Support using Cryptographic providers

Question

Support using Cryptographic providers

aps-augentictech opened this issue 2 years ago · comments

António Pedro Santos commented 2 years ago

Hi y'all

Describe the problem you'd like to have solved

In my project, I'm required to use an HSM (Hardware Security Module) for computing digital signatures. This particular HSM provides a Java API which includes a java.security.Provider class. This class is tasked with making the HSM specific calls for computing signatures with a given java.security.PrivateKey reference.
The same could be said if we want to use BouncyCastleProvider, another common crypto provider in the Java and .NET crypto communities.
Specifying the signature provider is standard Java, as can be observed in the Signature.getInstance(String algorithm, String provider).
Unfortunately, there's no way in auth0 to pass a provider instance or it's name to the CryptoHelper.

Describe the ideal solution

Since auth0 is already relying on java.security.Signature class to compute signatures, for me, the ideal solution would be to add a provider parameter to the JWTCreator.Builder#sign(Algorithm algorithm) method to match the java.security.Signature.getInstance(String algorithm, String/Provider provider) method in the Java API.

Alternatives and current work-arounds

I'm unsure if setting the HSM provider as the provider in position 0 of the providers list would suffice. Other than this, I'm forking auth0 and modifying the code.

Additional information, if any

I'm using auth0 3.16.0.
I'm also available to implement this and create a pull request with the code. I'm doing it right now..

Regards
Antonio Pedro Santos

António Pedro Santos · Answer 1 · Wed Jul 13 2022 05:38:58 GMT+0800 (China Standard Time)

Hello again,

I have the code ready but have no permissions to push a new branch ;). I was able to keep the API untouched, as the tests remain unchanged and still compile.

Hope to hear back from you. In the meantime, I'm using my fork from release-4.0.0.

Regards
Antonio Pedro Santo
provider_support_patch.zip
s

António Pedro Santos · Answer 2 · Wed Jul 13 2022 05:39:41 GMT+0800 (China Standard Time)

Yeah, in the previous comment I attached the patch but forgot to say so..

Regards
APS

Jim Anderson · Answer 3 · Tue Sep 06 2022 21:09:00 GMT+0800 (China Standard Time)

Hi @aps-dnxt, apologies for the delay. Thanks for the request and offer to make a PR. We'll take a look at this and see if this is something that makes sense to add.

António Pedro Santos · Answer 4 · Fri Sep 09 2022 02:21:34 GMT+0800 (China Standard Time)

Hi @jimmyjames

In our case it did given that we are using both BouncyCastle's Provider and a Luna HSM (which has it's own provider).
Maybe it's an edge case but it would also provide more flexibility to the lib. Win-win, right?

Regards,
APS

Taylor Eagy · Answer 5 · Thu Sep 22 2022 02:36:18 GMT+0800 (China Standard Time)

I had a similar situation come up where I was using this JWT library in a java application running on a CentOS 7 image with FIPS enabled and it was refusing to allow any of the algorithms supported by this library to be used. It would be nice to allow alternative providers like BouncyCastle for those cases. It would be great if Argon2 could be added. Spring's Security Crypto module uses bouncy castle under the hood to implement it. https://docs.spring.io/spring-security/site/docs/6.0.x/api/org/springframework/security/crypto/argon2/Argon2PasswordEncoder.html

Jim Anderson · Answer 6 · Fri Sep 23 2022 09:44:04 GMT+0800 (China Standard Time)

@aps-dnxt 👋 If we can add this through standard Java typings, it may be a win-win. Could you provide some details about the new public APIs proposed (signatures) and if any additional dependencies would be required (doesn't sound like it, but just to be sure). Or if you already have the changes made, we could just review in a PR (are you still unable to make a PR?). If not we can look at the patch you provided (though we do want contributions so should figure out why that's an issue). Thanks again!

António Pedro Santos · Answer 7 · Mon Sep 26 2022 12:22:38 GMT+0800 (China Standard Time)

Hi @jimmyjames! Just opened a PR. Yes, I used all standard Java typings. Hope it's up to the project's quality.
I also thank you and the rest of the team for all the work you threw at this so that I can use it in my project :).

Regards.

stale · Answer 8 · Sun Jan 08 2023 07:39:47 GMT+0800 (China Standard Time)

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. If you have not received a response for our team (apologies for the delay) and this is still a blocker, please reply with additional information or just a ping. Thank you for your contribution! 🙇‍♂️

stale · Answer 9 · Mon May 22 2023 06:52:10 GMT+0800 (China Standard Time)

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. If you have not received a response for our team (apologies for the delay) and this is still a blocker, please reply with additional information or just a ping. Thank you for your contribution! 🙇‍♂️