whyoleg / cryptography-kotlin Goto Github PK

Introduce an API for storing keys in JDK KeyStore, Apple KeyChain, SecureEnclave and other places.

Add support for ECDSA secp256k1 (current is secp256r1)
Add more cryptography providers like bouncycastle and spongycastle

val ecdsa = provider.get(ECDSA)
val keyPairGenerator = ecdsa.keyPairGenerator(EC.Curve.P521)
val keyPair: ECDSA.KeyPair = keyPairGenerator.generateKey()

I wasn't found setPublicKey()

I wish support for RSA.PKCS1 on the -apple provider. The openssl3-prebuilt works fine on iOS for me, but I fear that I will have to provide a export compliance, because it's additional cryptography to the apple build-in:
https://developer.apple.com/documentation/security/complying_with_encryption_export_regulations

As far as I understand I do not need to fill this form I just use cryptography provided by Apples framework.

My use case is verification of RS256 JWT signatures.

@whyoleg How to use the below code here.

Cipher cipher = Cipher.getInstance("RSA/ECB/PKCS1Padding");

Hey there 👋

I just started using the BigInt functionality of this library and a slightly different use case came across: CRC (Cyclic Redundancy Check). Would that be in-scope for this library? If so, how likely is it to be supported? Thanks!

This is a proposal to support native Arm64 Linux. Artifacts might be build on Linux/Mac X64/Arm64 without additional testing. I believe providing artifacts without additional testing is better than nothing for tier-3 targets. I don't know though, whether connecting openssl to this new target challanging or not.

Introduce standalone JOSE support module with JWT/JWK/etc.
Support for JWK encoding/decoding can also be used afterwards in providers other than WebCrypto.

Full list of RFCs:

• JWS: https://datatracker.ietf.org/doc/html/rfc7515
• JWE: https://datatracker.ietf.org/doc/html/rfc7516
• JWK: https://datatracker.ietf.org/doc/html/rfc7517
• JWA: https://datatracker.ietf.org/doc/html/rfc7518
• JWT: https://datatracker.ietf.org/doc/html/rfc7519
• JOSE examples: https://datatracker.ietf.org/doc/html/rfc7520

Introduce support for encoding/decoding of X.509 Certificates in ASN.1 module.
Additionally add support for storing certificates/certificate chains in PKCS12 format.

• support lists encoding
• Support default (optional values) encoding configuration
• Support unknown keys
• Support context-specific classes (f.e x [0] INTEGER OPTIONAL )

Current Linux implementation for PlatformRandom only checks for an error, but does not check if the number returned (the number of bytes retrieved from /dev/urandom) filled the ByteArray completely.

See fillCompletely

And fillCompletelyUsage

for pointers

Guide should cover all available operations (not all algorithms). Some defaults could be different, from what is in JDK, so this also should be mentioned. Here is a list of JDK candidates for migration from:

• MessageDigest
• Cipher
• Signature
• Mac
• KeyGenerator
• KeyPairGenerator
• Key (for key encoding)
• KeyFactory (for key decoding

For the linux implementation of PlatformRandom it should poll /dev/random once and only once before attempting to retrieve bytes from /dev/urandom to ensure it is properly seeded. This was an issue with SecureRandom on Android for API 1-18 which caused some mayhem.

https://android-developers.googleblog.com/2013/08/some-securerandom-thoughts.html

Can see my implementation for pointers https://github.com/05nelsonm/secure-random/blob/master/secure-random/src/linuxAndroidMain/kotlin/io/matthewnelson/secure/random/internal/URandom.kt

Those algorithms are useful when developing multiplatform applications with ktor.

Project: Compose Multiplatform
Library version: 0.3.0
agp = "8.2.0"
kotlin = "1.9.22"
compose-bom = "2024.02.02"

I have an error implementing cryptography-bom in the commonMain module
cryptography-bom
cryptography-core
provider-jdk

Caused by: org.gradle.api.internal.artifacts.ivyservice.DefaultLenientConfiguration$ArtifactResolveException: Could not resolve all files for configuration ':composeApp:iosArm64CompilationDependenciesMetadata'.

Allow to perform operations (such as encryption) over Sources from kotlinx.io, including files.
Additionally if needed some more low-level APIs could be implemented, so that kotlinx.io integration will just use it, f.e:

• Function operations (cipher, signature, hash), where it will be possible to call update/final (like in JDK APIs)
• Operations with provided output buffer
• functions for calculating signature/digest/plaintext/etc sizes

• Operators (+-/* etc)
• benchmarks for different operations
• BigIntRange
• toByte/toInt/etc exact variants (which will fail on overflow)
• Integration with Random API
• align exceptions, validation, error messages between platforms

How to reproduce:

• Environment: Windows 11 (latest updates)
• Check out the main branch and load the project on Android Studio
• Run "dev.whyoleg.cryptography.providers.openssl3.prebuilt.PrebuiltLibCrypto3Test" on mingwX64 target

Expected result: Test runs and passes

Actual result:
FAILURE: Build failed with an exception.

• What went wrong:
  Execution failed for task ':cryptography-provider-openssl3-prebuilt:mingwX64ReleaseTest'.

command 'C:\Users\blurk\git\cryptography-kotlin\cryptography-providers\openssl3\prebuilt\build\bin\mingwX64\releaseTest\test.exe' exited with errors (exit code: -1073741515)

Comments:
I run into the same issue when adding the the lib through a gradle dependency: "implementation("dev.whyoleg.cryptography:cryptography-provider-openssl3-prebuilt-mingwx64:0.2.0")". Think makes cryptography-kotlin unusable on Windows targets.
I wanted to further debug the problem before posting the issue, but I don't know where to start from.

Can I signatureVerifier the same as ECDSA for RSA OAEP ?
Example:
val verificationResult: Boolean =
keyPair.publicKey.signatureVerifier(digest = SHA512).verifySignature("text1".encodeToByteArray(), signature)

The current issue is just a dashboard for all algorithms/operations/providers supported or planned to be supported by the library. Status is updated after release where specific item is implemented. List is ordered only by release version and doesn't represent priority in which new items will be implemented.
Feel free to comment if you are missing something from or outside the list!

For detailed information about which provider support which algorithms please consult documentation: https://whyoleg.github.io/cryptography-kotlin/providers/

Status is provided in format of [ ] when it’s not implemented and [x] (X.Y.Z) when it’s implemented in version X.Y.Z

Algorithms

• (0.1.0) MD5 (hash)
• (0.1.0) SHA1 (hash)
• (0.1.0) SHA256, SHA512 (hash)
• (0.1.0) HMAC (mac)
• (0.1.0) AES-CBC (cipher)
• (0.1.0) AES-GCM (cipher)
• (0.1.0) RSA-OAEP (cipher)
• (0.1.0) RSA-PSS (signature)
• (0.1.0) ECDSA (signature)
• (0.2.0) SHA224, SHA384 (hash)
• (0.2.0) SHA3 family (hash)
• (0.2.0) RSA-PKCS1-V1.5 (signature)
• (0.3.0) AES-CTR (cipher)
• AES-KW (key wrap/unwrap)
• ChaCha20-Poly1305 (stream cipher)
• ECDH (key agreement)
• PBKDF2 (prf)
• HKDF (kdf)
• Agron2 (prf)
• scrypt (prf)
• brcypt (prf)
• CMAC (mac)
• Blowfish (cipher)
• Blake (hash)
• TOTP/HOTP (otp)
• SHAKE (hash)
• Ed25519 curve (signature)
• AES-ECB (cipher) - LEGACY
• RSA without padding (cipher/ signature[?]) - LEGACY
• RSA-PKCS1-V1.5 (cipher) - LEGACY

Operations

• (0.1.0) Hashing
• (0.1.0) Cipher and AEAD Cipher
• (0.1.0) Signature generation and verification
• Key agreement
• Key derive (kdf/prf)
• Multi-key agreement support
• Key wrap/unwrap
• OTP (One Time Password) support
• Hybrid Encryption

Providers

• (0.1.0) WebCrypto
• (0.1.0) Apple
• (0.1.0) JDK
• (0.1.0) OpenSSL3
• CryptoKit
• Windows CNG
• AWS/GCP KMS provider
• BorringSSL (optional, in addition to openssl)
• NodeJS engine
• OpenSSL3 KMP (JVM , may be JS/Wasm)
• wasi-crypto or via component model

Hi,
whenever i execute linuxX64Binaries i get this error: https://pastes.dev/sru6wccvSU .
I hope you can help me.

Library version: 0.2.0
Kotlin version: 1.9.10
Use openssl3-prebuilt provider for generate ESDSA keys on iOS.

The /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/ld command returned non-zero exit code: 1.
output:
ld: Undefined symbols:
  _deflate, referenced from:
      _zlib_stateful_compress_block in libcrypto.a[192](libcrypto-lib-c_zlib.o)
      _bio_zlib_write in libcrypto.a[192](libcrypto-lib-c_zlib.o)
      _bio_zlib_ctrl in libcrypto.a[192](libcrypto-lib-c_zlib.o)
  _deflateEnd, referenced from:
      _zlib_stateful_finish in libcrypto.a[192](libcrypto-lib-c_zlib.o)
      _bio_zlib_free in libcrypto.a[192](libcrypto-lib-c_zlib.o)
  _deflateInit_, referenced from:
      _zlib_stateful_init in libcrypto.a[192](libcrypto-lib-c_zlib.o)
      _bio_zlib_write in libcrypto.a[192](libcrypto-lib-c_zlib.o)
  _inflate, referenced from:
      _zlib_stateful_expand_block in libcrypto.a[192](libcrypto-lib-c_zlib.o)
      _bio_zlib_read in libcrypto.a[192](libcrypto-lib-c_zlib.o)
  _inflateEnd, referenced from:
      _zlib_stateful_finish in libcrypto.a[192](libcrypto-lib-c_zlib.o)
      _bio_zlib_free in libcrypto.a[192](libcrypto-lib-c_zlib.o)
  _inflateInit_, referenced from:
      _zlib_stateful_init in libcrypto.a[192](libcrypto-lib-c_zlib.o)
      _bio_zlib_read in libcrypto.a[192](libcrypto-lib-c_zlib.o)
  _zError, referenced from:
      _bio_zlib_write in libcrypto.a[192](libcrypto-lib-c_zlib.o)
      _bio_zlib_read in libcrypto.a[192](libcrypto-lib-c_zlib.o)
      _bio_zlib_ctrl in libcrypto.a[192](libcrypto-lib-c_zlib.o)