Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add support for RSA-PSS (PS256, PS384, PS512) signatures #72

Closed
babelouest opened this issue Aug 1, 2018 · 6 comments
Closed

Add support for RSA-PSS (PS256, PS384, PS512) signatures #72

babelouest opened this issue Aug 1, 2018 · 6 comments
Labels
enhancement

Comments

@babelouest
Copy link
Contributor

To complete the jwa support, libjwt should also support RSA-PSS signatures.

I have to admit, even if it seems easy to add, the RSA-PSS algorithm support is quite new in OpenSSL and GnuTLS librairies.

Do you think it's a good idea at the time?
@babelouest
Copy link
Contributor Author

I answer to myself:
In GnuTLS, RSA-PSS signing and verification is available in the 3.6 branch but not in the 3.5 branch
In OpenSSL, RSA-PSS is available in the 1.1.1 branch but not in the 1.1.0 branch

Both versions are still not officially released, and it will take a little bit longer to be available in the distribs, so I guess the better approach is to wait a little bit longer.

Although, if I'm right, the changes would look like:

Include file

// include/jwt.h insert on line 62
	JWT_ALG_PS256,
	JWT_ALG_PS384,
	JWT_ALG_PS512,

GnuTLS

// libjwt/jwt-gnutls.c insert line 150
	case JWT_ALG_PS256:
		alg = GNUTLS_DIG_SHA256;
		pk_alg = GNUTLS_PK_RSA_PSS;
		break;
	case JWT_ALG_PS384:
		alg = GNUTLS_DIG_SHA384;
		pk_alg = GNUTLS_PK_RSA_PSS;
		break;
	case JWT_ALG_PS512:
		alg = GNUTLS_DIG_SHA512;
		pk_alg = GNUTLS_PK_RSA_PSS;
		break;
// And also change the function jwt_verify_sha_pem accordingly

OpenSSL

// libjwt/jwt-openssl.c insert line 198
	/* RSA-PSS */
	case JWT_ALG_PS256:
		alg = EVP_sha256();
		type = EVP_PKEY_RSA_PSS;
		break;
	case JWT_ALG_PS384:
		alg = EVP_sha384();
		type = EVP_PKEY_RSA_PSS;
		break;
	case JWT_ALG_PS512:
		alg = EVP_sha512();
		type = EVP_PKEY_RSA_PSS;
		break;
// Make similar inserts in function jwt_verify_sha_pem

babelouest added a commit to babelouest/libjwt that referenced this issue Jul 26, 2019
@babelouest
Implement RSA-PSS sign/verification as mentionned in benmcollins#72
8bc8c12
@babelouest
Copy link
Contributor Author

I am able to sign and verify jwt using RSA-PSS algorithm using the GnuTLS backend!
https://github.com/babelouest/libjwt/tree/rsa-pss

(spoiler alert: it's not as easy as I thought in the post above... :p )

Now I need to complete the openssl backend but I'm less fluent in openssl library than in gnutls library.

@benmcollins (and others), if you're willing to help and have time to help on the openssl part, I'd be very grateful :-)

@benmcollins
Copy link
Owner

Since you have test cases, I should be able to get this setup quickly. JWT.io has PS256/384 tests so I can validate against that.

@babelouest
Copy link
Contributor Author

Thanks, jwt.io was helpful to me too.
I found this SO question that seems helpful to understand rsa-pss sign/verification with libssl: https://stackoverflow.com/questions/44546272/activate-padding-and-salt
Otherwise, the documentation seems very slim...

@babelouest
Copy link
Contributor Author

@benmcollins , do you want me to open a pull request to your repo, so you can continue from my code in a new branch?

@benmcollins
Copy link
Owner

Completed in current code base.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@benmcollins @babelouest