Conversation
|
@buleuszmatak I'll give you a few days to check this out and comment before I merge it. |
|
|
||
| @Override | ||
| public byte[] getEncoded() { | ||
| return privateKey.getSecret(); |
There was a problem hiding this comment.
https://github.com/nats-io/nkeys.java/pull/18/changes#r2711848345
If this isn't correct, it may be wrong since the original.
Yes
Also, it may not matter for the purpose of the NKEY.
Yes. nkeys.java returns incorrect value, but everywhere it calls this method, it expects the value, so things cancel out for the nkey.java itself.
After all, it's essentially just a NATS thing, not a general security thing.
java.security.KeyPair is a general security thing, and io.nats.nkey.NKey#getKeyPair is public.
I'm sure I don't understand why this is a problem, but this works
Ed25519PrivateKeyParameters privateKey = new Ed25519PrivateKeyParameters(nkey.getKeyPair().getPrivate().getEncoded()); Ed25519Signer signer = new Ed25519Signer(); signer.init(true, privateKey); signer.update(input, 0, input.length); return signer.generateSignature(); }
org.bouncycastle.crypto.params.Ed25519PrivateKeyParameters#Ed25519PrivateKeyParameters(byte[]) expects raw seed, as opposed to io.nats.nkey.KeyWrapper which claims to return key in the PKCS#8 format.
Possible solutions are:
- don't return
java.security.KeyPair, but some NATS thing - restrict access to
io.nats.nkey.NKey#getKeyPair - prefix returned values to actually be PKCS#8
- fixing this here, in FIPS provider, would be as simple as returning result of
getEncodedinstead ofgetSecretand calling the previous methods where the raw value is needed within theFipsNKeyProvider
- fixing this here, in FIPS provider, would be as simple as returning result of
There was a problem hiding this comment.
Good suggestion, turned this into an issue to address later. #28
Co-authored-by: Buleusz Matak <215200949+buleuszmatak@users.noreply.github.com>
Co-authored-by: Buleusz Matak <215200949+buleuszmatak@users.noreply.github.com>
2 participants
No description provided.