Skip to content

Purge SJCL #73

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
Nov 19, 2017
Merged

Purge SJCL #73

merged 4 commits into from
Nov 19, 2017

Conversation

jeskew
Copy link
Contributor

@jeskew jeskew commented Nov 19, 2017

The SJCL, even just the parts we're vendoring, is a large, sophisticated crypto dependency that we're not actually using. It would be a lot of noise for any automated or manual security review of the SDK.

The SJCL was still being used in the random source packages, but the only runtimes we're targeting that don't support IE 11 Crypto or WebCrypto (to wit, React Native and potentially NativeScript) also wouldn't be able to use the SJCL's fortuna implementation, as it relies on attaching event listeners to window and document.

I've saved a reversion of the last commit on my fork if we do end up needing these packages.

@chrisradek
Copy link
Contributor

Interesting... so we'll still need to figure out a solution in react-native. Do you know if file:// is considered a secure context? I wonder how much this will decrease our bundle size!

I'm fine with removing it assuming code build passes.

@jeskew
Copy link
Contributor Author

jeskew commented Nov 19, 2017

Contexts starting with file:// and http://localhost are considered secure, but getRandomValues is available in insecure contexts as well.

We will need to figure something out for idempotency tokens in react native, but that is true with or without this PR.

@chrisradek
Copy link
Contributor

At least right now it's just idempotency tokens we have to worry about. At least customers can manually provide those to get around it.

@jeskew jeskew merged commit 1ea275c into aws:master Nov 19, 2017
@jeskew jeskew deleted the fix/purge-sjcl branch November 19, 2017 21:19
trivikr referenced this pull request in trivikr/aws-sdk-js-v3 Dec 10, 2018
@jeskew
Purge SJCL (#73)
91db7be 
* Remove SJCL from browser random source

* Use crypto feature detection rather than generic runtime detection

* Remove packages vendoring portions of the SJCL

* Fix flaky signature tests
@lock
Copy link

lock bot commented Sep 26, 2019

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs and link to relevant comments in this thread.

@lock lock bot locked as resolved and limited conversation to collaborators Sep 26, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@jeskew @chrisradek