Solving the getRandomValues problem #8

@LinusU

One thing that I would like to change asap is that getRandomValues currently doesn't fill the buffer immediately. I can see why the current approach was done, but I think that it's a security bug waiting to happen.

Some alternatives as I see them:

  1. Build a native module that exports an initial seed derived from a secure RNG, then use that seed in a JavaScript-implemented RNG that we call when getRandomValues is called. If done correctly, this should keep the properties of the underlying secure RNG.

  2. Keep a pool of random data that asynchronously fills by polling the webview for more data. If getRandomValues is called when there isn't enough random data, throw an error.

  3. Add getRandomValues directly into React Native as a pull request.

I would love to see option 3 here, but realistically I think that option 2 is the easiest to implement in the short term. Option 1 would require a great deal of scrutiny and tests to make sure that our RNG maintains the security properties of the underlying RNG. Basically, we would need to check which RNG e.g. Android uses and implement the same one in JavaScript.

I think I'll try to take a stab at option 2, since it should be a quick fix.
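
A sketch of option 2 as described above, added here as an illustration and not code from this project: a pool that is refilled asynchronously while getRandomValues fills the caller's buffer immediately or throws. The class name `EntropyPool`, the `requestMore` callback (standing in for the webview bridge) and the `feed` method are hypothetical names.

```javascript
// Added example: synchronous getRandomValues backed by an asynchronously refilled pool.
// `requestMore(n)` is a hypothetical hook that asks the secure source (e.g. the
// webview's crypto.getRandomValues) for n bytes and later calls pool.feed(bytes).
class EntropyPool {
  constructor(capacity, lowWater, requestMore) {
    this.buf = new Uint8Array(capacity);
    this.len = 0;              // unused random bytes live in buf[0..len)
    this.lowWater = lowWater;  // refill threshold in bytes
    this.requestMore = requestMore;
    this.pending = false;      // at most one refill request in flight
    this.refillIfLow();        // start filling before the first caller arrives
  }

  // Called by the bridge when secure random bytes arrive.
  feed(bytes) {
    this.pending = false;
    const n = Math.min(bytes.length, this.buf.length - this.len);
    this.buf.set(bytes.subarray(0, n), this.len);
    this.len += n;
    this.refillIfLow();
  }

  refillIfLow() {
    if (this.len < this.lowWater && !this.pending) {
      this.pending = true;
      this.requestMore(this.buf.length - this.len);
    }
  }

  // Fills the typed array before returning, or throws. It never returns a
  // buffer that will only be filled later.
  getRandomValues(view) {
    const out = new Uint8Array(view.buffer, view.byteOffset, view.byteLength);
    if (out.length > this.len) {
      this.refillIfLow();
      throw new Error('Not enough random data in pool');
    }
    const start = this.len - out.length;
    out.set(this.buf.subarray(start, this.len));
    this.buf.fill(0, start, this.len); // each byte is handed out once, then wiped
    this.len = start;
    this.refillIfLow();
    return view;
  }
}
```

Callers have to handle the thrown error explicitly (retry after the next refill or fail the operation) rather than fall back to a weaker source such as Math.random.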
