Add RSASSA-PSS (PS256) signature support BEP #1390
Conversation
randilt
requested review from
MaryamZi,
gimantha,
hasithaa,
jclark and
sameerajayasoma
as code owners
There was a problem hiding this comment.
Pull Request Overview
This PR adds a Ballerina Enhancement Proposal (BEP) for RSASSA-PSS (PS256) signature support in the Ballerina crypto module. The current implementation only supports classic RSA signatures using PKCS#1 v1.5 padding, but modern security protocols increasingly require or prefer RSASSA-PSS signatures.
- Creates comprehensive technical specification for adding RSASSA-PSS signature generation and verification APIs
- Proposes API design following existing crypto module patterns with
signRsaSsaPss256andverifyRsaSsaPss256Signaturefunctions - Documents implementation architecture, risks, dependencies, and future roadmap for PS256 support
Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.
|
|
||
| Two new functions will be added to the `crypto` module following the exact naming pattern of existing RSA signature functions: | ||
|
|
||
| ````ballerina |
There was a problem hiding this comment.
Use triple backticks (```) instead of quadruple backticks (````) for code blocks. Quadruple backticks are non-standard markdown syntax.
| ````ballerina | |
| ```ballerina |
| # + privateKey - Private key used for signing | ||
| # + return - The generated signature or else a `crypto:Error` if the private key is invalid | ||
| public isolated function signRsaSsaPss256(byte[] input, PrivateKey privateKey) returns byte[]|Error; | ||
| ```` |
There was a problem hiding this comment.
Use triple backticks (```) instead of quadruple backticks (````) for code block closing. Quadruple backticks are non-standard markdown syntax.
| ```` |
| ```` | ||
|
|
||
| ````ballerina |
There was a problem hiding this comment.
Use triple backticks (```) instead of quadruple backticks (````) for code blocks. Quadruple backticks are non-standard markdown syntax.
| ```` | |
| ````ballerina |
| # + publicKey - Public key used for verification | ||
| # + return - Validity of the signature or else a `crypto:Error` if the public key is invalid | ||
| public isolated function verifyRsaSsaPss256Signature(byte[] data, byte[] signature, PublicKey publicKey) returns boolean|Error; | ||
| ```` |
There was a problem hiding this comment.
Use triple backticks (```) instead of quadruple backticks (````) for code block closing. Quadruple backticks are non-standard markdown syntax.
| ```` |
|
@randilt add minor comments, please check |
Co-authored-by: Danesh Kuruppu <daneshk@users.noreply.github.com>
Applied the suggestions and intentionally kept the additional backticks (ignored copilot suggestions). The outer four backticks are needed because the code block itself contains triple backticks. |
However, we typically use triple backticks for code blocks in other proposals. |
|
@randilt, shall we have triple backticks to be consistent with others? Can you do that? Proposal LGTM |
2 participants
Purpose
This PR adds a Ballerina Enhancement Proposal (BEP) for RSASSA-PSS (PS256) signature support in the Ballerina crypto module. The current crypto library only supports classic RSA signatures using PKCS#1 v1.5 padding, limiting developers who need modern cryptographic standards like JWT PS256, OAuth 2.0, and other security protocols that require or prefer RSASSA-PSS signatures.
Resolves #8292
Goals
Related PRs