Support ES256 JWK Algo

[joshuarubin]

It looks like support for ES256 is available (jwk/generator_ecdsa256.go), but that the JWK handler doesn't support it (https://github.com/ory/hydra/blob/master/jwk/handler.go#L27-L38).

Go's P-256 is implementation is constant-time (which prevents certain types of attacks) while its P-384 and P-521 are not (https://github.com/gtank/cryptopasta).

[joshuarubin]

closed in favor of #628

[aeneasr]

I think we should disable the P521 generator for now, as it's not safe to use them for repeated use in private keys.

[joshuarubin]

RFC7518 lists ES256 as "Recommended+" meaning:

The use of "+" in the Implementation Requirements column indicates
that the requirement strength is likely to be increased in a future
version of the specification.

I think that the stronger algorithm should continue to be supported.

Also, the webcrypto spec has renamed ES521 to ES512:

If the "alg" field is equal to the string "ES512":
Let algNamedCurve be the string "P-521".

[aeneasr]

Ok, let's keep them then. As long as JWK/JWT spec talk of ES521 I think we should keep it that way. Definitely doesn't help though that there are naming inconsistencies now.

[joshuarubin]

Can you link to the spec which still references ES521?

[aeneasr]

My bad, looks like I got mixed up, it's definitely ES512

[aeneasr]

I closed this because ES512 is now tracked in #651