Changing keyfile format of OnlineUnlockStatus

General JUCE discussion
21

hi Richie - sort of, I would just do:

The main differences being that there’s not a separate “key” element, just the signature. And, RSA signing involves padding a hash of the content, and given the importance of getting those details right it’s the kind of thing best left to an RSA library that has RSA signature/verification functions already built in. It’s not something to roll your own version of, unless you are a crypto master.

If you already have a keyfile system in place using your prior method, I wouldn’t lose sleep over it, as it’s not likely to be the point of attack for a plug-in. However, going forward, why not do things in the most secure way?

1 Like
22

Gut feel was right then :slight_smile:

I still don’t quite understand where the padding comes into play, I think I understood that you sign a hash of the message with RSA and the private key, then to verify you check that the signature put through RSA with the public key matches the hash of the message. I also didn’t quite follow which hashing algorithm would be suitable. This is exactly why “It’s not something to roll your own version of, unless you are a crypto master.” is the best advice anyone can give, unfortunately not taken on board by everyone.