Comments (8)
Yes, my comment was in support of a change in default, as in "we use sha256 in latchset/jwcrypto and it gave no problems so far"
I am okay with changing the default. However, care should be taken to validate that this doesn't break clevis or tang.
I submitted a PR for clevis, to have it handle a different default hash for the thumbprints. tang would not be affected by such a change.
As a data point, we use sha256 by default in jwcrypto:
https://github.com/latchset/jwcrypto/blob/787f69a82e2e9d9a425c75c4ac729e52461db4fb/jwcrypto/jwk.py#L927
Right, but if somebody calls jose directly, he will get SHA-1. For example, when verifying the key hash from cockpit, which has just this in the last part:
jose jwk thp -i-
https://github.com/cockpit-project/cockpit/blob/master/pkg/storaged/crypto-keyslots.jsx#L322
or from tang's tang-show-keys:
https://github.com/latchset/tang/blob/master/src/tang-show-keys#L35
I am okay with changing the default as well. I will do some investigation beforehand on how clevis/tang would behave with it.
@sergio-correia Thanks for looking into that. The above change is probably a first step, but more changes will need to follow, including changes to tang (tang-show-keys now uses default sha1 thumbprints) and cockpit (calls tang-show-keys or jose directly without specifying which hash to use either).
tang-show-keys displays the thumbprints using jose's default hash algorithm (SHA1 as of now). If that default changes, the thumbprints will change, naturally, but they should still work with clevis -- I just added a second commit to that PR updating the encryption path as well.
So, for instance (tang-show-keys slightly modified):
$ tang-show-keys
S1 -> Ocx3bX2P9myWZ2gwgV1mWN1CjLk
S224 -> OivRmo86_m9j1fcAGXmZP-b8NYPWVAEn6jFGqw
S256 -> W9hOYnHQAgDjNIYk4ChKjNgh07vO3OyJ6du61o8metU
S384 -> nymK5nTbNxNSPsaak1JjbKU7wV5CGHaOIsyrqhWpGu01QGpkQe112dquUMfeceOY
S512 -> ZFfbUo4qRRfc0J65yc_9U43YrYNU2BmL4jco4vvxZSDrqoR-boXHq4teL3pXt2EqZgvll8HJxHg93c6B1CUXiw
Using any of these thumbprints should be fine, e.g.:
echo foo | clevis encrypt tang '{"url":"localhost", "thp":"Ocx3bX2P9myWZ2gwgV1mWN1CjLk"}'
echo foo | clevis encrypt tang '{"url":"localhost", "thp":"ZFfbUo4qRRfc0J65yc_9U43YrYNU2BmL4jco4vvxZSDrqoR-boXHq4teL3pXt2EqZgvll8HJxHg93c6B1CUXiw"}'
I am not sure about cockpit, but if they are using the thumbprint from tang-show-keys with clevis, it should be good.
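As an added example (not jose's, clevis's or tang's own code), this is the RFC 7638 thumbprint computation behind jose jwk thp, parameterised by hash so the same key yields the SHA-1 and SHA-256 strings a changed default would produce, plus the check a consumer needs to accept a thumbprint from any supported hash, as the comment above describes clevis doing. The sample JWK and its coordinates are constructed placeholders.

```python
import base64
import hashlib
import json

# RFC 7638 section 3: the thumbprint input is a JSON object holding only the
# required public members of the key type, member names sorted, no whitespace.
# Optional members such as "alg" or "kid" are excluded, so they never change it.
REQUIRED_MEMBERS = {
    "EC": ("crv", "kty", "x", "y"),
    "RSA": ("e", "kty", "n"),
    "oct": ("k", "kty"),
}

# Hash names jose accepts for thumbprints, in the order tang-show-keys lists them
THP_HASHES = ("sha1", "sha224", "sha256", "sha384", "sha512")


def canonical_jwk(jwk: dict) -> bytes:
    """Serialise the JWK exactly as RFC 7638 requires before hashing."""
    subset = {name: jwk[name] for name in REQUIRED_MEMBERS[jwk["kty"]]}
    return json.dumps(subset, sort_keys=True, separators=(",", ":")).encode()


def b64url(raw: bytes) -> str:
    """base64url without padding, the encoding used for JWK thumbprints."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def thumbprint(jwk: dict, hash_name: str = "sha1") -> str:
    """Thumbprint under the given hash; sha1 mirrors jose's current default."""
    return b64url(hashlib.new(hash_name, canonical_jwk(jwk)).digest())


def matching_hash(jwk: dict, thp: str):
    """Return which supported hash produced thp for this key, or None if none does."""
    for hash_name in THP_HASHES:
        if thumbprint(jwk, hash_name) == thp:
            return hash_name
    return None


# Constructed sample EC key (not a real tang key; coordinates are placeholders)
SAMPLE_JWK = {
    "kty": "EC", "crv": "P-521", "alg": "ES512", "kid": "example",
    "x": "AQIDBAUGBwgJCgsMDQ4PEBESExQVFhcYGRobHB0eHyAhIiMkJSYnKCkqKywtLi8wMTIzNDU2Nzg5Ojs8PT4_QA",
    "y": "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVpbXF1eX2BhYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5ent8fX5_gA",
}

if __name__ == "__main__":
    for hash_name in THP_HASHES:
        print(hash_name, "->", thumbprint(SAMPLE_JWK, hash_name))
```

A consumer that only compares against the default-hash thumbprint breaks the moment the default moves from SHA-1 to SHA-256; matching_hash shows the hash-agnostic comparison that keeps both old and new thumbprints working.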