AlgorithmRegistry indexes signing algorithms only by key type + digest
Activity
Brent Putman August 4, 2023 at 4:07 AM
Don't have a workable solution yet for how to uniquely index signature algorithms. There are many permutations of possible additional indexable criteria. One approach might involve supporting an additional passed AlgorithmParameters object, or something like that. But I think it's likely very complex and a lot of work. For example, we'd probably have to have wrappers for all the Java ones to implement #hashCode() and #equals() to make it all work.

Given that we aren't even using this currently, what I've done is deprecate the existing SignatureAlgorithm #getSignatureAlgorithm(...) method, and added a new Set<SignatureAlgorithm> getSignatureAlgorithms(...) method (plural). So the caller can just get all matching ones and filter on them from there if there are multiple.

This seems like a good middle ground unless/until we have a more concrete use case and a better solution.

(As an aside, I realized that in addition to the RSA vs RSASSA-PSS conflict, there was already an existing conflict with the JOSE/OAuth2/OIDC stuff from those plugins if present. Those have the same key and digest algos as existing SAML ones, but different URIs (or "URIs" in the OIDC case, since they aren't really URIs).)
Description
AlgorithmRegistry indexes signing algorithms by key type + digest only. With the appearance of more modern algorithms, this does not result in a unique index. For example see:
http://www.w3.org/2007/05/xmldsig-more#sha256-rsa-MGF1
vs.
http://www.w3.org/2001/04/xmldsig-more#rsa-sha256

Possibly can fix by adding in more info to the indexing key class + an overloaded lookup method that takes an optional params arg.

But also consider whether we still need/want this indexing. We aren't currently using it. Consider adding support for this indexing in metadata-based signing params resolution.

If we don't wind up using the indexing, I suppose consider just deprecating and removing the indexing.
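The following is an added illustration of the problem in the description and of the two remedies discussed on this page (the widened index key with an extra params argument from the description, and the plural "return every match and let the caller filter" method from the comment). It is stand-alone example code, not OpenSAML's AlgorithmRegistry or any Shibboleth code. The SignatureAlgorithm descriptor, its field names, the scheme labels (RSASSA-PKCS1-v1_5, RSASSA-PSS, ECDSA), the "EC" key type string and the ECDSA entry are all assumptions made for the example; the two RSA URIs are the ones quoted in the issue.

```java
import java.util.HashMap;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Set;

/**
 * Added illustration (not OpenSAML code): why (keyType, digest) stops being a
 * unique index once RSASSA-PSS is registered, and the two remedies discussed.
 */
public class AlgorithmIndexDemo {

    /** Hypothetical descriptor; field names are assumptions, not OpenSAML's. */
    record SignatureAlgorithm(String uri, String keyType, String digest, String scheme) {}

    /** The index key the registry uses today: key type + digest only. */
    record IndexKey(String keyType, String digest) {}

    /** A widened key that also carries the signature scheme (the "optional params arg" idea). */
    record ParamIndexKey(String keyType, String digest, String scheme) {}

    /** Constructed sample entries; the two RSA URIs are the ones quoted in the issue. */
    static final List<SignatureAlgorithm> ALGORITHMS = List.of(
        new SignatureAlgorithm("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
                               "RSA", "SHA-256", "RSASSA-PKCS1-v1_5"),
        new SignatureAlgorithm("http://www.w3.org/2007/05/xmldsig-more#sha256-rsa-MGF1",
                               "RSA", "SHA-256", "RSASSA-PSS"),
        new SignatureAlgorithm("http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256",
                               "EC", "SHA-256", "ECDSA"));

    /** Current shape of the index: a single-valued map silently keeps only the last registration per key. */
    static Map<IndexKey, SignatureAlgorithm> singleValuedIndex(List<SignatureAlgorithm> algs) {
        Map<IndexKey, SignatureAlgorithm> index = new HashMap<>();
        for (SignatureAlgorithm alg : algs) {
            SignatureAlgorithm displaced = index.put(new IndexKey(alg.keyType(), alg.digest()), alg);
            if (displaced != null) {
                // This is the collision the issue describes: PKCS#1 v1.5 and PSS share (RSA, SHA-256).
                System.out.println("collision: " + displaced.uri() + " displaced by " + alg.uri());
            }
        }
        return index;
    }

    /** Remedy from the comment: keep every match under the key and let the caller filter. */
    static Map<IndexKey, Set<SignatureAlgorithm>> multiValuedIndex(List<SignatureAlgorithm> algs) {
        Map<IndexKey, Set<SignatureAlgorithm>> index = new HashMap<>();
        for (SignatureAlgorithm alg : algs) {
            index.computeIfAbsent(new IndexKey(alg.keyType(), alg.digest()), k -> new LinkedHashSet<>())
                 .add(alg);
        }
        return index;
    }

    /** Remedy from the description: widen the key so the lookup itself is unambiguous. */
    static Map<ParamIndexKey, SignatureAlgorithm> paramIndex(List<SignatureAlgorithm> algs) {
        Map<ParamIndexKey, SignatureAlgorithm> index = new HashMap<>();
        for (SignatureAlgorithm alg : algs) {
            ParamIndexKey key = new ParamIndexKey(alg.keyType(), alg.digest(), alg.scheme());
            // With the extra parameter in the key a duplicate is a real registration error, not a silent overwrite.
            if (index.putIfAbsent(key, alg) != null) {
                throw new IllegalStateException("duplicate registration for " + key);
            }
        }
        return index;
    }

    /** Caller-side filter over the multi-valued result, e.g. "give me the PSS variant". */
    static Optional<SignatureAlgorithm> lookup(Map<IndexKey, Set<SignatureAlgorithm>> index,
                                               String keyType, String digest, String scheme) {
        return index.getOrDefault(new IndexKey(keyType, digest), Set.of()).stream()
                    .filter(a -> a.scheme().equals(scheme))
                    .findFirst();
    }

    public static void main(String[] args) {
        Map<IndexKey, SignatureAlgorithm> single = singleValuedIndex(ALGORITHMS);
        // Only one of the two RSA/SHA-256 entries survives; which one depends on registration order.
        System.out.println("single-valued: " + single.get(new IndexKey("RSA", "SHA-256")).uri());

        Map<IndexKey, Set<SignatureAlgorithm>> multi = multiValuedIndex(ALGORITHMS);
        System.out.println("multi-valued matches: " + multi.get(new IndexKey("RSA", "SHA-256")).size());
        System.out.println("PSS via filter: "
            + lookup(multi, "RSA", "SHA-256", "RSASSA-PSS").map(SignatureAlgorithm::uri).orElse("none"));

        Map<ParamIndexKey, SignatureAlgorithm> byParams = paramIndex(ALGORITHMS);
        System.out.println("PKCS#1 v1.5 via widened key: "
            + byParams.get(new ParamIndexKey("RSA", "SHA-256", "RSASSA-PKCS1-v1_5")).uri());
    }
}
```

The same multi-valued bucket also absorbs the conflict mentioned in the comment's aside: a JOSE or OIDC algorithm registered with the same key type and digest as a SAML one lands under the same (keyType, digest) key, and only the caller's filter on the URI or scheme tells them apart. The widened-key variant forces that distinguishing attribute into the lookup signature instead, which is the trade-off the description's "overloaded lookup method that takes an optional params arg" would have to make for every parameter that can vary.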