I like to leave it as an idea here, just to think about it or to research: how about porting a good and performant RNG as a WebAssembly library which provides API for JavaScript instead of using JavaScript's Math.random(), and using the latter as a fallback with a fair warning for developers?

Rust wraps providers of operating system's RNGs and it also discloses that some browsers support Crypto.getRandomValues() as a better RNG for cryptographic operations.

问题：

keypire使用报错

测试步骤：

import keypair from 'keypair';
const pair = keypair();

现状：

core.mjs:11754 ERROR TypeError: crypto.randomBytes is not a function
at ctx.seedFileSync (index.js:1032:21)
at _reseedSync (index.js:921:21)
at ctx.generateSync (index.js:874:9)
at ctx.generate (index.js:801:18)
at forge.random.getBytes (index.js:1831:23)
at Object.nextBytes (index.js:1858:28)
at BigInteger.bnpFromNumber [as fromNumber] (index.js:2552:4)
at new BigInteger (index.js:1898:35)
at pki.rsa.stepKeyPairGenerationState (index.js:3972:21)
at pki.rsa.generateKeyPair (index.js:4322:13)

版本信息：

v1.0.4

期望：

成功

This just started happening when run in a browser it throws

crypto.randomBytes is not a function and I am not exactly sure how to circumvent this.

Hi

Would it be possible to use this lib with authorized_keys on Linux?

Reading http://askubuntu.com/questions/46424/adding-ssh-keys-to-authorized-keys it says

This public key has the .pub extension when generated using ssh-keygen and its contents begin with ssh-rsa AAAAB3.

All my pubkeys generated with keypair starts with MIIEp. Would this be a problem?

The '\n' printing in the key values makes the key values useless. When doing a POST method with these keys as input, the string treats '\n' as characters rather than new line. Hence when calculating the fingerprints it always give an error.

Kindly look into this issue.

The basic use case for a keypair is to sign and verify. verification commonly works with the public key derived from a certificate (x.509). That means that this pblic key by itself cannot be used to sign and verify, for example, with jsrsasign

A huge thanks for this awesome script, it saved me weeks of senseless solution finding
:)

I'd like to use keypair client-side. I tried creating index.html with:

<script type="text/javascript" src="keypair.js"></script>
<script type="text/javascript">
var pair = keypair();
console.log(pair);
</script>

but it doesn't work:

Uncaught ReferenceError: module is not defined
Uncaught ReferenceError: keypair is not defined

How to make it available from browser?

var keypair=require('keypair');
console.log(new keypair.BigInteger(16));

/home/engine/private_js/secure.js:1
(function (exports, require, module, __filename, __dirname) { /*
^
TypeError: const 'a' has already been declared
at Object. (/home/engine/private_js/secure.js:1:11)
at Module._compile (module.js:456:26)
at Object.Module._extensions..js (module.js:474:10)
at Module.load (module.js:356:32)
at Function.Module._load (module.js:312:12)
at Function.Module.runMain (module.js:497:10)
at startup (node.js:119:16)
at node.js:906:3
[root@server node_modules]#

I have also tried installing the npm module https://www.npmjs.org/package/jsbn

I get the same error when trying to get jsbn.BigInteger because of keypair.

How can I use BigInteger outside of your module?

package.json says MIT, README says BSD, LICENSE file says BSD or GPL.

Can I use the generate keys for ssh2? I am guessing.. I can use the private key just fine, but I need to convert the public key into ssh2 (with ---- BEGIN SSH2 PUBLIC KEY ----) format so that I can put them under ~/.ssh/authorized_keys before I can connect using ssh2 npm module?

Hello,
I am using the keypair add-on on my server as follows: let pair = keypair();
Each time the server routine is called, it returns the same character sets for the public key. I see that the private key varies (as desired) but the public key is always the same. Starts with MIIB and ends DAQAB
Am I doing something wrong?

Hi, what is the current status of this project? Is it still actively maintained?

It is becoming widely accepted that 1024 bits are too small for an RSA key pair. Please make the default size 2048 bits.

See the following:
http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57_part1_rev3_general.pdf
http://news.netcraft.com/archives/2012/09/10/minimum-rsa-public-key-lengths-guidelines-or-rules.html
http://technet.microsoft.com/en-us/security/advisory/2661254
http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keygen&sektion=1

Type checking

See:

Please change from:

if(crypto) {

to

if(null !== crypto) { # Yoda-Condition not needed

For such critical lib there are too less type checkings in this lib, normally such critical libs should only work in strict mode! :-)

Fallbacks

Currently you're using too many fallbacks to prevent errors. Each fallback/weakening) should be optional. Examples in your code:

1. crypto-lib is optional
2. weak entropy (see

   keypair/index.js

   Line 984 in 9596418

   /* Mozilla claims getRandomValues can throw QuotaExceededError, so

   ).

Recommendation:
In future versions such fallbacks can be added, but just as option. E.g. if crypto is not available you could output an error with a security warning, how to disable required usage of crypto. Same with weaker entropy...

not sure if there is anything that can be done about this but generating keys is damn slow:

var keypair = require('keypair');
console.time();
keypair();
console.timeEnd();

Output of multiple runs on Macbook, 3GHz Intel Core i7:

22324ms
6746ms
1522ms
10037ms

It seems to be more slow on the first run, I guess that's v8 getting it's optimisation on?

If this isn't isolated to me, it might be worthwhile mentioning performance in the readme, and recommend this be run in a child process or something to keep the blocking out of the main thread.