RSA encryption padding change from PKCS1Padding to OAEPWithSHA-256And…

[utkrishtsahu]

RSA encryption padding change from PKCS1Padding to OAEPWithSHA-256And

Changes

Updated padding for RSA encryption from PKCS1Padding to OAEPWithSHA-256And also checked for migration for the same.

References

Testing

Please describe how this can be tested by reviewers. Be specific about anything not tested and reasons why. Since this library has unit testing, tests should be added for new functionality and existing tests should complete without errors.

• [X ] This change adds unit test coverage

• [X ] This change adds integration test coverage

• [ X] This change has been tested on the latest version of the platform/language or why not

Checklist

• I have read the Auth0 general contribution guidelines

• I have read the Auth0 Code of Conduct

• All existing and new tests complete without errors

[semgrepcode-auth0]

Semgrep identified an issue in your code:
Weak cryptographic algorithm detected. The DES, 3DES, RC2, RC4, MD4, MD5, SHA1, BLOWFISH, Dual_EC_DRBG, and SHA1PRNG algorithms are considered insecure and should not be used. Using weak cryptographic algorithms can compromise the confidentiality and integrity of sensitive data. It is recommended to adopt only cryptographic features and algorithms offered by the Android platform that are internationally recognized as strong. It is also fundamental to ensure that the encryption parameters (crypto key, IV, etc.) are generated randomly using a cryptographically strong PRNG function. In addition, if it is needed to store an encryption parameter on the device, a secure storage mechanism like the Android KeyStore must be used.

To resolve this comment:

🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods.

💬 Ignore this finding

Reply with Semgrep commands to ignore this finding.

• /fp <comment> for false positive
• /ar <comment> for acceptable risk
• /other <comment> for all other reasons

Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by android_weak_cryptographic_algorithm.

_{You can view more details about this finding in the Semgrep AppSec Platform.}

[utkrishtsahu]

The primary digest used for the RSA-OAEP padding scheme is SHA-256, which is secure.

SHA1 is included only as a supported digest for the Mask Generation Function (MGF1), an internal component of OAEP.

This is a standard practice to ensure maximum compatibility across different Android OS versions and hardware security modules, as some implementations require SHA1 to be available for MGF1.

[semgrepcode-auth0]

Weak cryptographic algorithm detected. The DES, 3DES, RC2, RC4, MD4, MD5, SHA1, BLOWFISH, Dual_EC_DRBG, and SHA1PRNG algorithms are considered insecure and should not be used. Using weak cryptographic algorithms can compromise the confidentiality and integrity of sensitive data. It is recommended to adopt only cryptographic features and algorithms offered by the Android platform that are internationally recognized as strong. It is also fundamental to ensure that the encryption parameters (crypto key, IV, etc.) are generated randomly using a cryptographically strong PRNG function. In addition, if it is needed to store an encryption parameter on the device, a secure storage mechanism like the Android KeyStore must be used.

🧼 Fixed in commit 715bcc8 🧼

[utkrishtsahu]

The primary digest used for the RSA-OAEP padding scheme is SHA-256, which is secure.

SHA1 is included only as a supported digest for the Mask Generation Function (MGF1), an internal component of OAEP.

This is a standard practice to ensure maximum compatibility across different Android OS versions and hardware security modules, as some implementations require SHA1 to be available for MGF1.

[Copilot]

Pull Request Overview

This PR updates the RSA encryption padding from PKCS1Padding to OAEPWithSHA-256AndMGF1Padding for improved security. The change includes backward compatibility handling to migrate existing PKCS1-encrypted AES keys to the new OAEP format.

• Changes RSA transformation from PKCS1Padding to OAEPWithSHA-256AndMGF1Padding
• Increases RSA key size from 2048 to 4096 bits
• Implements migration logic for existing PKCS1-encrypted AES keys to maintain compatibility

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

File	Description
CryptoUtil.java	Updates RSA transformation, key size, and implements migration logic for PKCS1 to OAEP transition
CryptoUtilTest.java	Refactors tests to support new RSA transformation and adds migration test coverage

---

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

[Copilot]

Catching generic Exception is too broad and may hide specific error conditions. Consider catching specific exceptions like BadPaddingException, IllegalBlockSizeException, NoSuchAlgorithmException, etc., to handle different failure scenarios appropriately.

Suggested change

	} catch (Exception e) {
	} catch (NoSuchAlgorithmException | NoSuchPaddingException | InvalidKeyException | BadPaddingException | IllegalBlockSizeException | KeyStoreException | UnrecoverableEntryException e) {

[utkrishtsahu]

made new changes on 17 dec will check on copilot review on it.

[Copilot]

Catching generic Exception is too broad. This catch block should handle specific exceptions that can occur during RSA encryption or storage operations, such as CryptoException or IncompatibleDeviceException.

Suggested change

	} catch (Exception e) {
	} catch (InvalidKeyException
	| NoSuchPaddingException
	| IllegalBlockSizeException
	| BadPaddingException
	| KeyStoreException
	| UnrecoverableEntryException
	| CertificateException
	| IOException
	| ProviderException e) {

[utkrishtsahu]

made new changes on 17 dec will check on copilot review on it.

[pmathew92]

Add a comment to state why OLD_PKCS1_RSA_TRANSFORMATION is being used

[pmathew92]

Hope this setDigest addition was also reviewed by security ?

