1. Brian Campbell Avatar Brian Campbell
  2. Untitled project
  3. jose4j
  4. Issues

RSASSA-PSS support with IBM JDK

Issue #180 closed
Adrian Sasmita created an issue

Hi Brian,

I recently saw that JWS PS256/384/512 signature can be supported using Java8 u251 and above. The product that I’m working on is using IBM JDK. When I tried it, it always give me this error:

Exception in thread "main" org.jose4j.lang.InvalidAlgorithmException: PS256 is an unknown, unsupported or unavailable alg algorithm (not one of [none, HS256, HS384, HS512, ES256, ES384, ES512, RS256, RS384, RS512]).

Then I saw your fix for using RSASSA-PSS support in Java 11 here https://bitbucket.org/b_c/jose4j/issues/129/rsassa-pss-support-in-java-11. So I did try to upgrade my jose4j to 0.6.5 (which contain the fix). When I tried using Oracle Java8u251, it works. However it’s still not working for IBM JDK.

In the end I found out from https://www.ibm.com/support/knowledgecenter/vi/SSYKE2_8.0.0/com.ibm.java.security.component.80.doc/security-component/JceDocs/algorithms.html that IBM JDK using the algo name RSAPSS .

If I compared with your solution at https://bitbucket.org/b_c/jose4j/src/master/src/main/java/org/jose4j/jws/RsaUsingShaAlgorithm.java, you are looking for algo name RSASSA-PSS.

So I think that’s why it doesn’t work. I confirmed that with IBM JDK, when I do Security.getAlgorithms("Signature"), it returns SHA384WITHECDSA, SHA3WITHRSA, SHA1WITHRSA, SHA5WITHRSA, SHA512WITHRSA, RSAPSS, SHA2WITHRSA, RSAFORSSL, SHA3WITHECDSA, SHA224WITHECDSA, SHA512WITHECDSA, SHA1WITHDSA, NONEWITHDSA, DSAFORSSL, SHA224WITHDSA, SHA256WITHRSA, ECDSAFORSSL, SHA5WITHECDSA, MD5WITHRSA, SHA2WITHECDSA, MD2WITHRSA, SHA256WITHDSA, SHA1WITHECDSA, NONEWITHECDSA, SHA224WITHRSA, SHA384WITHRSA.

Is it possible for you to add a fix and looking for String RSAPSS or RSASSA-PSS?

Another info, using IBM JDK, both of these code doesn’t throw exception.

Signature.getInstance("RSAPSS");

Signature.getInstance("RSASSA-PSS");

Thanks,

Adrian

Comments (4)

  1. Brian Campbell repo owner

    To be honest, I’m hesitant to further complicate the code that deals with the JCA API and PSS, which is already pretty funky, to support some naming inconstancies from the IBM stuff.

    You could, however, implement your own simple PSS classes that extend RsaUsingShaAlgorithm and use the RSAPSS alg name (see below for example of PS256 and interpolate from https://bitbucket.org/b_c/jose4j/src/master/src/main/java/org/jose4j/jws/RsaUsingShaAlgorithm.java for the others). Then, In initialization somewhere, get the JWS AlgorithmFactory from AlgorithmFactoryFactory and register your PSS classes jwsAlgorithmFactory.registerAlgorithm(new SpecialRsaPssSha256());, which will override the default ones.

        public class IBMSpecialRsaPssSha256 extends RsaUsingShaAlgorithm {
        public IBMSpecialRsaPssSha256() {
            super(AlgorithmIdentifiers.RSA_PSS_USING_SHA256, "RSAPSS");
            MGF1ParameterSpec mgf1pec = MGF1ParameterSpec.SHA256;
            PSSParameterSpec pssSpec = new PSSParameterSpec(mgf1pec.getDigestAlgorithm(), MGF1, mgf1pec, 32, TRAILER);
            setAlgorithmParameterSpec(pssSpec);
        }
    }

  5. Log in to comment
Assignee
Type
bug
Priority
critical
Status
closed
Votes
0
Watchers
1
Jira: the preferred issue tracker for Bitbucket. Join the team!