From cfe40bba6270bd433f43554f3b40543fae531e15 Mon Sep 17 00:00:00 2001 From: Giuseppe De Marco Date: Thu, 7 Dec 2023 16:16:11 +0100 Subject: [PATCH] fix: RSA removed, according to #164 --- docs/en/algorithms.rst | 18 +++++------------- docs/en/pid-eaa-data-model.rst | 27 +++++++++++++-------------- docs/en/pid-eaa-issuance.rst | 24 +++++++++++++----------- docs/en/relying-party-solution.rst | 25 ++++++++++++++----------- docs/en/trust.rst | 11 ++--------- 5 files changed, 47 insertions(+), 58 deletions(-) diff --git a/docs/en/algorithms.rst b/docs/en/algorithms.rst index 7fae0ee7f..2340749d0 100644 --- a/docs/en/algorithms.rst +++ b/docs/en/algorithms.rst @@ -14,10 +14,13 @@ The following algorithms MUST be supported: * - **Algorithm** - **Operations** - **References** - * - **RS256** + * - **ES256** + - Signature + - :rfc:`7518`. + * - **ES384** - Signature - :rfc:`7518`. - * - **RS512** + * - **ES256** - Signature - :rfc:`7518`. * - **RSA-OAEP** @@ -42,12 +45,6 @@ The following algorithms are RECOMMENDED to be supported: * - **Algorithm** - **Operations** - **References** - * - **ES256** - - Signature - - :rfc:`7518`. - * - **ES512** - - Signature - - :rfc:`7518`. * - **PS256** - Signature - :rfc:`7518`. @@ -89,10 +86,5 @@ The following algorithms MUST NOT be supported: - Signature - :rfc:`7518`. -.. warning:: - - The length of the RSA keys MUST be equal to or greater than 2048 bits. - A length of 4096 bits is RECOMMENDED. - diff --git a/docs/en/pid-eaa-data-model.rst b/docs/en/pid-eaa-data-model.rst index 8e7791f7b..de6bf9d36 100644 --- a/docs/en/pid-eaa-data-model.rst +++ b/docs/en/pid-eaa-data-model.rst @@ -253,7 +253,7 @@ The corresponding SD-JWT verson for PID is given by { "typ":"vc+sd-jwt", - "alg":"RS512", + "alg":"ES256", "kid":"dB67gL7ck3TFiIAf7N6_7SHvqk0MDYMEQcoGGlkUAAw", "trust_chain" : [ "NEhRdERpYnlHY3M5WldWTWZ2aUhm ...", @@ -273,12 +273,12 @@ The corresponding SD-JWT verson for PID is given by "status": "https://pidprovider.example.org/status", "cnf": { "jwk": { - "kty": "RSA", - "use": "sig", - "n": "1Ta-sE …", - "e": "AQAB", - "kid": "YhNFS3YnC9tjiCaivhWLVUJ3AxwGGz_98uRFaqMEEs" - } + "crv": "P-256", + "kty": "EC", + "x": "qrJrj3Af_B57sbOIRrcBM7br7wOc8ynj7lHFPTeffUk", + "y": "1H0cWDyGgvU8w-kPKU_xycOCUNT2o0bwslIQtnPU6iM", + "kid": "5t5YYpBhN-EgIEEI5iUzr6r0MR02LnVQ0OmekmNKcjY" + } }, "type": "PersonIdentificationData", "verified_claims": { @@ -422,7 +422,7 @@ The corresponding SD-JWT for the previous data is represented as follow, as deco { "typ":"vc+sd-jwt", - "alg":"RS512", + "alg":"ES256", "kid":"d126a6a856f7724560484fa9dc59d195", "trust_chain" : [ "NEhRdERpYnlHY3M5WldWTWZ2aUhm ...", @@ -442,12 +442,11 @@ The corresponding SD-JWT for the previous data is represented as follow, as deco "status": "https://issuer.example.org/status", "cnf": { "jwk": { - "kty": "RSA", - "e": "AQAB", - "use": "sig", - "kid": "d126a6a856f7724560484fa9dc59d195", - "alg": "RS256", - "n": "oians5wYCWk4wFtEStVYcn_xOw9edKMNGH33_q6_pBI0XaTY7P3apUgjO0ivk5c1NQAVY6PZmcPQ8P1Y0cBAC9STRmzvTvDQcOocLhVy2ZlcXTu39oOGLNra8_LQsaMA386lO_qMW4-uY6DbGZY4vHkScvAC9FIZYDPafqWBEQUNV2QOFMH5VPoihCTKHwMGXnZBatYObg57xSOUX-bvhO_sFMm3k4RvsXcr3MFojAhLfwutu_jK9k7N9KR_mNc5IpiOyhZw_sUmF6SamRqsSPp42KD10hPMW0YJTDMYxBdHrMFeSMHYIMY4oBBT43__a55zILI_CnIk4241wOvGvw" + "crv": "P-256", + "kty": "EC", + "x": "qrJrj3Af_B57sbOIRrcBM7br7wOc8ynj7lHFPTeffUk", + "y": "1H0cWDyGgvU8w-kPKU_xycOCUNT2o0bwslIQtnPU6iM", + "kid": "5t5YYpBhN-EgIEEI5iUzr6r0MR02LnVQ0OmekmNKcjY" } }, "type": "HealthInsuranceData", diff --git a/docs/en/pid-eaa-issuance.rst b/docs/en/pid-eaa-issuance.rst index d4a87a50b..6093ce5c3 100644 --- a/docs/en/pid-eaa-issuance.rst +++ b/docs/en/pid-eaa-issuance.rst @@ -130,7 +130,7 @@ Below a non-normative example of the PAR. &client_id=$thumprint-of-the-jwk-in-the-cnf-wallet-attestation$ &code_challenge=E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM &code_challenge_method=S256 - &request=eyJhbGciOiJSUzI1NiIsImtpZCI6ImsyYmRjIn0.ew0KIC Jpc3MiOiAiczZCaGRSa3F0MyIsDQogImF1ZCI6ICJodHRwczovL3NlcnZlci5leGFtcGxlLmNvbSIsDQo gInJlc3BvbnNlX3R5cGUiOiAiY29kZSBpZF90b2tlbiIsDQogImNsaWVudF9pZCI6ICJzNkJoZFJrcXQz IiwNCiAicmVkaXJlY3RfdXJpIjogImh0dHBzOi8vY2xpZW50LmV4YW1... + &request=$SIGNED-JWT &client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-client-attestation &client_assertion=$WIA~WIA-PoP @@ -901,7 +901,7 @@ Below is a non-normative example of an Entity Configuration containing an `openi { - "alg": "RS256", + "alg": "ES256", "kid": "FANFS3YnC9tjiCaivhWLVUJ3AxwGGz_98uRFaqMEEs", "typ": "entity-statement+jwt" @@ -913,13 +913,15 @@ Below is a non-normative example of an Entity Configuration containing an `openi "iss": "https://pid-provider.example.org", "sub": "https://pid-provider.example.org", "jwks": { - "keys": [{ - "kty": "RSA", - "use": "sig", - "n": "1Ta-sE …", - "e": "AQAB", - "kid": "FANFS3YnC9tjiCaivhWLVUJ3AxwGGz_98uRFaqMEEs" - }] + "keys": [ + { + "crv": "P-256", + "kty": "EC", + "x": "qrJrj3Af_B57sbOIRrcBM7br7wOc8ynj7lHFPTeffUk", + "y": "1H0cWDyGgvU8w-kPKU_xycOCUNT2o0bwslIQtnPU6iM", + "kid": "5t5YYpBhN-EgIEEI5iUzr6r0MR02LnVQ0OmekmNKcjY" + } + ] }, "authority_hints": ["https://superior-entity.example.org/federation"], "metadata": { @@ -928,7 +930,7 @@ Below is a non-normative example of an Entity Configuration containing an `openi "authorization_endpoint": "https://pid-provider.example.org/connect/authorize", "token_endpoint": "https://pid-provider.example.org/connect/token", "pushed_authorization_request_endpoint": "https://pid-provider.example.org/connect/par", - "dpop_signing_alg_values_supported": ["RS256", "RS512", "ES256", "ES512"], + "dpop_signing_alg_values_supported": ["ES256", "ES512"], "credential_endpoint": "https://pid-provider.example.org/credential", "jwks": { "keys": [ @@ -945,7 +947,7 @@ Below is a non-normative example of an Entity Configuration