Releases: TogaTech/tEnvoy

Minified Node, NPM, CI

02 May 19:54

This release contains a minified version of the Node.js distribution of tEnvoy, which can now be installed through npm (npm install tenvoy). Additionally, we added CI to autominify tEnvoy files and run a tester on commit, and we used CI to push changes to NPM on release.

Updated Key Class References

27 Apr 14:36

In addition to being able to instantiate keys with tEnvoyPGPKey, tEnvoyNaClKey, and tEnvoyNaClSigningKey, you can now use tEnvoy.PGPKey, tEnvoy.NaClKey, and tEnvoy.NaClSigningKey.

Node.js Support

27 Apr 04:23

You can now use tEnvoy with Node.js.

const { tEnvoy, tEnvoyPGPKey, tEnvoyNaClKey, tEnvoyNaClSigningKey } = require("./node/tenvoy.js");

We have also created a ./node/tester.js, which will be used in the future as a tester to ensure that tEnvoy works as intended.

Fix Bug with Shared Key Generation

27 Apr 04:00

This release fixes a bug with shared key generation when using privateKey.genSharedKey(publicKey).

v6 Rewrite

27 Apr 02:32

Notice: v6 is NOT backwards-compatible with v5. There are known bugs in v5 that were fixed in v6, so we highly recommend that you update your program to work with v6 as soon as possible.

The most important part of this release is the expanded browser compatibility. In v5, we used #variableName to keep sensitive class fields private, but this new standard has not yet been adopted by all browsers. We have updated the class syntax to allow for private fields through scoped variables while ensuring that tEnvoy is compatible with more browsers.

This release contains a huge overhaul of the method structures. All methods are organized into TogaTech.tEnvoy.core, TogaTech.tEnvoy.hash, TogaTech.tEnvoy.keyFactory, TogaTech.tEnvoy.random, and TogaTech.tEnvoy.util. Additionally, most methods support formal parameters instead of an ambiguous args object as a single parameter. The only methods that still use a single parameter object are the key generation methods, which have a complex set of optional features.

Additionally, we have added the .toPublic() method to tEnvoyPGPKey, tEnvoyNaClKey, and tEnvoyNaClSigningKey, which converts a private key object to a public key object.

In terms of security, we added constant-time comparison to our password verification methods of key objects to protect against side-channel attacks.
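The two v6 changes described above (private state held in scoped variables instead of #variableName, and constant-time password comparison), as an added example that is not tEnvoy's own code. SketchKey, constantTimeEqual and their methods are hypothetical names chosen for this sketch.

```javascript
// Added example; SketchKey and its methods are hypothetical, not tEnvoy's API.

// Constant-time equality: every byte is examined, so the run time does not
// reveal the position of the first mismatch.
function constantTimeEqual(a, b) {
  let diff = a.length ^ b.length; // length mismatch is folded in, no early return
  const n = Math.max(a.length, b.length);
  for (let i = 0; i < n; i++) {
    diff |= (a[i] | 0) ^ (b[i] | 0); // out-of-range reads become 0
  }
  return diff === 0;
}

class SketchKey {
  constructor(keyBytes, password) {
    const enc = new TextEncoder();
    // Closure-scoped state: no property on the instance exposes these values.
    const key = Uint8Array.from(keyBytes);
    const pass = enc.encode(password);
    const verify = (candidate) =>
      constantTimeEqual(enc.encode(String(candidate)), pass);

    this.verifyPassword = verify;
    this.getKey = (candidate) => {
      // Calls the closure's verify, not this.verifyPassword, so replacing the
      // public method cannot bypass the check.
      if (!verify(candidate)) throw new Error("incorrect password");
      return Uint8Array.from(key); // hand out a copy, never the internal array
    };
    Object.freeze(this); // public methods cannot be reassigned on this instance
  }
}
```

The loop still runs for as long as the longer input, so comparing fixed-length digests of the password rather than the raw bytes avoids exposing its length.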

Finally, we fixed some bugs:

  • Promise-based methods now use reject instead of throw
  • tEnvoyPack now correctly handles arrays containing all numbers but with floats, numbers less than 0, or numbers greater than 255
  • General bugfixes (typos, incorrect error messages, improved error handling)
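Why arrays of floats, negative numbers, or numbers above 255 need their own path in a byte-oriented packer, as an added example that is not tEnvoy's code: coercing such an array into a Uint8Array silently wraps and truncates its values. The function names and the one-byte type tags are hypothetical.

```javascript
// Added example; the function names and one-byte type tags are hypothetical.
const TAG_BYTES = 1; // array that fits in a Uint8Array unchanged
const TAG_JSON = 2;  // any other array, kept as UTF-8 JSON

// Naive check: "every element is a number" is not enough to treat an array as bytes.
function naiveIsByteArray(arr) {
  return arr.every((x) => typeof x === "number");
}

// Strict check: only integers in 0..255 survive a Uint8Array round trip.
function isByteArray(arr) {
  return arr.every((x) => Number.isInteger(x) && x >= 0 && x <= 255);
}

// Pack an array as [tag][body]; the check decides which body encoding is used.
function packArray(arr, check = isByteArray) {
  const asBytes = check(arr);
  const body = asBytes
    ? Uint8Array.from(arr) // wraps modulo 256 and drops fractions if the check lied
    : new TextEncoder().encode(JSON.stringify(arr));
  const out = new Uint8Array(1 + body.length);
  out[0] = asBytes ? TAG_BYTES : TAG_JSON;
  out.set(body, 1);
  return out;
}

function unpackArray(packed) {
  const body = packed.subarray(1);
  if (packed[0] === TAG_BYTES) return Array.from(body);
  if (packed[0] === TAG_JSON) return JSON.parse(new TextDecoder().decode(body));
  throw new Error("unknown type tag");
}
```

With the naive check, `[256, -1, 1.5]` comes back from a round trip as `[0, 255, 1]` without any error being raised; with the strict check it comes back unchanged.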

Updated Key Class References

27 Apr 05:05

In addition to being able to instantiate keys with tEnvoyPGPKey, tEnvoyNaClKey, and tEnvoyNaClSigningKey, you can now use tEnvoy.PGPKey, tEnvoy.NaClKey, and tEnvoy.NaClSigningKey.

Added Security Through Private Variables

31 Mar 05:20

We ensured that all internal uses of methods are either referenced through this.methodName or this.#parentObject.methodName to slightly increase security and resistance to methods being overwritten. However, objects should still be properly scoped to protect the methods.

Better Side-Channel Attack Resistance, More tEnvoyPack Support

30 Mar 23:00

In this release, we added better side-channel attack resistance to NaCl operations. PGP operations are resistant to side-channel attacks through OpenPGP.js, but we could not confirm the existence of side-channel attack resistance in TweetNaCl.js. Therefore, we made sure randomized padding was added to the end of every NaCl-encrypted message, and in our Uint8Array conversion methods, we added operations (similar to the operations on the actual content array) on a fake array with the same length as the padded portion. Although there is still a small risk of side-channel attacks or detection of the data type of the message, encryption and decryption are much more resistant to these kinds of attack vectors.
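The padding half of the change described above, as an added example that is not tEnvoy's code and does not reproduce its dummy-array operations. The length-prefixed layout, the 255-byte maximum, and all names are assumptions of this sketch, not tEnvoy's wire format.

```javascript
// Added example; layout and names are this sketch's own, not tEnvoy's wire format.
// Web Crypto: global in browsers and recent Node.js, else loaded from the crypto module.
const webcrypto = globalThis.crypto || require("crypto").webcrypto;

const HEADER = 4;    // big-endian content length
const MAX_PAD = 255; // padding length is one uniformly random byte

// Layout: [4-byte length][content][0..255 random bytes].
function padRandom(content) {
  const padLen = webcrypto.getRandomValues(new Uint8Array(1))[0];
  const out = new Uint8Array(HEADER + content.length + padLen);
  new DataView(out.buffer).setUint32(0, content.length);
  out.set(content, HEADER);
  // Random filler, so the padding carries no fixed pattern.
  if (padLen > 0) webcrypto.getRandomValues(out.subarray(HEADER + content.length));
  return out;
}

// Strip the padding again, rejecting buffers whose header cannot be honest.
function unpadRandom(padded) {
  if (padded.length < HEADER) throw new Error("padded message too short");
  const view = new DataView(padded.buffer, padded.byteOffset, padded.byteLength);
  const len = view.getUint32(0);
  if (len > padded.length - HEADER) throw new Error("declared length exceeds buffer");
  return padded.slice(HEADER, HEADER + len);
}

// What the padded size still tells an observer: a range of possible content lengths.
function lengthRange(paddedLength) {
  const max = paddedLength - HEADER;
  return { min: Math.max(0, max - MAX_PAD), max };
}
```

lengthRange makes the residual leak concrete: the padded size no longer gives the exact content length, but it still bounds it.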

Additionally, we added support for more datatypes in tEnvoyPack, our new standard for encrypting and decrypting messages with tEnvoyNaClKey. Along with these features, we added the pack and unpack methods, which wrap around our Uint8Array conversion methods.

Symmetric Key Generation

25 Mar 18:58

By using genPGPSymmetricKey({passwordProtected: [], password: null, key}) or genNaClSymmetricKey({passwordProtected: [], password: null, key}), you can generate keys for symmetric encryption.

NaCl Cryptography

25 Mar 18:35

This release includes full support for NaCl cryptography, including encryption and decryption using shared keys (generated from a private and a public key using Diffie-Hellman key exchange) and secret keys (for symmetric cryptography), as well as signatures, signature verification, and signature verification based on message.

We also added some helper methods, mixedToUint8Array(mixed, includeType = false, length = null) and uint8ArrayToMixed(uint8Array, includeType = false), which convert between mixed values (String, Integer, Array, Uint8Array, JSON/Object) and Uint8Array. The type can optionally be included, in which case it is automatically preserved in the conversion. A length can also be given: the output is padded if it is smaller than length and cut off if it is larger.