Replace tweetnacl by @noble/curves #5

Merged
merged 3 commits into from
Dec 15, 2023

gtsonevv
Collaborator

@gtsonevv gtsonevv commented Nov 24, 2023

Pre-flight checklist

  • I have read the Contributing Guidelines on pull requests.
  • Commit messages follow the conventional commits spec
  • If this is a code change: I have written unit tests.
  • If this changes code in a published package: I have run pnpm changeset to create a changeset JSON document appropriate for this change.
  • If this is a new API or substantial change: the PR has an accompanying issue (closes #1199) and the maintainers have approved on my working plan.

Motivation

This PR aims to replace tweetnacl with @noble/curves to improve the security of near-api-js. The reason is that tweetnacl has a problem called signature malleability. This means that someone could create a different signature for the same message without knowing the secret key. This could lead to vulnerabilities in certain situations. @noble/curves doesn't have this issue, making it a more secure choice for our cryptographic needs. Additionally, @noble/curves is much smaller than tweetnacl. It’s used in a lot of Ethereum projects including MetaMask and ProtonMail, so it should be a reliable replacement.

Test Plan

The existing keypair generation, signature generation and validation tests are passing.

Related issues/PRs

#1199

@gtsonevv gtsonevv requested a review from vikinatora November 24, 2023 09:21
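
An added example, not code from this PR or from either library: RFC 8032 requires an Ed25519 verifier to reject any signature whose scalar half S is not below the group order L, and a verifier that skips this check accepts more than one encoding of the same S, which is one known source of the malleability named in the motivation. The guard below runs that check before a verifier; `verifyStrict`, `verifyFn` and `sampleSignature` are hypothetical names, and the sample bytes are constructed, not real signatures.

```javascript
// Added example: RFC 8032 canonical-S guard in front of an Ed25519 verifier.
// Ed25519 group order L = 2^252 + 27742317777372353535851937790883648493.
const L = (1n << 252n) + 27742317777372353535851937790883648493n;

// Decode little-endian bytes into a BigInt.
function leBytesToBigInt(bytes) {
  let n = 0n;
  for (let i = bytes.length - 1; i >= 0; i--) n = (n << 8n) | BigInt(bytes[i]);
  return n;
}

// True only for a 64-byte signature whose S half (bytes 32..63) is below L.
function hasCanonicalS(signature) {
  if (!(signature instanceof Uint8Array) || signature.length !== 64) return false;
  return leBytesToBigInt(signature.subarray(32)) < L;
}

// Reject non-canonical encodings before calling the underlying verifier.
// `verifyFn(signature, message, publicKey) -> boolean` is a hypothetical
// callback standing in for whatever library does the curve arithmetic.
function verifyStrict(verifyFn, signature, message, publicKey) {
  if (!hasCanonicalS(signature)) return false;
  return verifyFn(signature, message, publicKey) === true;
}

// Constructed sample (not a real signature): R = 32 zero bytes, S = `s`.
function sampleSignature(s) {
  const sig = new Uint8Array(64);
  for (let i = 32; i < 64; i++) { sig[i] = Number(s & 0xffn); s >>= 8n; }
  return sig;
}

// Boundary cases: the largest canonical S, then the first rejected one.
console.log(hasCanonicalS(sampleSignature(L - 1n)));
console.log(hasCanonicalS(sampleSignature(L)));
```
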
@@ -50,7 +55,8 @@ export class KeyPairEd25519 extends KeyPairBase {
}

toString(): string {
return `ed25519:${this.secretKey}`;
const extendedSK = baseEncode(new Uint8Array([...baseDecode(this.secretKey), ...this.publicKey.data]));
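Review bot: The `extendedSK` line in `toString()` has no comment saying why the serialized key is the decoded `this.secretKey` with `this.publicKey.data` appended, so a reader cannot tell from this hunk what byte layout an `ed25519:` string is supposed to carry. I'd add a one-line comment stating the layout (secret part first, public key second) and a unit test that round-trips `toString()` through whatever parses that string, since the parsing side is not visible here and a mismatch in expected length would only surface at runtime. Separately, the spread into a plain array copies the secret bytes into a short-lived intermediate on every call; building the `Uint8Array` once, as suggested in the comment below, also limits how many copies of the secret exist.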
Collaborator

I think we can optimize this a bit by calculating the value of extendedSK in the constructor and returning the value in toString()

@gtsonevv gtsonevv force-pushed the replace-tweetnacl-by-@noble/curves branch from 8467c53 to cdd8d1c Compare November 24, 2023 09:58
@gtsonevv gtsonevv merged commit d594279 into master Dec 15, 2023
1 check passed
Development

Successfully merging this pull request may close these issues.

Security: ed25519 verification accepts forged signatures
2 participants