SANTUARIO-282

RSA-OAEP key transport is limited to SHA-1 digests

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: Java 1.4.5
    • Fix Version/s: Java 1.5
    • Component/s: Java
    • Security Level: Public (Public issues, viewable by everyone)
    • Labels:
      None

      Description

      The RSA-OAEP key transport usage in the Java code assumes use of SHA-1 as a digest. The API maps the XML algorithm identifier for OAEP to the SHA-1 version of the JCE algorithm. It needs to support arbitrary digests, and the XMLCipher API needs to expand to handle setting the digest separately from the key transport algorithm.

          Activity

          cantor.2@osu.edu Scott Cantor added a comment -

          Per Sean:
          The JCEMapper should actually map http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p to the "RSA/ECB/OAEPPadding" Cipher algorithm name, and then use the javax.crypto.spec.OAEPParameterSpec class to specify the digest and mgf algorithms (which would either be specified as XMLCipher API parameters when encrypting, or contained in the EncryptionMethod element when decrypting).

          cantor.2@osu.edu Scott Cantor added a comment -

          I would add that some changes occurred to XML Encryption 1.1 after I posted this issue, and I think a new algorithm string has been defined (and some new syntax IIRC) for handling non-SHA1 MGF options as well. Basically, we need to review the full set of changes needed if we're aiming for 1.1 support, whereas the original issue was confined to 1.0.

          coheigea Colm O hEigeartaigh added a comment -

          Hi Scott,

          I've added full support for non-SHA1 MGF as part of this issue. I'm not aiming for full 1.1 compliance as part of this release (1.5), but rather making sure that we can handle GCM algorithms and > SHA-1 digests properly.

          Colm.

          cantor.2@osu.edu Scott Cantor added a comment -

          Understood. For the record, that's not quite accurate: the MGF itself is locked in 1.0 to use SHA-1. There's a separate use of a digest in the algorithm that is parametrized and that's the one you fixed. The change in 1.1 is to add the ability to plug in a different MGF also.

          coheigea Colm O hEigeartaigh added a comment -

          The non-SHA-1 MGF algorithms are also supported in the commits I did, i.e. (lines 1457-1466 of XMLCipher):

          MGF1ParameterSpec mgfParameterSpec = new MGF1ParameterSpec("SHA-1");
          if (XMLCipher.RSA_OAEP_11.equals(encryptionAlgorithm)) {
              if (EncryptionConstants.MGF1_SHA256.equals(mgfAlgorithm)) {
                  mgfParameterSpec = new MGF1ParameterSpec("SHA-256");
              } else if (EncryptionConstants.MGF1_SHA384.equals(mgfAlgorithm)) {
                  mgfParameterSpec = new MGF1ParameterSpec("SHA-384");
              } else if (EncryptionConstants.MGF1_SHA512.equals(mgfAlgorithm)) {
                  mgfParameterSpec = new MGF1ParameterSpec("SHA-512");
              }
          }

          Colm.

          cantor.2@osu.edu Scott Cantor added a comment -

          Ok, but just to be clear...you're not setting that algorithm based on the digest algorithm used with OAEP? That would be incorrect based on the spec, you'd need two additional algorithm specifiers somewhere, one for the digest alone and one for the MGF.

          coheigea Colm O hEigeartaigh added a comment -

          > Ok, but just to be clear...you're not setting that algorithm based on the digest algorithm used with OAEP?

          No, I'm not doing that. On the inbound side the "mgfAlgorithm" specified above is what is read in the xenc11:MGF field (defaults to MGF1 with SHA-1 as per the spec). The digest algorithm is read separately from the ds:DigestMethod field (defaults to SHA-1). On the outbound side you can specify a digestMethod when constructing the XMLCipher object, and the mgfAlgorithm is specified when using it to construct an EncryptedKey. So they're both separate.

          Colm.

          ashundi Anli Shundi added a comment -

          Sun/Oracle lists RSA/ECB/OAEPPadding (2048) indeed at http://docs.oracle.com/javase/6/docs/technotes/guides/security/StandardNames.html but later at http://docs.oracle.com/javase/6/docs/technotes/guides/security/SunProviders.html the only supported transformation for Cipher is RSA/ECB/OAEPWithSHA1AndMGF1Padding. You can, however, change the SHA at init through the parameters. In other words, the code is fine but not the config file.

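The following is an added example, not code from Santuario or from any commenter on this issue. It shows the separation the thread arrives at: the generic "RSA/ECB/OAEPPadding" transformation Sean proposed, with the digest and the MGF supplied through javax.crypto.spec.OAEPParameterSpec as two independent inputs, the way they are read from ds:DigestMethod and xenc11:MGF on the inbound side (or passed in on the outbound side), plus the 1.0 rule Scott points out: rsa-oaep-mgf1p fixes MGF1 with SHA-1 no matter which digest is used. The algorithm URIs are the ones defined by XML Encryption 1.0 and 1.1; the class and helper names (OaepKeyTransportDemo, jceDigest, mgfSpec, oaepParams, wrap, unwrap) are my own and are not part of XMLCipher. It needs only the JDK and the stock SunJCE provider.

```java
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.spec.MGF1ParameterSpec;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.OAEPParameterSpec;
import javax.crypto.spec.PSource;

public class OaepKeyTransportDemo {

    // XML Encryption algorithm URIs (1.0 key transport, 1.1 key transport, digests, MGFs).
    static final String RSA_OAEP_MGF1P = "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p";
    static final String RSA_OAEP_11 = "http://www.w3.org/2009/xmlenc11#rsa-oaep";
    static final String DIGEST_SHA1 = "http://www.w3.org/2000/09/xmldsig#sha1";
    static final String DIGEST_SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256";
    static final String DIGEST_SHA512 = "http://www.w3.org/2001/04/xmlenc#sha512";
    static final String MGF1_SHA1 = "http://www.w3.org/2009/xmlenc11#mgf1sha1";
    static final String MGF1_SHA256 = "http://www.w3.org/2009/xmlenc11#mgf1sha256";
    static final String MGF1_SHA512 = "http://www.w3.org/2009/xmlenc11#mgf1sha512";

    /** ds:DigestMethod URI -> JCE digest name. No DigestMethod means SHA-1, the spec default. */
    static String jceDigest(String digestUri) {
        if (digestUri == null || DIGEST_SHA1.equals(digestUri)) return "SHA-1";
        if (DIGEST_SHA256.equals(digestUri)) return "SHA-256";
        if (DIGEST_SHA512.equals(digestUri)) return "SHA-512";
        throw new IllegalArgumentException("unsupported OAEP digest: " + digestUri);
    }

    /** xenc11:MGF URI -> MGF1 parameters. Only honoured for the 1.1 algorithm; the 1.0
     *  rsa-oaep-mgf1p algorithm fixes MGF1 with SHA-1 regardless of the digest chosen. */
    static MGF1ParameterSpec mgfSpec(String encAlgUri, String mgfUri) {
        if (!RSA_OAEP_11.equals(encAlgUri) || mgfUri == null) return MGF1ParameterSpec.SHA1;
        if (MGF1_SHA1.equals(mgfUri)) return MGF1ParameterSpec.SHA1;
        if (MGF1_SHA256.equals(mgfUri)) return MGF1ParameterSpec.SHA256;
        if (MGF1_SHA512.equals(mgfUri)) return MGF1ParameterSpec.SHA512;
        throw new IllegalArgumentException("unsupported MGF: " + mgfUri);
    }

    /** The three XML-level inputs (EncryptionMethod/@Algorithm, ds:DigestMethod/@Algorithm,
     *  xenc11:MGF/@Algorithm) become one OAEPParameterSpec; digest and MGF stay independent. */
    static OAEPParameterSpec oaepParams(String encAlgUri, String digestUri, String mgfUri) {
        if (!RSA_OAEP_MGF1P.equals(encAlgUri) && !RSA_OAEP_11.equals(encAlgUri)) {
            throw new IllegalArgumentException("not an RSA-OAEP key transport algorithm: " + encAlgUri);
        }
        return new OAEPParameterSpec(jceDigest(digestUri), "MGF1",
                mgfSpec(encAlgUri, mgfUri), PSource.PSpecified.DEFAULT);
    }

    static byte[] wrap(PublicKey pub, SecretKey cek, OAEPParameterSpec p) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("RSA/ECB/OAEPPadding"); // generic name; digest and MGF come from p
        c.init(Cipher.WRAP_MODE, pub, p);
        return c.wrap(cek);
    }

    static SecretKey unwrap(PrivateKey priv, byte[] wrapped, OAEPParameterSpec p) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("RSA/ECB/OAEPPadding");
        c.init(Cipher.UNWRAP_MODE, priv, p);
        return (SecretKey) c.unwrap(wrapped, "AES", Cipher.SECRET_KEY);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey cek = kg.generateKey(); // constructed content-encryption key to transport

        // 1.1: SHA-256 digest and MGF1 with SHA-256, both carried in the EncryptionMethod.
        OAEPParameterSpec p11 = oaepParams(RSA_OAEP_11, DIGEST_SHA256, MGF1_SHA256);
        byte[] ek = wrap(kp.getPublic(), cek, p11);
        SecretKey back = unwrap(kp.getPrivate(), ek, p11);
        System.out.println("1.1 round trip ok: " + Arrays.equals(cek.getEncoded(), back.getEncoded()));

        // 1.0: a SHA-256 digest is allowed, but the MGF stays MGF1/SHA-1 and an MGF URI is ignored.
        OAEPParameterSpec p10 = oaepParams(RSA_OAEP_MGF1P, DIGEST_SHA256, MGF1_SHA256);
        System.out.println("1.0 MGF digest: " + ((MGF1ParameterSpec) p10.getMGFParameters()).getDigestAlgorithm());
        back = unwrap(kp.getPrivate(), wrap(kp.getPublic(), cek, p10), p10);
        System.out.println("1.0 round trip ok: " + Arrays.equals(cek.getEncoded(), back.getEncoded()));

        // Deriving the MGF from the digest (the mistake discussed above) breaks interop: a peer that
        // used a SHA-256 digest with MGF1/SHA-1 cannot be decrypted with MGF1/SHA-256.
        OAEPParameterSpec peer = oaepParams(RSA_OAEP_11, DIGEST_SHA256, MGF1_SHA1);
        byte[] ekPeer = wrap(kp.getPublic(), cek, peer);
        try {
            unwrap(kp.getPrivate(), ekPeer, p11);
            System.out.println("unexpected: unwrap with the wrong MGF succeeded");
        } catch (GeneralSecurityException e) {
            System.out.println("wrong MGF rejected: " + e.getClass().getSimpleName());
        }
    }
}
```

The final step is the check a practitioner wants: same digest on both sides, MGF differing only because one side tied it to the digest, and the provider rejects the unwrap. On the point Anli raises, if a provider advertises only the digest-specific transformation name, the OAEPParameterSpec passed to init() is still what selects the digest and MGF, so the same oaepParams logic applies unchanged.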
          coheigea Colm O hEigeartaigh added a comment -

          Hi Anli,

          What exactly is the problem with the config file? Are you running into an exception somewhere in the Santuario code with RSA/ECB/OAEPPadding?

          Colm.


            People

            • Assignee: coheigea Colm O hEigeartaigh
            • Reporter: cantor.2@osu.edu Scott Cantor