Implement EdDSA Signer #605
@Slamdunk this looks quite good, thanks 👍
I've got a few small requests, though 😬
Ed25519 is awesome: among the asymmetric signing algorithms it is the fastest, and its keys are so easy to store and generate:
try {
    return sodium_crypto_sign_detached($payload, $key->contents());
} catch (SodiumException $sodiumException) {
    throw new InvalidKeyProvided($sodiumException->getMessage(), 0, $sodiumException);
I've used the InvalidKeyProvided exception but not its factory methods, because SodiumException has a much wider scope.
We could introduce a named constructor there but this works too.
@Slamdunk I'm just wondering about the optional dependency on sodium... Do you have anything against just requiring it? We added the mbstring requirement in the past (which is only there for ECDSA), so the precedent is there. Apart from that, sodium is pretty stable and works really well - I have it enabled in most of the projects I work on. That would allow for us to remove the checks and move the "breakage" to build time instead of runtime. I had the idea in the past to break the signers into satellite repositories but that creates more complexity for very little benefit. What's your take?
Sub-packages are a good idea for non-core features that require external libraries, you don't want to be slowed down in the mainline by a dependency.
No: often maintainers prefer PRs that do not force anything on users, so I went with a runtime check, since we haven't had a prior discussion. Here comes the updated push
@Slamdunk I just rebased to add the GPG signature on commits and tidy the history a bit. Will merge once CI is done. Thanks a lot!
Hope to see this in 4.1.0 release
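The points discussed in this thread (the runtime sodium check, wrapping SodiumException, and how simple Ed25519 keys are to generate and store) shown together as an added example; it is not code from the pull request or the library. `ExampleInvalidKey`, `eddsaSign` and `eddsaVerify` are hypothetical names, and the payload and key pair are constructed sample data.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for the library's InvalidKeyProvided exception.
final class ExampleInvalidKey extends InvalidArgumentException {}

// Runtime check, the approach the PR first took; requiring ext-sodium in
// composer.json would move this failure to install time instead.
if (! extension_loaded('sodium')) {
    throw new RuntimeException('ext-sodium is required for EdDSA');
}

function eddsaSign(string $payload, string $secretKey): string
{
    try {
        return sodium_crypto_sign_detached($payload, $secretKey);
    } catch (SodiumException $e) {
        // SodiumException covers more than bad keys, so keep it as $previous.
        throw new ExampleInvalidKey($e->getMessage(), 0, $e);
    }
}

function eddsaVerify(string $signature, string $payload, string $publicKey): bool
{
    try {
        return sodium_crypto_sign_verify_detached($signature, $payload, $publicKey);
    } catch (SodiumException $e) {
        // Wrong-length signature or key: malformed input, not a mere mismatch.
        throw new ExampleInvalidKey($e->getMessage(), 0, $e);
    }
}

// Constructed sample data: a fresh key pair and a made-up payload.
$keyPair   = sodium_crypto_sign_keypair();
$secretKey = sodium_crypto_sign_secretkey($keyPair); // 64 bytes
$publicKey = sodium_crypto_sign_publickey($keyPair); // 32 bytes
$stored    = base64_encode($secretKey);              // easy to store as text

$payload   = 'header.claims';
$signature = eddsaSign($payload, base64_decode($stored, true));

var_dump(eddsaVerify($signature, $payload, $publicKey));       // valid signature
var_dump(eddsaVerify($signature, $payload . 'x', $publicKey)); // tampered payload

try {
    eddsaSign($payload, 'too-short'); // not SODIUM_CRYPTO_SIGN_SECRETKEYBYTES long
} catch (ExampleInvalidKey $e) {
    echo get_class($e->getPrevious()), PHP_EOL;
}
```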