Releases: TogaTech/tEnvoy

Fix util.mixedToUint8Array

23 Jun 16:20

We fixed an issue where util.mixedToUint8Array (and indirectly util.pack) would fail when packing a Uint8Array from unpacked JSON.

Fix util.uint8ArrayToMixed

23 Jun 16:03

We fixed an issue where util.uint8ArrayToMixed (and indirectly util.unpack) would fail when unpacking a Uint8Array from packed JSON.

Fix Version

15 Jun 19:06

We fixed an issue where calling .version on an instance of tEnvoy returned an incorrect version. The version property should now return the correct version (v7.0.5 or the latest version).

Backup NaCl Keys

15 Jun 18:55

In this release, we added support for backing up NaCl keys to a list of words (24 words for tEnvoyNaClKey and public tEnvoyNaClSigningKey, 48 words for private tEnvoyNaClSigningKey) through the new backup method. A backup can be restored to a key object with the fromBackup method or by passing the backup option to keyFactory.genNaClKeys, similar to how the key option is used.

Critical Security Fix in verifyWithMessage

15 Jun 17:24

CRITICAL: UPDATE IMMEDIATELY

This release resolves a critical vulnerability in the verifyWithMessage method of tEnvoyNaClSigningKey. Previously, verifyWithMessage would always return true for any signature that had a SHA-512 hash matching the SHA-512 hash of the message even if the signature was invalid.
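
The class of flaw described above beside a corrected check, as an added example that is not tEnvoy's code. It uses Node's built-in Ed25519 and assumes a signed blob laid out as a 64-byte signature followed by the SHA-512 of the message; all function names are hypothetical.

```javascript
// Added example, not tEnvoy source. Assumed blob layout: sig(64) || SHA-512(message).
const { createHash, generateKeyPairSync, sign, verify, timingSafeEqual } = require("node:crypto");

const SIG_LEN = 64;  // Ed25519 signature length in bytes
const HASH_LEN = 64; // SHA-512 digest length in bytes
const sha512 = (message) => createHash("sha512").update(message).digest();

// Hypothetical signer: signs the SHA-512 of the message and returns sig || hash.
function signWithHash(privateKey, message) {
  const hash = sha512(message);
  return Buffer.concat([sign(null, hash, privateKey), hash]);
}

// Flawed pattern: only compares the embedded hash with the message hash.
// The signature bytes are never checked against the public key.
function verifyHashOnly(publicKey, message, blob) {
  const embedded = blob.subarray(SIG_LEN);
  return embedded.length === HASH_LEN && timingSafeEqual(embedded, sha512(message));
}

// Corrected pattern: the signature must verify under the public key,
// and the signed hash must also match the message.
function verifyStrict(publicKey, message, blob) {
  if (!Buffer.isBuffer(blob) || blob.length !== SIG_LEN + HASH_LEN) return false;
  const sig = blob.subarray(0, SIG_LEN);
  const embedded = blob.subarray(SIG_LEN);
  if (!verify(null, embedded, publicKey, sig)) return false;
  return timingSafeEqual(embedded, sha512(message));
}

// Regression cases built from constructed sample data.
function regressionCases() {
  const { publicKey, privateKey } = generateKeyPairSync("ed25519");
  const message = Buffer.from("constructed sample message");
  const good = signWithHash(privateKey, message);
  const tampered = Buffer.from(good); // copy of the valid blob
  tampered[0] ^= 0x01;                // corrupt the signature, leave the hash intact
  return {
    goodStrict: verifyStrict(publicKey, message, good),
    tamperedHashOnly: verifyHashOnly(publicKey, message, tampered),
    tamperedStrict: verifyStrict(publicKey, message, tampered),
    wrongMessageStrict: verifyStrict(publicKey, Buffer.from("other"), good),
  };
}
```

A regression test for a verifier of this kind should include the tampered-signature case, since a test that only checks valid signatures and altered messages passes against both versions.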

Improved Password Storage

14 Jun 04:19

In this release, we improved password storage in key objects: the password is now stored as a packed Uint8Array for longer-term storage in memory. The password Uint8Array is zeroed out along with the key when the destroy method is called. Additionally, we exposed the util.compareConstant method, which compares strings and arrays for equality using operations that are closer to constant-time.

Deterministically Generate tEnvoyNaClSigningKey

13 Jun 20:57

In this release, we added formal support for generating a tEnvoyNaClSigningKey directly from the keyFactory.genNaClKeys method by setting the keyType parameter to privateSigning or publicSigning.

v7

13 Jun 20:30

Notice:

v7 is NOT backwards-compatible with v6. There are known bugs in v6 that were fixed in v7, so we highly recommend that you update your program to work with v7 as soon as possible.

Breaking Changes:

  • Updated the pbkdf2 algorithm that uses PBKDF2-HMAC-SHA256. The v7 pbkdf2 algorithm is more secure but will derive different keys compared to the v6 algorithm.
  • Removed SJCL as a dependency and deleted it from tEnvoy.core.

Features (since v6.0.6):

  • Add ephemeral encryption and decryption capabilities to tEnvoyNaClKey with the methods encryptEphemeral(message, nonce, ?password) and decryptEphemeral(encryptedEphemeral, ?password)
  • Deterministically generate tEnvoyPGPKey using keyFactory.genPGPKeys({keyArmored: "..."})
  • Deterministically generate tEnvoyNaClKey using keyFactory.genNaClKeys({key: "...", keyType: "..."})
  • Add util.arrayDeepCopy to create a deep copy of an Array or Uint8Array
  • Add a setPasswordProtected method to key objects to update the methods that require a password (this method will always require a password)
  • Switch key storage to always use a Uint8Array for storing keys in long-term memory
  • Add a destroy method to key objects to zero out the Uint8Array key in memory and delete all methods from the key

Bugfixes (since v6.0.6):

  • Fixed a bug with util.hexToString

Fix Dependency Issue

04 May 21:59
212defd

We fixed an issue where tEnvoy was accidentally including tenvoy from npm as a dependency.

Minor Bug Fixes

04 May 15:40

A minor bug associated with manually generating a tEnvoyPGPKey, tEnvoyNaClKey, or tEnvoyNaClSigningKey in Node.js is now resolved.