Add support for PS256, PS384, PS512 about fusionauth-jwt HOT 7 CLOSED

When is it planned to release this feature?

from fusionauth-jwt.

Not sure. I need to do some more research to see how much if any of this is possible within the JDK and if any eternal deps are required. If external deps are required I'll probably not implement it in this library and instead make a a separate library to build the additional verifier and signer objects.

from fusionauth-jwt.

As I understand it, current JDKs support this: https://bugs.java.com/bugdatabase/view_bug.do?bug_id=8229518

In my opinion, supporting PSS is important, since the asymmetric alternatives have flaws:
RSxxx uses PKCS#1 v1.5 (difficult to implement correct, see recurring problems with Bleichenbacher attacks; PSS solves the problem fundamentally) and ESxx uses ECDSA (possibility of leaking the private key by using a weak random numbers) on NIST curves (http://safecurves.cr.yp.to/).

from fusionauth-jwt.

Thanks for the link @JuliusPC I'll take a look.

from fusionauth-jwt.

It looks like the support is pretty good, I prototyped a verifier. I may be able to get this out shortly.

from fusionauth-jwt.

Committed initial support for these algorithms.
76a9fdd

I need to do some more testing, and make sure the JSON Web Key parsing doesn't need any changes, but so far it looks pretty straight forward.

Using this new algorithms will require the latest Java 8 (>= u251), or later versions of Java.

from fusionauth-jwt.

Available in version 3.5.0.

from fusionauth-jwt.