
How to create a CSR with RSA-OAEP (opensaml) using KeyTool

I'm pretty familiar with the java keytool command, but I can't seem to figure out how to generate an OAEP padded RSA certificate. I'm trying to generate one to secure a SAML channel. I get the feeling I'm misunderstanding how specifying the padding approach works.

Ideally I end up with a channel that is signed with RSA SHA256, encrypted with AES256 and the key transport algorithm has OAEP padding.

As a side question, would this work with an opensaml implementation? I don't see why not since it's just a valid X509 certificate as far as it should be concerned.

keytool -genkey -alias myalias -keyalg RSA -keysize 512 -sigalg SHA256withRSA -keystore sample.jks -dname "CN=C, O=O, L=L, ST=S, C=US" -storepass changeit

The OAEP padding will apply to your ciphertext and not your certificate.

Your certificate should use SHA256 from the keytool parameters. But I think your SAML DSig parameters will need SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256.

Modifying the OpenSAML example here, I think you can change the encryption parameters to use AES256 and RSA-OAEP using:

import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.EncryptedAssertion;
import org.opensaml.saml2.encryption.Encrypter;
import org.opensaml.saml2.encryption.Encrypter.KeyPlacement;
import org.opensaml.xml.Configuration;
import org.opensaml.xml.encryption.EncryptionConstants;
import org.opensaml.xml.encryption.EncryptionParameters;
import org.opensaml.xml.encryption.KeyEncryptionParameters;
import org.opensaml.xml.security.credential.Credential;
import org.opensaml.xml.security.keyinfo.KeyInfoGeneratorFactory;

Assertion assertion = createAssertion();

// Assume this contains a recipient's RSA public key
Credential keyEncryptionCredential = getKEKCredential();

// Data encryption: the assertion is encrypted with a fresh AES-256 content key
EncryptionParameters encParams = new EncryptionParameters();
encParams.setAlgorithm(EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES256);

// Key transport: the AES key is wrapped with the recipient's RSA key using OAEP padding
KeyEncryptionParameters kekParams = new KeyEncryptionParameters();
kekParams.setEncryptionCredential(keyEncryptionCredential);
kekParams.setAlgorithm(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP);
KeyInfoGeneratorFactory kigf =
    Configuration.getGlobalSecurityConfiguration()
    .getKeyInfoGeneratorManager().getDefaultManager()
    .getFactory(keyEncryptionCredential);
kekParams.setKeyInfoGenerator(kigf.newInstance());

Encrypter samlEncrypter = new Encrypter(encParams, kekParams);
samlEncrypter.setKeyPlacement(KeyPlacement.PEER);

// Produce the EncryptedAssertion (throws EncryptionException on failure)
EncryptedAssertion encryptedAssertion = samlEncrypter.encrypt(assertion);
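The point made above, that OAEP belongs to the key-transport step and not to the certificate or the key pair, can be seen with plain JCA. The following is an added, self-contained example (not code from the answer, the question, or the OpenSAML project): one ordinary RSA key pair is used for all three of the operations the question lists, and the padding is chosen only when the Cipher is instantiated. Everything here is standard java.security / javax.crypto API; the message text is a constructed sample.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.SecureRandom;
import java.security.Signature;
import java.security.spec.MGF1ParameterSpec;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.OAEPParameterSpec;
import javax.crypto.spec.PSource;

public class OaepIsAChannelChoice {

    public static void main(String[] args) throws Exception {
        // One ordinary RSA key pair, the same thing keytool -genkey -keyalg RSA produces.
        // 2048 bits is used here: 512-bit RSA, as in the question's command, is
        // factorable with modest resources and must not protect a real channel.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair rsa = kpg.generateKeyPair();

        // Constructed sample payload standing in for a SAML assertion.
        byte[] message = "<Assertion>constructed sample</Assertion>".getBytes(StandardCharsets.UTF_8);

        // 1. Signing: SHA256withRSA is the JCA name for the rsa-sha256 XML DSig algorithm.
        Signature signer = Signature.getInstance("SHA256withRSA");
        signer.initSign(rsa.getPrivate());
        signer.update(message);
        byte[] sig = signer.sign();

        // 2. Data encryption: a fresh AES-256 content key (aes256-cbc in XML Encryption).
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey contentKey = kg.generateKey();
        byte[] iv = new byte[16];
        new SecureRandom().nextBytes(iv);
        Cipher aes = Cipher.getInstance("AES/CBC/PKCS5Padding");
        aes.init(Cipher.ENCRYPT_MODE, contentKey, new IvParameterSpec(iv));
        byte[] ciphertext = aes.doFinal(message);

        // 3. Key transport: the only step where OAEP appears. The RSA public key is
        // unchanged; only the Cipher transformation and its parameters differ.
        // rsa-oaep-mgf1p means OAEP with a SHA-1 digest, MGF1/SHA-1 and an empty label.
        OAEPParameterSpec oaep = new OAEPParameterSpec(
                "SHA-1", "MGF1", MGF1ParameterSpec.SHA1, PSource.PSpecified.DEFAULT);
        Cipher kek = Cipher.getInstance("RSA/ECB/OAEPPadding");
        kek.init(Cipher.WRAP_MODE, rsa.getPublic(), oaep);
        byte[] wrappedKey = kek.wrap(contentKey);

        // Recipient side: unwrap with the private key and the same OAEP parameters,
        // decrypt the payload, then verify the signature over the recovered plaintext.
        kek.init(Cipher.UNWRAP_MODE, rsa.getPrivate(), oaep);
        SecretKey recovered = (SecretKey) kek.unwrap(wrappedKey, "AES", Cipher.SECRET_KEY);
        aes.init(Cipher.DECRYPT_MODE, recovered, new IvParameterSpec(iv));
        byte[] plaintext = aes.doFinal(ciphertext);

        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(rsa.getPublic());
        verifier.update(plaintext);

        System.out.println("plaintext matches: " + Arrays.equals(message, plaintext));
        System.out.println("signature valid:   " + verifier.verify(sig));
    }
}
```

Both sides must agree on the OAEP digest and mask-generation parameters; a recipient that unwraps with a different OAEPParameterSpec fails with a BadPaddingException rather than silently recovering a wrong key, which is the behaviour to expect when an OpenSAML peer is configured with a key-transport algorithm other than the one the sender used.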

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address. Any question please contact: yoyou2525@163.com.

粤ICP备18138465号  © 2020-2024 STACKOOM.COM