
RSA Signing #5

Closed
collinhundley opened this issue Sep 27, 2016 · 26 comments

Comments

@collinhundley

What would it take to extend this library to support RSA in addition to HMAC? I'd like to use it for signing JWT tokens, but Google only supports RS256.

Looks like CommonCrypto supports it, so I'm assuming OpenSSL does too.

@billabt
Collaborator

billabt commented Sep 27, 2016

I can take a look at it.

@collinhundley
Author

@billabt that would be really helpful, thanks!

@billabt
Collaborator

billabt commented Sep 27, 2016

@collinhundley: What exactly are you looking for? RSA key generation, signing/verification and public/private encryption/decryption? These appear to be the most common and are available with macOS/CommonCrypto and OpenSSL...

@collinhundley
Author

I'd like to sign JWT tokens using RSA. I'm no crypto expert, but I use BlueCryptor for a JWT library and it currently uses HMAC. Google's APIs only support RSA signing though.

@billabt
Collaborator

billabt commented Sep 27, 2016

Ok. I'll see what I can do... Not sure how soon I can get to it. Might have some time this weekend or maybe sooner.

@collinhundley
Author

@billabt any luck here?

@billabt
Collaborator

billabt commented Sep 30, 2016

I haven't had the chance to look at it yet. Possibly this weekend. Been busy with another project. Sorry.

@billabt
Collaborator

billabt commented Oct 3, 2016

After doing some research over the weekend, I found that a key header on macOS is NOT included in the macOS SDK. This header is CommonRSACryptor.h. Not sure why it's not included along with the other CommonCrypto APIs. Without this header, there's no way, other than using the platform-specific (i.e. they're different on iOS versus macOS) keychain APIs. I'm not sure why this header is excluded from the CommonCrypto bundle. I've opened a bug/enhancement request with Apple regarding this. Let's see what they suggest. Doing the RSA operations using OpenSSL is not an issue.

@billabt
Collaborator

billabt commented Oct 3, 2016

I'm still exploring other options...

@collinhundley
Author

Hmm, that is strange. Could we implement the OpenSSL side first while we wait to hear back from Apple? For my particular use I only need the Linux code anyway.

@billabt
Collaborator

billabt commented Oct 3, 2016

I'll have to think about that one... Let me finish exploring other options. I'd prefer to build an API that's going to work for both macOS (and friends) and Linux rather than build one based on the OpenSSL implementation and then have to change it later to make it more generic to accommodate the macOS implementation. I don't think Apple is going to give us access to the CommonRSACryptor.h header anytime soon.

@collinhundley
Author

Makes sense. I might look into the OpenSSL API to get familiar with it, since my project is a bit time sensitive. Might be able to patch something together until we build something more robust.

@billabt
Collaborator

billabt commented Oct 3, 2016

The OpenSSL API for signing is pretty simple. Since you're using BlueCryptor already, you've already got the OpenSSL module available. It should be just a simple matter of calling the API at the appropriate point. Let me know if you run into any issues calling the API, maybe I can help.

@collinhundley
Author

Hey @billabt any progress on this? I'm looking at the OpenSSL API now and noticed that you started an RSA implementation.

@billabt
Collaborator

billabt commented Oct 7, 2016

Still investigating. Trying to avoid use of keychain APIs on macOS.

@collinhundley
Author

I've got an implementation working with OpenSSL on macOS. The advantage is that the API is the same as Linux, but it requires us to import IBM-Swift/OpenSSL-OSX.

@collinhundley
Author

If you want to check out my initial (rough) implementation, you can find it here.

It doesn't follow the Updatable protocol, so I won't submit a PR for it yet. But it's a working example using OpenSSL.

@billabt
Collaborator

billabt commented Oct 8, 2016

Ok, cool. I took a quick look at it. Unfortunately, the way it's implemented forces both CommonCrypto AND OpenSSL to be linked into the binary. This is NOT acceptable. Way too heavyweight. If all you're looking for is signing, I'd suggest that you use an extension to BlueCryptor for your application. This lets you add the functionality to the BlueCryptor framework for your app without forcing BlueCryptor to link both libraries into the framework on macOS. This won't affect your app since you've stated that you're targeting Linux as your platform. All you'd have would be OpenSSL. This'll give you a solution for your app without having to modify the BlueCryptor framework. This'll hold you over until I figure out the best way to provide FULL RSA support in the BlueCryptor framework. Make sense?

@collinhundley
Author

Yeah, the idea isn't to keep the OpenSSL implementation on macOS - it's just an easy way to develop with code completion (especially since I'm not super familiar with the OpenSSL API). However, this implementation is a starting point for the Linux version regardless of the direction you choose to take for macOS. It can be easily modified if you want RSA to adopt Updatable.

@vadimeisenbergibm

Explanation about RS256 of JSONWebToken

JWSAlgorithm.RS256 - RSA PKCS#1 signature with SHA-256
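To make concrete what "RSA PKCS#1 signature with SHA-256" means in the RS256 explanation above, and what the OpenSSL signing call discussed earlier in this thread computes, here is an added example (not code from this issue, BlueCryptor or BlueRSA): a standard-library-only Python implementation of RSASSA-PKCS1-v1_5 with SHA-256 per RFC 8017, used to sign and verify a JWT. The key size, the claims and all function names are constructed for illustration; a real JWT library calls OpenSSL or Security.framework rather than doing the arithmetic by hand, but the encoding shown here is exactly what those libraries produce and check.

```python
import base64
import hashlib
import hmac
import json
import secrets

# DER-encoded DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1).
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def _is_probable_prime(n, rounds=32):
    """Miller-Rabin probabilistic primality test (constructed helper for key generation)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # force top bit and odd
        if _is_probable_prime(cand):
            return cand


def generate_rsa_key(bits=1024):
    """Return (n, e, d). 1024 bits keeps the example fast; use >= 2048 for real keys."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and phi % e != 0 and n.bit_length() == bits:
            return n, e, pow(e, -1, phi)


def emsa_pkcs1_v15_encode(message, em_len):
    """EMSA-PKCS1-v1_5: 0x00 0x01 || 0xFF padding || 0x00 || DigestInfo(SHA-256(message))."""
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    if em_len < len(t) + 11:
        raise ValueError("intended encoded message length too short")
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t


def rs256_sign(message, n, d):
    k = (n.bit_length() + 7) // 8
    em = int.from_bytes(emsa_pkcs1_v15_encode(message, k), "big")
    return pow(em, d, n).to_bytes(k, "big")


def rs256_verify(message, signature, n, e):
    """Verify by re-encoding and comparing the whole block, as RFC 8017 recommends,
    instead of parsing the recovered padding (the parsing approach has a history of bugs)."""
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:
        return False
    s = int.from_bytes(signature, "big")
    if s >= n:
        return False
    recovered = pow(s, e, n).to_bytes(k, "big")
    return hmac.compare_digest(recovered, emsa_pkcs1_v15_encode(message, k))


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_jwt_rs256(claims, n, d):
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")  # the bytes the RSA signature covers
    return f"{header}.{payload}.{b64url(rs256_sign(signing_input, n, d))}"


def verify_jwt_rs256(token, n, e):
    """Return the claims dict if the RS256 signature verifies, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        return None
    # The verifier pins the algorithm it expects; the token does not get to choose it.
    if json.loads(b64url_decode(header_b64)).get("alg") != "RS256":
        return None
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    if not rs256_verify(signing_input, b64url_decode(sig_b64), n, e):
        return None
    return json.loads(b64url_decode(payload_b64))


if __name__ == "__main__":
    n, e, d = generate_rsa_key()
    token = make_jwt_rs256({"iss": "example-service", "scope": "read"}, n, d)  # constructed claims
    print(token)
    print(verify_jwt_rs256(token, n, e))
```

The signature is over the base64url header and payload joined by a dot, so changing a single payload byte invalidates it; and because the DigestInfo prefix is part of the padded block, a SHA-256 signature cannot be passed off as one made with another hash.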

@billabt
Collaborator

billabt commented May 7, 2017

There's another framework that I'm working on that will do what you want. It's just not ready yet. I've still got to add Linux support to it. I'll leave this issue open until it's released and then let you know.

@collinhundley
Author

Hey @billabt, any update here? I've got a new application that needs to be signed using RSA-SHA1. Would love to hear about your new framework, if you've made any progress with it.

@billabt
Collaborator

billabt commented May 26, 2017

@collinhundley: This is still a work in progress. The macOS portion is complete. The Linux side is still a work in progress but we hope to make it available shortly. Look for BlueRSA, currently set up as private but will go public upon completion.

@reitzig

reitzig commented Sep 27, 2017

FWIW, it's possible to use SecKeyCreateEncryptedData and SecKeyCreateDecryptedData directly on (mac|i)OS; with suitable parameters, it'll do RSA. (Unfortunately, I'm not at liberty to share code at this point, sorry.) I'd assume signing is available in a similar way.

Looking forward to BlueRSA, though!

@drewmccormack

Another vote for BlueRSA. Looking forward to it. I need to verify RSA signatures.

@billabt
Collaborator

billabt commented Jan 9, 2019

BlueRSA should provide what you need.

@billabt billabt closed this as completed Jan 9, 2019