Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Generic digest for rsa::pkcs1v15::Signature? #364

Open
QuinnWilton opened this issue Sep 7, 2023 · 2 comments
Open

Generic digest for rsa::pkcs1v15::Signature? #364

QuinnWilton opened this issue Sep 7, 2023 · 2 comments

Comments

@QuinnWilton
Copy link

Hey Tony, long time no chat!

I'm using RustCrypto in a project involving JOSE. I have some fairly open ended extensibility requirements, so I'm leveraging RustCrypto's generic signature traits as much as possible, to support users defining their own signing implementations, such as over WebCrypto with wasm, or using an HSM. As part of this, I've defined a trait for mapping RustCrypto signature encodings to their corresponding algorithm name in JWA.

This is generally working great, for most signature types:

pub trait JWSSignature: SignatureEncoding {
    const ALGORITHM: jose_jwa::Signing;
}

impl JWSSignature for ecdsa::Signature<p256::NistP256> {
    const ALGORITHM: jose_jwa::Signing = jose_jwa::Signing::Es256;
}

impl JWSSignature for ecdsa::Signature<k256::Secp256k1> {
    const ALGORITHM: jose_jwa::Signing = jose_jwa::Signing::Es256K;
}

But I run into issues with RSASSA-PKCS1-v1_5 and RSASSA-PSS signatures, as implemented in the rsa crate, because their corresponding signature types don't specify the hash function used in the signature, and so there isn't a 1:1 mapping between signatures and their JWA name.

For example:

impl JWSSignature for rsa::pkcs1v15::Signature {
    // Might be Rs256, Rs384, or Rs512
    const ALGORITHM: jose_jwa::Signing = ???;
}

This information is available on the corresponding signing key types for both variants of RSA signatures, so I'm wondering whether it would make sense for the digest type to also be tracked on the signatures themselves, in order to differentiate between signatures which use different hash functions.

In my case, it's not the end of the world if this isn't supported, because no one should really be deploying RSASSA-PKCS1-v1_5 using SHA-512 anyway, but that I ran into this limitation in the first place had me wondering whether it was a gap in the API worth thinking about.

Thanks for all the great work here, I'm really enjoying how the whole ecosystem slots together so nicely :)
@QuinnWilton
Copy link
Author

Ah! It actually looks like you suggested essentially this design a few years ago: #34 (comment)

Is that still something that you think would be valuable? I personally also like the idea of including the MGF type for PSS too.

@tarcieri
Copy link
Member

tarcieri commented Sep 7, 2023

In the ecdsa crate I ended up adding a SignatureWithOid type for these sorts of use cases: https://docs.rs/ecdsa/0.16.8/ecdsa/struct.SignatureWithOid.html

A generic type parameter is another option but gets tricky if you encounter runtime dynamism like something like SignatureWithOid can handle.

Alternatively you can make your own newtype wrapper parameterized with your own algorithm identifier, similar to SignatureWithOid (but blissfully OID-free!)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@tarcieri @QuinnWilton