We have created a small sample app in the repo: https://github.com/svinayiw/webcrypto
to demonstrate this problem. The app runs without error on android, but when running on ios, it generates the error:

The operation failed for an operation-specific reason

We have used this bit of code on several platforms (web, node.js and react-native). It only seems to fail under react-native on ios. Can you help us understand:

• Is this a bug/problem in react-native-webview-crypto or perhaps in our usage of it?
• Is there a way to get a more descriptive error back from the method running in the webview

Sorry, there's some unnecessary junk in utils/crypto.ts building up the message to send to subtle.sign. I've tried setting message to something simpler, like just the string "This is a test message" and I still get the same error.

To replicate:
npm start
npm run ios
In the emulator, press the "Sign key" button
Observe the error message in the console

Can try on android:
hpm start
npm run android
Press button and no error message (and by the way, signing works correctly for us on android)

update facebook/react-native#1424 when finished

This happens on Android when app is closed and opened again.
The new React component is created but the global module context holds old reference to worker.

npm ERR! node_modules/react-native
npm ERR!   react-native@"0.63.4" from the root project
npm ERR!   peer react-native@">=0.56" from [email protected]
npm ERR!   node_modules/react-native-webview-crypto
npm ERR!     react-native-webview-crypto@"*" from the root project
npm ERR! 
npm ERR! Could not resolve dependency:
npm ERR! peer react-native@">=0.60 <0.62" from [email protected]
npm ERR! node_modules/react-native-webview
npm ERR!   react-native-webview@"*" from the root project
npm ERR!   peer react-native-webview@"^8.*" from [email protected]
npm ERR!   node_modules/react-native-webview-crypto
npm ERR!     react-native-webview-crypto@"*" from the root project

Is it possible to get this working with the latest react native?

When running generateKey with extractable set to false:

await generateKey({"name": "ECDSA", "namedCurve": "P-256"}, false, ["sign", "verify"])

the following error is always thrown:

stringify error InvalidAccessError: key is not extractable

This was encountered by others too: smallbets/userbase#275

The above code should generate a key pair with an unextractable private key.

I'm having issues on current React Native (0.69.5). Is the package being actively maintained? Open to P/R's? Available to ask questions?

Error:
Invariant Violation: EdgeInsetsPropType has been removed from React Native. Migrate to EdgeInsetsPropType exported from 'deprecated-react-native-prop-types'.

I'm trying to decrypt data that I received from BE, I'm using the same generated aesKey for that and when I'm trying to call the decrypt method
await crypto.subtle.decrypt( { name: "AES-GCM", iv: iv, additionalData: authData }, aesKey, authTag)
then I receive an warning:
Possible Unhandled Promise Rejection (id: 12): Object { "message": "The operation failed for an operation-specific reason", "name": "OperationError", "stack": "", }
It occurs only on iOS / Android, when I'm using the same methods on web itself then it works perfectly. Is there any limitation due to using crypto in webview on mobile apps?

One thing that I would like to change asap is that getRandomValues currently doesn't fill the buffer immediately. I can see why the current approach was done, but I think that it's a security bug waiting to happen.

Some alternatives as I see them:

1. Build a native module that exports an initial seed derived from a secure RNG, then use that seed in a JavaScript implemented RNG that we call when getRandomValues is called. If done correctly, this should keep the properties of the underlying secure RNG.

2. Keep a pool of random data that asynchronously fills by polling the webview for more data. If getRandomValue is called when there isn't enough random data, throw an error.

3. Add getRandomValues directly into React Native as a pull request.

I would love to see option 3 here, but realistically I think that option 2 is the easiest to implement short term. Option 1 would require very much scrutiny and tests to make sure that our RNG maintains the security properties of the underlying. Basically, we would need to check which RNG e.g. Android uses and implement the same one in JavaScript.

I think I'll try to take a stab at option 2, since it should be a quick fix.

Hi! Thank you for checking out this issue! To keep it brief:

I'm staring a bare project using expo init, then follow this tutorial to fix Webview-Crypto imports. Using the latest version of react-native-webview-crypto at 0.0.24.

On iOS (hardware and emulator), when calling crypto.subtle.x() functions (eg generateKey()), they execute very quickly and efficiently.

