Closed lessless closed 9 years ago
Hi @lessless
In the reference (http://tools.ietf.org/html/rfc3447#section-7.2), the governing requirement is found in section 7.2.1, Step 1:
Length checking: If mLen > k - 11, output "message too long" and stop. (where k == 256 bytes for 2048 key bits)
More discussion here: http://security.stackexchange.com/questions/33434/rsa-maximum-bytes-to-encrypt-comparison-to-aes-in-terms-of-security
@garyf thank you for the explanation and links.
But in the README RS256 refers to RSASSA-PKCS-v1_5 using SHA-256, not the RSAES-PKCS1-v1_5
:cry:
Pardon these maybe stupid questions; this is almost my first encounter with the guts of cryptography, and I'm almost heart-broken.
Spec says that EMSA-PKCS1-v1_5 encoding can throw a "message too long" error if the hash function outputs "message too long," and the 256-byte length limitation doesn't apply to SHA-256. Right?
@lessless in the 'guts' is where all truth is found; the 256 byte length limitation is not applicable
81427b7 anticipates a resolution
@garyf right. thank you!
Hello @garyf, thanks for the library, though it took some time to find my way through it to sign a Google API's service-to-service request. As per https://developers.google.com/identity/protocols/OAuth2ServiceAccount#authorizingrequests they require the following claims to be present:
[iss, scope, aud, exp, iat]
but even on the 3rd claim the library is throwing a "message too large error"
I understand that this is done on purpose https://github.com/garyf/json_web_token_ex/blob/master/lib/json_web_token/algorithm/rsa.ex#L12 but in the referenced document I didn't find the part where it is said that a message couldn't be over 245 bytes long. That even sounds doubtful.
Am I doing something wrong?
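The distinction this thread arrives at, as an added example (not code from json_web_token_ex or from either participant): the `k - 11` check belongs to RSAES-PKCS1-v1_5 encryption, while RS256 signing applies EMSA-PKCS1-v1_5 to a SHA-256 digest, so the length of the signing input does not matter. The function names and claim values below are constructed for illustration.

```python
import base64, hashlib, json

# DER DigestInfo prefix for SHA-256 (RFC 3447 section 9.2, note 1), 19 bytes.
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def rsaes_length_check(message: bytes, k: int) -> None:
    """RSAES-PKCS1-v1_5 encryption, section 7.2.1 step 1: mLen <= k - 11."""
    if len(message) > k - 11:
        raise ValueError("message too long")

def emsa_pkcs1_v1_5_encode(message: bytes, em_len: int) -> bytes:
    """EMSA-PKCS1-v1_5 (section 9.2) with SHA-256, the encoding RS256 signs."""
    # The message is hashed first; SHA-256 itself only rejects inputs
    # beyond 2^61 - 1 octets, so no practical JWT can be "too long".
    t = SHA256_PREFIX + hashlib.sha256(message).digest()  # always 51 bytes
    if em_len < len(t) + 11:
        raise ValueError("intended encoded message length too short")
    ps = b"\xff" * (em_len - len(t) - 3)
    return b"\x00\x01" + ps + b"\x00" + t  # exactly em_len bytes

def constructed_signing_input() -> bytes:
    """JWT signing input with the five claims from the thread (made-up values)."""
    def b64(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=")
    claims = {
        "iss": "service-account@example.invalid",
        "scope": "https://example.invalid/auth/scope",
        "aud": "https://example.invalid/oauth2/token",
        "exp": 1700003600,
        "iat": 1700000000,
    }
    return b64({"alg": "RS256", "typ": "JWT"}) + b"." + b64(claims)

if __name__ == "__main__":
    k = 256  # modulus length in bytes for a 2048-bit key
    msg = constructed_signing_input()
    print(len(msg), "bytes of signing input; RSAES limit is", k - 11)
    try:
        rsaes_length_check(msg, k)
    except ValueError as err:
        print("encryption-style check:", err)
    em = emsa_pkcs1_v1_5_encode(msg, k)
    print("signature encoding:", len(em), "bytes, fits the modulus")
```
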