Description
Problem
JceMasterKey is very poorly constrained when using RSA master keys. The current implementation only verifies that the wrapping algorithm name starts with "RSA/ECB/", leaving the padding algorithm open to whatever any given JCE provider makes available.
aws/aws-encryption-sdk-python#56
Without providing some constraints around the permitted padding algorithms for RSA master keys, we cannot guarantee full compatibility between this and any other implementation.
Proposed Solution
We should constrain the allowed padding algorithms to a whitelisted set. This does hold the risk of breaking existing usage if anyone is using an unusual padding algorithm not on this list.
Allow
RSA/ECB/PKCS1Padding- Required in the JCE Implementation RequirementsRSA/ECB/OAEPWithSHA-1AndMGF1Padding- Required in the JCE Implementation RequirementsRSA/ECB/OAEPWithSHA-256AndMGF1Padding- Required in the JCE Implementation RequirementsRSA/ECB/OAEPWithSHA-384AndMGF1Padding- Secure and reasonably common.RSA/ECB/OAEPWithSHA-512AndMGF1Padding- Secure and already used by at least one AWS service.
Consider for future
RSA/ECB/OAEPWithSHA-224AndMGF1Padding- Better thanSHA1, but based on consultation with algorithms team we should leave it off unless we receive requests for it.
Alternate Solution
Alternately, we could simply document the above as officially supported padding algorithms and raise a warning if an unsupported padding algorithm is used. I like this less from a "keep the foot-guns locked away" perspective, but it is the safer option considering how long the existing implementation has been in the wild.