containing an `openi "format": "vc+sd-jwt", "id": "eudiw.pid.it", "cryptographic_binding_methods_supported": ["jwk"], - "cryptographic_suites_supported": ["RS256", "RS512", "ES256", "ES512"], + "cryptographic_suites_supported": ["ES256", "ES512"], "display": [{ "name": "PID Provider Italiano di esempio", "locale": "it-IT", diff --git a/docs/en/relying-party-solution.rst b/docs/en/relying-party-solution.rst index 4b71a1c97..31e4900fb 100644 --- a/docs/en/relying-party-solution.rst +++ b/docs/en/relying-party-solution.rst @@ -506,7 +506,7 @@ Below is a non-normative response example: .. code-block:: text { - "alg": "RS256", + "alg": "ES256", "kid": "2HnoFS3YnC9tjiCaivhWLVUJ3AxwGGz_98uRFaqMEEs", "typ": "entity-statement+jwt" } @@ -519,9 +519,11 @@ Below is a non-normative response example: "jwks": { "keys": [ { - "kty": "RSA", - "n": "5s4qi …", - "e": "AQAB", + "kty": "EC", + "crv": "P-256", + "x": "1kNR9Ar3MzMokYTY8BRvRIue85NIXrYX4XD3K4JW7vI", + "y": "slT14644zbYXYF-xmw7aPdlbMuw3T1URwI4nafMtKrY", + "x5c": [ ] "kid": "2HnoFS3YnC9tjiCaivhWLVUJ3AxwGGz_98uRFaqMEEs" } ] @@ -534,10 +536,11 @@ Below is a non-normative response example: "jwks": { "keys": [ { - "kty": "RSA", + "kty": "EC", "use": "sig", - "n": "1Ta-sE …", - "e": "AQAB", + "crv": "P-256", + "x": "1kNR9Ar3MzMokYTY8BRvRIue85NIXrYX4XD3K4JW7vI", + "y": "slT14644zbYXYF-xmw7aPdlbMuw3T1URwI4nafMtKrY", "kid": "YhNFS3YnC9tjiCaivhWLVUJ3AxwGGz_98uRFaqMEEs", "x5c": [ "..." ] } @@ -676,8 +679,8 @@ Below is a non-normative response example: // JARM related "authorization_signed_response_alg": [[ - "RS256", - "ES256" + "ES256", + "ES384" ], "authorization_encrypted_response_alg": [ "RSA-OAEP", @@ -696,8 +699,8 @@ Below is a non-normative response example: "subject_type": "pairwise", "require_auth_time": true, "id_token_signed_response_alg": [ - "RS256", - "ES256" + "ES256", + "ES384" ], "id_token_encrypted_response_alg": [ "RSA-OAEP", diff --git a/docs/en/trust.rst b/docs/en/trust.rst index 4f90eb96c..464c86860 100644 --- a/docs/en/trust.rst +++ b/docs/en/trust.rst @@ -186,7 +186,7 @@ Below is a non-normative example of a Trust Anchor Entity Configuration, where e .. code-block:: text { - "alg": "RS256", + "alg": "ES256", "kid": "FifYx03bnosD8m6gYQIfNHNP9cM_Sam9Tc5nLloIIrc", "typ": "entity-statement+jwt" } @@ -198,13 +198,6 @@ Below is a non-normative example of a Trust Anchor Entity Configuration, where e "sub": "https://registry.eidas.trust-anchor.example.eu", "jwks": { "keys": [ - { - "kty": "RSA", - "n": "3i5vV-_ …", - "e": "AQAB", - "kid": "FifYx03bnosD8m6gYQIfNHNP9cM_Sam9Tc5nLloIIrc", - "x5c": [ ] - }, { "kty": "EC", "kid": "X2ZOMHNGSDc4ZlBrcXhMT3MzRmRZOG9Jd3o2QjZDam51cUhhUFRuOWd0WQ", @@ -400,7 +393,7 @@ Below there is a non-normative example of an Entity Statement issued by an Accre .. code-block:: text { - "alg": "RS256", + "alg": "ES256", "kid": "em3cmnZgHIYFsQ090N6B3Op7LAAqj8rghMhxGmJstqg", "typ": "entity-statement+jwt" }