-
CSR
-
Resolution: Approved
-
P4
-
None
-
behavioral
-
minimal
-
Java API
-
SE
Summary
Deprecating the static field "DEFAULT" of the javax.crypto.spec.OAEPParameterSpec class since it uses the default values in the ASN.1 encoding from the PKCS #1 standard (RFC 8017) which have become obsolete as time has progressed.
Problem
SHA-1 is the default algorithm specified by the PKCS #1 standard which is weak and not recommended anymore. Using this field without understanding the security risks or that SHA-1 is the default is not recommended. Thus, it should be deprecated with an appropriate warning.
Solution
Deprecating the static field, callers should construct the OAEPParameterSpec object with their desired values and algorithms.
Specification
Update the javadoc of javax.crypto.spec.OAEPParameterSpec class as below. Besides deprecating the DEFAULT field, the rest are minor cleanups such as replacing with {@code }
@@ -70,17 +70,10 @@
* { OID id-pSpecified PARAMETERS EncodingParameters },
* ... -- Allows for future expansion --
* }
* EncodingParameters ::= OCTET STRING(SIZE(0..MAX))
* </pre>
- * <p>Note: the OAEPParameterSpec.DEFAULT uses the following:
- * <pre>
- * message digest -- "SHA-1"
- * mask generation function (mgf) -- "MGF1"
- * parameters for mgf -- MGF1ParameterSpec.SHA1
- * source of encoding input -- PSource.PSpecified.DEFAULT
- * </pre>
*
* @see java.security.spec.MGF1ParameterSpec
* @see PSource
*
* @author Valerie Peng
@@ -87,43 +80,58 @@
*
* @since 1.5
*/
public class OAEPParameterSpec implements AlgorithmParameterSpec {
/**
- * The OAEP parameter set with all default values.
+ * The OAEP parameter set with all default values, i.e. "SHA-1" as message
+ * digest algorithm, "MGF1" as mask generation function (mgf) algorithm,
+ * {@code MGF1ParameterSpec.SHA1} as parameters for the mask generation
+ * function, and {@code PSource.PSpecified.DEFAULT} as the source of the
+ * encoding input.
+ *
+ * @deprecated This field uses the default values defined in the PKCS #1
+ * standard. Some of these defaults are no longer recommended due
+ * to advances in cryptanalysis -- see
+ * <a href="https://www.rfc-editor.org/rfc/rfc8017#appendix-B.1">Appendix B.1 of PKCS #1</a>
+ * for more details. Thus, it is recommended to create
+ * a new {@code OAEPParameterSpec} with the desired parameter values
+ * using the
+ * {@link #OAEPParameterSpec(String, String, AlgorithmParameterSpec, PSource)} constructor.
+ *
*/
- public static final OAEPParameterSpec DEFAULT = new OAEPParameterSpec();
+ @Deprecated(since="19")
+ public static final OAEPParameterSpec DEFAULT = new OAEPParameterSpec(
+ "SHA-1", "MGF1", MGF1ParameterSpec.SHA1,
+ PSource.PSpecified.DEFAULT);
/**
* Constructs a parameter set for OAEP padding as defined in
* the PKCS #1 standard using the specified message digest
- * algorithm <code>mdName</code>, mask generation function
- * algorithm <code>mgfName</code>, parameters for the mask
- * generation function <code>mgfSpec</code>, and source of
- * the encoding input P <code>pSrc</code>.
+ * algorithm {@code mdName}, mask generation function
+ * algorithm {@code mgfName}, parameters for the mask
+ * generation function {@code mgfSpec}, and source of
+ * the encoding input P {@code pSrc}.
*
- * @param mdName the algorithm name for the message digest.
- * @param mgfName the algorithm name for the mask generation
- * function.
- * @param mgfSpec the parameters for the mask generation function.
- * If null is specified, null will be returned by getMGFParameters().
- * @param pSrc the source of the encoding input P.
- * @exception NullPointerException if <code>mdName</code>,
- * <code>mgfName</code>, or <code>pSrc</code> is null.
+ * @param mdName the algorithm name for the message digest
+ * @param mgfName the algorithm name for the mask generation function
+ * @param mgfSpec the parameters for the mask generation function;
+ * if {@code null} is specified, {@code null} will be returned by
+ * {@link #getMGFParameters()}
+ * @param pSrc the source of the encoding input P
+ * @throws NullPointerException if {@code mdName},
+ * {@code mgfName}, or {@code pSrc} is {@code null}
*/
public OAEPParameterSpec(String mdName, String mgfName,
AlgorithmParameterSpec mgfSpec,
PSource pSrc) {
- csr of
-
JDK-8284553 Deprecate the DEFAULT static field of OAEPParameterSpec
-
- Resolved
-