Ok, great, thanks for looking into it!

--Brent


On 8/4/23 3:12 PM, Sean Mullan wrote:
Yeah, I get it, I need to chat with some folks here first that worked on this before I can give you a better response.

--Sean

On 8/4/23 2:55 PM, Brent Putman wrote:
Hi Sean,

I understood that was how to do the RSA PSS algorithm with explicit parameters, which in Java is done with a PSSParameterSpec.  For XML Signature that corresponds with this RFC URI:

http://www.w3.org/2007/05/xmldsig-more#rsa-pss

I'm instead talking here about the ones that have implicit/defaulted parameters, where the MGF, salt length and trailer field are defaulted (and the digest method is carried as usual in the algorithm ID).  Such as this one:

http://www.w3.org/2007/05/xmldsig-more#sha256-rsa-MGF1

So it's not my understanding that in Java one passes PSSParameterSpec with those, such as "SHA256withRSAandMGF1". All params are defaulted with those - that's the whole purpose of those variants. (And it would be problematic I think to pass the param spec with those, because you could specify in the params say SHA-512 as the digest method, which could be inconsistent with the JCA algorithm ID, as the one above.)

But most importantly, I'm not doing any of this.  It's Santuario that specifies how the actual Java cryptography works, and for those URIs it uses the Java algorithm ID variants in question, not "RSASSA-PSS". When I attempt the #sha256-rsa-MGF1 URI, it throws under Java 17 with NoSuchAlgorithm. I am merely observing from additional testing that those algorithm IDs are in fact documented in Java 17 for SunRsaSign, but yet do not actually work.

The code in Santuario's JCEMapper and SignatureBaseRSA agrees with this understanding.  Running with BC loaded works fine also, so they have the same understanding.

Thanks
Brent


On 8/4/23 2:13 PM, Sean Mullan wrote:
Hi Brent,

You need to pass the MGF and other parameters in a PSSParameterSpec to the Signature algorithm, like so:

Signature sig = Signature.getInstance("RSASSA-PSS", "SunRsaSign");
sig.setParameter(new PSSParameterSpec("SHA-256", "MGF1", MGF1ParameterSpec.SHA256, 32, PSSParameterSpec.TRAILER_FIELD_BC));

I think the JDK docs could be improved to clarify this, so I'll file a bug to have this fixed.

--Sean

On 8/4/23 12:27 AM, Brent Putman wrote:
This is not a Santuario issue per se, but it's sort of related and there are people on the list like Colm and Sean who might have info...

In OpenSAML I was working on adding support for the RSASSA-PSS algorithms (only those with implicit params) from RFC 9231:

https://shibboleth.atlassian.net/browse/OSJ-372

The TL/DR is:  The docs for the SunRsaSign provider in at least Java 17 claim to support algorithm IDs like "SHA256withRSAandMGF1". But in practice they all throw NoSuchAlgorithmException.

Iterating the providers in the JDK and the algorithm IDs supported confirms that they are not listed.

Those are the algorithm IDs expected by Santuario in JCEMapper for the corresponding URIs from RFC 9231, such as http://www.w3.org/2007/05/xmldsig-more#sha256-rsa-MGF1.

This seems like a huge discrepancy between the JDK docs and the JDK behavior.  Anyone know anything?  Unless I'm missing something, seems like a possible bug in the JDK, at least with respect to the docs.

(Such algorithm IDs are supported and do work when using Bouncy Castle as a security provider.)

Thanks,
Brent
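To reproduce the provider check Brent describes and the fallback Sean points to, here is an added example (not code from the thread, from the JDK, or from Santuario): it lists any provider that offers the combined ID, then signs and verifies with "RSASSA-PSS" plus explicit PSS parameters when the combined ID is not available. The defaults used for the RFC 9231 implicit-parameter variant (MGF1 with the same digest, salt length equal to the digest length, trailer field 0xBC) are taken from RFC 9231; the class and helper names are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.MGF1ParameterSpec;
import java.security.spec.PSSParameterSpec;

public class PssProbe {

    // Parameters fixed by the implicit-parameter variants (per RFC 9231, assumed here):
    // MGF1 with the same digest, salt length = digest length, trailer field 0xBC.
    static PSSParameterSpec implicitParams(String digest, int digestLenBytes) {
        return new PSSParameterSpec(digest, "MGF1", new MGF1ParameterSpec(digest),
                                    digestLenBytes, PSSParameterSpec.TRAILER_FIELD_BC);
    }

    // Try the combined JCA ID first; on NoSuchAlgorithmException fall back to the
    // generic "RSASSA-PSS" algorithm with the equivalent explicit parameters.
    static Signature pssSignature(String combinedId, String digest, int digestLenBytes)
            throws GeneralSecurityException {
        try {
            return Signature.getInstance(combinedId);
        } catch (NoSuchAlgorithmException e) {
            Signature sig = Signature.getInstance("RSASSA-PSS");
            sig.setParameter(implicitParams(digest, digestLenBytes));
            return sig;
        }
    }

    public static void main(String[] args) throws Exception {
        String id = "SHA256withRSAandMGF1";
        // Mirror the provider iteration from the thread: who actually lists this ID?
        for (Provider p : Security.getProviders()) {
            if (p.getService("Signature", id) != null) {
                System.out.println(id + " offered by " + p.getName());
            }
        }
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        byte[] data = "constructed sample input".getBytes(StandardCharsets.UTF_8); // constructed

        Signature signer = pssSignature(id, "SHA-256", 32);
        System.out.println("signing with " + signer.getAlgorithm() + " from " + signer.getProvider().getName());
        signer.initSign(kp.getPrivate());
        signer.update(data);
        byte[] sigBytes = signer.sign();

        Signature verifier = pssSignature(id, "SHA-256", 32);
        verifier.initVerify(kp.getPublic());
        verifier.update(data);
        System.out.println("verified: " + verifier.verify(sigBytes));
    }
}
```

With only the JDK providers loaded, the provider loop prints nothing and the fallback path is taken; with Bouncy Castle registered the combined ID resolves directly, which matches the behaviour reported in the thread.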


