[v5] Unexport openpgp.crypto, openpgp.util, and low-level types #1175
Although I do understand the underlying reasons, I'm a bit annoyed about this removal. (Same for the
Yeah, I understand. The "proper" way to do this, however (reuse code between OpenPGP.js and the app) would be to split up these components into separate modules, and then import them from both OpenPGP.js and your app. Of course, we're not there yet, but that's kind of the direction we'd like to move in. Additionally, one result of this might be that we'd use an external library for md5 (if it's a good replacement) rather than having our own implementation, for example. If you want to help with this, and for example scout out if there's a good implementation of md5 (also for your own usage, although, obligatory warning, md5 should not be used for any security-critical applications), that'd be welcome of course. Similarly for the util functions; perhaps there is already a good ES6 module / library that allows importing individual util functions, if not, perhaps we should make one. Exporting
Any evolution regarding utils/crypto.* export (and reusability by an app), nowadays?
Hello 👋 We didn't work on making a separate package for the utils so far. If you want to work on this, and have a concrete proposal, let me know! I can make a stub repository as well, for example, to have a place to work on that.
@drzraf as far as the utils are concerned, you can have a look at pmcrypto, where we keep a subset of the openpgpjs utils, which may be sufficient for your use case. You can import the utils file only ( I have reservations about maintaining a separate repo for the crypto parts, since these are fairly openpgp-specific, and security-wise the implemented algos are not always state-of-the-art; on the contrary, they have been deprecated by e.g. NIST (see RSA with PKCS#1 padding). I believe there are better libs out there, designed with general purpose in mind. Plus, thanks to the development of SubtleCrypto (WebCrypto API) and its integration in Node, the need for platform-specific code is diminishing.
These exports don't have much to do with OpenPGP, and don't make much sense in a library called OpenPGP.js. These exports also thwart tree-shaking, as they don't allow granular imports - e.g. to import AES, you'd need to import the whole crypto "namespace". If absolutely required, you can
import aes from "openpgp/src/crypto/cipher/aes"
instead, for example (e.g. with esm on Node.js). And finally, removing these imports will allow us to change the internal API more easily, and switch between low-level crypto libraries without breaking anything, etc.