coheigea commented on code in PR #1645:
URL: https://github.com/apache/cxf/pull/1645#discussion_r1453442244


##########
rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwa/AlgorithmUtils.java:
##########
@@ -65,7 +65,7 @@ public final class AlgorithmUtils {
     public static final String A256GCM_ALGO = "A256GCM";
     // Java
     public static final String AES_GCM_ALGO_JAVA = AES + "/GCM/NoPadding";
-    public static final String AES_CBC_ALGO_JAVA = AES + "/CBC/PKCS7Padding";
+    public static final String AES_CBC_ALGO_JAVA = AES + "/CBC/PKCS5Padding";
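
Review bot: The padding name on AES_CBC_ALGO_JAVA changes from "PKCS7Padding" to "PKCS5Padding" with no comment recording why, and the reason is not obvious from the line itself. The JDK's bundled provider registers AES/CBC under the PKCS5Padding name, while PKCS7Padding is a name resolved by Bouncy Castle; for AES's 16-byte block both names produce the same padding bytes, so the likely effect is on which provider can satisfy the lookup rather than on the ciphertext. If that is the intent, state it in a comment next to the constant, and add a test that decrypts, under the new name, content that was encrypted under the old one.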

Review Comment:
   What's the explanation for this change please?



##########
rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwa/AlgorithmUtils.java:
##########
@@ -88,9 +88,7 @@ public final class AlgorithmUtils {
     public static final String RS_SHA_256_JAVA = "SHA256withRSA";
     public static final String RS_SHA_384_JAVA = "SHA384withRSA";
     public static final String RS_SHA_512_JAVA = "SHA512withRSA";
-    public static final String PS_SHA_256_JAVA = "SHA256withRSAandMGF1";
-    public static final String PS_SHA_384_JAVA = "SHA384withRSAandMGF1";
-    public static final String PS_SHA_512_JAVA = "SHA512withRSAandMGF1";
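
Review bot: Deleting PS_SHA_256_JAVA, PS_SHA_384_JAVA and PS_SHA_512_JAVA removes three public constants from a public class, which breaks compilation for any caller outside this module that references them, and this hunk shows nothing taking their place. Either keep them marked @Deprecated for a release, or confirm nothing else in the tree or in downstream code uses them. If a single replacement constant is introduced elsewhere in the PR, it needs a comment explaining where the per-algorithm digest is now selected, since the removed names were the only place these lines encoded SHA-256/384/512.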

Review Comment:
   Why are these removed?



##########
rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwa/SignatureAlgorithm.java:
##########
@@ -31,9 +31,9 @@ public enum SignatureAlgorithm {
     RS384(AlgorithmUtils.RS_SHA_384_ALGO, AlgorithmUtils.RS_SHA_384_JAVA, -1),
     RS512(AlgorithmUtils.RS_SHA_512_ALGO, AlgorithmUtils.RS_SHA_512_JAVA, -1),
 
-    PS256(AlgorithmUtils.PS_SHA_256_ALGO, AlgorithmUtils.PS_SHA_256_JAVA, -1),
-    PS384(AlgorithmUtils.PS_SHA_384_ALGO, AlgorithmUtils.PS_SHA_384_JAVA, -1),
-    PS512(AlgorithmUtils.PS_SHA_512_ALGO, AlgorithmUtils.PS_SHA_512_JAVA, -1),
+    PS256(AlgorithmUtils.PS_SHA_256_ALGO, AlgorithmUtils.PS_SHA_JAVA, -1),
+    PS384(AlgorithmUtils.PS_SHA_384_ALGO, AlgorithmUtils.PS_SHA_JAVA, -1),
+    PS512(AlgorithmUtils.PS_SHA_512_ALGO, AlgorithmUtils.PS_SHA_JAVA, -1),
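
Review bot: PS256, PS384 and PS512 now all pass the same AlgorithmUtils.PS_SHA_JAVA as their Java name, so the enum entry no longer carries the digest and the three algorithms are indistinguishable at this level. The value of PS_SHA_JAVA is not visible in this hunk; whatever it is, the digest now has to be supplied explicitly at signing and verification time, for example through a PSSParameterSpec whose hash, MGF1 hash and salt length match the JOSE algorithm (SHA-256/32, SHA-384/48, SHA-512/64), and must not fall back to a provider default. Please point to where that happens and add tests showing that a PS384 signature is rejected when verified as PS256 and that each variant interoperates with signatures produced before this change.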

Review Comment:
   Is it correct to be downgrading from SHA2 to SHA-1 like this?



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
