AlgorithmRegistry indexes signing algorithms only by key type + digest

Description

AlgorithmRegistry indexes signing algorithms by key type + digest only. With the appearance of more modern algorithms, this no longer yields a unique index. For example, see:

http://www.w3.org/2007/05/xmldsig-more#sha256-rsa-MGF1

vs.

http://www.w3.org/2001/04/xmldsig-more#rsa-sha256

This could possibly be fixed by adding more information to the indexing key class, plus an overloaded lookup method that takes an optional params argument.

But also consider whether we still need/want this indexing. We aren’t currently using it. Consider adding support for this indexing in metadata-based signing params resolution.

If we don’t wind up using the indexing, I suppose consider just deprecating and removing the indexing.

Environment

None

Activity

Brent Putman 
August 4, 2023 at 4:07 AM

Don’t have a workable solution yet for how to uniquely index signature algorithms. There are many permutations of possible additional indexable criteria. One approach might involve supporting an additional passed AlgorithmParameters object, or something like that. But I think it’s likely very complex and a lot of work. For example, we’d probably have to have wrappers for all the Java ones to implement #hashCode() and #equals() to make it all work.

Given that we aren’t even using this currently, what I’ve done is deprecate the existing SignatureAlgorithm #getSignatureAlgorithm(...) method, and added a new Set<SignatureAlgorithm> getSignatureAlgorithms(...) method (plural). So the caller can just get all matching ones and filter on them from there if there are multiple.

This seems like a good middle ground unless/until we have a more concrete use case and a better solution.

(As an aside, I realized that in addition to the RSA vs RSASSA-PSS conflict, there was already an existing conflict with the JOSE/OAuth2/OIDC stuff from those plugins if present. Those have the same key and digest algos as existing SAML ones, but different URIs (or “URIs” in the OIDC case, since they aren’t really URIs).)
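To make the collision concrete, here is a small added example in Java (not OpenSAML's code; SignatureAlgorithmIndex and its nested SignatureAlgorithm record are stand-ins of my own) that registers the two URIs from the description plus, going one step beyond the aside, the JOSE name RS256, all under key type + digest, and shows the plural lookup the comment describes with the caller doing the filtering.

```java
import java.util.*;

public final class SignatureAlgorithmIndex {
    // Hypothetical stand-in for a signature algorithm descriptor: the URI (or JOSE name)
    // is the only truly unique identifier; key type and digest are shared across variants.
    public record SignatureAlgorithm(String uri, String key, String digest) {}

    // Index key built from key type + digest only, as the original registry did.
    // Using a record gives the equals()/hashCode() the comment says a richer key would need.
    private record IndexKey(String key, String digest) {}

    private final Map<IndexKey, Set<SignatureAlgorithm>> byKeyAndDigest = new HashMap<>();
    private final Map<String, SignatureAlgorithm> byUri = new HashMap<>();

    public void register(SignatureAlgorithm alg) {
        byUri.put(alg.uri(), alg);
        byKeyAndDigest
            .computeIfAbsent(new IndexKey(alg.key(), alg.digest()), k -> new LinkedHashSet<>())
            .add(alg);
    }

    /** Plural lookup: every descriptor sharing key type + digest. The caller must filter. */
    public Set<SignatureAlgorithm> getSignatureAlgorithms(String key, String digest) {
        return Collections.unmodifiableSet(
            byKeyAndDigest.getOrDefault(new IndexKey(key, digest), Set.of()));
    }

    /** Exact lookup by algorithm URI, which is unambiguous. */
    public Optional<SignatureAlgorithm> getByUri(String uri) {
        return Optional.ofNullable(byUri.get(uri));
    }

    public static void main(String[] args) {
        var index = new SignatureAlgorithmIndex();
        // Constructed registrations: the two URIs from the issue plus the JOSE name RS256.
        index.register(new SignatureAlgorithm(
            "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", "RSA", "SHA-256"));
        index.register(new SignatureAlgorithm(
            "http://www.w3.org/2007/05/xmldsig-more#sha256-rsa-MGF1", "RSA", "SHA-256"));
        index.register(new SignatureAlgorithm("RS256", "RSA", "SHA-256"));

        Set<SignatureAlgorithm> matches = index.getSignatureAlgorithms("RSA", "SHA-256");
        System.out.println("RSA + SHA-256 matches: " + matches.size()); // 3, so not unique

        // A caller that needs plain PKCS#1 v1.5 XML DSig must choose explicitly, e.g. by URI
        // namespace and by excluding the MGF1 (RSASSA-PSS) variant, instead of assuming one hit.
        matches.stream()
            .filter(a -> a.uri().startsWith("http://www.w3.org/") && !a.uri().contains("MGF1"))
            .forEach(a -> System.out.println("chosen: " + a.uri()));
    }
}
```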

Completed

Created February 2, 2023 at 2:32 AM
Updated August 4, 2023 at 4:07 AM
Resolved August 4, 2023 at 4:07 AM