@bgavrilMS

Fixes #4428

Changes proposed in this request

  • use SHA2 and PSS for all authority types except Generic, dSTS and ADFS.
  • refactor to use string operations instead of JSON serialization for creating assertions

Testing

Performance impact

Using string operations instead of JSON serialization leads to a small ~1KB memory improvement while the performance is marginally better, ~10% gain.

OLD

| Method | UseX5C | UseExtraClaims | Mean | Gen0 | Allocated |
|---|---|---|---|---|---|
| SimpleAssertion | False | False | 690.4 us | 0.9766 | 8 KB |
| SimpleAssertion | False | True | 683.2 us | 0.9766 | 10.35 KB |
| SimpleAssertion | True | False | 680.3 us | 3.9063 | 25.43 KB |
| SimpleAssertion | True | True | 705.1 us | 3.9063 | 27.27 KB |

NEW

Rows 5-8 use SHA2

| Method | UseSha2 | UseX5C | UseExtraClaims | Mean | Gen0 | Allocated |
|---|---|---|---|---|---|---|
| SimpleAssertion | False | False | False | 687.2 us | - | 7.06 KB |
| SimpleAssertion | False | False | True | 658.0 us | 0.9766 | 9.08 KB |
| SimpleAssertion | False | True | False | 640.8 us | 2.9297 | 23.56 KB |
| SimpleAssertion | False | True | True | 657.4 us | 3.9063 | 25.59 KB |
| SimpleAssertion | True | False | False | 662.6 us | 0.9766 | 8.27 KB |
| SimpleAssertion | True | False | True | 657.8 us | 0.9766 | 10.31 KB |
| SimpleAssertion | True | True | False | 670.3 us | 3.9063 | 24.78 KB |
| SimpleAssertion | True | True | True | 678.4 us | 3.9063 | 26.8 KB |

Documentation

  • All relevant documentation is updated.

@bgavrilMS changed the title from "Use SHA2 and PSS where possible" to "Use SHA2 and PSS for client assertion" on Feb 6, 2024
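
An added example, not part of this pull request or the project's own code: a minimal client assertion assembled with string operations and signed with SHA-256 and PSS padding, then checked against both padding schemes. The claim set, the `PS256` header value (the JWA name for RSASSA-PSS with SHA-256), the helper names, and the sample client ID and audience are assumptions for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;

// Constructed sample values (assumptions); a real client uses its registered ID and token endpoint.
string clientId = "00000000-0000-0000-0000-000000000000";
string audience = "https://login.example.test/tenant/oauth2/v2.0/token";

using RSA rsa = RSA.Create(2048); // throwaway key standing in for the certificate's private key

string assertion = CreateAssertion(rsa, clientId, audience, DateTimeOffset.UtcNow);
Console.WriteLine(assertion);

// Verify as a relying party would: the hash and the padding must both match the signer's.
string[] parts = assertion.Split('.');
byte[] signedBytes = Encoding.ASCII.GetBytes(parts[0] + "." + parts[1]);
byte[] signature = FromBase64Url(parts[2]);
Console.WriteLine("PSS / SHA-256 verifies:         " +
    rsa.VerifyData(signedBytes, signature, HashAlgorithmName.SHA256, RSASignaturePadding.Pss));
Console.WriteLine("PKCS#1 v1.5 / SHA-256 verifies: " +
    rsa.VerifyData(signedBytes, signature, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1));

static string CreateAssertion(RSA key, string clientId, string audience, DateTimeOffset now)
{
    // Header and payload are built as strings; every string value is JSON-escaped first,
    // which is the step a serializer would otherwise do for you.
    string header = "{\"alg\":\"PS256\",\"typ\":\"JWT\"}";
    string payload =
        "{\"aud\":\"" + Esc(audience) + "\"," +
        "\"iss\":\"" + Esc(clientId) + "\"," +
        "\"sub\":\"" + Esc(clientId) + "\"," +
        "\"jti\":\"" + Guid.NewGuid() + "\"," +
        "\"nbf\":" + now.ToUnixTimeSeconds() + "," +
        "\"exp\":" + now.AddMinutes(10).ToUnixTimeSeconds() + "}";
    string signingInput = Base64Url(Encoding.UTF8.GetBytes(header)) + "." +
                          Base64Url(Encoding.UTF8.GetBytes(payload));
    byte[] sig = key.SignData(Encoding.ASCII.GetBytes(signingInput),
                              HashAlgorithmName.SHA256, RSASignaturePadding.Pss);
    return signingInput + "." + Base64Url(sig);
}

static string Esc(string s) => JsonEncodedText.Encode(s).ToString();

static string Base64Url(byte[] data) =>
    Convert.ToBase64String(data).TrimEnd('=').Replace('+', '-').Replace('/', '_');

static byte[] FromBase64Url(string s)
{
    s = s.Replace('-', '+').Replace('_', '/');
    return Convert.FromBase64String(s.PadRight(s.Length + (4 - s.Length % 4) % 4, '='));
}
```

Because PSS is randomized, two assertions over identical claims carry different signatures, so tests should verify the signature rather than compare its bytes.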

Development

Successfully merging this pull request may close these issues.

[Feature Request] AAD client assertions should be computed using SHA 256 and an approved padding scheme
