use ECDSA with SHA256 signers and verifiers for elliptic curve algorithms about node-jwa HOT 8 CLOSED

Hi,

I ran in exactly the same issue.
My (probably too quick-and-dirty) solution looks like this: pgaubatz/browserify-sign@0dd151d
I'm not quite sure if it makes sense to submit a PR...

@shea256 What do you think?

Cheers,
Patrick

from node-jwa.

@pgaubatz I don't think this actually fixes the problem.

I just ended up writing my own JWT library: https://github.com/blockstack/jwt-js

Maybe it'll be helpful for you. It only currently supports the curve SECP256k1, but it is designed in a way that anyone can easily write a client for ES256, RS256, etc.

from node-jwa.

Yeah, so at the time the module was written, while openssl supported EC, there wasn't an algorithm available to call it with. So specifying RSA here gets it into openssl, and aftet it parses the PEM, it does the right thing.

I would be happy to accept a pull request which used the correct name (I looked when this issue first opened - it appears it might exist in openssl now) - perhaps deciding based off if the openssl or node.js version.

from node-jwa.

@shea256 ES256 is secp256r1, not k1

from node-jwa.

@omsmith yes, I'm aware.

I mentioned that my library only currently supports SECP256k1 (which I abbreviate as ES256k) and while my library currently doesn't support the widely accepted ES256 and RS256 standards, those could easily be added in. I might actually add in an ES256 client soon, which will use SECP256r1 (according to the standards).

from node-jwa.

There is an open PR on browserify-sign (what browserify uses to get node crypto to work) which addresses this. When that PR goes through, a change to this library to not masquerade as rsa and just use 'sha' + bits should work. Tried it out by monkeypatching locally.

from node-jwa.

Alright they merged that PR over in Browserify. @omsmith what were the limitations of a PR over here? I have a patch I wrote that's very dumb that basically just switches from RSA-SHA to sha prefixing for all ECDSA and works with Browserify as soon as that PR lands in a release. Unfortunately, I don't know too much about how this works with regards to Node or other versioning caveats. All I know is that Browserifying with these fixes works.

from node-jwa.

@samuelhorwitz feel free to submit your changes as a PR and we'll see what happens with the test suite (which will run it against older versions of node as well).

from node-jwa.