-
-
Notifications
You must be signed in to change notification settings - Fork 64
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
RSA public/private key #19
Comments
I'd like to add two remarks, if you don't mind:
So an ideal implementation of RSASigner IMHO would detect if the provided key is a private or public key. If it's a private key, both functions can work directly using it. If it's a public key, |
Ah, being able to use If it's that easy to use the private key for verification then we should definitely avoid asking the user to input both keys. That's another user input step which I'm happy to avoid. I'm thinking the best solution here is to have the RSA signers take a Key enum: enum Key {
case public(value: Bytes)
case private(value: Bytes)
} In an attempt to create a JWT with a By not requiring the private key we can allow this package to be used in client code. The {
"signer": {
"type": "rsa",
"algorithm": "rs256",
"key": {
"type": "public",
"value": "..."
}
}
} |
I think introducing a public enum or otherwise changing the current public interface is not necessary. The RSASigner could try to parse the raw bytes in both formats and see which function returns success, throwing an error only in sign mode with a public key, or if neither decoding worked. Everything else should Just Work transparently. (Also, if RSASigner was a class instead of a protocol, it would be possible to decode the key only once in the initializer instead of in each request. It's an immutable bag of big integers, and as DER-encoded bytes are held in memory anyway, keeping the RSA in too is not less secure.) |
+1 to the idea of parsing the key once and holding onto that. However, I like the clarity around providing either a public or private key at the configuration level. If someone reading the code sees I'll throw together a PR for this and see if there are any underwater rocks with either option that might make the other more attractive. |
Unless I'm mistaken, the RSA signers should have a separate public and private key. The private key is used for signing and the public key is used for verifying the signature.
Right now you can only add one key that is used for both.
The text was updated successfully, but these errors were encountered: