ffang commented on PR #313:
URL: https://github.com/apache/ws-wss4j/pull/313#issuecomment-2142404454

   > I have a problem with making RSA 1.5 a default as it is not secure, see https://cxf.apache.org/note-on-cve-2011-2487.html
   
   Hi @coheigea ,
   
   Thanks for the feedback!
   
   I made RSA 1.5 the default because for the FIPS security provider
   ```
   Name: SunPKCS11-NSS-FIPS
   ```
   there is only
   ```
   Service Type: Cipher Algorithm RSA/ECB/PKCS1Padding (this is the RSA1_5 for key transport)
   ```
   and no `RSA/ECB/OAEPPadding`.
   
   Also in jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11RSACipher.java (used in FIPS mode) there is code like
   ```java
   protected void engineSetPadding(String padding)
           throws NoSuchPaddingException {
       String lowerPadding = padding.toLowerCase(Locale.ENGLISH);
       // Only PKCS#1 v1.5 and "no padding" are accepted here; any OAEP
       // padding name falls through to the exception below.
       if (lowerPadding.equals("pkcs1padding")) {
           padType = PAD_PKCS1;
       } else if (lowerPadding.equals("nopadding")) {
           padType = PAD_NONE;
       } else {
           throw new NoSuchPaddingException("Unsupported padding " + padding);
       }
   }
   ```
   This is why I get the following if RSA-OAEP is still used as the default key transport algorithm:
   ```
   Caused by: java.security.NoSuchAlgorithmException: Cannot find any provider supporting RSA/ECB/OAEPPadding
           at java.base/javax.crypto.Cipher.getInstance(Cipher.java:571)
           at org.apache.wss4j.common.util.KeyUtils.getCipherInstance(KeyUtils.java:181)
           ... 40 more
   Caused by: javax.crypto.NoSuchPaddingException: Unsupported padding OAEPPadding
           at jdk.crypto.cryptoki/sun.security.pkcs11.P11RSACipher.engineSetPadding(P11RSACipher.java:137)
           at java.base/javax.crypto.Cipher$Transform.setModePadding(Cipher.java:388)
           at java.base/javax.crypto.Cipher.getInstance(Cipher.java:564)
           ... 41 more
   ```
   
   I'm double checking this concern from the related specs and asking the JDK expert why OAEPPadding isn't available in FIPS mode JDK/OS.
   
   Best Regards
   Freeman
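A quick way to verify the claim above provider by provider, as an added diagnostic that is not part of the PR or of WSS4J (the class name `RsaPaddingProbe` and the list of transformations are my own choices): it asks every installed provider for each RSA key-transport transformation and reports which ones fail, so a change of default can rest on the observed capabilities of the FIPS provider rather than on a single stack trace.

```java
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import javax.crypto.Cipher;
import javax.crypto.NoSuchPaddingException;

/**
 * Reports, per installed provider, which RSA key-transport transformations can
 * actually be instantiated. Run it on the FIPS-configured JDK to confirm whether
 * SunPKCS11-NSS-FIPS really exposes only RSA/ECB/PKCS1Padding.
 */
public class RsaPaddingProbe {

    // Transformations relevant to WS-Security key transport: RSA1_5 first,
    // then the OAEP variants that should be preferred over it.
    static final String[] TRANSFORMS = {
        "RSA/ECB/PKCS1Padding",
        "RSA/ECB/OAEPPadding",
        "RSA/ECB/OAEPWithSHA-1AndMGF1Padding",
        "RSA/ECB/OAEPWithSHA-256AndMGF1Padding"
    };

    /** Returns null if the provider can create the Cipher, else the failure. */
    static String probe(Provider p, String transformation) {
        try {
            Cipher.getInstance(transformation, p);
            return null;
        } catch (NoSuchAlgorithmException | NoSuchPaddingException e) {
            // Cipher.getInstance wraps the provider's NoSuchPaddingException in a
            // NoSuchAlgorithmException, which is the nesting seen in the trace.
            return e.getClass().getSimpleName() + ": " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        for (Provider p : Security.getProviders()) {
            // Skip providers that register no RSA Cipher service at all.
            boolean hasRsa = p.getServices().stream().anyMatch(s ->
                    "Cipher".equals(s.getType()) && s.getAlgorithm().startsWith("RSA"));
            if (!hasRsa) continue;
            System.out.println("Provider " + p.getName());
            for (String t : TRANSFORMS) {
                String err = probe(p, t);
                System.out.println("  " + t + " -> " + (err == null ? "available" : err));
            }
        }
    }
}
```

Run it under the same java.security and NSS FIPS configuration as the failing deployment; any OAEP variant reported as available there is the safer default given the CVE-2011-2487 concern, and only if none is should a PKCS1Padding fallback be considered, and then as an explicit opt-in rather than the default.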


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.