On Android (hardware and emulator), the MainWorker seems to get stuck when executing the same code:

App.js looks like this:

<SafeAreaProvider>
      <PolyfillCrypto debug={(verbose) => console.log(verbose)} />
      <AuthProvider>
            <Navigator/>
      </AuthProvider>
</SafeAreaProvider>

Upon calling a crypt.subtle function, I can see the message being sent to the WebView, but nothing is printed after that. So when executing the following...

const hm = await global.crypto.subtle.generateKey({
            name: "RSA-OAEP",
            modulusLength: 4096,
            publicExponent: new Uint8Array([1, 0, 1]),
            hash: "SHA-256"
      },
      true,
      ["encrypt", "decrypt"]
)

I'm seeing the following (via the verbose console-debug-print in PolyfillCrypto), meaning that PolyfillCrypto is mounted.

[webview-crypto] Sending message: {"method":"subtle.generateKey","args":[{"name":"RSA-OAEP","modulusLength":4096,"publicExponent":{"0":1,"1":0,"2":1},"hash":"SHA-256"},true,["encrypt","decrypt"]],"payloadObject":{"method":"subtle.generateKey","id":"494f-a099-9147-18cb-7986-e1b7-7d03-515a","args":[{"name":"RSA-OAEP","modulusLength":4096,"publicExponent":{"0":1,"1":0,"2":1},"hash":"SHA-256"},true,["encrypt","decrypt"]]}}

On iOS, following above message, I see many more messages, and a generated key. On Android the call gets stuck.

The only thing that I haven't taken care of is the blank.html asset, mentioned in the README. Though when looking at the code in the latest version, the part of the code that requires that is commented out. Anyhow, I tried creating the blank.html page, and putting it in different places to no avail (Expo managed workflow has no separate android/.../src/assets folder).

Any ideas on how to make the PolyfillCrypto work for Expo Android? I've tested this behaviour on 3 different android phones, and two android emulators. Each time a subtle function is being called, the call gets stuck.

Thank you for your time and help! 🙏

me and @sleaper we develop an app which makes a lot of concurrent calls into the webview. Hundreds, possibly thousands at once.
Would be really cool if this could batch those into a single payload to avoid the overhead of sending hundreds of separate payloads there and back.

From https://www.chromium.org/blink/webcrypto

Access to the WebCrypto API is restricted to secure origins (which is to say https:// pages).

When react-native-webview-crypto creates the WebViewBridge it specifies for URI about:blank which isn't considered secure by chrome (And so most of newest androids) - As of now, if you open about:blank page in chrome (72.0), open the console and run window.crypto.subtle you'll get undefined. If you try the same on any HTTPS site you'll get the crypto API

A possible workaround would be for WebViewBridge to open a HTTPS website... but then that means that the crypto module will need an internet connection to run.

Is there any other way for the webview to accept an offline site as secure?

Hi Folks,

I use the react native webview component to load up my log in screen on the Mobile application. With the latest Safari on iOS update in iOS 15, there is a need to make the webview load in a secure context. I use https:// to load the webview.
I use the PolyfillCrypto from this library which enables me to use window.crypto.subtle.
But when I try to use window.crypto.subtle.generateKey function, the method throws an exception saying undefined is not an object (evaluating 'a.subtle()[f]')

Is there some way I can load the webview in a secure context other than just having a https session?

Link from Apple team: https://trac.webkit.org/changeset/279628/webkit

Any help appreciated. Thanks.

@sirpy I got an error {"message": "exception in stringify-ing message: subtle.digest c796-dd57-8df1-2fcc-95f4-61f6-8e36-10d9", "reason": [RangeError: Maximum call stack size exceeded.]} when I tried to store image data base64 in gunDB user graph. It works fine in web. Do you have any idea how to fix it?

Hi there,

As this closed issue points out #22

I am getting an error:

{
  "message": "exception in stringify-ing message: subtle.encrypt 6fd0-0d4a-2fda-9ba2-b4f4-86fc-dfc3-f529", 
  "reason": [RangeError: Maximum call stack size exceeded.]
}

The exception is thrown by this piece of code:

const cipherText = await crypto.subtle.encrypt(
    {
        name: "AES-CBC",
        iv: IV,
    },
    sessionKey,
    Buffer.from(message)
)

Where sessionKey is a CryptoKey and message is a JSON object as follows:

const message = JSON.stringify({
    type: "IMG",
    message: '<base64 JPG string 583,608 characters long>'
})

I am using the following versions:

  "react": "^18.0.0",
  "react-native": "^0.69.7",
  "buffer": "^6.0.3",
  "react-native-webview": "^11.23.1",
  "react-native-webview-crypto": "^0.0.25",

Any advice?

Thanks
Francesco