JWT Decryption | ALG | RSA-OAEP

Hi,

Does the VerifyJWT policy support the algorithm RSA-OAEP?

I need to decrypt a JWE payload which is a JSON. I had created a topic for the same topic with a different algorithm, which is solved. (https://www.googlecloudcommunity.com/gc/Apigee/How-to-verify-Nested-JWT-token/m-p/395924#M69468)

Best Regards, Patty

1 ACCEPTED SOLUTION

No, the VerifyJWT policy that is built in to Apigee does not support RSA-OAEP.

Currently, for the RSA family, the built-in policy supports RSA-OAEP-256, but not RSA-OAEP, which is defined as RSA with OAEP using default parameters, including SHA-1 for the hash function.

About 5 years ago, Google announced the first known collision-generation approach for SHA-1. At the time of that announcement, the Google security researchers wrote:

[screenshot of the quoted statement: screenshot-20220505-075642.png]

When we released support for JWE in Apigee, during security review, we explicitly decided to not support RSA-OAEP in the built-in function, because of its dependence on SHA-1. We encourage you to use RSA-OAEP-256 if you would like to continue to use RSA algorithms. Or, use an elliptic curve algorithm for better efficiency.

If you MUST use RSA-OAEP, then you can use this Java callout.

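The accepted answer turns on one header field: a JWE whose `alg` is `RSA-OAEP` binds the key wrapping to SHA-1, while `RSA-OAEP-256` uses SHA-256. A consumer that does not want the SHA-1 path exercised can reject such tokens by inspecting the protected header before any decryption is attempted. The following is an added example, not code from the thread or from Apigee: a stdlib-only Python check that parses the compact JWE serialization (five dot-separated base64url segments, RFC 7516), reads `alg` and `enc`, and enforces an allowlist from which `RSA-OAEP` is deliberately absent. The allowlist contents and the test token built by `make_test_jwe` are constructed for the example; only the header segment of that token is meaningful.

```python
import base64
import json

# Key-management algorithms this consumer accepts (constructed allowlist).
# RSA-OAEP (OAEP with SHA-1 default parameters, RFC 7518 section 4.3)
# is intentionally omitted, mirroring the decision described above.
ALLOWED_ALG = {"RSA-OAEP-256", "ECDH-ES", "ECDH-ES+A128KW", "ECDH-ES+A256KW"}
# Content-encryption algorithms accepted for the payload.
ALLOWED_ENC = {"A128GCM", "A192GCM", "A256GCM"}


def b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url segment (RFC 7515 Appendix C)."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def parse_jwe_header(token: str) -> dict:
    """Return the protected header of a compact-serialised JWE.

    Compact JWE has exactly five segments:
    header.encrypted_key.iv.ciphertext.tag (RFC 7516 section 7.1).
    """
    parts = token.split(".")
    if len(parts) != 5:
        raise ValueError(f"expected 5 JWE segments, got {len(parts)}")
    header = json.loads(b64url_decode(parts[0]))
    if not isinstance(header, dict):
        raise ValueError("JWE protected header is not a JSON object")
    return header


def check_jwe_algorithms(token: str) -> tuple:
    """Policy gate to run before handing the token to a decryptor.

    Returns (accepted, reason). Deciding on the header alone means a
    SHA-1 based RSA-OAEP token never reaches the RSA unwrap step.
    """
    try:
        header = parse_jwe_header(token)
    except (ValueError, UnicodeDecodeError) as exc:
        # binascii.Error and json.JSONDecodeError are ValueError subclasses.
        return False, f"malformed JWE: {exc}"
    alg = header.get("alg")
    enc = header.get("enc")
    if alg not in ALLOWED_ALG:
        return False, f"alg {alg!r} not in allowlist"
    if enc not in ALLOWED_ENC:
        return False, f"enc {enc!r} not in allowlist"
    return True, "ok"


def make_test_jwe(alg: str, enc: str) -> str:
    """Build a constructed compact JWE: a genuine protected header followed
    by four dummy segments. Only the header is inspected by the check."""
    header = json.dumps({"alg": alg, "enc": enc}, separators=(",", ":")).encode()
    h = base64.urlsafe_b64encode(header).rstrip(b"=").decode()
    dummy = base64.urlsafe_b64encode(b"\x00" * 16).rstrip(b"=").decode()
    return ".".join([h, dummy, dummy, dummy, dummy])


if __name__ == "__main__":
    for alg in ("RSA-OAEP", "RSA-OAEP-256", "ECDH-ES"):
        token = make_test_jwe(alg, "A256GCM")
        print(alg, check_jwe_algorithms(token))
```

The gate is intentionally a strict allowlist rather than a denylist of `RSA-OAEP`: a new or unexpected `alg` value fails closed, which is the same posture the built-in policy takes by simply not offering the algorithm.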


Thank you, Dino. We are moving out of RSA-OAEP. Thank you for your insight.