Yeah, I get it, I need to chat with some folks here first that worked on
this before I can give you a better response.
--Sean
On 8/4/23 2:55 PM, Brent Putman wrote:
Hi Sean,
I understood that was how to do the RSA PSS algorithm with explicit
parameters, which in Java is done with a PSSParameterSpec. For XML
Signature that corresponds with this RFC URI:
http://www.w3.org/2007/05/xmldsig-more#rsa-pss
I'm instead talking here about the ones that have implicit/defaulted
parameters, where the MGF, salt length and trailer field are defaulted
(and the digest method is carried as usual in the algorithm ID). Such
as this one:
http://www.w3.org/2007/05/xmldsig-more#sha256-rsa-MGF1
So it's not my understanding that in Java one passes PSSParameterSpec
with those, such as "SHA256withRSAandMGF1". All params are defaulted
with those - that's the whole purpose of those variants. (And it would
be problematic I think to pass the param spec with those, because you
could specify in the params say SHA-512 as the digest method, which
could be inconsistent with the JCA algorithm ID, as the one above.)
But most importantly, I'm not doing any of this. It's Santuario that
specifies how the actual Java cryptography works, and for those URIs it
uses the Java algorithm ID variants in question, not "RSASSA-PSS". When
I attempt the #sha256-rsa-MGF1 URI, it throws under Java 17 with
NoSuchAlgorithm. I am merely observing from additional testing that
those algorithm IDs are in fact documented in Java 17 for SunRsaSign,
yet do not actually work.
The code in Santuario's JCEMapper and SignatureBaseRSA agrees with this
understanding. Running with BC loaded works fine also, so they have the
same understanding.
Thanks
Brent
On 8/4/23 2:13 PM, Sean Mullan wrote:
Hi Brent,
You need to pass the MGF and other parameters in a PSSParameterSpec to
the Signature algorithm, like so:
Signature sig = Signature.getInstance("RSASSA-PSS", "SunRsaSign");
// digest SHA-256, MGF1 with SHA-256, 32-byte salt, trailer field 0xBC
sig.setParameter(new PSSParameterSpec("SHA-256", "MGF1",
MGF1ParameterSpec.SHA256, 32, PSSParameterSpec.TRAILER_FIELD_BC));
I think the JDK docs could be improved to clarify this, so I'll file a
bug to have this fixed.
--Sean
On 8/4/23 12:27 AM, Brent Putman wrote:
This is not a Santuario issue per se, but it's sort of related and
there are people on the list like Colm and Sean who might have info...
In OpenSAML I was working on adding support for the RSASSA-PSS
algorithms (only those with implicit params) from RFC 9231:
https://shibboleth.atlassian.net/browse/OSJ-372
The TL;DR is: The docs for the SunRsaSign provider in at least Java
17 claim to support algorithm IDs like "SHA256withRSAandMGF1". But in
practice they all throw NoSuchAlgorithmException.
Iterating the providers in the JDK and the algorithm IDs supported
confirms that they are not listed.
Those are the algorithm IDs expected by Santuario in JCEMapper for
the corresponding URIs from RFC 9231, such as
http://www.w3.org/2007/05/xmldsig-more#sha256-rsa-MGF1.
This seems like a huge discrepancy between the JDK docs and the JDK
behavior. Anyone know anything? Unless I'm missing something, seems
like a possible bug in the JDK, at least with respect to the docs.
(Such algorithm IDs are supported and do work when using Bouncy
Castle as a security provider.)
Thanks,
Brent
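An added example, not code from this thread, from Santuario or from OpenSAML, that combines the two checks discussed above: it lists which installed providers actually register "SHA256withRSAandMGF1" versus "RSASSA-PSS", then signs and verifies with the explicit PSSParameterSpec form using the values from Sean's snippet. The class name, the 2048-bit throwaway key and the message are constructed for illustration, and it is assumed that those explicit values match the implicit defaults of the #sha256-rsa-MGF1 URI.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;
import java.security.spec.MGF1ParameterSpec;
import java.security.spec.PSSParameterSpec;

public class PssProbe {
    // Report which installed providers register a Signature service under
    // this algorithm ID; "(none)" is what NoSuchAlgorithmException reflects.
    static String providersFor(String algorithmId) {
        StringBuilder names = new StringBuilder();
        for (Provider p : Security.getProviders()) {
            if (p.getService("Signature", algorithmId) != null) {
                names.append(p.getName()).append(' ');
            }
        }
        return names.length() == 0 ? "(none)" : names.toString().trim();
    }

    // Explicit-parameter form: SHA-256 digest, MGF1 with SHA-256, 32-byte salt,
    // trailer field 0xBC (assumed equal to the #sha256-rsa-MGF1 defaults).
    static boolean signAndVerifyExplicitPss(KeyPair kp, byte[] data) throws Exception {
        PSSParameterSpec spec = new PSSParameterSpec("SHA-256", "MGF1",
                MGF1ParameterSpec.SHA256, 32, PSSParameterSpec.TRAILER_FIELD_BC);
        Signature signer = Signature.getInstance("RSASSA-PSS");
        signer.setParameter(spec);
        signer.initSign(kp.getPrivate());
        signer.update(data);
        byte[] sig = signer.sign();

        Signature verifier = Signature.getInstance("RSASSA-PSS");
        verifier.setParameter(spec); // the verifier must use the same parameters
        verifier.initVerify(kp.getPublic());
        verifier.update(data);
        return verifier.verify(sig);
    }

    public static void main(String[] args) throws Exception {
        for (String id : new String[] {"SHA256withRSAandMGF1", "RSASSA-PSS"}) {
            System.out.println(id + " -> " + providersFor(id));
        }
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048); // constructed throwaway key for the demo
        byte[] data = "constructed sample message".getBytes(StandardCharsets.UTF_8);
        System.out.println("RSASSA-PSS verifies: " + signAndVerifyExplicitPss(kpg.generateKeyPair(), data));
    }
}
```

With only the stock JDK providers loaded, the first ID is expected to print "(none)" and the second "SunRsaSign"; registering Bouncy Castle adds "BC" to the first line.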