This package provides a cross-platform implementation of the Web Cryptograph API.
Disclaimer: This is not an officially supported Google product.
This packages provides an implementation of the
Web Cryptograph API across multiple platforms. Outside the
browser, this package features a native implementation embedding
BoringSSL using dart:ffi
. When used inside a
web browser this package wraps the window.crypto
APIs and
providing the same Dart API as the native implementation.
This way, package:webcrypto
provides the same crypto API on Android, iOS, Web, Windows, Linux and Mac.
Example
import 'dart:convert' show base64, utf8;
import 'package:webcrypto/webcrypto.dart';
Future<void> main() async {
final digest = await Hash.sha256.digestBytes(utf8.encode('Hello World'));
print(base.encode(digest));
}
Features:
- Get random bytes
- Digest (sha-1/sha-256/sha-384/sha-512)
- HMAC (sign/verify)
- RSASSA-PKCS1-v1_5 (sign/verify)
- RSA-PSS (sign/verify)
- ECDSA (sign/verify)
- RSA-OAEP (encrypt/decrypt)
- AES-CTR, AES-CBC, AES-GCM (encrypt/decrypt)
- ECDH (deriveBits)
- HKDF (deriveBits)
- PBKDF2 (deriveBits)
- BoringSSL, Chrome and Firefox implementations pass the same test cases.
Missing:
- Exceptions and errors thrown for invalid input is not tested yet.
- The native implementation executes on the main-thread, however, all expensive APIs are asynchronous, so they can be offloaded in the future.
For a discussion of the API design of this package,
see doc/design-rationale-md
.
Unlike most plugins it is possible to run code that uses package:webcrypto
with flutter test
. For this to work the native library must be built in the
application folder where flutter test
is called. This can be done with:
# Only necessary when package:webcrypto is used from 'flutter test'
# This is not necessary for development with 'flutter run' and hot-reload
$ flutter pub run webcrypto:setup
# Now it's possible to run tests that uses package:webcrypto
$ flutter test test/my_test_file_using_webcrypto.dart
This requires:
cmake
- a C compiler (like
gcc
orclang
) - Linux or Mac.
The native library will be stored in .dart_tool/webcrypto/
which should
not be under source control.
It is also possible to run tests with Flutter Web using
flutter test -p chrome
, this does not require any additional setup steps.
This package has a few limitations compared to the
Web Cryptograph API. For a discussion of parity with
Web Cryptography APIs see doc/webcrypto-parity.md
.
deriveKey
is not supported, however, keys can always be created fromderivedBits
which is supported.wrapKey
is not supported, however, keys can be exported an encrypted.unwrapKey
is not supported, however, keys can be decrypted and imported.AES-KW
is not supported because it does not supportencrypt
/decrypt
.
This package has many tests cases to asses compatibility across the native implementation using BoringSSL and various browser implementations of the Web Cryptography APIs.
At the moment compatibility testing is limited to native implementation, Chrome, Firefox and Safari.
Known Issues:
- Chrome and BoringSSL does not support valid ECDH spki-formatted keys exported by Firefox prior to version 72.
- Firefox does not support PKCS8 import/export for ECDSA and ECDH keys.
- Firefox does not handle counter wrap around for
AES-CTR
. - Safari does not support P-521 for ECDSA and ECDH.
- The browser implementation of streaming methods for encryption,
decryption, signing and verification buffers the entire input, because
window.crypto
does not expose a streaming API. However, the native implementation using BoringSSL does support streaming.