cdbattags / lua-resty-jwt

JWT For The Great Openresty
Apache License 2.0

ECDSA algos ES{256,384,512} support #24

Closed calderonth closed 4 years ago

calderonth commented 4 years ago

Is this project interested in implementing ECDSA algos ES{256,384,512} support? It's a shame to be restricted to RSA-based signatures.

cdbattags commented 4 years ago

Any algo OpenSSL supports we should be able to implement (since we're using FFI) and I'm open to any PRs.

Only caveat is we need to be sure to stay backwards compatible.

six8 commented 4 years ago

Thanks for making progress on this. Are you looking into public key/private key verification support?

cdbattags commented 4 years ago

@six8 how do you mean?

What you're describing is quite a broad group of algos called asymmetric cryptography.

Any algorithm specifically in mind?

six8 commented 4 years ago

Specifically ES256 with an elliptic curve private and public key.

Example of private and public key generation with JWT encoding/decoding in Python:

from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import ec
import jwt

# ES256 is ECDSA over the NIST P-256 curve (SECP256R1) with SHA-256 (RFC 7518).
# SECP256K1 is a different curve and would not interoperate under the "ES256" alg.
key = ec.generate_private_key(ec.SECP256R1(), default_backend())

private_key_pem = key.private_bytes(
    encoding=serialization.Encoding.PEM,
    format=serialization.PrivateFormat.TraditionalOpenSSL,
    encryption_algorithm=serialization.NoEncryption()
)
public_key_pem = key.public_key().public_bytes(
    encoding=serialization.Encoding.PEM,
    format=serialization.PublicFormat.SubjectPublicKeyInfo,
)

jwt_data = {"sub": "example-user"}  # claims to sign

encoded_jwt = jwt.encode(
    jwt_data,
    private_key_pem,
    algorithm="ES256",
)
# Pin the accepted algorithm list so a token can't downgrade to HS256 or "none".
# Signature verification is on by default (the old verify= keyword is gone in PyJWT 2.x).
decoded = jwt.decode(
    encoded_jwt,
    key=public_key_pem,
    algorithms=["ES256"],
)

NikoGrano commented 4 years ago

As far as I see, this works fine with the certs. I need 512 support for this, be prepared for my PR.

NikoGrano commented 4 years ago

So https://github.com/cdbattags/lua-resty-jwt/blob/master/lib/resty/evp.lua#L389-L419 needs to be rewritten to support also ES verification.

I have an example here https://github.com/google/jwt_verify_lib/blob/master/src/verify.cc#L70-L109, but I could not understand fully what I should do. If there are Lua FFI experts, help would be more than just "awesome".

calderonth commented 4 years ago

Hello @NikoGrano,

I will have a look this week to see if I can expand to add ES512 support if you don't have a PR by then.

alexandrim0 commented 4 years ago

Hello! Will you support ES256 for signing JWE?

cdbattags commented 4 years ago

More than happy to review/accept a PR for it!

NikoGrano commented 4 years ago

For now I solved this problem by writing a JWT verifier in Go and running it through the shell...

Hopefully this helps somebody needing support asap.

calderonth commented 4 years ago

I've been working on this but am trying to fix/add unit tests to gain confidence in the code.
