ffang commented on code in PR #1645:
URL: https://github.com/apache/cxf/pull/1645#discussion_r1453510256


##########
rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwa/AlgorithmUtils.java:
##########
@@ -88,9 +88,7 @@ public final class AlgorithmUtils {
     public static final String RS_SHA_256_JAVA = "SHA256withRSA";
     public static final String RS_SHA_384_JAVA = "SHA384withRSA";
     public static final String RS_SHA_512_JAVA = "SHA512withRSA";
-    public static final String PS_SHA_256_JAVA = "SHA256withRSAandMGF1";
-    public static final String PS_SHA_384_JAVA = "SHA384withRSAandMGF1";
-    public static final String PS_SHA_512_JAVA = "SHA512withRSAandMGF1";
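Review bot: the three removed `PS_SHA_256_JAVA`, `PS_SHA_384_JAVA` and `PS_SHA_512_JAVA` fields are `public static final` members of the public `AlgorithmUtils` class, so deleting them outright breaks compilation for any external code that references them; consider keeping them marked `@Deprecated` for a release instead. Each removed name also encoded its hash (SHA256, SHA384, SHA512), so whatever replaces them has to carry that choice explicitly at every sign and verify call site, and that requirement deserves a Javadoc note on the replacement constant.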

Review Comment:
   They are not really removed. To adjust to use the Java default security provider API, I changed it to the Java standard algo name "RSASSA-PSS", like this in code:
   ```
   public static final String PS_SHA_JAVA = "RSASSA-PSS";
   ```
   And the Javadoc for "RSASSA-PSS" is:
   ```
   The signature algorithm that uses the RSASSA-PSS signature scheme as defined
   in [PKCS #1 v2.2](https://tools.ietf.org/html/rfc8017). Note that this
   signature algorithm needs parameters such as a digesting algorithm, salt length
   and MGF1 algorithm, to be supplied before performing the RSA operation.
   ```
   So I believe that, with the correct parameters such as digesting algorithm, salt length and MGF1 algorithm, this is the counterpart from the Java default security provider of "SHA256withRSAandMGF1", "SHA384withRSAandMGF1", or "SHA512withRSAandMGF1".
   
   I actually give the PSSParameterSpec in [PublicKeyJwsSignatureVerifier.java](https://github.com/apache/cxf/pull/1645/files/bd38dde2edb2fe2e6fad8be3b97fb733ece20802#diff-e7d828c0b36c1ce3cf222247c8662de235189a1d028f87e4fcd045d179c67808), like:
   ```
   String javaAlgoName = supportedAlgo.getJavaName();
   if (javaAlgoName.equals(AlgorithmUtils.PS_SHA_JAVA)
       && spec == null) {
       //must have spec in this case
       String size = supportedAlgo.getJwaName().substring(2);
       switch (size) {
       case "256" :
           spec = new PSSParameterSpec("SHA-1", "MGF1", MGF1ParameterSpec.SHA256, 20, 1);
           break;
       case "384" :
           spec = new PSSParameterSpec("SHA-1", "MGF1", MGF1ParameterSpec.SHA384, 20, 1);
           break;
       case "512" :
           spec = new PSSParameterSpec("SHA-1", "MGF1", MGF1ParameterSpec.SHA512, 20, 1);
           break;
       default :
           spec = PSSParameterSpec.DEFAULT;
       }
   }
   ```
   
   I just realized that I need to revise the above code a bit: not use "SHA-1" as the messageDigest algorithm for the first parameter of PSSParameterSpec; instead I need to use SHA-256, SHA-384, SHA-512 separately.
   



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
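
The parameter mapping the comment above works toward, as an added example that is neither CXF's code nor the commenter's. It assumes the RFC 7518 section 3.5 parameters for PS256/PS384/PS512 (message digest and MGF1 hash identical, salt length equal to the hash output length) and a JDK whose default provider supports "RSASSA-PSS"; the class name, method names and sample input are illustrative.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.MGF1ParameterSpec;
import java.security.spec.PSSParameterSpec;

public class PssJwaParamsDemo {
    // Assumed mapping (RFC 7518 section 3.5): the message digest and the MGF1
    // digest are the same hash, and the salt is as long as that hash's output.
    static PSSParameterSpec specFor(String jwaName) {
        switch (jwaName) {
        case "PS256": return new PSSParameterSpec("SHA-256", "MGF1", MGF1ParameterSpec.SHA256, 32, 1);
        case "PS384": return new PSSParameterSpec("SHA-384", "MGF1", MGF1ParameterSpec.SHA384, 48, 1);
        case "PS512": return new PSSParameterSpec("SHA-512", "MGF1", MGF1ParameterSpec.SHA512, 64, 1);
        default: throw new IllegalArgumentException("Not a PSS JWA algorithm: " + jwaName);
        }
    }

    static byte[] sign(KeyPair kp, PSSParameterSpec spec, byte[] data) throws GeneralSecurityException {
        Signature s = Signature.getInstance("RSASSA-PSS"); // standard name, JDK 11+
        s.initSign(kp.getPrivate());
        s.setParameter(spec); // required: the algorithm name carries no digest
        s.update(data);
        return s.sign();
    }

    static boolean verify(KeyPair kp, PSSParameterSpec spec, byte[] data, byte[] sig)
        throws GeneralSecurityException {
        Signature s = Signature.getInstance("RSASSA-PSS");
        s.initVerify(kp.getPublic());
        s.setParameter(spec);
        s.update(data);
        return s.verify(sig);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        byte[] input = "header.payload".getBytes(StandardCharsets.US_ASCII); // constructed sample
        for (String alg : new String[] {"PS256", "PS384", "PS512"}) {
            byte[] sig = sign(kp, specFor(alg), input);
            System.out.println(alg + " round trip: " + verify(kp, specFor(alg), input, sig));
        }
        // Check a PS256 signature against the pre-revision spec (SHA-1 message digest, salt 20).
        PSSParameterSpec sha1Spec = new PSSParameterSpec("SHA-1", "MGF1", MGF1ParameterSpec.SHA256, 20, 1);
        byte[] ps256Sig = sign(kp, specFor("PS256"), input);
        System.out.println("PS256 signature vs SHA-1 spec: " + verify(kp, sha1Spec, input, ps256Sig));
    }
}
```

The last check shows why the digest argument matters for interoperability: a verifier and a signer that disagree on the PSS message digest do not accept each other's signatures, even when the MGF1 hash matches.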
