Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Improve signing keys interoperability. #172

Open
gibbz00 opened this issue Jun 3, 2024 · 1 comment · May be fixed by #173
Open

Improve signing keys interoperability. #172

gibbz00 opened this issue Jun 3, 2024 · 1 comment · May be fixed by #173

Comments

@gibbz00
Copy link

gibbz00 commented Jun 3, 2024

Two things that I'm trying to achieve: Creating the signing keys when starting a server. And being able to have access to the original signing key so that it can be used in other libraries (e.g for ramosbugs/oauth2-rs#274).

I'm currently creating the keys myself to achieve this. They are then converted to PEM to be read from PEM again in
CoreRsaPrivateSigningKey::from_pem. I'm also forced to store both versions of the same key separately.

let rs256_signing_key = rsa::pkcs1v15::SigningKey::new(RsaPrivateKey::new(&mut csprng, 2048)?);
let oidc_rs256_signing_key = CoreRsaPrivateSigningKey::from_pem(&rs256_signing_key.to_pkcs1_pem(Default::default())?, None)?;

As such, I would like the ability for CoreRsaPrivateSigningKey to provide a new_random constructor, but also a method which exposes the inner signing key. Perhaps unified under PrivateSigningKey trait methods. Doing so removes the need for users to pull in a bunch of crypto-dependencies themselves, whilst still being able to reuse the private signing in other parts of the rust ecosystem.

I would be more than happy to create PRs myself if these features would be appreciated.

@gibbz00 gibbz00 changed the title Improve singing keys interoperability. Improve signing keys interoperability. Jun 3, 2024
@gibbz00 gibbz00 linked a pull request Jun 3, 2024 that will close this issue
@ramosbugs
Copy link
Owner

Hey @gibbz00, I'm curious about the use case here. Usually signing keys are somewhat long-lived (at least 24 hours, though typically on the order of months with major OIDC providers), so my assumption was that they'd be generated elsewhere and then loaded from disk or a secrets vault at startup. Would you mind providing a bit more context so I can determine how widely-applicable these changes are likely to be?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging a pull request may close this issue.

2 participants