RSA signature using SHA-256 hashing algorithm

[Aranir]

Is it possible to create an RSA signature using SHA-256 hashing algorithm?

As this is the only one supported by the Google App Engine for authentication.

[jasongoodwin]

Hey sure - it can be added relatively easily if it's not implemented. I'll have a peak shortly.

Sent from my iPhone

On Sep 13, 2014, at 7:13 AM, Roger Küng notifications@github.com wrote:

Is it possible to create an RSA signature using SHA-256 hashing algorithm?

As this is the only one supported by the Google App Engine for authentication.

— Reply to this email directly or view it on GitHub.

[jasongoodwin]

Been pretty busy - feel free to make a PR if you implemented this. It's on my radar.

[jasongoodwin]

Obviously I suck and haven't added this - working on a book and hope to be done end of the month - I'll try to add the missing hash algorithms shortly.

[obihann]

Any progress on this? I also would love the addition of RSA since it would let me better use private keys for signing and public keys for verification, if you need some help I'd be up to pitch in.

[jasongoodwin]

It's not done - it should be fairly trivial. If you want to do it, fork and make a pull request - I'll review it and accept it. I'm pretty busy until maybe mid july but it really should be trivial to implement. I'm leaving myself a post-it to remind me to do it after hours one day. It would be awesome if you can do it - just let me know if you start work so we don't duplicate efforts.

[obihann]

I can start tonight probably, I just want to double check I'm understanding things correctly so here is my use case:

1. I generate a JWT and instead of using HMAC I use JWT, and instead a passphrase like "password" I will be able to pass in a RSA private key
2. Then on whatever other server is attempting to verify the JWT, they can do so using a matching public key?

For coding, its really just an additional algorithm, the rest is already in place or would be done by the user implementing authentikat-jwt.

[jasongoodwin]

Hey, you should just be able to implement the algorithm fairly simply: The JWS file here has the existing algorithms: https://github.com/jasongoodwin/authentikat-jwt/blob/master/src/main/scala/authentikat/jwt/JsonWebSignature.scala

Add the new case classes for the algorithms, the new pattern matching for the different RSA generators, and then the private key is still just a text string I believe. So you'd make the method to do the hashing. That should be more or less it. Validation is just done by hashing and comparing. If you don't get it done I'll try to tackle it over the weekend as well - I'm just really behind on writing this damn book.

[jasongoodwin]

Any progress? I'll look at it tonight if not.

[jasongoodwin]

Hey I had a stab at it tonight but was not able to complete it. This probably requires an API change - the signature is produced with a private key, and then verified with the public key. Not a terribly complex problem to solve but the encryption APIs take a bit of effort to work with.

[jasongoodwin]

Example here _ I could be wrong in terms of jwt though. I'll read through the spec and libs. http://www.java2s.com/Tutorial/Java/0490__Security/RSASignatureGeneration.htm

[spry-rproud]

Any progress updates?

[obihann]

@spry-rproud none from me but thanks for the poke :) @jasongoodwin if you don't get to this during the week I'll take another stab at it over the weekend, I have a hectic week coming up so I can't do this any sooner unfortunately. I'm making a note now for myself to try to resolve this on the weekend :+1:

[jasongoodwin]

Hey obihann has a PR for this - I'll hang out w/ it this week and hopefully release it by next weekend. Thanks for your patience and sorry for the delay in getting this feature in. I'm hoping by next weekend I can have it validated and released.

[jasongoodwin]

I'm Working on this over the weekend. The fact that eg RSA works a bit differently with the public and private keys has me rethinking the API. It looks a bit messy in inside too - I want to switch it up a bit. I have more time so I should be able to finish this up over the weekend. Thanks for your patience!!

[jasongoodwin]

K I have a bunch of the refactoring done for RSA signing and validation (finally). Sorry for the wait. I'm going to change how it's implemented to use something like bouncy castle for better memory usage as the Java Security pieces used are not thread safe so there is a bunch of extra memory overhead. I should be able to release it this week.

It's a major revision - API breaking change - so I need to produce a migration guide to go along with it.

Thanks for waiting!

[jasongoodwin]

hey my book is published etc so I have some more time now. That killed me. http://www.amazon.com/Learning-Akka-Jason-Goodwin/dp/1784393002

I gave this another run over today and tested it a bit. I think it needs some peer review and a bit of focus before I formally release and publish. I pushed the change to the develop branch as 1.0.0-SNAPSHOT. if you need it publish it locally and drop some feedback here. I'll think about it a bit but would be nice to have someone to bounce ideas off of about the use of the api. I should write a few integration tests to see how it works all together and give examples. The docs will be out of whack now too as the API is broken from previous versions.

If you want to contribute, try testing the other rsa algorithms etc. Also changing to bouncy castle from the java security libs should net performance improvements as the java abstractions are not thread safe so require lots of object creation.

Because it's a fairly significant change to the api, it would really help if someone publishes it local and tries to upgrade their project. I'm wondering if there should still be some sort of token verify abstraction but I'm starting to think not:

One of the concerns there is that someone trying to break it could pass algorithm=none and so the check would pass verification so there would need to be allowed algorithms. It might be fine to ship without this though - it moves the concern to the application to ensure that the token is signed with an expected algorithm - I'm not sure if the JWT library should handle too much of this but it makes it a touch harder to use without it.

Right now the RSA implementation expects PrivateKey and PublicKey to be provided, so again, how those are obtained is up to the user.

[jasongoodwin]

Added ES and PS algorithms as well. I'll release it soon but it needs some additional verification. Can anyone try 1.0.0-M1 RSA on the develop branch to see if it works in their use cases? The API is a bit different in that you explicitly have to provide the signer or verifier.

[jasongoodwin]

1.0.0-M1 published to central. I want to add some more features and test this better w/ integrations before calling it a real release but all encryption algorithms are in place.

[jasongoodwin]

Have you been able to test/verify the behavior?

[Philippus]

I tried it out this weekend and found some bugs: https://github.com/jasongoodwin/authentikat-jwt/pull/34

[jasongoodwin]

Thank you so much for looking at this!!

On Sun, Jul 16, 2017 3:07 PM, Philippus Baalman notifications@github.com wrote: I tried it out this weekend and found some bugs:

34

— You are receiving this because you were assigned. Reply to this email directly, view it on GitHub, or mute the thread.