
Add support for RSASSA-PSS (PS256) algorithm #612

Closed
randilt wants to merge 17 commits into ballerina-platform:master from randilt:feature/PS256_Support


@randilt
Contributor

@randilt randilt commented Oct 1, 2025

Purpose

Fixes #8292

This PR implements RSASSA-PSS (PS256) signature support for the Ballerina crypto library, addressing the current limitation where only classic RSA signatures (PKCS#1 v1.5) are available.

Examples

Sign data

crypto:PrivateKey privateKey = check crypto:decodeRsaPrivateKeyFromKeyStore(keyStore, "keyAlias", "keyPassword");
byte[] signature = check crypto:signRsaSsaPss256(data, privateKey);

Verify signature

crypto:PublicKey publicKey = check crypto:decodeRsaPublicKeyFromTrustStore(keyStore, "keyAlias");
boolean isValid = check crypto:verifyRsaSsaPss256Signature(data, signature, publicKey);

Checklist

  • Linked to an issue
  • Updated the changelog
  • Added tests
  • Updated the spec
  • Checked native-image compatibility
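
An added example, not code from this PR or from the Ballerina crypto library: a plain JDK (Java 11+) sketch of the parameter set that the name PS256 denotes in RFC 7518 section 3.5, showing that PSS signatures are randomized and are not interchangeable with PKCS#1 v1.5 ones. The class and helper names are hypothetical and the payload is constructed.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.MGF1ParameterSpec;
import java.security.spec.PSSParameterSpec;
import java.util.Arrays;

public class Ps256Demo { // hypothetical class name, not from the PR
    // PS256 (RFC 7518, section 3.5): SHA-256, MGF1 with SHA-256, 32-byte salt.
    static final PSSParameterSpec PS256 =
            new PSSParameterSpec("SHA-256", "MGF1", MGF1ParameterSpec.SHA256, 32, 1);

    static Signature engine(String alg) throws GeneralSecurityException {
        Signature s = Signature.getInstance(alg);
        // The JDK's RSASSA-PSS engine needs its parameters supplied explicitly.
        if (alg.equals("RSASSA-PSS")) s.setParameter(PS256);
        return s;
    }

    static byte[] sign(String alg, PrivateKey key, byte[] data) throws GeneralSecurityException {
        Signature s = engine(alg);
        s.initSign(key);
        s.update(data);
        return s.sign();
    }

    static boolean verify(String alg, PublicKey key, byte[] data, byte[] sig)
            throws GeneralSecurityException {
        Signature s = engine(alg);
        s.initVerify(key);
        s.update(data);
        // Treat a malformed signature the same as an invalid one.
        try { return s.verify(sig); } catch (SignatureException e) { return false; }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair();
        PublicKey pub = kp.getPublic();
        byte[] data = "constructed sample payload".getBytes(StandardCharsets.UTF_8);

        byte[] pss1 = sign("RSASSA-PSS", kp.getPrivate(), data);
        byte[] pss2 = sign("RSASSA-PSS", kp.getPrivate(), data);
        byte[] v15 = sign("SHA256withRSA", kp.getPrivate(), data);
        System.out.println("PSS verifies: " + verify("RSASSA-PSS", pub, data, pss1));
        System.out.println("Two PSS signatures differ: " + !Arrays.equals(pss1, pss2));
        System.out.println("v1.5 verifier accepts PSS: " + verify("SHA256withRSA", pub, data, pss1));
        System.out.println("PSS verifier accepts v1.5: " + verify("RSASSA-PSS", pub, data, v15));
    }
}
```

Because the salt is random, tests for a PSS signer should assert on verification results rather than compare signature bytes against a fixed vector.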

@sonarqubecloud

sonarqubecloud bot commented Oct 1, 2025

@codecov

codecov bot commented Oct 1, 2025

Codecov Report

❌ Patch coverage is 79.73856% with 62 lines in your changes missing coverage. Please review.
✅ Project coverage is 82.14%. Comparing base (7210fa2) to head (21fde5f).
⚠️ Report is 1 commits behind head on master.

Files with missing lines Patch % Lines
...mpiler/staticcodeanalyzer/CryptoAnalyzerUtils.java 71.17% 7 Missing and 25 partials ⚠️
...o/compiler/staticcodeanalyzer/FunctionContext.java 79.31% 6 Missing and 6 partials ⚠️
...ctionrules/AvoidReusingCounterModeVectorsRule.java 77.14% 2 Missing and 6 partials ⚠️
...zer/functionrules/AvoidFastHashAlgorithmsRule.java 86.27% 2 Missing and 5 partials ⚠️
...ticcodeanalyzer/CryptoCipherAlgorithmAnalyzer.java 90.00% 0 Missing and 1 partial ⚠️
.../staticcodeanalyzer/CryptoFunctionRulesEngine.java 93.75% 0 Missing and 1 partial ⚠️
...r/functionrules/AvoidWeakCipherAlgorithmsRule.java 92.85% 0 Missing and 1 partial ⚠️
Additional details and impacted files
@@             Coverage Diff              @@
##             master     #612      +/-   ##
============================================
- Coverage     82.32%   82.14%   -0.19%     
- Complexity      241      371     +130     
============================================
  Files            29       41      +12     
  Lines          1375     1725     +350     
  Branches        191      268      +77     
============================================
+ Hits           1132     1417     +285     
- Misses          196      215      +19     
- Partials         47       93      +46     


@randilt randilt marked this pull request as ready for review October 1, 2025 08:18
* Refactor static code rule implementation

* Update spec with scan rules

* Update changelog

* Address sonar cloud reported issues

* Add enable code coverage report for compiler plugin

* Bump to the next minor version

* [Automated] Update the native jar versions

* Improve code coverage

* Update AES encryption example from CCM to CBC

* Fix reference to SHA256 in password hashing function
@DimuthuMadushan
Contributor

@randilt, could you please update the PR with the requested changes?

Co-authored-by: Thisaru Guruge <thisaru@wso2.com>
@sonarqubecloud

sonarqubecloud bot commented Dec 3, 2025

@randilt
Contributor Author

randilt commented Dec 3, 2025

@DimuthuMadushan it looks like the PR is showing more changes than expected because the feature branch has diverged from master. Should I create a clean branch from master and cherry-pick only my commits to keep the PR tidy, or is this okay as is?

@daneshk
Member

daneshk commented Dec 3, 2025

@randilt, shall we remove scan tool-related changes from the PR? There are other commits as well Refactor scan rule implementation

@daneshk
Member

daneshk commented Dec 3, 2025

> @DimuthuMadushan it looks like the PR is showing more changes than expected because the feature branch has diverged from master. Should I create a clean branch from master and cherry-pick only my commits to keep the PR tidy, or is this okay as is?

Please create a clean branch. We should not have other commits in this PR

@randilt
Contributor Author

randilt commented Dec 3, 2025

> > @DimuthuMadushan it looks like the PR is showing more changes than expected because the feature branch has diverged from master. Should I create a clean branch from master and cherry-pick only my commits to keep the PR tidy, or is this okay as is?
>
> Please create a clean branch. We should not have other commits in this PR

yes I will do that

@randilt
Contributor Author

randilt commented Dec 7, 2025

Closing this PR as a new clean PR is created with the changes related to this feature @DimuthuMadushan @daneshk
#616

@randilt randilt closed this Dec 7, 2025