lindenR (posted November 21, 2019)

The test of an RSA key at line 774 in OverbyteICSSSLJose displays a misleading message:

    if (keytype <> EVP_PKEY_RSA) or (f_EVP_PKEY_bits(PrivateKey) < 2048) then
      Raise EDigestException.Create('RSA private key 2,048 or longer required');

My key length is 2048; however it fails the keytype test, as the key is 912, i.e.

    NID_rsassaPss = 912;   // V8.50 RSASSA-PSS

not 6 as expected by this test ...
Angus Robertson (posted November 21, 2019)

Sorry, RSA-PSS key support is only partially implemented; it is shown as pending at the top of the unit. I spent a lot of time learning and implementing the Jose stuff, and started to code new key types, but never got to test them properly since they are rarely used even 18 months later. In the end I had to move on and implement the Let's Encrypt stuff this was written for. Looking at the code, RSA-PSS keys are actually checked later in that function for jsigRsaPss256, or are you saying they can also be used with jsigRsa256?

Angus

Edited November 21, 2019 by Angus Robertson
lindenR (posted November 21, 2019)

OOPS. Missed that later on ... this key is a Google-supplied one that they want to use as an RS256 signature ... https://developers.google.com/identity/protocols/OAuth2ServiceAccount so I guess yes :)

Using a jsigRsaPss256 key as a jsigRSA256 would logically seem to be reasonable (however I'm NO authority on this stuff), but even so the exception raised is not helpful, as the length is correct; it is just a mismatch of types. Maybe an optional _AllowUpClass : boolean = false, so line 774 becomes something like

    if (f_EVP_PKEY_bits(PrivateKey) < 2048) then
      Raise EDigestException.Create('RSA private key 2,048 or longer required')
    else if NOT ((keytype = EVP_PKEY_RSA) or
                 (_AllowUpClass and (keytype in [NID_rsassaPss, other rsaClasses]))) then
      Raise EDigestException.Create('NOT a RSA private key');

... anyway, thanks for getting back.
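The two-stage check proposed above (modulus length first, then key type, with an opt-in for RSASSA-PSS keys), as an added Python example that is not ICS code or part of this thread. It assumes PKCS#8 DER input and reads only the AlgorithmIdentifier OID and the modulus; the sample keys it builds are constructed stubs, not real keys.

```python
# Added example (not ICS code): distinguish "wrong key type" from "key too short" for an
# RS256 signing key. OpenSSL reports rsaEncryption keys as NID 6 (EVP_PKEY_RSA) and
# RSASSA-PSS keys as NID 912 (NID_rsassaPss); both wrap the same RSAPrivateKey structure.
OID_RSA = bytes.fromhex("2a864886f70d010101")      # 1.2.840.113549.1.1.1  rsaEncryption
OID_RSA_PSS = bytes.fromhex("2a864886f70d01010a")  # 1.2.840.113549.1.1.10 rsassaPss

def _tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits give the length-of-length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def inspect_pkcs8(der):
    """Return (algorithm OID bytes, modulus bit length) from a PKCS#8 PrivateKeyInfo."""
    _, pki, _ = _tlv(der, 0)                # PrivateKeyInfo SEQUENCE
    _, _, p = _tlv(pki, 0)                  # version INTEGER
    _, alg, p = _tlv(pki, p)                # privateKeyAlgorithm AlgorithmIdentifier
    _, key, _ = _tlv(pki, p)                # privateKey OCTET STRING
    _, rsa, _ = _tlv(key, 0)                # RSAPrivateKey SEQUENCE (same layout for PSS keys)
    _, _, q = _tlv(rsa, 0)                  # RSAPrivateKey version
    _, n, _ = _tlv(rsa, q)                  # modulus n (leading 0x00 pad is harmless here)
    return _tlv(alg, 0)[1], int.from_bytes(n, "big").bit_length()

def check_rs256_key(der, allow_pss=False):
    """Length check first, then type check, each with its own error; returns (oid, bits)."""
    oid, bits = inspect_pkcs8(der)
    if bits < 2048:
        raise ValueError("RSA private key 2,048 or longer required")
    if oid != OID_RSA and not (allow_pss and oid == OID_RSA_PSS):
        raise ValueError("NOT a RSA private key (algorithm OID %s)" % oid.hex())
    return oid, bits

def _der(tag, body):
    """Minimal DER TLV encoder, used only to build the constructed samples below."""
    if len(body) < 128:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def sample_pkcs8(oid, bits):
    """Constructed test vector: PKCS#8 around a stub RSAPrivateKey holding only a modulus."""
    n = ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")          # not a real modulus
    rsa = _der(0x30, _der(0x02, b"\x00") + _der(0x02, b"\x00" + n))  # version, n (rest omitted)
    alg = _der(0x30, _der(0x06, oid) + b"\x05\x00")                  # OID + NULL parameters
    return _der(0x30, _der(0x02, b"\x00") + alg + _der(0x04, rsa))
```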
Angus Robertson (posted November 22, 2019)

I was testing Google Accounts last week; its OAuth2 implementation is unusual but now supported by ICS. I did not get as far as trying a service account. But if Google is returning RSA-PSS keys, we need to support them, so it is on my list.

Angus
lindenR (posted November 23, 2019)

Angus ... doing more code, and the Google PK (the correct one) is RS256. Not sure which key the one I was referring to was (juggling Azure/Okta/Google at the moment).
Angus Robertson (posted November 23, 2019)

An RSA-PSS key should be PS256, not RS256, but this is really down to the other end, whether it accepts both types of RSA keys for RS256. Easy to relax our code, if the server is also relaxed. I'll look at this stuff when I do SASL for Gmail.

Angus
Angus Robertson (posted December 3, 2019)

Did you get anywhere using the Google RSA-PSS private key? I've made IcsJoseFindAlg recognise them OK, but then hit a problem in IcsJoseJWKPubKey because the OpenSSL RSA functions don't seem to work on RSA-PSS keys, so I cannot read the exponents needed. I think this was why I gave up testing RSA-PSS 18 months ago, hoping OpenSSL would fix this, but not yet. There are possible workarounds.

Angus

Update: OpenSSL changed the RSA functions to recognise RSA-PSS keys in October, but there has not been a new release of 1.1.1 since, so we need to be patient and it will work soon.

Edited December 3, 2019 by Angus Robertson