I'm pretty familiar with the Java keytool command, but I can't seem to figure out how to generate an OAEP-padded RSA certificate. I'm trying to generate one to secure a SAML channel. I get the feeling I'm misunderstanding how specifying the padding approach works.
Ideally I end up with a channel that is signed with RSA SHA256, encrypted with AES256, and whose key transport algorithm has OAEP padding.
As a side question, would this work with an OpenSAML implementation? I don't see why not, since it's just a valid X509 certificate as far as it should be concerned.
```
keytool -genkey -alias myalias -keyalg RSA -keysize 512 -sigalg SHA256withRSA -keystore sample.jks -dname "CN=C, O=O, L=L, ST=S, C=US" -storepass changeit
```
The OAEP padding will apply to your ciphertext and not your certificate.
Your certificate should use SHA256 from the keytool parameters. But I think your SAML DSig parameters will need SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256.
Modifying the OpenSAML example here, I think you can change the encryption parameters to use AES256 and RSA-OAEP using:
```java
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.EncryptedAssertion;
import org.opensaml.saml2.encryption.Encrypter;
import org.opensaml.saml2.encryption.Encrypter.KeyPlacement;
import org.opensaml.xml.Configuration;
import org.opensaml.xml.encryption.EncryptionConstants;
import org.opensaml.xml.encryption.EncryptionParameters;
import org.opensaml.xml.encryption.KeyEncryptionParameters;
import org.opensaml.xml.security.credential.Credential;
import org.opensaml.xml.security.keyinfo.KeyInfoGeneratorFactory;

Assertion assertion = createAssertion();
// Assume this contains a recipient's RSA public key
Credential keyEncryptionCredential = getKEKCredential();

// Data encryption: the assertion itself is encrypted with AES-256 (xmlenc aes256-cbc)
EncryptionParameters encParams = new EncryptionParameters();
encParams.setAlgorithm(EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES256);

// Key transport: the generated AES key is wrapped with the recipient's RSA key using OAEP padding
KeyEncryptionParameters kekParams = new KeyEncryptionParameters();
kekParams.setEncryptionCredential(keyEncryptionCredential);
kekParams.setAlgorithm(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP);

// Emit a KeyInfo describing the key-encryption credential so the recipient can locate its private key
KeyInfoGeneratorFactory kigf = Configuration.getGlobalSecurityConfiguration()
        .getKeyInfoGeneratorManager().getDefaultManager()
        .getFactory(keyEncryptionCredential);
kekParams.setKeyInfoGenerator(kigf.newInstance());

Encrypter samlEncrypter = new Encrypter(encParams, kekParams);
samlEncrypter.setKeyPlacement(KeyPlacement.PEER);
EncryptedAssertion encryptedAssertion = samlEncrypter.encrypt(assertion);
```
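The point that OAEP is a property of the encryption operation rather than of the certificate, shown with plain JCA as an added example that is not part of the answer above or of OpenSAML. It uses only standard Java provider algorithm names and generates throwaway keys in memory; it also shows why the 512-bit key from the question's keytool command cannot carry an AES-256 key under OAEP (the SHA-1 OAEP limit is k - 2*hLen - 2 = 22 bytes for a 64-byte modulus).

```java
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

public class OaepKeyTransportDemo {

    // Wrap a symmetric key with the recipient's RSA public key using OAEP, then
    // unwrap it with the private key. The padding is chosen here, at Cipher
    // construction time; the RSA key pair (and any certificate around it) is
    // the same object whether PKCS#1 v1.5 or OAEP is used.
    static boolean wrapAndUnwrap(KeyPair rsa, SecretKey contentKey) throws GeneralSecurityException {
        Cipher wrap = Cipher.getInstance("RSA/ECB/OAEPWithSHA-1AndMGF1Padding");
        wrap.init(Cipher.WRAP_MODE, rsa.getPublic());
        byte[] wrapped = wrap.wrap(contentKey);

        Cipher unwrap = Cipher.getInstance("RSA/ECB/OAEPWithSHA-1AndMGF1Padding");
        unwrap.init(Cipher.UNWRAP_MODE, rsa.getPrivate());
        SecretKey recovered = (SecretKey) unwrap.unwrap(wrapped, "AES", Cipher.SECRET_KEY);
        return Arrays.equals(contentKey.getEncoded(), recovered.getEncoded());
    }

    public static void main(String[] args) throws Exception {
        // The content-encryption key a SAML Encrypter would generate for AES-256
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey aes256 = kg.generateKey();

        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        System.out.println("2048-bit RSA, OAEP wrap of AES-256 key round-trips: "
                + wrapAndUnwrap(kpg.generateKeyPair(), aes256));

        // With a 512-bit modulus OAEP(SHA-1) can carry at most 64 - 2*20 - 2 = 22 bytes,
        // so a 32-byte AES-256 key does not fit and the wrap fails.
        kpg.initialize(512);
        try {
            wrapAndUnwrap(kpg.generateKeyPair(), aes256);
            System.out.println("unexpected: 512-bit wrap succeeded");
        } catch (GeneralSecurityException e) {
            System.out.println("512-bit RSA cannot wrap an AES-256 key under OAEP: " + e);
        }
    }
}
```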