fix: Use RSA-PSS when verifying handshake nonces #65
Conversation
| import org.bouncycastle.jce.provider.BouncyCastleProvider | ||
|
|
||
| object CryptoUtils { | ||
| val BC_PROVIDER = BouncyCastleProvider() |
There was a problem hiding this comment.
@sdsantos, are you aware of any potential performance/stability issues with using the security provider this way vs Security.addProvider()?
I came across https://bugs.openjdk.java.net/browse/JDK-8168469 but presumably that doesn't apply here because this BouncyCastleProvider should only be created once in the lifetime of the process, right?
I wanted to avoid the Security.addProvider() approach because I couldn't think of any simple way to call it in the unit/instrumentation test suites, but I'm happy to change tack if you can think of a way to do it.
There was a problem hiding this comment.
I'm not familiar with it, but I've had to do something similar for Conscrypt, see App.setupTLSProvider(). It basically runs on App onCreate, which will also run for Instrumentation tests.
There was a problem hiding this comment.
Makes sense. I think the tricky bit is making it work in the unit test suite then: I think the only option would be to decorate the tests that directly or indirectly need BC with @ExtendWith(CustomJUnitExtensionThatRegistersBC).
Since we aren't aware of any performance/stability issue, what do you think if we keep the current implementation? We still have to call setProvider(...) in the cases where it matters, the difference is whether we pass the string "BC" or the BouncyCastleProvider instance.
gnarea
changed the title
Counterpart on the server: relaycorp/relaynet-gateway-android#65
Counterpart on the server: relaycorp/relaynet-gateway-android#65
|
🎉 This PR is included in version 1.0.0 🎉 The release is available on:
Your semantic-release bot 📦🚀 |
No description provided.