store it in local storage, encrypt a message, copy the encrypted message (or store it in local storage), then close the browser and open it again and access the same key, can you decrypt the message? Note that during the entire time you can't save the key in local storage; otherwise, it defeats the purpose of using encryption in the first place. I am beginning to worry that the maker of the web API didn't persist the key anywhere, making it impossible to use the same key across the session unless you manually save the key somewhere. If that is the case, the API isn't very helpful to us.
return window.crypto.subtle.generateKey({ | ||
name: 'AES-GCM', | ||
length: 256, | ||
}, true, ['encrypt', 'decrypt']) |
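Review bot: the second argument to `generateKey` is `true` on the `}, true, ['encrypt', 'decrypt'])` line, which marks the AES-GCM key as extractable, so any script running in the page can call `exportKey` on it and read the raw key bytes. Nothing in the visible lines exports the key. If the rest of the change does not either, pass `false` here; if export is intended, add a comment on this call stating where the exported key goes and why.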
The encryption key should not be extractable if you don't intend to export it
I don't have any additional comments to what @colourful-land said. However, I am also completely unfamiliar with JS and its security.
The only thing I can think of is whether something needs to be done explicitly to ensure that the key is associated only with the specific web domain that constructed it, or whether this is handled implicitly by SubtleCrypto.
e54d791
to
1368554
No description provided.