Skip to content

Commit 39f92e1

Browse files
author
gm2552
committed
Adding fix for OAEP decryption with HSMs.
Addressing Issue #7.
1 parent 5b17a9a commit 39f92e1

2 files changed

Lines changed: 30 additions & 2 deletions

File tree

src/main/java/org/nhindirect/stagent/cryptography/bc/DirectNamedJcaJceExtHelper.java

Lines changed: 15 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -4,6 +4,8 @@
44

55
import javax.crypto.SecretKey;
66

7+
import org.apache.commons.lang3.StringUtils;
8+
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
79
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
810
import org.bouncycastle.jcajce.util.NamedJcaJceHelper;
911
import org.bouncycastle.operator.SymmetricKeyUnwrapper;
@@ -20,7 +22,19 @@ public DirectNamedJcaJceExtHelper(String providerName)
2022

2123
public JceAsymmetricKeyUnwrapper createAsymmetricUnwrapper(AlgorithmIdentifier keyEncryptionAlgorithm, PrivateKey keyEncryptionKey)
2224
{
23-
return new DirectJceAsymmetricKeyUnwrapper(keyEncryptionAlgorithm, keyEncryptionKey).setProvider(providerName);
25+
final JceAsymmetricKeyUnwrapper retVal = new DirectJceAsymmetricKeyUnwrapper(keyEncryptionAlgorithm, keyEncryptionKey);
26+
retVal.setProvider(providerName);
27+
28+
/*
29+
* For a non-BC provider, we need to map the OAEP algorithm OID to a name. Many HSMs do not recognized the algorithm OID and explicitly
30+
* need the name.
31+
*/
32+
if (!StringUtils.isEmpty(providerName) && !providerName.equalsIgnoreCase("BC"))
33+
{
34+
retVal.setAlgorithmMapping(PKCSObjectIdentifiers.id_RSAES_OAEP, "RSA/ECB/OAEP");
35+
}
36+
37+
return retVal;
2438
}
2539

2640
public JceKTSKeyUnwrapper createAsymmetricUnwrapper(AlgorithmIdentifier keyEncryptionAlgorithm, PrivateKey keyEncryptionKey, byte[] partyUInfo, byte[] partyVInfo)

src/main/java/org/nhindirect/stagent/cryptography/bc/DirectProviderJcaJceExtHelper.java

Lines changed: 15 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -5,6 +5,8 @@
55

66
import javax.crypto.SecretKey;
77

8+
import org.apache.commons.lang3.StringUtils;
9+
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
810
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
911
import org.bouncycastle.jcajce.util.ProviderJcaJceHelper;
1012
import org.bouncycastle.operator.SymmetricKeyUnwrapper;
@@ -22,7 +24,19 @@ public DirectProviderJcaJceExtHelper(Provider provider)
2224

2325
public JceAsymmetricKeyUnwrapper createAsymmetricUnwrapper(AlgorithmIdentifier keyEncryptionAlgorithm, PrivateKey keyEncryptionKey)
2426
{
25-
return new DirectJceAsymmetricKeyUnwrapper(keyEncryptionAlgorithm, keyEncryptionKey).setProvider(provider);
27+
final JceAsymmetricKeyUnwrapper retVal = new DirectJceAsymmetricKeyUnwrapper(keyEncryptionAlgorithm, keyEncryptionKey);
28+
retVal.setProvider(provider);
29+
30+
/*
31+
* For a non-BC provider, we need to map the OAEP algorithm OID to a name. Many HSMs do not recognized the algorithm OID and explicitly
32+
* need the name.
33+
*/
34+
if (provider != null && !StringUtils.isEmpty(provider.getName()) && !provider.getName().equalsIgnoreCase("BC"))
35+
{
36+
retVal.setAlgorithmMapping(PKCSObjectIdentifiers.id_RSAES_OAEP, "RSA/ECB/OAEP");
37+
}
38+
39+
return retVal;
2640
}
2741

2842
public JceKTSKeyUnwrapper createAsymmetricUnwrapper(AlgorithmIdentifier keyEncryptionAlgorithm, PrivateKey keyEncryptionKey, byte[] partyUInfo, byte[] partyVInfo)

0 commit comments

Comments
 (0)