DTLS 1.3 RSA-PSS Signature Scheme Support #778
Conversation
|
Also, AFAICT this is the last of the mandatory-to-Implement signatures ( |
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## master #778 +/- ##
==========================================
+ Coverage 81.40% 81.59% +0.18%
==========================================
Files 103 103
Lines 5717 5803 +86
==========================================
+ Hits 4654 4735 +81
- Misses 684 689 +5
Partials 379 379
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
|
Some early thoughts on this from you would be really awesome :D - if you have time, of course. This PR implements what's noted above, but wanted to also use it as a discussion point for this comment from @theodorsm :
|
| // SelectSignatureScheme returns most preferred and compatible scheme. | ||
| func SelectSignatureScheme(sigs []Algorithm, privateKey crypto.PrivateKey) (Algorithm, error) { | ||
| // For DTLS 1.2, RSA-PSS schemes are filtered out as they are only supported in DTLS 1.3. | ||
| func SelectSignatureScheme(sigs []Algorithm, privateKey crypto.PrivateKey, protocolVersion protocol.Version) (Algorithm, error) { |
There was a problem hiding this comment.
We should be very strict on breaking current public APIs. We should rather offer a separate API like SelectSignatureScheme13 or as a functional optional config .
There was a problem hiding this comment.
My preference is the functional optional config, but we don't use that pattern anywhere else in pion/dtls or pion/* afaict. What is your preference?
There was a problem hiding this comment.
We are moving towards the functional optional config: #765, #731 (comment)
|
Some quick comments to add to the discussion: We are having a disucssion about DTLS 1.2 and DTLS 1.3 architectural separation in PR #738. So far I am thinking to split off the code in I support the functional optional config as this is the way forward for Pion (#765). I will take a closer look at this draft in the coming week. |
|
for #765 I'll open a PR soon for the config pattern, I did work on it but I forgot to push it. |
Will hold off working on this till then :) |
3 participants
DTLS 1.3 RSA-PSS Signature Scheme Support
Address part of #776
Adds support for the
RSA_PSS_RSAE_SHA256digital signature algorithm, which is mandatory-to-implement per RFC 8446 section 9.1.Also adds support for:
RSA_PSS_RSAE_SHA384RSA_PSS_RSAE_SHA512RSA_PSS_PSS_SHA256RSA_PSS_PSS_SHA384RSA_PSS_PSS_SHA512This is all dead code, but I opted for a small, self-contained, PR. Next up is a bigger change: implementing the
signature_algorithms_certextension, but perhaps this PR is enough to start the conversation for #776 (comment). cc:// @theodorsmBasically, breaks
SelectSignatureScheme:func([]Algorithm, crypto.PrivateKey) (Algorithm, error)func([]Algorithm, crypto.PrivateKey, protocol.Version) (Algorithm, error)But if we don't want to break the API we could do something like this:
and
and can still be called the way it is called today:
but also
I'm new here so I don't know how much we care or don't care about breaking this contract - but either way, there is a way forward (and I really like the functional optional config options).