Problem
JceMasterKey is very poorly constrained when using RSA master keys. The current implementation only verifies that the wrapping algorithm name starts with "RSA/ECB/", leaving the padding algorithm open to whatever any given JCE provider makes available. (See also aws/aws-encryption-sdk-python#56.)
Without providing some constraints around the permitted padding algorithms for RSA master keys, we cannot guarantee full compatibility between this and any other implementation.
Proposed Solution
We should constrain the allowed padding algorithms to a whitelisted set. This does hold the risk of breaking existing usage if anyone is using an unusual padding algorithm not on this list.
Allow
- RSA/ECB/PKCS1Padding - Required in the JCE Implementation Requirements
- RSA/ECB/OAEPWithSHA-1AndMGF1Padding - Required in the JCE Implementation Requirements
- RSA/ECB/OAEPWithSHA-256AndMGF1Padding - Required in the JCE Implementation Requirements
- RSA/ECB/OAEPWithSHA-384AndMGF1Padding - Secure and reasonably common.
- RSA/ECB/OAEPWithSHA-512AndMGF1Padding - Secure and already used by at least one AWS service.
Consider for future
- RSA/ECB/OAEPWithSHA-224AndMGF1Padding - Better than SHA1, but based on consultation with algorithms team we should leave it off unless we receive requests for it.
Alternate Solution
Alternately, we could simply document the above as officially supported padding algorithms and raise a warning if an unsupported padding algorithm is used. I like this less from a "keep the foot-guns locked away" perspective, but it is the safer option considering how long the existing implementation has been in the wild.
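To make the two options concrete, the following is an added example (not code from the SDK or from the issue author) that round-trips a data key through every transformation on the proposed Allow list and contrasts the current prefix check with an allow-list check in both strict (reject) and warn-only mode. The class, method and constant names are assumptions, and the odd transformation name at the end is a constructed value.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Set;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

public final class RsaWrappingAlgorithmCheck {
    // The "Allow" list from the issue (the constant name is ours, not the SDK's).
    static final Set<String> ALLOWED = Set.of(
            "RSA/ECB/PKCS1Padding",
            "RSA/ECB/OAEPWithSHA-1AndMGF1Padding",
            "RSA/ECB/OAEPWithSHA-256AndMGF1Padding",
            "RSA/ECB/OAEPWithSHA-384AndMGF1Padding",
            "RSA/ECB/OAEPWithSHA-512AndMGF1Padding");
    // Behaviour the issue describes: any provider-specific padding passes a prefix check.
    static boolean prefixCheckOnly(String alg) { return alg.startsWith("RSA/ECB/"); }
    // strict=true is the Proposed Solution (reject); strict=false is the Alternate (warn only).
    static String checkAllowed(String alg, boolean strict) {
        if (ALLOWED.contains(alg)) return alg;
        String msg = alg + " is not an officially supported RSA wrapping algorithm";
        if (strict) throw new IllegalArgumentException(msg);
        System.err.println("WARNING: " + msg);
        return alg;
    }
    // Round-trip a 256-bit data key through every allow-listed transformation.
    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        byte[] dataKey = new byte[32];
        new SecureRandom().nextBytes(dataKey);
        for (String alg : ALLOWED) {
            Cipher wrap = Cipher.getInstance(checkAllowed(alg, true));
            wrap.init(Cipher.WRAP_MODE, kp.getPublic());
            byte[] wrapped = wrap.wrap(new SecretKeySpec(dataKey, "AES"));
            Cipher unwrap = Cipher.getInstance(alg);
            unwrap.init(Cipher.UNWRAP_MODE, kp.getPrivate());
            byte[] recovered = unwrap.unwrap(wrapped, "AES", Cipher.SECRET_KEY).getEncoded();
            if (!Arrays.equals(dataKey, recovered)) throw new AssertionError(alg);
            System.out.println(alg + ": " + wrapped.length + "-byte wrapped key, round-trip OK");
        }
        // Constructed name: passes the current prefix check but is outside the allow-list.
        String odd = "RSA/ECB/SomeProviderSpecificPadding";
        System.out.println("prefix check accepts " + odd + ": " + prefixCheckOnly(odd));
        checkAllowed(odd, false);  // warns instead of failing, as the Alternate Solution would
    }
}
```

The wrapped-key length reported for each OAEP variant is the RSA modulus size, so with a 2048-bit key every allow-listed transformation produces a 256-byte wrapped data key while differing only in the padding applied underneath it.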
I support the Alternate Solution (warning) to avoid breaking existing customers. Future format changes may further restrict the algorithm selection, but backwards compatibility is very important.