search

veraison / go-cose

go library for CBOR Object Signing and Encryption (COSE)
Mozilla Public License 2.0
49 stars 26 forks source link

Add support for RS256, RS384, RS512 constants #163

Closed hslatman closed 1 year ago

hslatman commented 1 year ago

This PR replaces https://github.com/veraison/go-cose/pull/140. It closes https://github.com/veraison/go-cose/issues/141.

It only provides the constants for the algorithms. A cose.Signer or cose.Verifier needs to be implemented and provided from outside the package to use these algorithms. Using NewSigner and NewVerifier will return an error when called with one of these algorithms, because PKCS#1 v1.5 signing and verification aren't implemented in go-cose itself.

Example usage with external mycose package:

import (
        "crypto/rand"

    "github.com/veraison/go-cose"
    "go.step.sm/crypto/keyutil"

    "mycose"
)

func main(){
    key, _ := keyutil.GenerateSigner("RSA", "", 2048)
    cs := mycose.NewRS256Signer(key)  // adheres to cose.Signer

        data := []byte("1234")
    sig, _ := cs.Sign(rand.Reader, data)

    headers := cose.Headers{
        Protected: cose.ProtectedHeader{
            cose.HeaderLabelAlgorithm: cose.AlgorithmRS256,
        },
    }
    sig, _ = cose.Sign1(rand.Reader, cs, headers, data, nil)

}
codecov[bot] commented 1 year ago

Codecov Report

Merging #163 (0eac3fc) into main (160b7e0) will increase coverage by 0.02%. Report is 1 commits behind head on main. The diff coverage is 100.00%.

@@            Coverage Diff             @@
##             main     #163      +/-   ##
==========================================
+ Coverage   93.80%   93.82%   +0.02%     
==========================================
  Files          11       11              
  Lines        1695     1701       +6     
==========================================
+ Hits         1590     1596       +6     
  Misses         72       72              
  Partials       33       33
Files Changed Coverage Δ
algorithm.go 100.00% <100.00%> (ø)
signer.go 100.00% <100.00%> (ø)
verifier.go 100.00% <100.00%> (ø)

:mega: We’re building smart automated test selection to slash your CI/CD build times. Learn more

SteveLasker commented 1 year ago

@or13, PTAL

hslatman commented 1 year ago

The error message could be better.

Algorithm not supported, external signer required (link to documentation).

As is, the user is likely to assume it's not possible to use the library with the algorithm... Unless they read the comments in the code.

I think you mean the general error message; not just for the RSx constants? I agree that the error could be improved. That might need more valid COSE algorithm constants to be added, so that the error message can distinguish between valid algorithm identifiers (that require an external signer) vs. invalid algorithm identifiers (that won't/shouldn't work with external signers)