JDK-8325166

Allow creation of RSAKeyValue for "RSASSA-PSS" keys


    • Fix Understood
    • generic
    • generic

      ADDITIONAL SYSTEM INFORMATION :
      This is generic. It has no tie to any OS. The enhancement is not yet available on any JDK version.

      A DESCRIPTION OF THE PROBLEM :

      I need to sign XML in Java using Digital Signatures.

      I have a key pair using signature algorithm RSASSA-PSS:

      SunRsaSign RSASSA-PSS private CRT key, 2048 bits
      Sun RSASSA-PSS public key, 2048 bits
      See this code here from the OpenJDK test framework: https://github.com/openjdk/jdk/blob/master/test/lib/jdk/test/lib/security/XMLUtils.java

      I'm using this utility to load the value:

          Document doc = XMLUtils.string2doc("<a><b>Text</b>Raw</a>");
          // Generate an RSASSA-PSS key pair (not a plain "RSA" one).
          KeyPairGenerator instance = KeyPairGenerator.getInstance("RSASSA-PSS");
          instance.initialize(2048);
          KeyPair keyPair = instance.generateKeyPair();

          // PSS parameters: SHA-384 digest, MGF1 with SHA-512, 48-byte salt.
          PSSParameterSpec pspec = new PSSParameterSpec("SHA-384", "MGF1",
                  MGF1ParameterSpec.SHA512, 48, PSSParameterSpec.TRAILER_FIELD_BC);

          // Sign with the RSA-PSS signature method; the public key is handed to the
          // signer so that it can be embedded in the KeyInfo as a KeyValue.
          Document signed = XMLUtils.signer(keyPair.getPrivate(), keyPair.getPublic())
                  .dm(DigestMethod.SHA384)
                  .sm(SignatureMethod.RSA_PSS, new RSAPSSParameterSpec(pspec))
                  .sign(doc);
          System.out.println(XMLUtils.doc2string(signed));

          System.out.println("Good? " + XMLUtils.validator().validate(signed, keyPair.getPublic()));

      Unfortunately, this is not working:

      Exception in thread "main" java.security.KeyException: unsupported key algorithm: RSASSA-PSS
          at java.xml.crypto/org.jcp.xml.dsig.internal.dom.DOMKeyInfoFactory.newKeyValue(DOMKeyInfoFactory.java:85)
      because:

      https://github.com/openjdk/jdk/blob/master/src/java.xml.crypto/share/classes/org/jcp/xml/dsig/internal/dom/DOMKeyInfoFactory.java#L82

      It does not allow "RSASSA-PSS".

      It appears that if it were changed to:

              } else if ("RSA".equals(algorithm) || "RSASSA-PSS".equals(algorithm)) {
                  return new DOMKeyValue.RSA((RSAPublicKey) key);

      then it works.

      Is this something we can put in place or is there some other way to do this?
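The following is an added example, not the reporter's code and not part of the JDK test framework or the JDK itself. It shows the same sign-and-validate flow using only the public javax.xml.crypto API (no XMLUtils), and handles the failure described in this report: it tries to build a KeyValue for the public key, and when the runtime rejects the RSASSA-PSS key with a KeyException it signs without a KeyInfo element and validates against a public key supplied out of band, which is what the validator call in the report already does. It assumes JDK 17 or later (SignatureMethod.RSA_PSS, RSAPSSParameterSpec and DigestMethod.SHA384 exist there) and the DOM XMLSignatureFactory; the class and method names are invented for the example.

```java
import java.io.StringReader;
import java.security.KeyException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.spec.MGF1ParameterSpec;
import java.security.spec.PSSParameterSpec;
import java.util.Collections;
import javax.xml.crypto.dsig.CanonicalizationMethod;
import javax.xml.crypto.dsig.DigestMethod;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.SignatureMethod;
import javax.xml.crypto.dsig.SignedInfo;
import javax.xml.crypto.dsig.Transform;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.RSAPSSParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.xml.sax.InputSource;

// Hypothetical class name; illustrates JDK-8325166, not JDK code.
public class PssEnvelopedSignature {

    // Try to embed the public key as a KeyValue. On a JDK where
    // DOMKeyInfoFactory.newKeyValue rejects "RSASSA-PSS" keys this throws
    // KeyException, and we fall back to signing with no KeyInfo at all.
    static KeyInfo keyInfoOrNull(KeyInfoFactory kif, PublicKey pub) {
        try {
            return kif.newKeyInfo(Collections.singletonList(kif.newKeyValue(pub)));
        } catch (KeyException e) {
            return null;
        }
    }

    // Enveloped RSA-PSS signature over the whole document (SHA-384 digest,
    // MGF1 with SHA-384, 48-byte salt). Returns true if a KeyInfo was embedded.
    static boolean sign(Document doc, PrivateKey priv, PublicKey pub) throws Exception {
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        Reference ref = fac.newReference("",
                fac.newDigestMethod(DigestMethod.SHA384, null),
                Collections.singletonList(
                        fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)),
                null, null);
        PSSParameterSpec pss = new PSSParameterSpec("SHA-384", "MGF1",
                MGF1ParameterSpec.SHA384, 48, PSSParameterSpec.TRAILER_FIELD_BC);
        SignedInfo si = fac.newSignedInfo(
                fac.newCanonicalizationMethod(CanonicalizationMethod.INCLUSIVE,
                        (C14NMethodParameterSpec) null),
                fac.newSignatureMethod(SignatureMethod.RSA_PSS, new RSAPSSParameterSpec(pss)),
                Collections.singletonList(ref));
        KeyInfo ki = keyInfoOrNull(fac.getKeyInfoFactory(), pub);
        XMLSignature sig = fac.newXMLSignature(si, ki);
        sig.sign(new DOMSignContext(priv, doc.getDocumentElement()));
        return ki != null;
    }

    // Validate against a key the caller already trusts, independent of
    // whatever KeyInfo (if any) the document carries.
    static boolean validate(Document signed, PublicKey trusted) throws Exception {
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        Element sigEl = (Element) signed
                .getElementsByTagNameNS(XMLSignature.XMLNS, "Signature").item(0);
        if (sigEl == null) {
            return false;
        }
        DOMValidateContext vc = new DOMValidateContext(trusted, sigEl);
        return fac.unmarshalXMLSignature(vc).validate(vc);
    }

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true); // required for ds: elements to resolve
        return dbf.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSASSA-PSS");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();

        // Constructed sample input, same shape as in the report.
        Document doc = parse("<a><b>Text</b>Raw</a>");
        boolean embedded = sign(doc, kp.getPrivate(), kp.getPublic());
        System.out.println("KeyValue embedded for " + kp.getPublic().getAlgorithm()
                + " key: " + embedded);
        System.out.println("Valid with out-of-band key: " + validate(doc, kp.getPublic()));
    }
}
```

On a JDK affected by this issue the first line prints `false` and the signature still validates, because the verifier is given the key directly. That is the safer verification pattern regardless of the fix: a KeyValue inside the document is under the signer's (or an attacker's) control and is only a hint, so a validator should compare it against, or ignore it in favour of, a key it already trusts.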


            mullan Sean Mullan
            webbuggrp Webbug Group