Closed StefanOltmann closed 9 months ago
Hey! Thanks for raising the issue here!
First, regarding RSA in the apple provider.
I will add RSA for the apple provider in the coming release (in several weeks, I have a prototype already in some old branch). But keep in mind that Security Framework (where RSA is implemented out-of-the-box) has minimal support for key encoding/decoding, and until we have some kind of ASN.1 (DER) encoder/decoder implemented in cryptography-kotlin (there is no such thing for Kotlin Multiplatform yet), there will be only PKCS#1 format (it differs from standard DER/PEM encoding).
Some links for context about difference between RSA key formats:
Second, regarding Apple export regulations.
As far as I found, if you are using open source solutions (like cryptography-kotlin, which is using openssl, which are both open-source) - you are falling into exemption, and so there should be no problems. Still, AFAIU you will still need to send an annual (year-end) self-classification report to the US government to comply with the encryption export regulations, though, as far as I see, this step is needed even if you use standard Apple encryption, or even just do HTTPS requests - they all are treated as exemption, and so you will need only to submit this report. Looks like Google Play has the same policy for encryption, so it should be something standard (I believe).
Still, I'm not a lawyer, I'm not an expert in iOS development and distribution - so it's better to contact someone regarding this, even if you use Apple-provided encryption.
Also, here I have some links which I found useful, so maybe they will be useful for you/your team. But please look carefully, as the articles/answers have rather different dates of publication, and there were a lot of changes to U.S. laws (sometime in 2016-2017), so be careful and patient:
Maybe this (a lot of links) is not what you expected when you posted the question, but I'm trying my best to at least understand what the consequences of this are and how it will affect end-users.
Thank you a lot for your research! Yes, I indeed need to understand this topic far better.
When do you plan to release a new version with support for RSA.PKCS1?
Hey @michalkierasinski, the implementation of RSA.PKCS1 for the Apple provider is already merged in dev and available in the latest snapshot (0.3.0-SNAPSHOT). So at least you can try it there. Still, it doesn't yet support standard DER/PEM encoding/decoding (only older ones). I'm now investigating/prototyping this. Hopefully the release containing RSA.PKCS1 for the Apple provider (and other features) will be available at the end of January / mid February.
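The format gap described above, as an added example that is not part of the thread and not code from cryptography-kotlin: a dependency-free Kotlin sketch that converts an RSA public key between PKCS#1 `RSAPublicKey` DER and X.509 `SubjectPublicKeyInfo` DER. It assumes "standard DER/PEM" means SubjectPublicKeyInfo for public keys (the case relevant to RS256 verification); all function names are hypothetical.

```kotlin
// DER AlgorithmIdentifier for rsaEncryption: SEQUENCE { OID 1.2.840.113549.1.1.1, NULL }.
private val RSA_ALGORITHM_ID = byteArrayOf(
    0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86.toByte(), 0x48, 0x86.toByte(),
    0xF7.toByte(), 0x0D, 0x01, 0x01, 0x01, 0x05, 0x00,
)

// DER length: short form below 128, otherwise 0x81/0x82 plus 1 or 2 big-endian bytes.
private fun derLength(length: Int): ByteArray = when {
    length < 0x80 -> byteArrayOf(length.toByte())
    length <= 0xFF -> byteArrayOf(0x81.toByte(), length.toByte())
    length <= 0xFFFF -> byteArrayOf(0x82.toByte(), (length shr 8).toByte(), length.toByte())
    else -> throw IllegalArgumentException("length too large for an RSA key")
}

private fun tlv(tag: Int, content: ByteArray): ByteArray =
    byteArrayOf(tag.toByte()) + derLength(content.size) + content

// Reads the tag and length at `offset`; returns (content offset, content length).
private fun readHeader(der: ByteArray, offset: Int, tag: Int): Pair<Int, Int> {
    require(offset + 2 <= der.size && der[offset] == tag.toByte()) { "unexpected tag" }
    val first = der[offset + 1].toInt() and 0xFF
    if (first < 0x80) return Pair(offset + 2, first)
    val n = first and 0x7F
    require(n in 1..2 && offset + 2 + n <= der.size) { "unsupported length" }
    var len = 0
    for (i in 0 until n) len = (len shl 8) or (der[offset + 2 + i].toInt() and 0xFF)
    return Pair(offset + 2 + n, len)
}

// PKCS#1 -> SPKI: prepend the algorithm identifier, wrap the key in a BIT STRING.
fun pkcs1ToSpki(pkcs1: ByteArray): ByteArray {
    require(pkcs1.isNotEmpty() && pkcs1[0] == 0x30.toByte()) { "not a DER SEQUENCE" }
    return tlv(0x30, RSA_ALGORITHM_ID + tlv(0x03, byteArrayOf(0x00) + pkcs1))
}

// SPKI -> PKCS#1: accept only an rsaEncryption key with exact lengths, then unwrap.
fun spkiToPkcs1(spki: ByteArray): ByteArray {
    val (seqStart, seqLen) = readHeader(spki, 0, 0x30)
    require(seqStart + seqLen == spki.size) { "trailing or truncated data" }
    val algEnd = seqStart + RSA_ALGORITHM_ID.size
    require(algEnd <= spki.size &&
        spki.copyOfRange(seqStart, algEnd).contentEquals(RSA_ALGORITHM_ID)) { "not an RSA key" }
    val (bitsStart, bitsLen) = readHeader(spki, algEnd, 0x03)
    require(bitsLen >= 1 && bitsStart + bitsLen == spki.size &&
        spki[bitsStart] == 0.toByte()) { "malformed BIT STRING" }
    return spki.copyOfRange(bitsStart + 1, spki.size)
}
```

PEM input needs its armor stripped and Base64 decoded first: `BEGIN PUBLIC KEY` carries SubjectPublicKeyInfo, `BEGIN RSA PUBLIC KEY` carries PKCS#1.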
Regarding encoding: https://github.com/a-sit-plus/kmp-crypto
Thank you @JesusMcCloud ! Nice library! I will definitely take a closer look!
I wish for support for RSA.PKCS1 on the -apple provider. The openssl3-prebuilt works fine on iOS for me, but I fear that I will have to provide an export compliance, because it's additional cryptography to the Apple built-in: https://developer.apple.com/documentation/security/complying_with_encryption_export_regulations
As far as I understand I do not need to fill this form I just use cryptography provided by Apple's framework.
My use case is verification of RS256 JWT signatures.