3
votes

As you know, OAuth can support RSA-SHA1 Signature. I have an OAuthSignature interface that has the following method

public String sign(String data, String consumerSecret, String tokenSecret) throws GeneralSecurityException;

I successfully implemented and tested HMAC-SHA1 Signature (which OAuth Supports) as well as the PLAINTEXT "signature".

I have searched google and I have to create a private key if I need to use SHA1withRSA signature: Sample code:

  /**
   * Signs the data with the given key and the provided algorithm.
   */
  private static byte[] sign(PrivateKey key,
                             String data)
      throws GeneralSecurityException {

    Signature signature = Signature.getInstance("SHA1withRSA");
    signature.initSign(key);
    signature.update(data.getBytes());
    return signature.sign();
  }

Now, How can I take the OAuth key (which is key = consumerSecret&tokenSecret) and create a PrivateKey to use with SHA1withRSA signature?

Thanks


From OAuth Core

9.3. RSA-SHA1

The RSA-SHA1 signature method uses the RSASSA-PKCS1-v1_5 signature algorithm as defined in [RFC3447] (Jonsson, J. and B. Kaliski, “Public-Key Cryptography Standards (PKCS) #1: RSA Cryptography; Specifications Version 2.1,” .) section 8.2 (more simply known as PKCS#1), using SHA-1 as the hash function for EMSA-PKCS1-v1_5. It is assumed that the Consumer has provided its RSA public key in a verified way to the Service Provider, in a manner which is beyond the scope of this specification.

And I'm now using this (http://code.google.com/apis/gdata/docs/auth/oauth.html) as a reference to doing RSA-SHA1 signature.

2

2 Answers

1
votes

What API is the OAuthSignature interface from? Is it possible that the tokenSecret parameter is not necessary for RSA signatures?

1
votes

Seems the RSA-SHA1 does't need the consumer secret, you can refer the Jersey implement here https://svn.java.net/svn/jersey~svn/trunk/jersey/contribs/jersey-oauth/oauth-signature/src/main/java/, the class com.sun.jersey.oauth.signature.RSA_SHA1.