
I found out the hard way that in Oracle's Java standard crypto provider

    Cipher cipher = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");

uses MGF1 instantiated with SHA-1; SHA-256 is only used to hash the label (in practice empty). The only solution that I found to actually use SHA-256 in MGF1 (helped by that answer and comment) was using an alternate form of `Cipher.init`:

    cipher.init(Cipher.DECRYPT_MODE, privKey, new OAEPParameterSpec(
        "SHA-256", "MGF1", MGF1ParameterSpec.SHA256, PSource.PSpecified.DEFAULT
    ));

Question: is there a transformation that Cipher.getInstance will recognize, with effect similar to "RSA/ECB/OAEPWithSHA-256AndMGF1Padding", except with MGF1 using SHA-256?

fgrieu
  • Note that this works only since Java7u55 (see https://bugs.java.com/bugdatabase/view_bug.do?bug_id=8058549). Previous java versions throw an Exception doing it the described way. – Heri Apr 15 '19 at 13:50

1 Answer


No, there isn't.

Java is open source. If unsure you can take a look at the sources for the OpenJDK.

In the init method of com.sun.crypto.provider.RSACipher it reads:

            spec = new OAEPParameterSpec(oaepHashAlgorithm, "MGF1",
                MGF1ParameterSpec.SHA1, PSource.PSpecified.DEFAULT);

I've checked this up to Java 8 update 60 for the OpenJDK. As you can see, you need to use the algorithm parameters.

Maarten Bodewes
  • Convincing demonstration, thanks. This is a serious oversight IMHO. One of the justifications of the complexity of the Java standard crypto provider is to allow specifying a _transformation_ in a unified way, as implicit in the [specification of Cipher](https://docs.oracle.com/javase/8/docs/api/javax/crypto/Cipher.html): "A _transformation_ is a string that describes the operation (or set of operations) to be performed on the given input, to produce some output." – fgrieu Nov 07 '15 at 08:07
  • I agree with that, it also hampers the replacement of e.g. RSA/PKCS1 or OAEP with one that uses SHA-256. There have been more of such oversights, such as AES not having a `SecretKeyFactory`, which would be required for use with e.g. HSMs. GCM has not been handled gracefully either. Still one of the best APIs around nonetheless. – Maarten Bodewes Nov 07 '15 at 10:30
  • Old post, but just for the record, it looks like Java 8 parses the MD from the transformation string now: http://grepcode.com/file/repository.grepcode.com/java/root/jdk/openjdk/8u40-b25/com/sun/crypto/provider/RSACipher.java/#147 – eckes Dec 08 '15 at 05:17
  • @eckes: I do not see the code around the line that you mention choosing the hash for MGF1. Plus, if it does, there must be a specification somewhere, right? – fgrieu Oct 19 '16 at 06:32
  • @fgrieu I thought it is `oaepHashAlgorithm`, but maybe I am wrong (it might be the label hash). BTW: I suspect it is not specified as it is not a JCE standard but implemented for JSSE, but I could be wrong. – eckes Oct 19 '16 at 18:31
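
A way to check which MGF1 digest the selected provider actually uses, and to observe the mismatch discussed in this thread, written as an added example (not code from the question, the answer or the JDK). The class name `OaepMgf1Check`, the helper `mgf1Digest` and the sample plaintext are made up for the illustration, and the key pair is a throwaway generated at run time.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.spec.MGF1ParameterSpec;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.spec.OAEPParameterSpec;
import javax.crypto.spec.PSource;

public class OaepMgf1Check {   // hypothetical class name
    static final String T = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";

    // Report the MGF1 digest the provider selected for an initialised cipher.
    static String mgf1Digest(Cipher c) throws Exception {
        OAEPParameterSpec spec = c.getParameters().getParameterSpec(OAEPParameterSpec.class);
        return ((MGF1ParameterSpec) spec.getMGFParameters()).getDigestAlgorithm();
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();   // constructed demo key, never reused

        // Explicit parameters: SHA-256 for both the label hash and MGF1.
        OAEPParameterSpec sha256Both = new OAEPParameterSpec(
            "SHA-256", "MGF1", MGF1ParameterSpec.SHA256, PSource.PSpecified.DEFAULT);

        Cipher enc = Cipher.getInstance(T);
        enc.init(Cipher.ENCRYPT_MODE, kp.getPublic(), sha256Both);
        byte[] ct = enc.doFinal("constructed sample".getBytes(StandardCharsets.UTF_8));
        System.out.println("explicit spec, MGF1 digest: " + mgf1Digest(enc));

        // Transformation string alone: the provider chooses the MGF1 digest.
        Cipher dflt = Cipher.getInstance(T);
        dflt.init(Cipher.DECRYPT_MODE, kp.getPrivate());
        System.out.println("string only, MGF1 digest:   " + mgf1Digest(dflt));
        try {
            dflt.doFinal(ct);
            System.out.println("string-only decrypt: ok (provider default matches)");
        } catch (BadPaddingException e) {
            System.out.println("string-only decrypt: failed, MGF1 digest mismatch");
        }

        // Decrypting with the same explicit spec recovers the plaintext.
        Cipher dec = Cipher.getInstance(T);
        dec.init(Cipher.DECRYPT_MODE, kp.getPrivate(), sha256Both);
        System.out.println(new String(dec.doFinal(ct), StandardCharsets.UTF_8));
    }
}
```

Printing the negotiated MGF1 digest during integration testing catches the case where one side relies on the transformation string and the other passes an `OAEPParameterSpec`.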