biscuit-auth / biscuit-java

Java implementation of the Biscuit authentication and authorization token
https://biscuitsec.org/
Apache License 2.0

Support for signing algorithms found in AWS KMS #93

Open hmedlinphocas opened 5 months ago

hmedlinphocas commented 5 months ago

We are looking at using Biscuit auth in our application but we are currently blocked with only Ed25519 being supported for signing and verification. The reason we would like other algorithms is so we can have our keys managed by AWS KMS and KMS currently does not support Ed25519.

Is there anything in the roadmap to have more algorithm support? If not, we can submit a PR to add support for the ECC_* algorithms in KMS along with external signing provider support. However we can only add this to the Java implementation. Would this be something that would be accepted and released or do you require the changes made to the other supported languages?

Geal commented 4 months ago

There's currently work going on to add support for ECDSA signatures, and we plan to add it to the spec soon. The main issue right now is finding key and signature serialization formats that would be broadly usable across languages (with existing implementations, etc). Support for KMS and other HSMs would definitely be useful. What would you have in mind on the API side? Maybe we could move to something like the rust implementation's RootKeyProvider, which can look up a key from the id in the token, and then provides an abstraction that can sign
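One shape the provider abstraction discussed above could take, as an added example that is not biscuit-java's code nor the Rust implementation's RootKeyProvider: a key-id lookup that returns a signer, with a local JCA-backed P-256 signer standing in for a KMS-backed one. The interface names, the key id and the message bytes are assumptions made for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.ECGenParameterSpec;
import java.util.Map;

// Hypothetical abstraction (not the biscuit-java API): something that can sign
// and expose its public key, resolved from a key id carried in the token.
interface ExternalSigner {
    byte[] sign(byte[] message) throws GeneralSecurityException;
    PublicKey publicKey();
}

interface RootKeyProvider {
    ExternalSigner lookup(String keyId);
}

// Local P-256 signer using the JDK's own JCA provider. A KMS-backed signer
// would implement the same interface and forward sign() to the HSM, so the
// token code never touches private key material.
final class LocalP256Signer implements ExternalSigner {
    private final KeyPair pair;

    LocalP256Signer() throws GeneralSecurityException {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("EC");
        gen.initialize(new ECGenParameterSpec("secp256r1"));
        this.pair = gen.generateKeyPair();
    }

    // Note: JCA returns the ECDSA signature as ASN.1 DER (r, s); this encoding
    // choice is exactly the cross-language serialization question raised above.
    @Override public byte[] sign(byte[] message) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withECDSA");
        s.initSign(pair.getPrivate());
        s.update(message);
        return s.sign();
    }

    @Override public PublicKey publicKey() { return pair.getPublic(); }
}

public final class ProviderDemo {
    static boolean verify(PublicKey pk, byte[] msg, byte[] sig) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withECDSA");
        s.initVerify(pk);
        s.update(msg);
        return s.verify(sig);
    }

    public static void main(String[] args) throws Exception {
        ExternalSigner root = new LocalP256Signer();
        Map<String, ExternalSigner> keys = Map.of("kms-root-1", root); // constructed key id
        RootKeyProvider provider = keys::get;
        byte[] msg = "authority block bytes (constructed)".getBytes(StandardCharsets.UTF_8);
        byte[] sig = root.sign(msg);
        System.out.println(verify(provider.lookup("kms-root-1").publicKey(), msg, sig));
    }
}
```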

itstheceo commented 4 months ago

Thanks for the context and linking the existing work. I do appreciate your purview is broader with support for multiple languages, maintainability etc; it makes sense using Rust in the long term. My team is fortunately only concerned with Java. We have decided to take the protobuf changes for P256 from the draft PR, and write an implementation in Java. It is still in progress. We can propose it upstream when ready. We will have more capacity once we have an MVP solution for our use case.

Geal commented 4 months ago

Great! I've written down how the serialization of P256 should happen in a spec PR. It might be a bit different from the initial rust test, because I want to make sure it can work across implementations. These requirements should work well with bouncycastle