santuario-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Sean Mullan <>
Subject Re: RSA key transport w/ SHA-2
Date Tue, 21 Jun 2011 20:06:51 GMT
On 6/21/11 3:50 PM, Brent Putman wrote:
> On 6/21/11 3:41 PM, Cantor, Scott E. wrote:
>> On 6/21/11 3:36 PM, "Cantor, Scott E."<>  wrote:
>>> This is somewhat directed at Sean, but if somebody else knows...
>>> It looks like the RSA-OAEP key transport support is limited to SHA-1 as a
>>> digest right now in the Java code. It seemed as though Java might support
>>> the full range of SHA-2 options with that, but I guess the API here
>>> doesn't.
>> Correction: I guess just the algorithms are missing from the config file.
>> Should I file a RFE to add them?
> (Scott and I were just discussing this offline)
> The issue isn't really that they are missing, it's that there can be
> only one defined.  The RSA-OAEP algorithm URI maps to a (single) Java
> JCA algorithm identifier. So you could change the mapping to something
> else other than the default of SHA-1, but there's no real way to have
> multiple mappings for the same xmlenc algorithm URI, and additionally no
> way in the API to select the one that you want.  I think there would
> probably have to be some API work on XMLCipher to allow selection of the
> OAEP digest method (as well as the mask generation function).

Yes. Also, the JCEMapper should actually map to the "RSA/ECB/OAEPPadding" 
Cipher algorithm name, and then use the javax.crypto.spec.OAEPParameterSpec 
class to specify the digest and mgf algorithms (which would either be specified 
as XMLCipher API parameters when encrypting, or contained in the 
EncryptionMethod element when decrypting).


View raw message