JSONWebToken.swift icon indicating copy to clipboard operation
JSONWebToken.swift copied to clipboard

Published 20 hours ago verified publisher icon kylef

Added RS256 and RS512 Support

Open popwarfour opened this issue 7 years ago • 4 comments

Had to increase deployment target to support SwiftRSA framework.

Updated README also

popwarfour avatar Jul 30 '17 14:07 popwarfour

Hi @popwarfour, I appreciate your efforts here and I'm completely for adding RSASSA-PKCS1 support to this library however I have a few concerns about the use of a third party crypto library SwiftRSA. Would you be willing to update this pull request to use system crypto (CommonCrypto) instead of SwiftRSA? There are a number of trade-offs and I think ultimately using an audited and certified library such as CommonCrypto will be more secure.

CommonCrypto is not available on non-Apple platforms, so here we can use system OpenSSL. However it seems that you perhaps are no looking to use the library on Linux so it makes sense that the RSASSA-PKCS1 would only be available on Darwin based platforms with CommonnCrypto for now.

  • Both CommonCrypto and OpenSSL are FIPS 140 compliant unlike SwiftRSA. CommonCrypto and OpenSSL are both widely used, widely trusted and audited.
  • IANAL and interpreting the BIS regulations are not simple. Users of this library (myself included) distribute applications using JSONWebToken either in the United States or use the Apple App Stores. Which means that the crypto code will have to meet US Export Compliance. I believe the custom encryption code in SwiftRSA will complicate the matters in a Self Classification Report to BIS.
  • Swift compiler does not have support for disabling certain types of optimisations which can weaken or break cryptography unlike C.

Would you be willing to update this pull request to use system crypto (CommonCrypto) instead of SwiftRSA?

kylef avatar Oct 06 '17 19:10 kylef

What is the status on this? I need RS256 support for a project. It is considered unsecure to store a secret in a unsecure client (such as an app) so we can't use HS256, right?

icedice avatar Oct 24 '17 14:10 icedice

You can use my fork for now. I haven't had the time to make kylef's suggested changes.

popwarfour avatar Oct 25 '17 17:10 popwarfour

I'm trying to use your fork now. I simply starting by trying to get the sample data from jwt.io (RS256) to work, so use this as input:

eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.EkN-DOsnsuRjRO6BxXemmJDm3HbxrbRzXglbN2S4sOkopdU4IsDxTI8jO19W_A4K8ZPJijNLis4EZsHeY559a4DFOd50_OqgHGuERTqYZyuhtF39yxJPAjUESwxk2J5k_4zM3O-vtd1Ghyo4IbqKKSy6J9mTniYJPenn5-HIirE

But I'm not sure what format the secret/public key should be in, i tried raw public key with and without -----BEGIN PUBLIC KEY----- and -----END PUBLIC KEY----- and i tried a self signed certificate containing the public key ( because of this thread https://stackoverflow.com/questions/43629383/validate-jwt-token-with-rs256-or-rs512-with-swift-ios).

Could you point me in the right direction?

icedice avatar Oct 30 '17 12:10 icedice