JSON Web Signature #43
Comments
|
Thanks for writing this down. JSON Web Keys would fit into TUF very well. It is a specification for expressing public keys in JSON without using (for example) PEM encodings. The whole of JSON Web Signature would fit less well because it is anti-normalization but overall what are collectively called the JOSE specifications are delightful. Wheel uses the extraordinarily convenient Ed25519 elliptic curve signing algorithm to produce its signatures. Key generation, signing, and verification are all fast enough even in the 270-line pure python fallback implementation. Keys are only 256 bits or 32 bytes so you can just include them directly rather than bothering with key fingerprints. I should also mention that JOSE and JSON Web Signatures / Keys are independent of the signing algorithm used. Wheel extends it to (only) use Ed25519 because it's incredibly convenient, but it works with RSA too. |
|
Sounds pretty sweet. We will definitely look at this! :] |
|
I wrote this concise ASN.1 DER parser & RSA signature verification library over the weekend. It can also convert public keys to JSON Web Key. https://bitbucket.org/dholth/rsalette/src/tip/rsalette.py https://bitbucket.org/dholth/rsalette/src/tip/asn1lette.py |
|
This sounds like it would help make our transition easier; we will definitely take a look at it as soon as we get some time. Thanks! |
|
Beginning work on the jws branch. |
|
I would recommend you continue to use openssl when it is available but you could consider using the pure Python RSA checker when it is not; it is obviously very convenient to be able to do everything in pure Python. We could convert the json web key back to PEM for openssl. In json web signatures / json web algorithms what you call "evp" is probably something like "RS256" which means PKCS#1 v1.5 RSA signatures using SHA-256 as the hash function. I think you might actually be using SHA-1 which isn't formally part of the JSON web algorithms specifications; it's trivial to change the hash function used for signing. |
|
I like the idea of doing as much as possible in pure Python; it would certainly make testing simpler. |
|
Mine was written mostly to prove to myself that RSA verification would I see that still has Sybren Steuvel's credits on it, like mine :-) I On Sun, Mar 31, 2013, at 09:05 PM, TKK wrote: [1]@dholth , we think you might like to look at [2]Seattle's Python [3]Wiki [4]Source code — Reply to this email directly or [5]view it on GitHub. References |
Got it :)
@JustinCappos , I think you are better-qualified to answer this question. |
|
No, we don't have this support I don't think. I believe we borrowed from Thanks, On Sun, Mar 31, 2013 at 10:17 PM, TKK notifications@github.com wrote:
|
|
Getting more and more OT, but if you want it PKCS#1 v1.5 signing is easy, approximately 0x00 + 0xff * n + (ASN.1 hash function id) + message hash (0xff repeated n times to pad to the RSA block size). |
|
Not happening anytime soon, unfortunately. |
Following Daniel Holth's suggestion, investigate how JSON Web Signature would fit with TUF.
According to Monzur Muhammad: "He mentioned that it was more secure than RSA-2048 despite the key being a small size. You can use pip to install wheel, which can be used to generate/verify/sign keys."
The text was updated successfully, but these errors were encountered: