RSA signature using SHA-256 hashing algorithm

[Aranir]

Is it possible to create an RSA signature using SHA-256 hashing algorithm?

As this is the only one supported by the Google App Engine for authentication.

[jasongoodwin]

Hey sure - it can be added relatively easily if it's not implemented.
I'll have a peak shortly.

Sent from my iPhone

On Sep 13, 2014, at 7:13 AM, Roger Küng notifications@github.com wrote:

Is it possible to create an RSA signature using SHA-256 hashing algorithm?

As this is the only one supported by the Google App Engine for authentication.

—
Reply to this email directly or view it on GitHub.

[jasongoodwin]

Been pretty busy - feel free to make a PR if you implemented this. It's on my radar.

[jasongoodwin]

Obviously I suck and haven't added this - working on a book and hope to be done end of the month - I'll try to add the missing hash algorithms shortly.

[obihann]

Any progress on this? I also would love the addition of RSA since it would let me better use private keys for signing and public keys for verification, if you need some help I'd be up to pitch in.

[jasongoodwin]

It's not done - it should be fairly trivial. If you want to do it, fork and make a pull request - I'll review it and accept it. I'm pretty busy until maybe mid july but it really should be trivial to implement. I'm leaving myself a post-it to remind me to do it after hours one day. It would be awesome if you can do it - just let me know if you start work so we don't duplicate efforts.

[obihann]

I can start tonight probably, I just want to double check I'm understanding things correctly so here is my use case:

1. I generate a JWT and instead of using HMAC I use JWT, and instead a passphrase like "password" I will be able to pass in a RSA private key
2. Then on whatever other server is attempting to verify the JWT, they can do so using a matching public key?

For coding, its really just an additional algorithm, the rest is already in place or would be done by the user implementing authentikat-jwt.

[jasongoodwin]

Hey, you should just be able to implement the algorithm fairly simply:
The JWS file here has the existing algorithms:
https://github.com/jasongoodwin/authentikat-jwt/blob/master/src/main/scala/authentikat/jwt/JsonWebSignature.scala

Add the new case classes for the algorithms, the new pattern matching for the different RSA generators, and then the private key is still just a text string I believe. So you'd make the method to do the hashing. That should be more or less it. Validation is just done by hashing and comparing. If you don't get it done I'll try to tackle it over the weekend as well - I'm just really behind on writing this damn book.

[jasongoodwin]

Any progress? I'll look at it tonight if not.

[jasongoodwin]

Hey I had a stab at it tonight but was not able to complete it. This probably requires an API change - the signature is produced with a private key, and then verified with the public key. Not a terribly complex problem to solve but the encryption APIs take a bit of effort to work with.

[jasongoodwin]

Example here _ I could be wrong in terms of jwt though. I'll read through the spec and libs. http://www.java2s.com/Tutorial/Java/0490__Security/RSASignatureGeneration.htm

[spry-rproud]

Any progress updates?

[obihann]

@spry-rproud none from me but thanks for the poke :) @jasongoodwin if you don't get to this during the week I'll take another stab at it over the weekend, I have a hectic week coming up so I can't do this any sooner unfortunately. I'm making a note now for myself to try to resolve this on the weekend 👍

[jasongoodwin]

Hey obihann has a PR for this - I'll hang out w/ it this week and hopefully release it by next weekend.
Thanks for your patience and sorry for the delay in getting this feature in. I'm hoping by next weekend I can have it validated and released.