On 8/8/23 3:33 PM, Brent Putman wrote:
Hi Sean,
If that's the answer, then I guess we'll have to live with it. It would
have been nicer to see the opposite resolution - make the impl fit the
docs, especially since the JDK does already fundamentally support the
underlying algorithm. Is there any notion that these will be
implemented in a future JDK release?
I suppose what this means going forward is that right now, Santuario
will only be able to support the corresponding algorithm URIs via Bouncy
Castle.
As mentioned before, you can implement this in the Santuario layer by
instantiating the algorithms as "RSASSA-PSS" and passing in an
appropriate PSSParameterSpec with the default values as specified by RFC
6931. I recommend this technique as it should work for either BC or JDK
providers that support the RSASSA-PSS algorithm and the particular
parameters of those algorithms. It isn't a lot of code to do that.
Further discussion needs to be made in the JDK area as to whether
algorithms like "SHA256withRSAandMGF1" are standard and what that means;
e.g., it isn't clear that it is for RSASSA-PSS and not RSA. RFC 6931 is
at a higher layer than the RSA specifications, so it is not the standard
we necessarily adhere to at the JCE layer. Thus, more discussion on that
is needed.
--Sean
Thanks,
Brent
On 8/8/23 2:35 PM, Sean Mullan wrote:
Hi Brent,
The JDK docs for the SunRsaSign provider are incorrect, and we don't
support those algorithm names. A bug has been filed to correct that:
https://bugs.openjdk.org/browse/JDK-8313797
I am still looking into your other questions, will get back to you
when I have more info.
--Sean
On 8/4/23 3:26 PM, Brent Putman wrote:
Ok, great, thanks for looking into it!
--Brent
On 8/4/23 3:12 PM, Sean Mullan wrote:
Yeah, I get it, I need to chat with some folks here first that worked
on this before I can give you a better response.
--Sean
On 8/4/23 2:55 PM, Brent Putman wrote:
Hi Sean,
I understood that was how to do the RSA PSS algorithm with explicit
parameters, which in Java is done with a PSSParameterSpec. For XML
Signature that corresponds with this RFC URI:
http://www.w3.org/2007/05/xmldsig-more#rsa-pss
I'm instead talking here about the ones that have implicit/defaulted
parameters, where the MGF, salt length and trailer field are
defaulted (and the digest method is carried as usual in the
algorithm ID). Such as this one:
http://www.w3.org/2007/05/xmldsig-more#sha256-rsa-MGF1
So it's not my understanding that in Java one passes
PSSParameterSpec with those, such as "SHA256withRSAandMGF1". All
params are defaulted with those - that's the whole purpose of those
variants. (And it would be problematic I think to pass the param
spec with those, because you could specify in the params say SHA-512
as the digest method, which could be inconsistent with the JCA
algorithm ID, as the one above.)
But most importantly, I'm not doing any of this. It's Santuario
that specifies how the actual Java cryptography works, and for those
URIs it uses the Java algorithm ID variants in question, not
"RSASSA-PSS". When I attempt the #sha256-rsa-MGF1 URI, it throws
under Java 17 with NoSuchAlgorithm. I am merely observing from
additional testing that those algorithm IDs are in fact documented
in Java 17 for SunRsaSign, but yet do not actually work.
The code in Santuario's JCEMapper and SignatureBaseRSA agrees with
this understanding. Running with BC loaded works fine also, so they
have the same understanding.
Thanks
Brent
On 8/4/23 2:13 PM, Sean Mullan wrote:
Hi Brent,
You need to pass the MGF and other parameters in a PSSParameterSpec
to the Signature algorithm, like so:
import java.security.Signature;
import java.security.spec.MGF1ParameterSpec;
import java.security.spec.PSSParameterSpec;
Signature sig = Signature.getInstance("RSASSA-PSS", "SunRsaSign");
sig.setParameter(new PSSParameterSpec("SHA-256", "MGF1",
MGF1ParameterSpec.SHA256, 32, PSSParameterSpec.TRAILER_FIELD_BC));
I think the JDK docs could be improved to clarify this, so I'll
file a bug to have this fixed.
--Sean
On 8/4/23 12:27 AM, Brent Putman wrote:
This is not a Santuario issue per se, but it's sort of related and
there are people on the list like Colm and Sean who might have
info...
In OpenSAML I was working on adding support for the RSASSA-PSS
algorithms (only those with implicit params) from RFC 9231:
https://shibboleth.atlassian.net/browse/OSJ-372
The TL;DR is: The docs for the SunRsaSign provider in at least
Java 17 claim to support algorithm IDs like
"SHA256withRSAandMGF1". But in practice they all throw
NoSuchAlgorithmException.
Iterating the providers in the JDK and the algorithm IDs supported
confirms that they are not listed.
Those are the algorithm IDs expected by Santuario in JCEMapper for
the corresponding URIs from RFC 9231, such as
http://www.w3.org/2007/05/xmldsig-more#sha256-rsa-MGF1.
This seems like a huge discrepancy between the JDK docs and the
JDK behavior. Anyone know anything? Unless I'm missing
something, seems like a possible bug in the JDK, at least with
respect to the docs.
(Such algorithm IDs are supported and do work when using Bouncy
Castle as a security provider.)
Thanks,
Brent
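As an added example (not code from this thread, from Santuario or from the JDK), here is one way to implement the approach Sean suggests at the top of the thread for the implicit-parameter URIs Brent describes: resolve the URI to a digest name, then use the "RSASSA-PSS" Signature with a PSSParameterSpec carrying the defaults (MGF1 with the same digest, salt length equal to the digest output length, trailer field 0xBC), so that the parameters can never disagree with the algorithm ID. The class name and the URI-to-digest map are assumptions; the map covers only three of the RFC 9231 URIs.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.MGF1ParameterSpec;
import java.security.spec.PSSParameterSpec;
import java.util.Map;

public final class ImplicitPssExample {

    // Assumed subset of the RFC 9231 implicit-parameter URIs, keyed to the
    // digest they imply. The digest is the only variable; everything else
    // (MGF, salt length, trailer field) is defaulted by the URI itself.
    private static final Map<String, String> URI_TO_DIGEST = Map.of(
        "http://www.w3.org/2007/05/xmldsig-more#sha256-rsa-MGF1", "SHA-256",
        "http://www.w3.org/2007/05/xmldsig-more#sha384-rsa-MGF1", "SHA-384",
        "http://www.w3.org/2007/05/xmldsig-more#sha512-rsa-MGF1", "SHA-512");

    // Build the PSSParameterSpec with the defaults the implicit variants
    // imply: MGF1 using the same digest, salt length = digest output
    // length in bytes, trailer field 1 (0xBC).
    static PSSParameterSpec defaultParams(String uri) throws NoSuchAlgorithmException {
        String digest = URI_TO_DIGEST.get(uri);
        if (digest == null) throw new NoSuchAlgorithmException("Unsupported URI: " + uri);
        int saltLen = MessageDigest.getInstance(digest).getDigestLength();
        return new PSSParameterSpec(digest, "MGF1", new MGF1ParameterSpec(digest),
                                    saltLen, PSSParameterSpec.TRAILER_FIELD_BC);
    }

    // "RSASSA-PSS" is available from SunRsaSign (JDK 11+) and from Bouncy
    // Castle, so this path works without depending on the unsupported
    // "SHAxxxwithRSAandMGF1" names.
    static Signature pssSignature(String uri) throws GeneralSecurityException {
        Signature sig = Signature.getInstance("RSASSA-PSS");
        sig.setParameter(defaultParams(uri));
        return sig;
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(3072);
        KeyPair kp = kpg.generateKeyPair();
        // Constructed sample input; a real caller signs the canonicalized SignedInfo.
        byte[] data = "<SignedInfo>constructed sample</SignedInfo>".getBytes(StandardCharsets.UTF_8);
        String uri = "http://www.w3.org/2007/05/xmldsig-more#sha256-rsa-MGF1";

        Signature signer = pssSignature(uri);
        signer.initSign(kp.getPrivate());
        signer.update(data);
        byte[] sigBytes = signer.sign();

        Signature verifier = pssSignature(uri);
        verifier.initVerify(kp.getPublic());
        verifier.update(data);
        System.out.println("verified with " + verifier.getProvider().getName() + ": " + verifier.verify(sigBytes));
    }
}
```

Because the spec is derived from the URI rather than supplied by the caller, a mismatch such as a SHA-512 digest in the parameters under a sha256 URI cannot occur, which is the inconsistency Brent raises about passing an explicit PSSParameterSpec to the implicit variants.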