Skip to content

Restrict RSA paddings allowed through OpenJCEPlusFIPS #1036

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
KostasTsiounis wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Restrict RSA paddings allowed through OpenJCEPlusFIPS #1036

KostasTsiounis wants to merge 2 commits into from
+64 −24

Conversation

@KostasTsiounis
Copy link
Member

@KostasTsiounis KostasTsiounis commented Dec 11, 2025
edited
Loading

This change adds attributes in the RSA service registration in the OpenJCEPlusFIPS provider to only support OAEP paddings.

It, also, update the engineSetPadding() method to only allow OAEP paddings to be set when the FIPS provider is used.

Tests are updated accordingly to skip invalid padding tests when running with OpenJCEPlusFIPS.

A temporary flag that allows the use of other paddings with OpenJCEPlusFIPS is introduced to facilitate migration of users utilizing the previous behaviour. The flag to be set to revert this behaviour is -Dcom.ibm.openjceplusfips.allowNonOAEP=true.

Signed-off-by: Kostas Tsiounis [email protected]

taoliult
taoliult reviewed Dec 19, 2025
View reviewed changes
taoliult
taoliult approved these changes Dec 19, 2025
View reviewed changes
Copy link
Collaborator

@taoliult taoliult left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

jasonkatonica
jasonkatonica requested changes Jan 6, 2026
View reviewed changes
@KostasTsiounis
Restrict RSA paddings allowed through OpenJCEPlusFIPS
546a622 
This change adds attributes in the RSA service registration
in the OpenJCEPlusFIPS provider to only support OAEP paddings.

It, also, update the engineSetPadding() method to only allow
OAEP paddings to be set when the FIPS provider is used.

Tests are updated accordingly to skip invalid padding tests
when running with OpenJCEPlusFIPS.

A temporary flag that allows the use of other paddings with
OpenJCEPlusFIPS is introduced to facilitate migration of
users utilizing the previous behaviour. The flag to be set
to revert this behaviour is -Dcom.ibm.openjceplusfips.allowNonOAEP=true.

Signed-off-by: Kostas Tsiounis <[email protected]>
@KostasTsiounis
Remove ZeroPadding from service attrs
429e28d
jasonkatonica
jasonkatonica approved these changes Jan 9, 2026
View reviewed changes
Copy link
Member

@jasonkatonica jasonkatonica left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@taoliult taoliult taoliult approved these changes

@jasonkatonica jasonkatonica jasonkatonica approved these changes

@johnpeck-us-ibm johnpeck-us-ibm Awaiting requested review from johnpeck-us-ibm

@JinhangZhang JinhangZhang Awaiting requested review from JinhangZhang

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@KostasTsiounis @taoliult @jasonkatonica