MGF element and http://www.w3.org/2009/xmlenc11#rsa-oaep

[timlegge]

Hi

Does xmlsec support the optional MGF element of EncryptionMethod if the Algorithm is http://www.w3.org/2009/xmlenc11#rsa-oaep

I don't beliebe it does but I just wanted to check.

Tim

[lsh123]

Not sure what exactly do you mean. In the XMLEnc spec, the RSA OAEP is defined as follows:

Schema Definition:
     <!-- use these element types as children of EncryptionMethod
          when used with RSA-OAEP -->
     <element name='OAEPparams' minOccurs='0' type='base64Binary'/>
     <element ref='ds:DigestMethod' minOccurs='0'/>

The XMLSec source code parses both OAEPparams and DigestMethod elements and uses is for RSA OAEP.

[timlegge]

Sorry, I should have been clearer. According to:

https://www.w3.org/TR/xmlenc-core1/#sec-RSA-OAEP

The http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p identifier defines the mask generation function as the fixed value of MGF1 with SHA1. In this case the optional xenc11:MGF element of the xenc:EncryptionMethod element must not be provided.

The http://www.w3.org/2009/xmlenc11#rsa-oaep identifier defines the mask generation function using the optional xenc11:MGF element of the xenc:EncryptionMethod element. If not present, the default of MGF1 with SHA1 is to be used.

Several examples are included including:

<EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#rsa-oaep">
  <OAEPparams>9lWu3Q==</OAEPparams>
  <xenc11:MGF Algorithm="http://www.w3.org/2001/04/xmlenc#MGF1withSHA1" />
  <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<EncryptionMethod>

[lsh123]

Thanks, that makes total sense. I did check and it seems that at least for openssl this should be trivial change. Do you know if there are any test vectors to verify implementation?

[timlegge]

Hi

It was reported to me that someone was testing XML::Enc with samltest.id and XML::Enc did not support http://www.w3.org/2009/xmlenc11#rsa-oaep. As I was implementing that I obviously looked to xmlsec as a way to verify my implementation :-)

I have not yet been able to configure samltest.id to return rsa-oaep and I don't know if it used MGF or simply defaulted to mgf1sha1. I am hoping to have the xml files from that reporter later today.

I did add support to https://metacpan.org/release/TIMLEGGE/XML-Enc-0.07-TRIAL/view/lib/XML/Enc.pm (see https://metacpan.org/release/TIMLEGGE/XML-Enc-0.07-TRIAL/source/t/06-test-encryption-methods.t#L54). But unless I can test it against a known implementation that may be suspect at best)...

Tim

[timlegge]

me too. Once you add support I will add a test using xmlsec :-) but if you find anything keep me posted.

I do have permission to pass along the encrypted xml file and test private key from the reporter if that helps at all

[lsh123]

me too. Once you add support I will add a test using xmlsec :-) but if you find anything keep me posted.
I do have permission to pass along the encrypted xml file and test private key from the reporter if that helps at all

The openssl and (limited) mscng support for MGF1 param is added. I found some test vectors but would appreciate if you can try ones you have as well.

[timlegge]

Will try a build in the next few days

[timlegge]

Initial tests look good. I was able to test successfully against the original file from samltest.id and mgf1sha1 through mfg1sha512 that was encrypted using XML::Enc.

[lsh123]

Initial tests look good. I was able to test successfully against the original file from samltest.id and mgf1sha1 through mfg1sha512 that was encrypted using XML::Enc.

Fantastic! Meantime I added RSA OAEP support to NSS (including MGF) in PR #443 (which is going to get issue #2 closed! :) ).

[lsh123]

I created issue #439 and plan to add it in the next release in Spring 2023