lindenR

JOSE functions - IcsJoseFindAlg

The test of an RSA key at line 774 in OverbyteICSSSLJose displays a misleading message:

 

    if (keytype <> EVP_PKEY_RSA) or (f_EVP_PKEY_bits(PrivateKey) < 2048) then
        Raise EDigestException.Create('RSA private key 2,048 or longer required');

 

My key length is 2048; however, it fails the keytype test as the key is 912, i.e.

 

NID_rsassaPss                   = 912;  // V8.50  RSASSA-PSS

 

not 6 as expected by this test ...


Sorry, RSA-PSS key support is only partially implemented, it is shown as pending at the top of the unit. 

 

I spent a lot of time learning and implementing the Jose stuff, and started to code new key types, but never got to test them properly since they are rarely used even 18 months later.  In the end I had to move on and implement the Let's Encrypt stuff this was written for.

 

Looking at the code, RSA-PSS keys are actually checked later in that function for jsigRsaPss256, or are you saying they can also be used with jsigRsa256?

 

Angus

 

Edited by Angus Robertson


OOPS, missed that later on ... this key is a Google-supplied one that they want to use as an RS256 signature ... https://developers.google.com/identity/protocols/OAuth2ServiceAccount so I guess yes :)

 

Using a jsigRsaPss256 key as a jsigRsa256 would logically seem to be reasonable (however I'm NO authority on this stuff),

 

but even so, the exception raised is not helpful, as the length is correct; it is just a mismatch of types.

 

Maybe an optional _AllowUpClass: boolean = false,

so line 774 becomes something like

 

    if (f_EVP_PKEY_bits(PrivateKey) < 2048) then
        Raise EDigestException.Create('RSA private key 2,048 or longer required')
    else if NOT ((keytype = EVP_PKEY_RSA) or
                 (_AllowUpClass and (keytype in [NID_rsassaPss, other rsaClasses]))) then
        Raise EDigestException.Create('NOT a RSA private key');

 

 

... anyway thanks for getting back


I was testing Google Accounts last week; its OAuth2 implementation is unusual but now supported by ICS. I did not get as far as trying a service account.  But if Google is returning RSA-PSS keys, we need to support them, so on my list.

 

Angus

 


Angus ... doing more code, and the Google PK (the correct one) is RS256; not sure which key that one I was referring to was (juggling Azure/Okta/Google at the moment).

 


An RSA-PSS key should be PS256 not RS256, but this is really down the other end, whether it accepts both types of RSA keys for RS256.  Easy to relax our code, if the server is also relaxed.  I'll look at this stuff when I do SASL for gmail.

 

Angus

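An added example (not ICS or OpenSSL code) in Python covering what the proposed line-774 change and the PS256-versus-RS256 note above both touch: it reads the PKCS#8 AlgorithmIdentifier OID and the modulus size directly from DER, tells rsaEncryption apart from id-RSASSA-PSS, maps each to the JWS alg it is meant for, and reports a type mismatch separately from a length failure. The sample keys, the `allow_pss_for_rs` switch and all function names are assumptions made here, not ICS API.

```python
# Added example (not ICS code): read the AlgorithmIdentifier OID and the modulus
# size straight out of a PKCS#8 DER blob, so an rsaEncryption key and an
# id-RSASSA-PSS key get distinct errors. Stdlib only; sample keys are constructed.
OID_RSA = "1.2.840.113549.1.1.1"    # rsaEncryption  (OpenSSL EVP_PKEY_RSA)
OID_PSS = "1.2.840.113549.1.1.10"   # id-RSASSA-PSS  (OpenSSL NID_rsassaPss)
ALGS = {OID_RSA: {"RS256"}, OID_PSS: {"PS256"}}   # JWS alg each key type is meant for
def der_tlv(buf, pos=0):                            # -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                               # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length
def der_oid(value):                                 # OID content bytes -> dotted form
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80: arcs.append(acc); acc = 0
    return ".".join(map(str, arcs))
def inspect_key(pkcs8):
    """PrivateKeyInfo ::= SEQ { version, AlgorithmIdentifier, OCTET STRING }."""
    _, info, _ = der_tlv(pkcs8)
    _, _, pos = der_tlv(info)                       # version
    _, algid, pos = der_tlv(info, pos)              # AlgorithmIdentifier
    _, oid, _ = der_tlv(algid)                      # its algorithm OID
    _, keydata, _ = der_tlv(info, pos)              # OCTET STRING wrapping RSAPrivateKey
    _, rsakey, _ = der_tlv(keydata)                 # same inner structure for both key types
    _, _, pos = der_tlv(rsakey)                     # RSAPrivateKey version
    _, modulus, _ = der_tlv(rsakey, pos)            # modulus n
    return der_oid(oid), int.from_bytes(modulus, "big").bit_length()

def check_for_alg(pkcs8, alg, allow_pss_for_rs=False):
    """Mirror the ICS test but name the real failure. Returns (ok, message)."""
    oid, bits = inspect_key(pkcs8)
    relaxed = allow_pss_for_rs and alg == "RS256" and oid == OID_PSS
    if alg not in ALGS.get(oid, ()) and not relaxed:
        return False, f"key type {oid} is not usable for {alg}"
    if bits < 2048:
        return False, f"RSA private key 2,048 or longer required (got {bits})"
    return True, f"{alg} OK with {bits}-bit key"
def tlv(tag, val):                                  # tiny DER encoder for the samples
    n = len(val)
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x82, n >> 8, n & 0xFF])) + val
def sample_pkcs8(oid_hex, nbits):                   # constructed: version, OID, modulus only
    n = (1 << (nbits - 1)) | 1                      # placeholder modulus, not a real key
    rsakey = tlv(0x30, tlv(0x02, b"\x00") + tlv(0x02, n.to_bytes(nbits // 8 + 1, "big")))
    algid = tlv(0x30, tlv(0x06, bytes.fromhex(oid_hex)) + tlv(0x05, b""))
    return tlv(0x30, tlv(0x02, b"\x00") + algid + tlv(0x04, rsakey))

SAMPLE_RSA = sample_pkcs8("2a864886f70d010101", 2048)   # rsaEncryption
SAMPLE_PSS = sample_pkcs8("2a864886f70d01010a", 2048)   # id-RSASSA-PSS
```

Because the modulus is read from the RSAPrivateKey structure itself rather than through the OpenSSL RSA accessors, the size check works the same for both key types; a real key would of course carry the remaining RSAPrivateKey fields that the constructed samples omit.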

Did you get anywhere using the Google RSA-PSS private key?  I've made IcsJoseFindAlg recognise them OK, but then hit a problem in IcsJoseJWKPubKey because the OpenSSL RSA functions don't seem to work on RSA-PSS keys, so I cannot read the exponents needed. I think this was why I gave up testing RSA-PSS 18 months ago, hoping OpenSSL would fix this, but not yet.  There are possible workarounds.

 

Angus

 

Update: OpenSSL changed the RSA functions to recognise RSA-PSS keys in October, but there has not been a new release of 1.1.1 since, so we need to be patient and it will work soon.

Edited by Angus Robertson

