Possible to reduce number of dependencies? #3
Comments
Hello, I agree with the general feel that the dependencies should be as few as possible, however: Currently (on Ubuntu 14.04) the PHP openssl extension does not support ECC at all, a patch for that went in in the beginning of the year (https://bugs.php.net/bug.php?id=66501) which means that using openssl for the EC operations is a non-option. Unfortunately phpseclib does not support EC either, so right now that dependency could be dropped in favour of using openssl for the certificate checks. The selftests should have enough coverage that it's possible to test around with the code what parts work where. /klas
Looking at the pull request linked in that bug, that concerned a bug in php_openssl_is_private_key() which caused openssl_sign() to output a warning when EC keys are used. Not sure if we are affected by is_private_key() not working properly when verifying signatures with openssl_verify().
Played a bit more with it, and it only breaks when passing a key resource to openssl_verify(). Proof of concept that only depends on OpenSSL + phpseclib, and no longer on mdanter/ecc and GMP:
Very interesting! /klas
I am looking for a simple way to add U2F support to a web application.
And it seems this project is capable of doing that, however I am a bit put off by the amount of dependencies pulled in.
Currently one seems to need:
I know one can use Composer to simplify dependency management, however I would really prefer to just have a single PHP file solution instead.
Was wondering that since you are requiring OpenSSL anyway, if it wouldn't be possible to use OpenSSL for the ECDSA validation as well, and get rid of all the other dependencies.
As in:
Is there any reason that wouldn't work, and the existing approach is used?
(haven't tried it yet, as I don't have a U2F token to test with yet)
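The approach asked about here (ECDSA validation with OpenSSL alone), as an added example that is not part of the original issue or the project's code: it wraps the raw 65-byte P-256 public key a U2F token returns in a DER SubjectPublicKeyInfo header and hands the PEM string to openssl_verify() rather than a key resource, following the comment above. The function names are hypothetical, the key and data are constructed, and it assumes PHP 7.1+ with an OpenSSL build that supports EC.

```php
<?php
// Added example, not the project's code. Function names are hypothetical.

// DER header of a SubjectPublicKeyInfo for id-ecPublicKey on prime256v1 (P-256),
// up to and including the BIT STRING's unused-bits byte; the 65-byte point follows.
const P256_SPKI_PREFIX = '3059301306072a8648ce3d020106082a8648ce3d030107034200';

function u2fPublicKeyToPem(string $rawPoint): string
{
    // U2F keys are uncompressed points: 0x04 || X (32 bytes) || Y (32 bytes).
    if (strlen($rawPoint) !== 65 || $rawPoint[0] !== "\x04") {
        throw new InvalidArgumentException('expected a 65-byte uncompressed P-256 point');
    }
    $der = hex2bin(P256_SPKI_PREFIX) . $rawPoint;
    return "-----BEGIN PUBLIC KEY-----\n"
        . chunk_split(base64_encode($der), 64, "\n")
        . "-----END PUBLIC KEY-----\n";
}

function verifyU2fSignature(string $signedData, string $derSignature, string $rawPoint): bool
{
    // Pass the PEM string itself, not a key resource from openssl_pkey_get_public().
    $pem = u2fPublicKeyToPem($rawPoint);
    $result = openssl_verify($signedData, $derSignature, $pem, OPENSSL_ALGO_SHA256);
    // openssl_verify() returns 1 (valid), 0 (invalid) or -1 (error): only 1 may pass.
    return $result === 1;
}

// Constructed self-check: throwaway P-256 key, sign, then verify via the raw point.
$key = openssl_pkey_new([
    'private_key_type' => OPENSSL_KEYTYPE_EC,
    'curve_name'       => 'prime256v1',
]);
$ec = openssl_pkey_get_details($key)['ec'];
// Coordinates may come back without leading zero bytes, so left-pad to 32 bytes.
$rawPoint = "\x04"
    . str_pad($ec['x'], 32, "\0", STR_PAD_LEFT)
    . str_pad($ec['y'], 32, "\0", STR_PAD_LEFT);
$data = 'constructed sample data';
openssl_sign($data, $signature, $key, OPENSSL_ALGO_SHA256);

var_dump(verifyU2fSignature($data, $signature, $rawPoint));        // untouched data
var_dump(verifyU2fSignature($data . 'x', $signature, $rawPoint));  // tampered data
```

The strict `=== 1` comparison matters because a loose truthiness check would treat the `-1` error return as a valid signature.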