lcobucci / jwt

A simple library to work with JSON Web Token and JSON Web Signature
https://lcobucci-jwt.readthedocs.io/en/stable/
BSD 3-Clause "New" or "Revised" License
7.31k stars, 601 forks

Implement PS256/384/512 #1090

Open SvenRtbg opened 1 week ago

SvenRtbg commented 1 week ago

The heavy work is offloaded to phpseclib/phpseclib v3, which is added as a dependency.

Note: Please focus review onto the fact that everyone states that RSASSA-PSS key pairs are somehow special.

My understanding is that PSS is just a different kind of padding that utilizes randomness as a salt, and the signing part is just basic RSA. I have tested with dedicated RSA-PSS key pairs, and the only difference is that the key is explicitly labeled as RSA-PSS, and may contain additional info about the expected hash, mgfhash and salt length. It wasn't noticed by the PHPSecLib implementation, though.

Keep in mind I might have missed an important point here, as I implemented the obvious part, and maybe some non-obvious things, but I wouldn't consider myself the expert here.

Most importantly, I would like to see someone testing against a real-world token use case, as the tests inside are basically verifying that the implementation in the class matches the implementation in the test, which is effectively the same code.

closes #1074
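
Added example, not part of the pull request or of lcobucci/jwt's code: a PS256 round trip with phpseclib v3 using an ordinary RSA key pair, showing the per-signature salt and a cross-check against an RS256 (PKCS#1 v1.5) verifier. It assumes `phpseclib/phpseclib` ^3 is installed through Composer; the helper names `b64url` and `ps256` and the token contents are constructed for illustration.

```php
<?php
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php'; // assumption: composer require phpseclib/phpseclib:^3

use phpseclib3\Crypt\RSA;

// Hypothetical helper: unpadded base64url, as used for JWT segments.
function b64url(string $bin): string
{
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

// Hypothetical helper: PS256 parameters per RFC 7518 section 3.5
// (SHA-256 digest, MGF1 with SHA-256, salt as long as the hash output).
function ps256(RSA $key): RSA
{
    return $key->withPadding(RSA::SIGNATURE_PSS)
        ->withHash('sha256')
        ->withMGFHash('sha256')
        ->withSaltLength(32);
}

// An ordinary RSA key pair; nothing in the key restricts it to PSS.
$private  = RSA::createKey(2048);
$signer   = ps256($private);
$verifier = ps256($private->getPublicKey());

// Constructed sample token: header and claims are illustrative only.
$input = b64url(json_encode(['alg' => 'PS256', 'typ' => 'JWT']))
    . '.' . b64url(json_encode(['sub' => 'constructed-sample']));

// PSS draws a fresh random salt for every signature.
$sigA = $signer->sign($input);
$sigB = $signer->sign($input);

// The same public key configured for RS256 (PKCS#1 v1.5 padding).
$rs256 = $private->getPublicKey()
    ->withPadding(RSA::SIGNATURE_PKCS1)
    ->withHash('sha256');

printf("signatures identical:     %s\n", var_export(hash_equals($sigA, $sigB), true));
printf("PS256 verifies sigA:      %s\n", var_export($verifier->verify($input, $sigA), true));
printf("PS256 verifies sigB:      %s\n", var_export($verifier->verify($input, $sigB), true));
printf("RS256 verifier on sigA:   %s\n", var_export($rs256->verify($input, $sigA), true));
printf("PS256 on tampered input:  %s\n", var_export($verifier->verify($input . 'x', $sigA), true));
printf("token: %s.%s\n", $input, b64url($sigA));
```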

lcobucci commented 5 days ago

Let's pull it to a separate lib, then, and see what the stats show us.

SvenRtbg commented 4 days ago

I don't feel I'd be initially involved there, am I? I don't like leaving half-finished work, however I for sure lack admin permissions to create anything within @lcobucci's projects. :) How to proceed?

Ocramius commented 4 days ago

@SvenRtbg given you are always very active here, I would say that we could totally (pending @lcobucci's opinion, obviously) give you maintainership on the new repo.

lcobucci commented 3 days ago

I'll set up the new repo and give access to you folks. I'm just having limited time atm.

SvenRtbg commented 2 days ago

No need to rush, I'm AFK until Monday.