  2. OPENAM-15768

Use of 1024-bit RSA in docs sample code


      Description

      The documentation for OIDC encryption for older versions contains a snippet for generating an RSA key pair:

      // Snippet as shown in the older docs (BouncyCastle PEMWriter); only the public key is returned.
      import java.io.StringWriter;
      import java.security.KeyPairGenerator;
      import org.bouncycastle.openssl.PEMWriter;

      String generatePublicKeyPem() throws Exception {
          KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
          keyPairGenerator.initialize(1024); // 1024-bit key, the size this issue reports
          StringWriter writer = new StringWriter();
          PEMWriter pemWriter = new PEMWriter(writer);
          pemWriter.writeObject(keyPairGenerator.generateKeyPair().getPublic()); // private key is dropped here
          pemWriter.flush();
          return writer.toString();
      }

      1024-bit RSA is no longer considered secure and OAuth requires keys of at least 2048 bits.

      The 6.5 docs have removed this example, but it would be great if we could update it to 2048-bit keys for the older versions.

      A secondary note is that this code discards the private key, which will be needed by the client if it wants to decrypt the ID token, so perhaps a comment to this effect would be useful.
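      The corrected form of the snippet, added here as an example and not taken from the OpenAM docs or code base: it uses only the JDK (Base64 PEM framing instead of BouncyCastle's PEMWriter), refuses key sizes below 2048 bits, and returns the private key alongside the public one so the client can keep it for decrypting the ID token. The class and method names are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.interfaces.RSAPublicKey;
import java.util.Base64;

public final class OidcRsaKeyPair {
    // Minimum RSA size cited in the issue for OAuth/OIDC keys; 1024 is rejected below.
    private static final int MIN_RSA_BITS = 2048;

    // PEM framing for the DER bytes Java already provides via getEncoded().
    private static String toPem(String type, byte[] der) {
        String body = Base64.getMimeEncoder(64, "\n".getBytes(StandardCharsets.US_ASCII))
                            .encodeToString(der);
        return "-----BEGIN " + type + "-----\n" + body + "\n-----END " + type + "-----\n";
    }

    public static KeyPair generate(int bits) throws NoSuchAlgorithmException {
        if (bits < MIN_RSA_BITS) {
            throw new IllegalArgumentException(
                "RSA key size " + bits + " is below the required minimum of " + MIN_RSA_BITS);
        }
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(bits);
        return kpg.generateKeyPair();
    }

    // X.509 SubjectPublicKeyInfo: this is what gets registered with the OpenID provider.
    public static String publicKeyPem(KeyPair kp) {
        return toPem("PUBLIC KEY", kp.getPublic().getEncoded());
    }

    // PKCS#8: the client must keep this to decrypt the ID token; store it in a keystore, not in logs.
    public static String privateKeyPem(KeyPair kp) {
        return toPem("PRIVATE KEY", kp.getPrivate().getEncoded());
    }

    public static void main(String[] args) throws Exception {
        KeyPair kp = generate(2048);
        int modulusBits = ((RSAPublicKey) kp.getPublic()).getModulus().bitLength();
        System.out.println("generated RSA modulus of " + modulusBits + " bits");
        System.out.print(publicKeyPem(kp));
        // Demonstration only: a real client writes the private key to protected storage.
        System.out.print(privateKeyPem(kp));
    }
}
```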

            People

            laetitia.ellison Laetitia Ellison [X] (Inactive)
            neil.madden Neil Madden