RSASSA-PSS support with IBM JDK
Hi Brian,
I recently saw that JWS PS256/384/512 signature can be supported using Java8 u251 and above. The product that I’m working on is using IBM JDK. When I tried it, it always give me this error:
Exception in thread "main" org.jose4j.lang.InvalidAlgorithmException: PS256 is an unknown, unsupported or unavailable alg algorithm (not one of [none, HS256, HS384, HS512, ES256, ES384, ES512, RS256, RS384, RS512]).
Then I saw your fix for using RSASSA-PSS support in Java 11 here https://bitbucket.org/b_c/jose4j/issues/129/rsassa-pss-support-in-java-11. So I did try to upgrade my jose4j to 0.6.5 (which contain the fix). When I tried using Oracle Java8u251, it works. However it’s still not working for IBM JDK.
In the end I found out from https://www.ibm.com/support/knowledgecenter/vi/SSYKE2_8.0.0/com.ibm.java.security.component.80.doc/security-component/JceDocs/algorithms.html that IBM JDK using the algo name RSAPSS
.
If I compared with your solution at https://bitbucket.org/b_c/jose4j/src/master/src/main/java/org/jose4j/jws/RsaUsingShaAlgorithm.java, you are looking for algo name RSASSA-PSS
.
So I think that’s why it doesn’t work. I confirmed that with IBM JDK, when I do Security.getAlgorithms("Signature")
, it returns SHA384WITHECDSA, SHA3WITHRSA, SHA1WITHRSA, SHA5WITHRSA, SHA512WITHRSA, RSAPSS, SHA2WITHRSA, RSAFORSSL, SHA3WITHECDSA, SHA224WITHECDSA, SHA512WITHECDSA, SHA1WITHDSA, NONEWITHDSA, DSAFORSSL, SHA224WITHDSA, SHA256WITHRSA, ECDSAFORSSL, SHA5WITHECDSA, MD5WITHRSA, SHA2WITHECDSA, MD2WITHRSA, SHA256WITHDSA, SHA1WITHECDSA, NONEWITHECDSA, SHA224WITHRSA, SHA384WITHRSA
.
Is it possible for you to add a fix and looking for String RSAPSS
or RSASSA-PSS
?
Another info, using IBM JDK, both of these code doesn’t throw exception.
Signature.getInstance("RSAPSS");
Signature.getInstance("RSASSA-PSS");
Thanks,
Adrian
Comments (4)
-
repo owner -
reporter Hi Brian,
Your suggestion does work!
Thanks a lot,
Adrian
-
repo owner - changed status to resolved
workaround worked
-
repo owner - changed status to closed
- Log in to comment
To be honest, I’m hesitant to further complicate the code that deals with the JCA API and PSS, which is already pretty funky, to support some naming inconstancies from the IBM stuff.
You could, however, implement your own simple PSS classes that extend
RsaUsingShaAlgorithm
and use theRSAPSS
alg name (see below for example ofPS256
and interpolate from https://bitbucket.org/b_c/jose4j/src/master/src/main/java/org/jose4j/jws/RsaUsingShaAlgorithm.java for the others). Then, In initialization somewhere, get the JWSAlgorithmFactory
fromAlgorithmFactoryFactory
and register your PSS classesjwsAlgorithmFactory.registerAlgorithm(new SpecialRsaPssSha256());
, which will override the default ones.