swift-crypto

Support for basic RSA encrypt/decrypt operation

Open gwynne opened this issue 3 years ago • 0 comments

New API Proposal: RSA encrypt/decrypt support in _CryptoExtras

Motivation:

While it is always desirable to encourage motion away from outdated and security-questionable algorithms like RSA, in practical usage it is not always possible to avoid requiring them. In the case of a MySQL protocol client, support for the caching_sha2_password auth plugin (the default in MySQL 8.0) on a non-TLS connection (often desired for speed in secure environments such as a LAN) requires the ability to perform an RSA encrypt operation using a public key provided by the MySQL server. (I propose including the corresponding RSA "decrypt with private key" operation as a matter of symmetry.)

Importance:

It is not possible to implement this functionality with existing API short of embedding an entire copy of BoringSSL in the protocol client package, which negates the usefulness of the swift-crypto package outright (to say nothing of the cost in duplicated code and build times).

A working implementation is available here.

gwynne, Jul 21 '22 10:07