You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
We'd like to use BouncyCastle's OpenPGP RSA/ECDSA keys with HSM-backed private keys.
This is a change request proposal to open PgpSignatureGenerator for extension to enable to adapt the signature operations to HSM calls.
Can provide a PR.
Background:
We want to use the great OpenPGP implementation of BouncyCastle .NET with external (HSM-backed) RSA or ECDSA keys.
Currently PgpSignatureGenerator.InitSign() creates the ISigner instance based on the provided PublicKeyAlgorithmTag and PgpPrivateKey via the PgpUtilities.CreateSigner() factory.
E.g. for a PublicKeyAlgorithmTag.RsaSign it always creates the RsaDigestSigner: ISigner implementation which uses an (in-memory / software) RsaPrivateCrtKeyParameters key.
Change request: Open PgpSignatureGenerator for extension (custom ISigner implementation)
One option (there are others; this is only the least invasive one): Add a PgpSignatureGenerator.InitSign() overload which takes an ISigner instance as input (instead of calling the PgpUtilities.CreateSigner() static factory method) and store it for later signing calls in the sig field. (Can provide alternative suggestions.)
That way a library user can provide either the full ISigner implementation, or a GenericSigner instance with an IAsymmetricBlockCipher implementation to adapt the ProcessBlock() call to e.g. an HSM call. We've already tested this E2E with RSA and ECDSA by "faking" the InitSign() call with reflection calls and it works: Can self-sign GPG keys and create BinaryDocument signatures.
Non-goal: Custom cipher algorithms (in addition to PublicKeyAlgorithmTag); it's just about the implementation of the signature operations (of the existing algos).
In case you approve the general idea, we can provide details for the change request (+ alternatives) as well as a pull request.
The text was updated successfully, but these errors were encountered:
TL;DR:
PgpSignatureGeneratorfor extension to enable to adapt the signature operations to HSM calls.Background:
PgpSignatureGenerator.InitSign()creates theISignerinstance based on the providedPublicKeyAlgorithmTagandPgpPrivateKeyvia thePgpUtilities.CreateSigner()factory.PublicKeyAlgorithmTag.RsaSignit always creates theRsaDigestSigner: ISignerimplementation which uses an (in-memory / software)RsaPrivateCrtKeyParameterskey.Change request: Open
PgpSignatureGeneratorfor extension (customISignerimplementation)One option (there are others; this is only the least invasive one): Add a
PgpSignatureGenerator.InitSign()overload which takes anISignerinstance as input (instead of calling thePgpUtilities.CreateSigner()static factory method) and store it for later signing calls in thesigfield. (Can provide alternative suggestions.)That way a library user can provide either the full
ISignerimplementation, or aGenericSignerinstance with anIAsymmetricBlockCipherimplementation to adapt theProcessBlock()call to e.g. an HSM call. We've already tested this E2E with RSA and ECDSA by "faking" theInitSign()call with reflection calls and it works: Can self-sign GPG keys and createBinaryDocumentsignatures.Non-goal: Custom cipher algorithms (in addition to
PublicKeyAlgorithmTag); it's just about the implementation of the signature operations (of the existing algos).In case you approve the general idea, we can provide details for the change request (+ alternatives) as well as a pull request.
The text was updated successfully, but these errors were encountered: