KeyFactory ECDSA vs EC


Stian Thorgersen

Jan 9, 2020, 10:43:00 AM1/9/20
to Keycloak Dev
Within Keycloak we use KeyFactory ECDSA to parse keys. ECDSA is available in BouncyCastle, but not JDK.

It looks like ECDSA is just an alias in BouncyCastle and there shouldn't be any issues with switching to EC, but to be honest I'm not perfectly certain that's the case.

In Keycloak it doesn't cause any problems, but could cause issues in applications using for example JWKUtils to parse keys if they don't have BouncyCastle included/configured.

There's a PR to switch, but not sure if we should merge it or not:

Marek Posolda

Jan 10, 2020, 9:10:05 AM1/10/20
to st...@redhat.com, Keycloak Dev
In theory, we can check if bouncycastle is on classpath and decide based on that. Something like:

import java.security.KeyFactory;

KeyFactory kf;
try {
    // "org.bouncycastle.Foo" is a placeholder class name from the message, not a real BouncyCastle class
    Class.forName("org.bouncycastle.Foo");
    // BouncyCastle on the classpath: keep the existing "ECDSA" name
    kf = KeyFactory.getInstance("ECDSA");
} catch (ClassNotFoundException cnfe) {
    // No BouncyCastle: fall back to the JDK's standard "EC" KeyFactory
    kf = KeyFactory.getInstance("EC");
}

This is just a possible safe workaround. If we're certain that having "EC" doesn't break anything, it would be ideal to just stick with that and not do workaround. But I am also not 100% sure...

Marek
--
You received this message because you are subscribed to the Google Groups "Keycloak Dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to keycloak-dev...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/keycloak-dev/CAJgngAfqa4B5XvKBChbOaPMeDDCeuiyBjwSOWjR8TFVG1h_8_Q%40mail.gmail.com.
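The following is an added example, not code from the thread or from Keycloak. It makes the question above observable on a given JVM: it reports which installed provider (if any) answers to the KeyFactory names "EC" and "ECDSA", then round-trips a P-256 public key through both names. Class and method names (EcKeyFactoryCheck, providerFor) are my own; the curve choice (secp256r1) is an assumption for illustration.

```java
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.PublicKey;
import java.security.Security;
import java.security.spec.ECGenParameterSpec;
import java.security.spec.X509EncodedKeySpec;
import java.util.Arrays;

public class EcKeyFactoryCheck {

    // Returns the first installed provider that serves the given KeyFactory algorithm name
    // (Provider.getService also matches provider-defined aliases), or "none".
    static String providerFor(String algorithm) {
        for (Provider p : Security.getProviders()) {
            Provider.Service s = p.getService("KeyFactory", algorithm);
            if (s != null) {
                return p.getName() + " (" + s.getClassName() + ")";
            }
        }
        return "none";
    }

    public static void main(String[] args) throws Exception {
        // 1. Which providers answer to "EC" and to "ECDSA" on this JVM?
        System.out.println("KeyFactory EC    -> " + providerFor("EC"));
        System.out.println("KeyFactory ECDSA -> " + providerFor("ECDSA"));

        // 2. Generate a P-256 key pair with the JDK and take the X.509/SPKI encoding
        //    of the public key (the same encoding a JWK-to-PublicKey conversion produces).
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(new ECGenParameterSpec("secp256r1")); // assumed curve for the demo
        KeyPair kp = kpg.generateKeyPair();
        byte[] spki = kp.getPublic().getEncoded();

        // 3. Parse it back through "EC", the standard JCA name shipped with the JDK.
        PublicKey viaEc = KeyFactory.getInstance("EC")
                .generatePublic(new X509EncodedKeySpec(spki));
        System.out.println("EC parse ok: " + Arrays.equals(spki, viaEc.getEncoded()));

        // 4. Try "ECDSA". Without a registered provider that defines this name
        //    (BouncyCastle does), getInstance throws NoSuchAlgorithmException,
        //    which is the failure mode an application without BouncyCastle would hit.
        try {
            PublicKey viaEcdsa = KeyFactory.getInstance("ECDSA")
                    .generatePublic(new X509EncodedKeySpec(spki));
            System.out.println("ECDSA parse ok, same encoding: "
                    + Arrays.equals(spki, viaEcdsa.getEncoded()));
        } catch (NoSuchAlgorithmException e) {
            System.out.println("KeyFactory ECDSA unavailable: " + e.getMessage());
        }
    }
}
```

Run it once on a plain JDK and once with BouncyCastle registered (via Security.addProvider or the java.security file) to see the difference. One caveat relevant to the classpath-probing workaround above: KeyFactory.getInstance consults registered providers, not the classpath, so a BouncyCastle jar that is present but never registered still yields NoSuchAlgorithmException for "ECDSA".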


Stian Thorgersen

Jan 13, 2020, 2:57:52 AM1/13/20
to Marek Posolda, Keycloak Dev
I'm not keen on that approach. If EC is safe to use we should just use it, but if we can know that for sure, then we should stick with ECDSA. We only test/support with the BouncyCastle provider at the moment anyways, so somehow supporting non-BouncyCastle is out of scope.

Bruno Oliveira

Jan 14, 2020, 5:11:25 AM1/14/20
to st...@redhat.com, Marek Posolda, Keycloak Dev
Technically speaking, using a key generated with EC should be compatible
with ECDSA. At the moment I cannot think of any use case where
supporting both should be required.

As far as I know BouncyCastle was the first to provide support for
Elliptic Curves and the JDK is still catching up on this. If we look at the
slides here:
https://static.rainfocus.com/oracle/oow19/sess/1553278162777001mzA2/PF/DEV-3945-v10_1568859710817001R3n8.pdf

Maybe when we switch to JDK 11, we could reconsider if there's a good
reason for that.

--

abstractj