Description
The `PBES1` class in `mapper/src/main/java/com/ibm/mapper/model/PBES1.java` does not resolve OIDs for any of its algorithm combinations. This means CBOM output for PBES1-based encryption will always be missing the `oid` field, making it non-compliant with the CycloneDX CBOM spec.
Expected behavior
When a `PBES1` node has a known digest + cipher combination, the corresponding OID should be set automatically.
Affected combinations (from RFC 2898 Appendix A.3 and PKCS#12)
| Digest | Cipher | Key length | OID |
| --- | --- | --- | --- |
| MD2 | DES-CBC | — | 1.2.840.113549.1.5.1 |
| MD5 | DES-CBC | — | 1.2.840.113549.1.5.3 |
| MD2 | RC2-CBC | — | 1.2.840.113549.1.5.4 |
| MD5 | RC2-CBC | — | 1.2.840.113549.1.5.6 |
| SHA1 | DES-CBC | — | 1.2.840.113549.1.5.10 |
| SHA1 | RC2-CBC | — | 1.2.840.113549.1.5.11 |
| SHA1 | RC4 | 128-bit | 1.2.840.113549.1.12.1.1 |
| SHA1 | RC4 | 40-bit | 1.2.840.113549.1.12.1.2 |
| SHA1 | TripleDES | 3-key | 1.2.840.113549.1.12.1.3 |
| SHA1 | TripleDES | 2-key | 1.2.840.113549.1.12.1.4 |
| SHA1 | RC2-CBC | 128-bit | 1.2.840.113549.1.12.1.5 |
| SHA1 | RC2-CBC | 40-bit | 1.2.840.113549.1.12.1.6 |
References
This issue was added as a TODO in the source code.
I am happy to work on a fix for this if the maintainers are open to it.