OpenAM issue OPENAM-15768

Use of 1024-bit RSA in docs sample code

      Description

      The documentation for OIDC encryption for older versions contains a snippet for generating an RSA key pair:

      KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
      keyPairGenerator.initialize(1024);
      StringWriter writer = new StringWriter();
      PEMWriter pemWriter = new PEMWriter(writer);
      pemWriter.writeObject(keyPairGenerator.generateKeyPair().getPublic());
      pemWriter.flush();
      return writer.toString(); 

      1024-bit RSA is no longer considered secure and OAuth requires keys of at least 2048 bits.

      The 6.5 docs have removed this example, but it would be great if we could update it to 2048-bit keys for the older versions.

      A secondary note is that this code discards the private key, which will be needed by the client if it wants to decrypt the ID token, so perhaps a comment to this effect would be useful.
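For reference, the following is an added example of what the corrected snippet could look like. It is not code from the OpenAM documentation or the OpenAM project; it uses only the JDK (no BouncyCastle PEMWriter), enforces a 2048-bit minimum, and writes out both halves of the key pair so the private key needed to decrypt the ID token is not lost. The class name, the MIN_RSA_BITS constant and the helper method names are assumptions made for this example.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.interfaces.RSAKey;
import java.util.Base64;

public class RsaKeyPairExample {
    // Minimum RSA modulus size accepted here; 2048 bits is the floor the
    // OAuth/OIDC specs require, and 1024-bit keys are rejected outright.
    // (Name and placement of this constant are an assumption of this example.)
    private static final int MIN_RSA_BITS = 2048;

    /** Generates an RSA key pair and refuses any request below MIN_RSA_BITS. */
    public static KeyPair generateRsaKeyPair(int bits) throws NoSuchAlgorithmException {
        if (bits < MIN_RSA_BITS) {
            throw new IllegalArgumentException(
                    "RSA key size " + bits + " is below the " + MIN_RSA_BITS + "-bit minimum");
        }
        KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
        keyPairGenerator.initialize(bits);
        return keyPairGenerator.generateKeyPair();
    }

    /** Wraps DER bytes in a PEM block with 64-character lines; JDK only, no PEMWriter needed. */
    static String toPem(String label, byte[] der) {
        String body = Base64.getMimeEncoder(64, "\n".getBytes()).encodeToString(der);
        return "-----BEGIN " + label + "-----\n" + body + "\n-----END " + label + "-----\n";
    }

    /** Public half: getEncoded() on a JDK RSA public key is X.509 SubjectPublicKeyInfo DER. */
    public static String publicKeyPem(KeyPair kp) {
        return toPem("PUBLIC KEY", kp.getPublic().getEncoded());
    }

    /** Private half: getEncoded() on a JDK RSA private key is PKCS#8 DER. Keep this on the client. */
    public static String privateKeyPem(KeyPair kp) {
        return toPem("PRIVATE KEY", kp.getPrivate().getEncoded());
    }

    /** Returns the actual modulus length so callers can verify what was generated. */
    public static int modulusBits(KeyPair kp) {
        return ((RSAKey) kp.getPublic()).getModulus().bitLength();
    }

    public static void main(String[] args) throws Exception {
        KeyPair kp = generateRsaKeyPair(MIN_RSA_BITS);
        System.out.println("Generated RSA modulus: " + modulusBits(kp) + " bits");

        // Register the public key with the OpenID Provider; the private key stays with the
        // client, which needs it later to decrypt the encrypted ID token.
        System.out.println(publicKeyPem(kp));
        System.out.println(privateKeyPem(kp));

        // The size the old docs used is refused rather than silently accepted.
        try {
            generateRsaKeyPair(1024);
        } catch (IllegalArgumentException e) {
            System.out.println("Rejected: " + e.getMessage());
        }
    }
}
```

The explicit size check matters because KeyPairGenerator.initialize() will happily accept 1024 (or smaller); a caller who copies the old snippet and only changes the PEM handling would still end up with a weak key unless something refuses it.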

People

  Assignee: laetitia.ellison Laetitia Ellison (Inactive)
  Reporter: neil.madden Neil Madden