Replies: 1 comment 3 replies
-
Async crypto APIs are already used when available in a given runtime. Moving the public API to a Promise based one was a prerequisite given that Web Crypto API is entirely async anyway.
I do not plan on adding support for this. Replacing CryptoKey / KeyObject / Uint8Array "KeyLike" is not what the internal validations could easily change. These services also only IMO come into play when producing signed tokens, since you're always able to export the public key material and have that available in your process. Then, when it comes to signing, forming the signing input is an easy task, one can argue you don't necessarily need a library for it in the first place given you're proposing you'd be providing the code that actually obtains the signature. |
Beta Was this translation helpful? Give feedback.
-
I note previous replies on this topic here and here. I also note these replies are over 2 years old and there is now support for an async node crypto.
However, I'd like to put forward an argument for supporting async crypto functions in NodeJS - or rather, support for custom signing/verifying functions.
It is becoming an increasing requirement that applications perform cryptographic operations using external key management services such as AWS KMS and Azure Key Vault - this allows non-exportable private keys, possibly backed by Hardware Security Modules, to be used to perform cryptographic operations externally to the application memory.
In these circumstances the application has no access to the secret material and so cannot pass it to node's native crypto functions. Instead, a REST API or similar interaction must be performed to obtain the output and this is an async operation.
At the moment this library supports the fact that signing and verifying operations are asynchronous, the final piece of the puzzle is to allow some way to replace the built-in node crypto integration with a provided operation.
There could be a couple of ways to do this:
KeyLike
type, an internal key type could be created that can hold references to how it performs signing/verifying and this could be provided to the library by a consumer allowing signing to be handed-off to an external service.SignOptions
/VerifyOptions
that are passed to thesign
/verify
functions, when these are supplied they could be used in place of the runtime functions.Beta Was this translation helpful? Give feedback.
All reactions