-
Notifications
You must be signed in to change notification settings - Fork 35
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fill in for ring
's deficiencies
#42
Comments
openssl
to fill in for ring
's deficienciesring
's deficiencies
Hi @lawliet89, I started playing with porting the crypto of biscuit to openssl (you can see the result here: https://gitlab.mjdsystems.ca/MJDSys/biscuit-openssl ). I did that as I wanted to tap some crypto currently available in openssl not yet available in Ring. So far I'm just playing with what I need for my projects, but I'd be happy to help bring these changes back into biscuit (behind a feature gate is fine!) if you would like. Do you have any idea of what you would like this support to look like? I was thinking maybe putting all the crypto behind some set of traits, so a user could substitute in their own preferred crypto library in the future, though I fear that might make simple use of the library hard. One easy thing I could submit as a PR here is removing the constant time equality checks in the unit tests. As they are tests, I don't think we need that to be constant time as they are just tests. I wouldn't change the "real" code, as that would have security implications. |
I think gating it behind a feature gate would be fine. The traits idea might be too complicated, you're right. Eventually, I'd like to not use OpenSSL at all and just use everything that ring has to offer. Sure, a PR would be great if you're up for it. |
@lawliet89 Sorry, somehow Github never poked me about this comment. I'll see what I can do. |
Thanks @MJDSys. Maybe I have to |
Is there an ugly way to get an rsa pubkey as |
No. Ring does not have that API last I checked.
On Thu, 24 Aug 2017, 06:24 Matthew Scheirer ***@***.***> wrote:
Is there an ugly way to get an rsa pubkey as Vec<u8> from n and e out of
a jwk right now without pulling in openssl?
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#42 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AA8APUMNFAntINEJe9fvXENZ8eE98PQ-ks5sbKa0gaJpZM4MuUcU>
.
--
Regards
Yong Wen
|
If you have If you have |
ECDSA signing is in ring 0.13.0-alpha4. |
Hey! |
Or could we move from |
ring seems to have many issues and mostly appears to be unmaintained, I think the 3 main other options are the "openssl", "native-tls", or RustCrypto crates so I think it would make sense to look at moving to one of those given that the last stable release of ring was over 2 years ago which means it has 2+ years worth of BoringSSL CVEs unfixed. |
AFAIK, there were no bugs inherited from BoringSSL that required fixes to be backported to the stable release. That's a good thing. |
openssl
or others.Maybe gate these behind a feature switch.
Current
ring
deficiencies that will be addressed:ECDSA signing (Add ECDSA P-256 signing support briansmith/ring#207 and Add ECDSA P-384 signing. briansmith/ring#209)Not in
ring
, but "nice to have" forbiscuit
:JWK
to and from DER/PEM)Not in
ring
, but I am not surebiscuit
needs it:RSA1_5
RSA_OAEP
A128KW
,A192KW
,A256KW
A192GCMKW
ECDH-ES+A128KW
,ECDH-ES+A192KW
,ECDH-ES+A256KW
PBES2_HS256_A128KW
PBES2_HS384_A192KW
PBES2_HS512_A256KW
A128CBC_HS256
A192CBC_HS384
A256CBC_HS512
The text was updated successfully, but these errors were encountered: