[API Proposal]: Add support for Ed25519 #63174
Comments
annerajb
added
the
api-suggestion
dotnet-issue-labeler
bot
added
area-System.Security
untriaged
|
Tagging subscribers to this area: @dotnet/area-system-security, @vcsjones, @krwq Issue DetailsBackground and motivationBackgroundI work a lot with Ed25519 and love dotnet to do development, Last year I reported a issue trying to use Ed25519 and the TLS 1.3 integration wit openssl on SslStream did not support Ed25519 certificates and keys. See here I hope this proposal is more complete and actionable to get any process started. traction / usageThis has been requested for a while now or will be used more in the future.
summary of assembly with public API changes
platformsThis would only support platforms where Openssl 1.1.1 is used by dotnet (right now afaik Linux only) Todos
Reference / resources:RFC 8032: Edwards-Curve Digital Signature Algorithm (EdDSA) API Proposalnamespace System.Security.Cryptography
{
public partial struct EDDsaParameters
{
public ECCurveType Curve;
//enum to say if it's a Ed25519 or Ed448 or w/e comes out next?
public enum ECCurveType
{
Ed25519 = 0,
}
//opaque / raw 32 bytes private key
public byte[]? PrivateKey;
//opaque / raw 32 bytes of public key (if private is set we can derive public from it)
public byte[]? PublicKey;
}
//Provides an abstract base class that encapsulates the Edwards-curve Digital Signature Algorithm (EdDSA).
public abstract partial class EDDsa : AsymmetricAlgorithm
{
protected EDDsa();
public override string SignatureAlgorithm;
public static new EDDsa Create();
//creates a eddsa with the specific public / private key
public static EDDsa Create(EDDsaParameters parameters);
//ImportFromEncryptedPem calls ImportEncryptedPkcs8PrivateKey
public override void ImportEncryptedPkcs8PrivateKey(ReadOnlySpan<byte> passwordBytes, ReadOnlySpan<byte> source, out int bytesRead);
public override void ImportEncryptedPkcs8PrivateKey(ReadOnlySpan<char> password, ReadOnlySpan<byte> source, out int bytesRead);
public override void ImportPkcs8PrivateKey(ReadOnlySpan<byte> source, out int bytesRead);
public override void ImportSubjectPublicKeyInfo(ReadOnlySpan<byte> source, out int bytesRead);
//ExportEncryptedPkcs8PrivateKey calls TryExportEncryptedPkcs8PrivateKey
public override bool TryExportEncryptedPkcs8PrivateKey(ReadOnlySpan<byte> passwordBytes, PbeParameters pbeParameters, Span<byte> destination, out int bytesWritten);
public override bool TryExportEncryptedPkcs8PrivateKey(ReadOnlySpan<char> password, PbeParameters pbeParameters, Span<byte> destination, out int bytesWritten);
//ExportPkcs8PrivateKey calls TryExportPkcs8PrivateKey
public override bool TryExportPkcs8PrivateKey(Span<byte> destination, out int bytesWritten);
//ExportSubjectPublicKeyInfo calls TryExportSubjectPublicKeyInfo
public override bool TryExportSubjectPublicKeyInfo(Span<byte> destination, out int bytesWritten);
//---------------------------------
public abstract void ImportParameters(EDDsaParameters parameters);
public abstract EDDsaParameters ExportParameters(bool includePrivateParameters);
//-------- sign and verify
public abstract byte[] SignData(byte[] data);
public virtual byte[] SignData(byte[] data, int offset, int count);
public virtual bool TrySignData(ReadOnlySpan<byte> data, Span<byte> destination, out int bytesWritten);
public abstract bool VerifyData(byte[] data, byte[] signature);
public virtual bool VerifyData(byte[] data, int offset, int count, byte[] signature);
public virtual bool VerifyData(ReadOnlySpan<byte> data, ReadOnlySpan<byte> signature);
}
//should it be EdDsaOpenSsl or EDDsaOpenSsl
public sealed partial class EDDsaOpenSsl : EDDsa
{
public EDDsaOpenSsl() { }
public EDDsaOpenSsl(System.IntPtr handle) { }
public EDDsaOpenSsl(System.Security.Cryptography.EDDsaParameters parameters) { }
public EDDsaOpenSsl(System.Security.Cryptography.SafeEvpPKeyHandle pkeyHandle) { }
protected override void Dispose(bool disposing);
public SafeEvpPKeyHandle DuplicateKeyHandle();
public override EDDsaParameters ExportParameters(bool includePrivateParameters);
public override void ImportParameters(EDDsaParameters parameters);
public override byte[] SignData(byte[] data);
public override bool VerifyData(byte[] data, byte[] signature);
}
}
namespace System.Security.Cryptography.X509Certificates
{
class X509Certificate
{
public sealed partial class PublicKey
{
public EDDsa? GetEDDsaPublicKey();
}
//should it be EdDsaCertificateExtensions
public static partial class EDDsaCertificateExtensions
{
public static X509Certificate2 CopyWithPrivateKey(this X509Certificate2 certificate, EDDsa privateKey);
//should it be GetEdDsaPrivateKey and GetEdDsaPublicKey
public static EDDsa? GetEDDsaPrivateKey(this X509Certificate2 certificate);
public static EDDsa? GetEDDsaPublicKey(this X509Certificate2 certificate);
}
}
}API UsageNot sure if I am doing this section correctly but expected usages are: //load a ed25519 certificate or chain that can be passed to SslStream
var server_tls_cert = new X509Certificate2("server_chain25519.pfx", "qwerty");
var server_tls_cert = new X509Certificate2("server_tls.pem", "server.key");// generate a new 25519 key
var ed25519 = EDDsaOpenSsl.Create("Ed25519");
//sign and verify with that key
var signature = ed25519.SignData("Hello");
Assert.IsTrue(ed25519.VerifyData("Hello",signature));//load a existing public or private key
var existingkey = new EDDsaParameters()
{
Curve = Ed25519,
PrivateKey = Convert.FromBase64String("CsOkD5npRC16IZ0NGue/oVBNixzwQbIKGNbDNS10w/g=")
};
var ed25519Loaded = EDDsaOpenSsl.Create(existingkey);
ed25519Loaded.SignData("Hello");SslStream sslStream = new SslStream(client.GetStream(), false);
var server_tls_cert = new X509Certificate2("server_chain25519.pem", "key");
sslStream.AuthenticateAsServer(server_tls_cert , clientCertificateRequired: false, checkCertificateRevocation: true);Alternative DesignsOne option but sounded awful... was instead of making a EdDsa class making just a There are multiple algorithms that openssl supports that are opaque / raw and shared roughly the same set of functions.
The downside being that if implemented as only a In addition it didn't seem like good API design since they are different algorithms / functions and is not extensible / usable by other platforms that would implement support for this. RisksOne risk that unfortunately I can't say is that the change may not cover all areas of dotnet where AssymetricAlgorithms are used and leave places where even though it uses a AssymetricAlgorithm or a X509Certificate it would not support Ed25519 keys using this class. one example of this would be SslStream wouldn't work if this is not updated to support it
|
I'm certainly not an expert on cryptography, but I do know about macOS interop: |
We've had many discussions about CryptoKit (#52482 (comment), #29811) and it's not entirely straight forward. Even if CryptoKit were used, that would only give capabilities for the raw Ed25519 primitive. It would not work with The lack of platform support anywhere other than OpenSSL currently makes this a bit of a tough sell to me. I have some thoughts on the APIs
|
One of the initial benefit I saw from using On a closer look it seems the heavy lifting is really handled by
Updated the sample to switch to ReadOnlySpan and remove offset arguments.
I noticed I missed renaming I also removed the parameter less
Also added a |
For SymmetricAlgorithm that's effectively true... not because of a strong desire to abandon the types, but because all we've added lately was AE(AD) and it has such a different shape than SymmetricAlgorithm and ICryptoTransform that we decided they were just their own thing. (We didn't make a new AE(AD) base type because the algorithms have enough variation that the base type wasn't providing value). For AsymmetricAlgorithm, we've been increasing the places that can take one... like EnvelopedCms.Decrypt. It's just trickier in API because DSA and ECDSA don't need extra context, but RSA has the PKCS1 vs PSS or PKCS1 vs OAEP (and what OAEP) split... which is why CertificateRequest doesn't take AsymmetricAlgorithm.
Why remove the old one? If you're loading from an existing key then having to specify a parameter just makes things potentially misleading (e.g. it says "create Ed25519", but after the load it's Ed448). An overload that takes the parameter is fine, that tells the implicit key generation which curve to use.
Using an enum is very limiting. If we load an Ed448 from a key file but that's not in the enum we're in a bad state. It probably wants to be something like a strongly typed string.
Either "EdwardsDsa" or "EdDsa", but definitely not "EDDsa"... the first D doesn't stand for anything, it's just "Ed" or "Edwards" concat (Digital Signature Algorithm)=>DSA=>Dsa.
https://dotnet.microsoft.com/en-us/platform/telemetry says that 60% of the command line usage is now on Linux (which is higher than I expected... guess we did a good job on cross-plat!). Assuming that all Linux usages have OpenSSL 1.1.1 or OpenSSL 3, and that none of them have disabled EdDSA, that leaves a 60/40 split that we don't have any current expectation of healing. If macOS supported certificates with EdDSA then we could at least assume/pretend that Windows will eventually follow; and if Windows were to support it in preview builds then we'd know that eventually 38% (the 98% that install updates of the 39% Windows usage) more would have Right now having something that only works on one OS family is a bit of a hard sell. |
I think that's kind of what bugs me a little about it. It's a cryptoagility-esq API that doesn't quite work. For that particular example, even though it accepts an EdDSA can't encrypt, but you'll be able to pass an instance in anyway. Maybe X25519 could if we ever added something like ECIES if we ever got there. And because |
|
Well, in your quoted example, we already know that we're a KeyTrans, which means that the relevant cert/KeyRecipientInfo was RSA (the only algorithm that would have matched a KeyTrans). For KeyAgree, if we supported that, and we supported both DH and ECDH, it'd look like if (privateKey is DiffieHellman dh)
{
}
else if (privateKey is ECDiffieHellman ecdh)
{
}
else
{
throw something;
}We could make the public entrypoint be Encrypt is harder, since there's not already a RecipientInfo (etc) to tell us if we're supposed to use PKCS1/OAEP-SHA1/OAEP-SHA-2-256/... I agree it's a bit asymmetric (semi-pun not intended, but it's the best word), but it feels better than |
|
Imho this discussion should also include the support for
There are many use cases in the industrial space where this makes a lot of sense. The edge devices run Linux and embedded sensors may only support the EdDsa/Curve25519/ChaChaPoly flavors due to their minimal CPUs. |
|
Still not implemented??? |
|
Seeing how JWTs with EdDSA are becoming more popular this is definitely something that is needed sooner rather than later if we want to keep verifying those without having to rely on third party libraries. |
|
As a first step, I did a rough implementation of Ed25519 for macOS and OpenSSL, enough to get passing with DJB's test vectors. This meets our "two of three" semi-requirement, but it would mean we lack the ability to implement this on Windows. Here is the API shape that I came up with: namespace System.Security.Cryptography
{
public abstract partial class Ed25519 : System.Security.Cryptography.AsymmetricAlgorithm
{
public const int SignatureSizeInBytes = 64;
public static bool IsSupported { get; }
public abstract bool HasPrivateKey { get; }
[UnsupportedOSPlatformAttribute("android")] // MAYBE this does not apply.
[UnsupportedOSPlatformAttribute("browser")]
[UnsupportedOSPlatformAttribute("ios")]
[UnsupportedOSPlatformAttribute("tvos")]
[UnsupportedOSPlatformAttribute("windows")]
public static new System.Security.Cryptography.Ed25519 Create();
public byte[] ExportPrivateKey();
public int ExportPrivateKey(System.Span<byte> destination);
public bool TryExportPrivateKey(System.Span<byte> destination, out int bytesWritten);
protected abstract int ExportPrivateKeyCore(System.Span<byte> destination);
public byte[] ExportPublicKey();
public int ExportPublicKey(System.Span<byte> destination);
public bool TryExportPublicKey(System.Span<byte> destination, out int bytesWritten);
protected abstract int ExportPublicKeyCore(System.Span<byte> destination);
public abstract void GenerateKey();
public void ImportPrivateKey(byte[] privateKey) { }
public void ImportPrivateKey(System.ReadOnlySpan<byte> privateKey) { }
protected abstract void ImportPrivateKeyCore(System.ReadOnlySpan<byte> privateKey);
public void ImportPublicKey(byte[] publicKey) { }
public void ImportPublicKey(System.ReadOnlySpan<byte> publicKey) { }
protected abstract void ImportPublicKeyCore(System.ReadOnlySpan<byte> publicKey);
public byte[] SignData(byte[] data);
public byte[] SignData(System.ReadOnlySpan<byte> data);
public int SignData(System.ReadOnlySpan<byte> data, System.Span<byte> destination);
public bool TrySignData(System.ReadOnlySpan<byte> data, System.Span<byte> destination, out int bytesWritten);
protected abstract int SignDataCore(System.ReadOnlySpan<byte> data, System.Span<byte> destination);
public bool VerifyData(byte[] data, byte[] signature);
public bool VerifyData(System.ReadOnlySpan<byte> data, System.ReadOnlySpan<byte> signature);
protected abstract bool VerifyDataCore(System.ReadOnlySpan<byte> data, System.ReadOnlySpan<byte> signature);
// Not included: All of the overrides from AsymmetricAlgorithm
}
public sealed partial class Ed25519OpenSsl : System.Security.Cryptography.Ed25519
{
public static new bool IsSupported { get; }
[UnsupportedOSPlatformAttribute("android")]
[UnsupportedOSPlatformAttribute("browser")]
[UnsupportedOSPlatformAttribute("ios")]
[UnsupportedOSPlatformAttribute("tvos")]
[UnsupportedOSPlatformAttribute("windows")]
public Ed25519OpenSsl(System.Security.Cryptography.SafeEvpPKeyHandle pkeyHandle);
[UnsupportedOSPlatformAttribute("android")]
[UnsupportedOSPlatformAttribute("browser")]
[UnsupportedOSPlatformAttribute("ios")]
[UnsupportedOSPlatformAttribute("tvos")]
[UnsupportedOSPlatformAttribute("windows")]
public Ed25519OpenSsl();
// Not included: All of the overrides from AsymmetricAlgorithm or Ed25519
}
}Some comparisons with the proposal above:
|
bartonjs
added
api-ready-for-review
|
@vcsjones The original proposal reminded me that we should do the API for X509Certificate2+Ed25519, so I've gone ahead and merged that with your proposal into the top post. Even if we cut it apart into two implementation PRs, it's probably worth getting the X.509 part pre-signed-off. |
That's fine if we just want to get the API approved... but I don't know that we should do that for .NET 8. From my earlier post:
We can't implement Ed25519 + X.509 on Apple (and Apple summarily explodes on an Ed25519 cert). Would you take that for .NET 8 if we can only implement those APIs for OpenSSL? |
Assuming that an Ed25519 (public only) cert already opens on Linux, it feels reasonable to add GetPublicKey with the algorithm... and then to add Ed25519 to the PFX association table and add GetPrivateKey and CopyWithPrivateKey. I think it'd be in good* company with DSA FIPS 186-3 in that I believe that "big DSA" certs work on Linux-only. If loading the cert fails, then all bets are off, of course. * debatable. OK, not really debatable, it's bad company, but it's a stock English phrase... |
namespace System.Security.Cryptography;
public abstract partial class Ed25519 : AsymmetricAlgorithm
{
public const int SignatureSizeInBytes = 64;
public static bool IsSupported { get; }
public static new Ed25519 Create();
protected Ed25519();
public abstract bool HasPrivateKey { get; }
public byte[] ExportPrivateKey();
public int ExportPrivateKey(Span<byte> destination);
public bool TryExportPrivateKey(Span<byte> destination, out int bytesWritten);
protected abstract int ExportPrivateKeyCore(Span<byte> destination);
public byte[] ExportPublicKey();
public int ExportPublicKey(Span<byte> destination);
public bool TryExportPublicKey(Span<byte> destination, out int bytesWritten);
protected abstract int ExportPublicKeyCore(Span<byte> destination);
public abstract void GenerateKey();
public void ImportPrivateKey(byte[] privateKey);
public void ImportPrivateKey(ReadOnlySpan<byte> privateKey);
protected abstract void ImportPrivateKeyCore(ReadOnlySpan<byte> privateKey);
public void ImportPublicKey(byte[] publicKey);
public void ImportPublicKey(ReadOnlySpan<byte> publicKey);
protected abstract void ImportPublicKeyCore(ReadOnlySpan<byte> publicKey);
public byte[] SignData(byte[] data);
public byte[] SignData(ReadOnlySpan<byte> data);
public int SignData(ReadOnlySpan<byte> data, Span<byte> destination);
public bool TrySignData(ReadOnlySpan<byte> data, Span<byte> destination, out int bytesWritten);
protected abstract int SignDataCore(ReadOnlySpan<byte> data, Span<byte> destination);
public bool VerifyData(byte[] data, byte[] signature);
public bool VerifyData(ReadOnlySpan<byte> data, ReadOnlySpan<byte> signature);
protected abstract bool VerifyDataCore(ReadOnlySpan<byte> data, ReadOnlySpan<byte> signature);
}
public sealed partial class Ed25519OpenSsl : Ed25519
{
[UnsupportedOSPlatformGuard("android")]
[UnsupportedOSPlatformGuard("browser")]
[UnsupportedOSPlatformGuard("ios")]
[UnsupportedOSPlatformGuard("tvos")]
[UnsupportedOSPlatformGuard("windows")]
public static new bool IsSupported { get; }
[UnsupportedOSPlatform("android")]
[UnsupportedOSPlatform("browser")]
[UnsupportedOSPlatform("ios")]
[UnsupportedOSPlatform("tvos")]
[UnsupportedOSPlatform("windows")]
public Ed25519OpenSsl(SafeEvpPKeyHandle pkeyHandle);
[UnsupportedOSPlatform("android")]
[UnsupportedOSPlatform("browser")]
[UnsupportedOSPlatform("ios")]
[UnsupportedOSPlatform("tvos")]
[UnsupportedOSPlatform("windows")]
public Ed25519OpenSsl();
}namespace System.Security.Cryptography.X509Certificates;
public sealed partial class PublicKey
{
public Ed25519? GetEd25519PublicKey();
}
public partial class X509Certificate2
{
public Ed25519? GetEd25519PublicKey();
public Ed25519? GetEd25519PrivateKey();
public X509Certificate2 CopyWithPrivateKey(Ed25519 privateKey);
} |
terrajobst
added
api-approved
|
Thanks both for double-checking 👍 |
I think that in the end it comes down to what the end goal is. For me as a user of the implementation I only care about the signatures being compatible between implementations. If the signatures produced on Apple are verifiable by other EdDsa implementations and don't produce invalid signatures those would suffice in my opinion for anything I would use them for (jwt token generation etc.). It might be that in some cases where government contracts or the likes are affected people need FIPS compliant implementations but iirc those are sometimes actually worse than state of the art implementations of common crypto. Seeing as how Apple doesn't provide an alternative in this case and the only alternative is non-implementation I'd say go ahead but mark it explicitly as non-conformant for Apple platforms with a big warning sign. |
How/where would you recommend we do that? If someone wrote a platform neutral library that used Ed25519 so long as We'd essentially have to make a clone of the UnsupportedOS analyzer to carry something like NonConformantImplementation. Even that's not really good enough, because annotations are a design time problem, and conformance is a runtime problem... if .NET 8 says that Ed25519 is non-conformant on macOS, then any library building against .NET 8 as a minimum version believes that to be true. But, by .NET 9, we learn that Apple has pushed out an update to make their algorithm conform. Well, we can't remove the annotation from the .NET 8 targeting pack... so now the annotations lie. While the RFC doesn't literally say Another problem that I'd have with "go ahead" here is that we try really hard to make .NET be .NET everywhere. When we can't, we usually want the experience to be PlatformNotSupportedException (or a similar "sorry, this doesn't work"). Saying that the same code gives a deterministic signature on some OSes, and a non-deterministic signature on others, isn't staying in that spirit. So, yes, while the alternative is non-implementation, I feel that non-implementation is the better option. |
Mostly documentation regarding this function. In the end anyone that uses it should have read the documentation and know what they are getting themselves into. I get that this might be an issue for libraries that are cross platform and just link back to the base implementation and as you say the non-conformancy should spread to those sort of.
Might it be a better solution to not push this directly into the runtime but instead have it as a NuGet package that stays in preview until this issue is resolved? That way people that know what they are getting themselves into can use it but it doesn't appear as readily available to the general public.
I think this is the biggest argument in favor of non-implementation. However there are enough things still in .NET that behave differently on Windows vs. other platforms and others that don't work the same on macOS either (see HTTP1/2 over HTTPS) which don't necessarily lead to PlatformNotSupported but just slightly different behaviour. In the end I get that you'd not want to add to the pile of things that work differently though so fair enough. To me it seems that unless you'd consider shipping just the Linux Openssl implementation this might stay in Limbo for a rather long time. Is there any specific reason why a macOS Openssl version wouldn't work? Is it just that this is a dependency you don't want to pull into the runtime? |
Two things here. First, when I say "platform", I mean different cryptographic implementations, not operating systems. OpenSSL on macOS and Linux is still one "platform", so that does not help us with our desire to support multiple platforms with cryptographic primitives. Second, shipping OpenSSL in-box is not an option - .NET's current stance, by policy, is that we do not ship implementations with cryptographic implementations. We have in the past used OpenSSL on macOS if happened to be on the system - this is still used for AesCcm, for example. However this is an anti-goal. We want to cut ties from OpenSSL on macOS, not take further dependencies on it. |
|
Would it make sense to only support signature verification? (maybe not, AFAICT the current interfaces expect that either both signing and verification are supported, or none of them is) |
It's a reasonable thing to consider. It's an option I laid out in my earlier comment:
I largely chalked that up to being 1.5 platforms, not 2. To me it seems like it would be done for the sake of just meeting our minimum platform requirements, and would be a subpar experience on macOS. Though, without signing, I think leaving half the purpose of the algorithm out would be a stretch to say it supports two platforms in the first place. |
|
Is there value in verify-only across the board? What are some scenarios for verifying but not producing? |
The most common use case for verifying is when you want to verify a signature another party produced. JWT is a good example - a server may respond with a signed JWT, and a client has the public key for that party and wants to verify the signature exists. I don't doubt there are many use cases for a verify only implementation - but in my personal opinion, it still teeters too close to having only one implementation. |
|
Another option here could be to by default throw PNSE for non conformant stuff and create a feature switch "AllowNonConformantEd25519" - PNSE could provide detail about existence of that switch. I'm personally also fine with not supporting this until Windows/Android add their implementations |
That more or less I think falls in line with something @bartonjs reasoned through:
|
This comment was marked as off-topic.
This comment was marked as off-topic.
|
Any update on this? At the moment we rely on a nuget package based on bouncy castle to sign our jwr bit is outdated and still references microsoft.jwt.model 5.4.0 with critical unresolved security issues |
Unfortunately not. The status remains the same as noted in this previous comment. The implementation remains blocked. |
|
Then again go damn back to openssl used crypto stuff. You guys block so many things on mac or functionality in general just because you don't want to use openssl on mac for example. It worked before (see aes gcm) where it was removed for now reasons too and replaced with the apple implementation for no real reasons. |
|
OpenSSL is not distributed in-box with operating system on macOS. That would shift the burden of distributing it to you as a user, including all security updates. Moreover, no one is stopping you from using third-party libraries such as NSec. |
|
Did you really just suggest using another 3rd party lib that has a dep on another 3rd party library instead of having people just use a simple brew install openssl or so on mac which is a very common thing, especially for devs. And having linux/mac implementations just working the same way out of the box and having a great similar experience? It worked fine for everyone before when some things used openssl on mac here and it would still do and be a consistent and better experience for everyone. |
No. NSec is port of libsodium to C#, no extra dependencies and it is self-contained. It's merely a suggestion, not an endorsement. As much as I would like .NET to ship an in-box implementation of this cryptographic primitive it's not currently possible within the given constrains (cryptography stack is shipped with OS and .NET doesn't implement encryption algorithms by itself; at least two of the three major platforms support a given cryptographic primitive).
Firstly, you somehow assume that all consumers of .NET are developers. That's not the case. Neither is
It didn't work fine for everyone. In fact, it was a common pit of failure because developers often had OpenSSL installed on their machines and mistakenly assumed that |
|
NSec pinvokes libsodium so it is a dependency and not a port. I don't think there were many open issues anywhere (can't speak for you doing internal stuff) regarding openssl and issues on it. Sure brew is not installed by default but it's still the most common way to install any kind of packages like openssl or others. Including updating those. It's very rare that you use other things on macOS regarding that. Even some MS docs use it as suggestion for some deps that are required for several things already because it's probably the most use dep/library tool out there. Also why not keep it as an option as proposed before through an environment variable to use openssl? That would have been nice for example for things like AesGcm which is fully unusable for me now on macOS as .NET "implementation" due to how a client that I have to work with. Sure I got a 'workaround' by copying the code before it got changed but still that wasn't nice to do. Such a switch (more like the openssl lib path) kind of worked at that time and turned AesGcm from unsupported to supported already. |
I stand corrected. There was some other managed port and I got them confused. That said, it solves the distribution problem by shifting it into NuGets that are linked into your application and where you are responsible for their timely updates. libsodium was also audited several times in the past so it comes with some indirect guarantees. It may not be a perfect solution but it's a solution that you can use right now.
I am not in any way disputing that, when it comes to developers. It's totally different story when it comes to end users who obtain most applications from the App Store or as web downloads. I happen to be a developer with
This is off-topic and we have already discussed this to death in the past. The decision to drop the OpenSSL support from |
|
Would be great if the support includes .net Android as well. |
|
Android 13 (API level 33) is documented as supporting Ed25519. https://developer.android.com/reference/kotlin/java/security/Signature Let's see if we can land Ed25519 for Linux and Android. |
Background and motivation
Background
I work a lot with Ed25519 and love dotnet to do development, Last year I reported a issue trying to use Ed25519 and the TLS 1.3 integration wit openssl on SslStream did not support Ed25519 certificates and keys. See here
I hope this proposal is more complete and actionable to get any process started.
Traction / usage
This has been requested for a while now or will be used more in the future.
Reference / resources:
DNS Sec ed25519
RFC 8080: Edwards-Curve Digital Security Algorithm (EdDSA) for DNSSEC
RFC 8032: Edwards-Curve Digital Signature Algorithm (EdDSA)
RFC 8410: Algorithm Identifiers for Ed25519, Ed448, X25519, and X448
for Use in the Internet X.509 Public Key Infrastructure
API Proposal
Ed25519 is a specific set of options from Edwards DSA (EdDSA).
Due to lack of general support for EdDSA from underlying stacks, this proposal ignores the general algorithm, and focuses on this specific variant.
The text was updated successfully, but these errors were encountered: