Added support for ES256 (ECDSA with P-256 and SHA-256) JWT signing algorithm.#34
Added support for ES256 (ECDSA with P-256 and SHA-256) JWT signing algorithm.#34tomaskukol wants to merge 2 commits into
Conversation
…EvpPublicKey is very sensitive to correct keys and can crash Pharo, fixed failing tests.
| JWAES256 class >> checkSignatureOfParts: parts withKey: publicKeyPemString [ | ||
|
|
||
| | jwtHeaderAndPayload signatureByteArray publicKey derSignature | | ||
| self assertPublicKeyPemString: publicKeyPemString. |
There was a problem hiding this comment.
I wouldn't put the check here. Providing an API for checking surely is a good idea even it just checks the string format not the actually cert. But this type of defensive programming raises costs of execution for everyone. This should be handled by the user code
There was a problem hiding this comment.
I think you are right, but I got PharoVM SIGSEGV crash, when it is used with non-PEM strings. I wanted to prevent such a crash by this as this code can be loaded automatically by JWSCompactSerializer by the match of algorithm parameterValue without any user intervention. I am not sure what to do with that.
This algorithm is nice as it allows to use separate private and public key instead of one shared secret key.
What do you think @noha?
This is a minimal implementation of ES256 JWT signing algorithm.
JWT ES256 (ECDSA using P-256 and SHA-256) is a secure, asymmetric signing algorithm used in OAuth 2.0, OpenID Connect, and API authentication to verify token integrity. It is commonly used in scenarios requiring high security with smaller signatures, such as in Apple services, mobile apps, IoT, modern web apps and banks.
You can see more details at spec (https://datatracker.ietf.org/doc/html/rfc7518#section-3.4).