Implement rsa-sha1/rsa-sha256/ecdsa-sha256 algorithms
This supersedes my original PR that only implemented the rsa-* algorithms, and adds support for ecdsa-sha256 as well.
Notes for reviewer
- I think the ECDSA signature generation is correct, but the HTTP signatures RFC is light on details, and just points to the format that JOSE uses.
- Probably extra attention needs to be paid to the ECDSA implementation to make sure it adheres to the spec. Unfortunately, the RFC doesn't provide any test fixtures to use for signature generation/verification.
Thanks for submitting this. I think it's really important. It also needs some careful review which I can't do right now. I hope somebody else can, otherwise I'll get to it eventually.
No worries :). Definitely agree that this should be reviewed carefully, especially the ECDSA implementation, since the RFC is pretty light on details for it.
Hi @ejholmes, I'm looking at adding EC support to 99designs/http-signatures-php, and I'm also working on improving the RFC itself. Agreed it's not up to scratch; what specifically are you looking to see?
From my end, I don't like that we're pointing to the JWS spec; we should rather aim at an EC-specific spec, but I'm not familiar with the literature (or much about EC in general), so some research needed.
@liamdennehy I think most of my issues were addressed with the addition of a https://github.com/w3c-ccg/http-signatures-test-suite, but I haven't had a chance to test this PR against it.