go-jose
Support JWT with ES256K (secp256k1) signature
As I understand it, go-jose currently supports these keys:
- P-256
- P-384
- P-521

Are there any plans to support ES256K keys in go-jose? As in this Java example: https://connect2id.com/products/nimbus-jose-jwt/examples/jwt-with-es256k-signature
I'm not planning on working on this at the moment, but pull requests are welcome!
The curve parameter a of secp256k1 is 0, while the package crypto/elliptic only supports short-form Weierstrass curves with a=-3. We have to use another library, e.g., the secp256k1 in go-ethereum.
I wonder if this is acceptable by using the above mentioned secp256k1 package to finish this issue.
If there is another solution, please let me know. I am willing to add the curve secp256k1 to this repo.
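The a = 0 versus a = -3 mismatch raised in the comment above, as an added Go example (not go-jose code and not written by anyone in this thread). The function names are hypothetical, the curve constants are the published secp256k1 domain parameters, and the sample key is constructed from the base point G.

```go
package main

import (
	"crypto/elliptic"
	"encoding/base64"
	"fmt"
	"math/big"
)

// secp256k1 domain parameters: y² = x³ + 7 over F_p, i.e. a = 0 and b = 7.
var (
	p, _  = new(big.Int).SetString("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F", 16)
	gx, _ = new(big.Int).SetString("79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798", 16)
	gy, _ = new(big.Int).SetString("483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8", 16)
	b     = big.NewInt(7)
)

// StdlibOnCurve asks crypto/elliptic's generic code, which evaluates y² = x³ - 3x + b.
func StdlibOnCurve(x, y *big.Int) bool {
	return (&elliptic.CurveParams{P: p, B: b, BitSize: 256, Name: "secp256k1"}).IsOnCurve(x, y)
}

// OnSecp256k1 checks y² = x³ + 7 (mod p) directly, with a = 0.
func OnSecp256k1(x, y *big.Int) bool {
	if x.Sign() < 0 || y.Sign() < 0 || x.Cmp(p) >= 0 || y.Cmp(p) >= 0 {
		return false
	}
	rhs := new(big.Int).Exp(x, big.NewInt(3), p)
	rhs.Add(rhs, b).Mod(rhs, p)
	return new(big.Int).Exp(y, big.NewInt(2), p).Cmp(rhs) == 0
}

// ValidateJWKPoint rejects wrong-length or off-curve base64url "x"/"y" values before any signature check.
func ValidateJWKPoint(xB64, yB64 string) error {
	xb, errX := base64.RawURLEncoding.DecodeString(xB64)
	yb, errY := base64.RawURLEncoding.DecodeString(yB64)
	if errX != nil || errY != nil || len(xb) != 32 || len(yb) != 32 {
		return fmt.Errorf("x and y must be 32-byte base64url values")
	}
	if !OnSecp256k1(new(big.Int).SetBytes(xb), new(big.Int).SetBytes(yb)) {
		return fmt.Errorf("point is not on secp256k1")
	}
	return nil
}

func main() {
	enc := func(n *big.Int) string { return base64.RawURLEncoding.EncodeToString(n.Bytes()) }
	fmt.Println("crypto/elliptic (a=-3) accepts G:", StdlibOnCurve(gx, gy), "| a=0 equation:", OnSecp256k1(gx, gy))
	fmt.Println("JWK point check on G:", ValidateJWKPoint(enc(gx), enc(gy)))
}
```

The generic crypto/elliptic path rejects the curve's own base point, which is why a dedicated secp256k1 implementation is needed for ES256K; the math/big arithmetic here is not constant-time and is suitable only for public-value checks like this one.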
> The curve parameter a of secp256k1 is 0, while the package crypto/elliptic only supports short-form Weierstrass curves with a=-3. We have to use another library, e.g., the secp256k1 in go-ethereum.
> I wonder if this is acceptable by using the above mentioned secp256k1 package to finish this issue.
> If there is another solution, please let me know. I am willing to add the curve secp256k1 to this repo.
I'm concerned that this Ethereum Go implementation is using a C library here. I don't think we wanna depend on C.
Preferably, if there's a native go implementation, it would be best.
Thanks
@sunshuzhou ref secp256k1 in native go PR (it is not merged) https://github.com/golang/go/pull/26873
also, the PR was forked here as separate reference: https://github.com/eliwjones/crypto
@Baha-sk
Nice to hear about that. If the secp256k1 curve is made available in native go crypto/elliptic, supporting ES256K keys in go-jose will be easy.
I will track that issue golang/go#26873.
A draft RFC registering ES256K: COSE and JOSE Registrations for WebAuthn Algorithms (M. Jones).
@csstaub will you be willing to accept a PR that imports https://github.com/btcsuite/btcd to implement this issue? (package in question: https://github.com/btcsuite/btcd/tree/master/btcec)
If yes, we can submit a PR that imports this library.
I'd be much happier if we didn't have to import the entire btcd package.
Have to concur with @mbyczkowski here, that's a lot to ~implement~ import as a dependency. Any chance this can be split out into its own package?
Also, to clarify, by "split out into its own package" I mean have the secp256k1 implementation in a package outside of btcd that can be imported without pulling in the whole btcd code along with it.
It's also possible to turn github.com/btcsuite/btcd/btcec into a Go module without extracting the code from the repo (see multi-module repos FAQ), but I'm not sure how btcd maintainers feel about that.
@csstaub @mbyczkowski thank you for your input, which is valid. But we don't own nor have contributed to btcd. @kdimak has tested its signing/verification and compared the results with a secp256k1 C implementation and the output is the same.
So importing a Go package seems to be a better solution than importing C calls in Go as the project doesn't need to depend on C.
To be honest this algorithm is gaining traction in the Crypto world and is being standardized. It would be great if Go-Jose gets updated with the newest (standard) signing/encryption algorithms available. It's a definite plus for Go-Jose library users.
Not sure how to go forward with this, but we are hoping to use Go Jose with this algorithm, we can definitely create a fork, but it's not our goal. Our last resort would be to forego this project and build our own JWE/JWS (simple) implementation that specifically supports secp256k1.
ps: we use modules in our projects too, but have no relation whatsoever with nor are we endorsing btcd project. We found out that they implement the algorithm we need in Go (through Google search of course).
> It's also possible to turn github.com/btcsuite/btcd/btcec into a Go module without extracting the code from the repo (see multi-module repos FAQ), but I'm not sure how btcd maintainers feel about that.
I can definitely create an issue in btcd project to ask if they can switch btcd/btcec package to a Go module. The whole project does support Go modules already.
@mbyczkowski @csstaub @kdimak issue in btcd to make btcec package a go mod is posted: https://github.com/btcsuite/btcd/issues/1495
Hopefully they will agree to the proposal..
> @mbyczkowski @csstaub @kdimak issue in btcd to make btcec package a go mod is posted: btcsuite/btcd#1495
> Hopefully they will agree to the proposal..
Apparently btcd provided a link to a fork that has the crypto primitive in a go mod so we can reference it (alone) in go-Jose. It's claimed to be from the btcd authors. @kdimak has updated his PR (#278) referencing this new package.