Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Web examples client encryption #412

Draft
wants to merge 774 commits into
base: main
Choose a base branch
from
Draft

Web examples client encryption #412

wants to merge 774 commits into from

Conversation

nicktaras
Copy link
Contributor

No description provided.

Weiwu Zhang and others added 30 commits November 18, 2019 18:14
James Zaki's suggestions
96c7966
more editorial opinion from Zaki are integrated
abc0463
@bitcoinwarrior1
first sprint of UEFA tsml ticket
7b16a1b
@bitcoinwarrior1
Merge pull request #275 from AlphaWallet/UEFA
545096a 
first sprint of UEFA tsml ticket
@bitcoinwarrior1
fix redeemed conditional is wrong
3c217f1
@bitcoinwarrior1
only set redeemed value if it has actually loaded
c7e7d3f
@bitcoinwarrior1
add rinkeby and xDAI to UEFA
e2ff115
@bitcoinwarrior1
with new rinkeby address
fdc6606
@rosieprom @bitcoinwarrior1
Implement UEFA design in TokenScript
480bfe0
@bitcoinwarrior1
Merge pull request #283 from AlphaWallet/UEFA-new-layout-shtml
9b55c27 
UEFA new layout shtml
@bitcoinwarrior1
remove residual files
bd834fa
@rosieprom
added redeemed text, compressed images
c0bf838
@zhangzhongnan928
Update README.md
385d51b
@zhangzhongnan928
Update README.md
e314954
@zhangzhongnan928
Update README.md
a66acd4
@rosieprom
fixed shared.css to work on Android/iOS
6030f0c
@rosieprom
changed the background image and some height issue fix
81c7f3d
@bitcoinwarrior1
Merge pull request #291 from AlphaWallet/UEFA-redeem-item
0ed4344 
added redeemed text, compressed images
@bitcoinwarrior1
WIP add basic edcon draft TokenScript
ea23654
@zhangzhongnan928
Merge pull request #298 from AlphaWallet/edcon
48a8c83 
WIP add basic edcon draft TokenScript
@bitcoinwarrior1
add base files for alipay
a25a702
@bitcoinwarrior1
add location info to edcon
fa6df2c
@bitcoinwarrior1
add pickup to alipay
2157ef9
@bitcoinwarrior1
populate with sample contracts and info
9876fde
@bitcoinwarrior1
Merge pull request #299 from AlphaWallet/alipay
e78db85 
WIP Alipay Samples
@bitcoinwarrior1
rename AliEuro TokenScripts
6b71301
@bitcoinwarrior1
fix up names
93f542c
@bitcoinwarrior1
AliEuro TokenScripts with layouts
12ef7fb 
correct contracts

swap
@bitcoinwarrior1
Merge pull request #301 from AlphaWallet/airport-dropoff
7ffa49c 
TS Template es.html front-end for 6/11 tickets WIP
@rosieprom
alipay amended css
7c7f5d1
nicktaras and others added 21 commits January 5, 2021 23:54
@nicktaras
added notes inside readme. Added secret inside of ticket client js ob…
8d71095 
…ject
@nicktaras
updated unit test with secret inside query string
cfcdc4b
@nicktaras
work in progress to format the query data
f2ab186
@nicktaras
added units tests and update to logic to read from decoded data
1407fb6
@nicktaras
working with SignedDevconTicket. Unit tests no longer working, howeve…
542849e 
…r demo is in working order across all scenarios.
@nicktaras
updated readme
0c495a8
adding support for es2020 in eslint
e3b65de
removing .eslintcache from git history
e6616c2
@nicktaras
added fix for safari to stop duplicate tickets showing on screen. Add…
580fbae 
…ed a polyfill for BigInt (however my intention is to move to use the attestation lib very soon and remove this inside the example code)
@nicktaras
merge conflict
a027706
@nicktaras
updated readme
1903d49
reorg dirs prepare release
b4bc27c
@nicktaras
code tidy negoticator and switched npm package for big int with simpl…
616264e 
…er usage and a significantly larger userbase.
@nicktaras
Merge branch 'web-examples-new-data-structure' of https://github.com/…
88c63cf 
…TokenScript/TokenScript into web-examples-new-data-structure
@nicktaras
Web example: devcon issuer
09ed5c0
@nicktaras
switched npm package polyfill for bigint to big-integer, updated Sign…
fce6c9b 
…edDevonTicket.jsto work with this polyfill library.
@AW-STJ
Merge pull request #411 from TokenScript/web-examples
c81f55f 
switched npm package polyfill for bigint to big-integer, updated Sign…
@nicktaras
added poc for web encryption
80e8404
@nicktaras
client secret crypto demo fix in Negociator (in working state) for re…
9da7ded 
…view.
@nicktaras
merged with main
9152f19
@nicktaras
removed getTicketInstances param
2dc3c0c
@SmartLayer
Copy link

let's do an experiment if you generate an encryption key and not store it in the Local storage, encrypt a message, copy the encrypted (or store it in local storage), then close the browser and open it again, access the same key, can you decrypt the message? note that in the entire time you can't save the key in the local storage otherwise, it defeats the purpose of using encryption in the first place.

I am beginning to worry that the API maker in the web api didn't persist the key anywhere, making it impossible to use the same key across the session unless you manually save the key somewhere. If it is the case, the api isn't very helpful to us.

SmartLayer
SmartLayer requested changes Jan 8, 2021
View reviewed changes
examples/sites/devcon-issuer/react/src/TokenScript/Crypto.js
return window.crypto.subtle.generateKey({
name: 'AES-GCM',
length: 256,
}, true, ['encrypt', 'decrypt'])
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The encryption key should not be extractable if you don't intend to export it

jot2re
jot2re reviewed Jan 8, 2021
View reviewed changes
Copy link
Collaborator

@jot2re jot2re left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't have any additional comments to what @colourful-land said. However, I am also completely unfamiliar with JS and its security.
The only thing I can think of, is if there needs to be done something explicitly to ensure that the key is associated with only a specific web domain that constructed it? Or if this is handle implicitly by SubtleCrypto

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jot2re jot2re jot2re left review comments

@SmartLayer SmartLayer SmartLayer requested changes

@oleggrib oleggrib Awaiting requested review from oleggrib

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet