DCIT / perl-CryptX

https://metacpan.org/pod/CryptX

RFC 7518 specifies SHA lengths? #45

Closed FGasper closed 6 years ago

FGasper commented 6 years ago

https://tools.ietf.org/html/rfc7518#page-8

^^ There doesn’t seem to be any use given for, say, P-256 with SHA-1, though that is the default for the RFC 7518 methods in Crypt::PK::ECC.

Should the defaults be changed to correspond to the curve length? Otherwise each implementation will need to maintain the mapping on the page linked above.

karel-m commented 6 years ago

I do not think this should be handled at Crypt::PK::ECC level. In fact I already have this sort of "mapping" in another module https://metacpan.org/source/MIK/Crypt-JWT-0.021/lib/Crypt/JWT.pm#L521

The rfc7518 in sign_message_rfc7518 is more about the output format of the signature.

FGasper commented 6 years ago

What is the intended use of being able to sign things with sign_message_rfc7518 in a way that contradicts RFC 7518, such as a P-256 key with SHA-1?

For example, if I have a P-256 key, the hash algorithm that the RFC describes is SHA-256, and only SHA-256.

karel-m commented 6 years ago

The sign_message_rfc7518 is just about the output format which is completely different compared to sign_message.

I agree that the name of sign_message_rfc7518 is a bit misleading but it is perfectly fine to use sign_message_rfc7518 also with other curves (I mean non-NIST) and/or other hashes than SHA2.

I can mention this in documentation.

FGasper commented 6 years ago

OK, so the function name is meant to be more “sign in the style of RFC 7518” rather than “sign according to RFC 7518”.

FWIW, for me, anyway, yeah, it would be helpful if the documentation were like:

NOTE: This creates/verifies signatures according to the structure that RFC 7518 describes but does not apply the RFC logic for the hashing algorithm. You’ll still need to specify, e.g., sha256 for a P-256 key to get a fully RFC-7518-compliant signature.

I’m still curious what application is served by putting SHA-1 with an RFC 7518 signature, but anyway. Thank you for your time and for maintaining this very useful module. :)

karel-m commented 6 years ago

CryptX-0.062 released
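
The curve-to-hash mapping discussed in this thread, as an added example that is not part of the original thread and not code from CryptX or Crypt::JWT. It pairs each RFC 7518 ECDSA algorithm with its curve, hash and fixed signature length, and passes the hash explicitly to `sign_message_rfc7518` / `verify_message_rfc7518`. The helper names `curve_of`, `sign_jws_es` and `verify_jws_es`, the `%JWS_ES` table and the sample message are assumptions made for illustration.

```perl
use strict;
use warnings;
use Crypt::PK::ECC;

# RFC 7518 section 3.4: each ECDSA "alg" fixes the curve, the hash and the
# length of the raw R||S signature (two coordinates of the curve size).
my %JWS_ES = (
    ES256 => { curve => 'secp256r1', hash => 'SHA256', sig_len => 64  },
    ES384 => { curve => 'secp384r1', hash => 'SHA384', sig_len => 96  },
    ES512 => { curve => 'secp521r1', hash => 'SHA512', sig_len => 132 },
);

# Hypothetical helper: curve name of a loaded key, lower-cased for comparison.
sub curve_of { lc($_[0]->key2hash->{curve_name} // '') }

# Hypothetical helper: pick the alg from the key's curve, never from a default.
sub sign_jws_es {
    my ($pk, $message) = @_;
    my $curve = curve_of($pk);
    my ($alg) = grep { $JWS_ES{$_}{curve} eq $curve } sort keys %JWS_ES;
    die "curve '$curve' has no ECDSA algorithm in RFC 7518\n" unless $alg;
    return ($alg, $pk->sign_message_rfc7518($message, $JWS_ES{$alg}{hash}));
}

# Hypothetical helper: reject any alg/curve/length combination outside the table.
sub verify_jws_es {
    my ($pk, $alg, $sig, $message) = @_;
    my $p = $JWS_ES{$alg // ''} or return 0;          # unknown alg
    return 0 unless curve_of($pk) eq $p->{curve};     # alg must match the key's curve
    return 0 unless length($sig) == $p->{sig_len};    # fixed-length R||S only
    return $pk->verify_message_rfc7518($sig, $message, $p->{hash}) ? 1 : 0;
}

# Constructed demo input: a freshly generated P-256 key and a sample message.
my $pk = Crypt::PK::ECC->new;
$pk->generate_key('secp256r1');
my $msg = 'constructed-header.constructed-payload';

my ($alg, $sig) = sign_jws_es($pk, $msg);
printf "%s, %d-byte signature, verifies: %d\n",
    $alg, length($sig), verify_jws_es($pk, $alg, $sig, $msg);

# Same output structure, but made with the module's default hash (SHA-1):
# it has the right length yet must not verify as ES256.
my $sha1_sig = $pk->sign_message_rfc7518($msg);
printf "default-hash signature verifies as ES256: %d\n",
    verify_jws_es($pk, 'ES256', $sha1_sig, $msg);
```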