Ecdsa Laravel Package

starkbank/ecdsa

Pure-PHP ECDSA implementation compatible with OpenSSL. Fast signing/verification using Jacobian coordinates and optimized scalar multiplication. Security features include RFC6979 deterministic nonces, low-S normalization, on-curve validation, and hash truncation. Supports secp256k1 and P-256; requir...


Technical Evaluation

Architecture Fit

  • Pure PHP Implementation: Aligns with Laravel’s PHP-centric ecosystem, eliminating reliance on ext-openssl or system libraries. Ideal for environments where extensions are restricted (e.g., serverless, Docker, or shared hosting).
  • OpenSSL Interoperability: Supports PEM/DER formats and OpenSSL-generated keys/signatures, enabling gradual migration from openssl_sign()/openssl_verify() in Laravel’s core or third-party packages (e.g., firephp/jwt).
  • Curve Flexibility: Pre-configured for secp256k1 (blockchain) and prime256v1 (TLS), with extensibility for custom curves. Useful for:
    • Blockchain/DeFi: Signing Ethereum-style messages or Bitcoin transactions (e.g., via ellipsephp/bitcoin).
    • Custom Protocols: Adding niche curves (e.g., ed25519 via CurveFp::add()) for research or IoT.
  • Security Compliance: RFC 6979 nonces, BIP-62 malleability fixes, and side-channel resistance meet financial/regulatory standards (e.g., Stark Bank’s use case). Critical for payment systems or identity verification.
  • Performance: 0.3ms signing (vs. ~1ms+ with OpenSSL bindings) justifies replacing ext-openssl in high-throughput Laravel APIs (e.g., WebSocket handlers or batch processing).

Integration Feasibility

  • Laravel-Specific:
    • Service Provider: Wrap the library in a Laravel service provider to bind EllipticCurve\Ecdsa as a singleton, enabling dependency injection (e.g., for signing middleware or console commands).
    • Facades: Create a facade (e.g., Ecdsa::sign()) to mimic Laravel’s Hash or Crypt facades, reducing boilerplate.
    • Caching: Cache PrivateKey/PublicKey objects in Laravel’s cache store (e.g., Redis) for repeated operations.
  • Key Management:
    • Integrate with Laravel’s filesystem (e.g., store PEM keys in storage/app/crypto/) or use spatie/laravel-medialibrary for encrypted key storage.
    • Extend Laravel’s Encrypter to support ECDSA-signed payloads (e.g., for API authentication).
  • Migration Path:
    • Step 1: Replace openssl_sign() calls in custom code with starkbank/ecdsa.
    • Step 2: Update third-party packages (e.g., web-token/jwt-framework) to use the new library for signing/verification.
    • Step 3: Deprecate ext-openssl in php.ini post-migration.
  • Compatibility:
    • PHP 8.5+: Optimized for modern PHP (e.g., typed properties, JIT). Test downgrade compatibility if using PHP 8.1+.
    • GMP Dependency: Requires ext-gmp (not enabled by default). Document this in README and composer.json under require:
      "require": {
          "ext-gmp": "*"
      }
      
    • Laravel Packages: Check for conflicts with packages using ext-openssl (e.g., spatie/laravel-honeypot).

Key Questions

  1. Environment Constraints:
    • Can ext-gmp be enabled in production/development environments? If not, evaluate fallback options (e.g., BCMath, but with degraded performance).
    • Are there existing openssl_sign() calls in Laravel core or third-party packages that must be migrated?
  2. Use Case Prioritization:
    • Which Laravel features will use ECDSA? (e.g., API auth, blockchain interactions, or custom cryptographic workflows).
    • Is secp256k1 or prime256v1 sufficient, or are custom curves needed?
  3. Security Review:
    • Has the library been audited for side channels or edge cases (e.g., invalid curve attacks)? If not, plan for a third-party audit.
    • Are deterministic nonces (RFC 6979) sufficient, or does the use case require additional entropy sources?
  4. Performance Benchmarks:
    • Compare against ext-openssl in Laravel’s specific workload (e.g., signing 10,000 requests/sec). Use starkbank/ecdsa's benchmark script as a baseline.
  5. Maintenance:
    • Who will handle updates (e.g., security patches like v2.2.0)? Consider forking if Stark Bank abandons the project.
    • Are there plans to add Schnorr signatures or multi-signature support (currently out of scope)?

Integration Approach

Stack Fit

  • Laravel Ecosystem:
    • Core Integration: Replace openssl_sign()/openssl_verify() in Laravel’s Illuminate\Support\Facades\Crypt or custom auth logic.
    • API Authentication: Use for signing JWTs (via firebase/php-jwt) or custom tokens (e.g., tylerbrinks/laravel-jwt-auth).
    • Blockchain: Pair with web3p/web3.php or ellipsephp/bitcoin for transaction signing.
    • Console Commands: Sign files or messages in Laravel Artisan commands (e.g., php artisan crypto:sign).
  • Dependency Graph:
    • Direct: starkbank/ecdsa (MIT license, no conflicts).
    • Indirect: Ensure no transitive dependencies require ext-openssl (e.g., ramsey/uuid uses OpenSSL by default; use ramsey/uuid-doctrine instead).
  • Database: Store public keys as TEXT (PEM) or VARBINARY (compressed keys) in Laravel’s Illuminate\Database tables.

Migration Path

  1. Assessment Phase:
    • Audit Laravel codebase for openssl_sign()/openssl_verify() usage.
    • Identify third-party packages using OpenSSL (e.g., spatie/laravel-activitylog, laravel/sanctum).
  2. Pilot Phase:
    • Create a Laravel service provider to wrap starkbank/ecdsa:
      <?php
      // app/Providers/EcdsaServiceProvider.php
      namespace App\Providers;

      use EllipticCurve\Ecdsa as StarkEcdsa;
      use EllipticCurve\PrivateKey;
      use EllipticCurve\PublicKey;
      use EllipticCurve\Signature;
      use Illuminate\Support\ServiceProvider;

      class EcdsaServiceProvider extends ServiceProvider {
          public function register(): void {
              $this->app->singleton('ecdsa', function () {
                  return new class {
                      // Sign a message with a PEM-encoded private key; returns the base64 signature.
                      public function sign(string $message, string $privateKeyPem): string {
                          // Imported above: inside the App\Providers namespace an unqualified
                          // EllipticCurve\PrivateKey would resolve to App\Providers\EllipticCurve\PrivateKey.
                          $key = PrivateKey::fromPem($privateKeyPem);
                          $signature = StarkEcdsa::sign($message, $key);
                          return $signature->toBase64();
                      }

                      // Verify a base64 signature against a PEM-encoded public key.
                      public function verify(string $message, string $signatureBase64, string $publicKeyPem): bool {
                          $key = PublicKey::fromPem($publicKeyPem);
                          $signature = Signature::fromBase64($signatureBase64);
                          return StarkEcdsa::verify($message, $signature, $key);
                      }
                      // Add key generation methods...
                  };
              });
          }
      }
      
    • Replace one openssl_sign() call in a non-critical module (e.g., a custom API endpoint).
  3. Full Migration:
    • Update Laravel’s config/app.php to require ext-gmp.
    • Replace all openssl_sign() calls with the new service.
    • Deprecate OpenSSL usage in third-party packages (e.g., fork and patch or find alternatives).
  4. Testing:
    • Verify signatures match OpenSSL outputs using:
      openssl dgst -sha256 -sign privateKey.pem -out signatureDer.txt message.txt
      php artisan crypto:verify signatureDer.txt message.txt publicKey.pem
      
    • Load-test with Laravel’s phpunit and symfony/stopwatch.

Compatibility

  • OpenSSL Workflow:
    • Generate keys with OpenSSL (e.g., openssl ecparam -name secp256k1 -genkey -out privateKey.pem) and import into starkbank/ecdsa:
      $privateKey = EllipticCurve\PrivateKey::fromPem(file_get_contents('privateKey.pem'));
      
    • Convert OpenSSL DER signatures to starkbank/ecdsa format:
      $signature = EllipticCurve\Signature::fromDer(file_get_contents('signatureDer.txt'));
      
  • Laravel-Specific:
    • File Storage: Use Laravel’s Storage facade to read/write PEM keys:
      $privateKeyPem = Storage::disk('local')->get('crypto/privateKey.pem');
      
    • Environment Config: Store key paths in .env:
      CRYPTO_PRIVATE_KEY_PATH=storage/app/crypto/privateKey.pem
      
    • Encryption: Combine with Laravel’s Illuminate/Encryption for key protection (e.g., encrypt PEM files at rest).
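The php artisan crypto:verify command invoked in the Testing step of the Migration Path, written out as an added example (not code from starkbank/ecdsa or from this page); it ties together the Signature::fromDer and PublicKey::fromPem imports listed under OpenSSL Workflow. The class name, file path and argument names are assumptions, and the library is assumed to hash with SHA-256 by default so that it matches the -sha256 in the openssl dgst command.

```php
<?php
// app/Console/Commands/CryptoVerify.php (hypothetical file name)
namespace App\Console\Commands;

use EllipticCurve\Ecdsa;
use EllipticCurve\PublicKey;
use EllipticCurve\Signature;
use Illuminate\Console\Command;

class CryptoVerify extends Command
{
    // Matches: php artisan crypto:verify signatureDer.txt message.txt publicKey.pem
    protected $signature = 'crypto:verify {signature} {message} {publicKey}';
    protected $description = 'Verify an OpenSSL DER signature against a PEM public key';

    public function handle(): int
    {
        $paths = [
            'signature' => $this->argument('signature'),
            'message'   => $this->argument('message'),
            'publicKey' => $this->argument('publicKey'),
        ];
        foreach ($paths as $name => $path) {
            if (!is_readable($path)) {
                $this->error("Cannot read {$name} file: {$path}");
                return self::FAILURE;
            }
        }

        try {
            // openssl dgst -sign writes raw DER bytes; pass them through unchanged.
            $signature = Signature::fromDer(file_get_contents($paths['signature']));
            $publicKey = PublicKey::fromPem(file_get_contents($paths['publicKey']));
        } catch (\Throwable $e) {
            // Malformed DER or PEM is reported as a failed verification, not an uncaught crash.
            $this->error('Could not parse signature or key: ' . $e->getMessage());
            return self::FAILURE;
        }

        // Assumption: the library hashes the message with SHA-256 by default,
        // matching the -sha256 used on the OpenSSL side.
        $valid = Ecdsa::verify(file_get_contents($paths['message']), $signature, $publicKey);

        $this->line($valid ? 'Signature valid' : 'Signature INVALID');
        // A non-zero exit code lets CI jobs and shell scripts fail on a bad signature.
        return $valid ? self::SUCCESS : self::FAILURE;
    }
}
```

Register the class in the console kernel (or let Laravel auto-discover it from app/Console/Commands) and run it against the signature produced by the openssl dgst command from the Testing step.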

Sequencing

  1. Phase 1: Key Generation/Management
    • Replace OpenSSL key generation with `starkbank/ecd