Description
Problem
RawMasterKey provides a compatible implementation of the behavior exhibited by the JceMasterKey provided in the AWS Encryption SDK for Java. Unfortunately, because we did not define constraints for JceMasterKey, when used with an RSA keypair it will accept any JCE Standard Name wrapping algorithm for RSA. This is only constrained by the Standard Names that your JCE Provider supports.
RawMasterKey, by way of WrappingAlgorithm, is much more opinionated and will only accept the specific algorithms that we have pre-defined. This list was defined as PKCS1v15, OAEP-MGF1-SHA1, and OAEP-MGF1-SHA256 because those are the only algorithms defined in the JCE implementation requirements.
We will explicitly not be supporting all possible algorithms for several reasons, including but not limited to:
- No constraints are set in the JCE specification, so any JCE Provider could in theory support any names that they want to, including fully custom names/algorithms.
- Some commonly supported algorithms, such as some supported by the SunJCE Provider, we explicitly will never support. These include
NoPaddingandOAEP-MGF1-MD5. - We do need to at some point better define the constraints of algorithms allowed be
JceMasterKey. What exactly that will look like, especially considering compatibility requirements, remains to be seen and requires discussion.
Solution
We should add allowed WrappingAlgorithm definitions for RSA-OAEP-MGF1 with additional valid SHA2 algorithms. We should at least add SHA512. Whether we should add SHA384/etc is pending discussion.