如何正确使用 Bouncy Castle 的 OAEPEncoding for RSA(轻量级 API)
我一直在尝试 Bouncy Castle 的 RSA(轻量级 API)实现并了解了基础知识。查看他们的 JCE 提供程序实现的 spec,我注意到不同的填充方案可以与 RSA 一起使用。据我了解,默认情况下使用空填充。因此我开始探索 OAEP 填充,特别是 OAEPWithSHA512AndMGF1Padding。使用Google搜索并不是很有帮助,所以我开始挖掘BC的源代码并发现org.bouncycastle.jce.provider.JCERSACipher 类。但是看着 initFromSpec 很快就让我头疼了……具体来说,我不明白可以传递给 OAEPEncoding 构造函数的最后两个参数是什么。根据 BC 的 API,OAEPEncoding 构造函数允许四个参数接受 Digest mgf1Hash 和 byte[]encodingParams 作为最后两个参数。这让我很困惑,因为我不知道如何获取掩码生成算法的实例,也不了解称为 encodingParams 的字节数组背后的目的。下面代码中 arg3 和 arg4 的值应该是多少?
RSABlindedEngine rsa = new RSABlindedEngine();
SHA512Diges sha512 = new SHA512Digest();
Digest arg3 = ???;
byte[] arg4 = ???;
AsymmetricBlockCipher cipher = new OAEPEncoding(rsa, sha512, arg3, arg4);
I've been playing around with Bouncy Castle's implementation of RSA (Lightweight API) and got the basics figured out. Looking at their spec for JCE provider implementation I noticed that different padding schemes can be used with RSA. From what I understand, by default null padding is used. So I began exploring OAEP padding, particularly OAEPWithSHA512AndMGF1Padding. Searching with Google wasn't very helpful so I began digging through BC's source code and found org.bouncycastle.jce.provider.JCERSACipher class. But looking at initFromSpec quickly gave me a headache... Specifically, I don't understand what the last two parameters that can be passed to the OAEPEncoding constructor are. According to BC's API the OAEPEncoding constructor that allows four parameters accepts Digest mgf1Hash and byte[] encodingParams as the last two arguments. This stumped me because I have no idea how to get a hold of an instance of the mask generation algorithm nor do I understand the purpose behind the byte array referred to as encodingParams. What should be the values of arg3 and arg4 in the code below?
RSABlindedEngine rsa = new RSABlindedEngine();
SHA512Diges sha512 = new SHA512Digest();
Digest arg3 = ???;
byte[] arg4 = ???;
AsymmetricBlockCipher cipher = new OAEPEncoding(rsa, sha512, arg3, arg4);
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
OAEP 由 PKCS#1 第 7.1 节 指定。
OAEP 需要以下参数:
只有一个定义的掩码生成函数,称为 MGF1,并且该函数是基于哈希函数构建的。因此,您的 arg3 是 MGF1 将使用的哈希函数。它可能是与第一个哈希函数相同的哈希函数(我不确定它可能是 Bouncy Castle API 中的相同
Digest实例;我在这里用数学方法进行讨论)。它也可能是另一个哈希函数。标签可以用作实例之间的一种区分器(例如,您可以使用标签中编码的明确“目的”来加密数据)。它在一些数学证明中很方便,但现在 PKCS#1 建议使用空字符串并用它来完成。出于 PKCS#1 中描述的目的,空标签与任何标签一样好。
解密过程必须知道这些参数才能进行操作。通常将它们编码在加密消息附带的结构中,并表示“这是使用 RSA/OAEP 加密的”;这就是 CMS 中发生的情况。
如有疑问,请对 MGF1 使用与第一个参数相同的哈希函数,并使用空标签。
OAEP is specified by PKCS#1, section 7.1.
OAEP requires the following parameters:
There is only one defined mask generation function, called MGF1, and that function is built over a hash function. So your
arg3is the hash function which MGF1 will use. It may be the same hash function than the first one (I am not sure it may be the sameDigestinstance in the Bouncy Castle API; I am talking mathematically here). It may also be another hash function.The label can be used as a kind of distinguishers between instances (e.g. you could encrypt data with an explicit "purpose" encoded in the label). It is handy in some mathematical proofs, but right now PKCS#1 recommends using an empty string and be done with it. For the purposes described in PKCS#1, an empty label is as good as any.
The decryption process must know those parameters to operate. It is customary to encode them in the structure which comes along with the encrypted message and says "this is encrypted with RSA/OAEP"; that's how it happens in CMS.
When in doubt, use the same hash function as first parameter and for MGF1, and use an empty label.