[pmathew92]

@utkrishtsahu The current implementation doesn't handle migration for existing users token . Please handle that and ensure it doesn't break

[utkrishtsahu]

@claude

In general, the fix is to ensure RSA is used with OAEP padding for all new encryption, and that any unavoidable PKCS#1 v1.5 usage is strictly limited to decrypting pre-existing legacy data, clearly labeled and not used for general-purpose operations. Since this class already uses RSA_TRANSFORMATION = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding" for modern operations, the main work is to isolate and clearly mark the PKCS#1 transformation as a legacy-only decryption path to satisfy the intent of the rule while preserving functionality.

The single best fix here without changing behavior is:

• Keep LEGACY_PKCS1_RSA_TRANSFORMATION but strengthen its documentation, explicitly stating it MUST NOT be used for encryption and is only for decrypting old data during migration.
• Confine PKCS#1 usage to the dedicated RSADecryptLegacyPKCS1 method (which is already the case) and add Javadoc that explains it is for one-way migration from legacy PKCS#1 to OAEP.
• Ensure that all normal RSA decryption uses RSA_TRANSFORMATION (OAEP); based on the snippet, RSADecryptLegacyPKCS1 is already a separate helper, so we only clarify its role.

Concretely in auth0/src/main/java/com/auth0/android/authentication/storage/CryptoUtil.java:

• Adjust the block comment above LEGACY_PKCS1_RSA_TRANSFORMATION to highlight that it is legacy-decrypt-only and not to be used for encrypting or for arbitrary attacker-supplied ciphertext whenever possible.
• Add a similar explanatory Javadoc above RSADecryptLegacyPKCS1 making it clear it is the only place PKCS#1 is used, and that callers should migrate data and then avoid using it.

No new methods, imports, or algorithm changes are required; we are tightening and documenting the legacy usage so the intent is explicit and future maintainers do not mistakenly expand PKCS#1 use.

In general, the way to fix RSA‑without‑OAEP findings is to use an OAEP transformation string with Cipher.getInstance (e.g. "RSA/ECB/OAEPWithSHA-256AndMGF1Padding") and ensure that all new RSA encryption and decryption uses that scheme. However, in this snippet the method is specifically for decrypting legacy PKCS1‑padded ciphertext; switching this to OAEP would make it impossible to decrypt existing data. The best fix that preserves functionality is therefore:

• Keep PKCS1 use confined to this one migration helper.
• Make the legacy nature explicit in code by:
  • Renaming or reinforcing the constant name to show it is legacy (if accessible) and
  • Adding strong documentation and, if possible, annotations to discourage any reuse.
• Ensure that all non‑legacy RSA operations in this file (not shown in the snippet) use OAEP, and that this helper is not reused for anything else.

Within the given snippet, we can strengthen the guardrails on this method by adding a prominent warning comment and, if available, an annotation signaling that it is for legacy/migration only. We must not change Cipher.getInstance(LEGACY_PKCS1_RSA_TRANSFORMATION) to an OAEP transformation because the method’s contract is to decrypt PKCS1 ciphertext.

Concretely in auth0/src/main/java/com/auth0/android/authentication/storage/CryptoUtil.java:

• Above RSADecryptLegacyPKCS1, add or enhance the documentation comment to clearly state that this method must never be used for new encryption schemes and that all new RSA usage must use OAEP. The snippet already contains such wording; we can tighten it further.
• Optionally add an internal @VisibleForTesting or similar annotation if available, but we should not introduce new dependencies. Since we already import androidx.annotation.VisibleForTesting, we can reuse that as appropriate, but adding it to this helper would misrepresent its purpose (it’s not only for testing), so we will instead only strengthen the comment.

No imports, methods, or external libs are required beyond updating the comment to make the legacy nature explicit for static analysis reviewers and developers. The functional code (lines 127–129) remains unchanged to preserve decryption compatibility.

[Copilot]

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 8 comments.

Comments suppressed due to low confidence (1)

auth0/src/main/java/com/auth0/android/authentication/storage/CryptoUtil.java:391

• String concatenation using += in a loop can be inefficient. While this particular loop is expected to be short (traversing the exception chain), it's better practice to use a StringBuilder for string concatenation. This improves performance and is more maintainable if the loop grows longer in the future.

            throw new IncompatibleDeviceException(e);
        } catch (IllegalBlockSizeException | BadPaddingException e) {
            /*
             * They really should not be thrown at all since padding is requested in the transformation.
             * Delete the AES keys since those originated the input.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Missing validation of the decrypted AES key length after PKCS1 decryption. The original getAESKey implementation validated that the AES key has the expected length (32 bytes for 256-bit AES) before returning it. Without this validation, a corrupted or malformed legacy key could be migrated and cause issues later. Consider validating that decryptedAESKey.length equals AES_KEY_SIZE / 8 before proceeding with re-encryption.

Suggested change

	return RSADecrypt(encryptedAESBytes);
	byte[] decryptedAESKey = RSADecrypt(encryptedAESBytes);
	// Validate that the decrypted AES key has the expected length (e.g. 32 bytes for 256-bit AES)
	if (decryptedAESKey == null || decryptedAESKey.length != AES_KEY_SIZE / 8) {
	// Treat this as corrupted key material: clean up and signal an error
	deleteRSAKeys();
	deleteAESKeys();
	throw new CryptoException("The RSA decrypted AES key has an unexpected length.");
	}
	return decryptedAESKey;

[Copilot]

Catching a generic Exception here is overly broad and could hide unexpected issues. The catch block swallows all exceptions (including potential runtime exceptions) and simply generates a new key, which could mask serious bugs. Consider catching only the specific checked exceptions that can be thrown by the operations inside the try block (NoSuchAlgorithmException, NoSuchPaddingException, InvalidKeyException, IllegalBlockSizeException, BadPaddingException, CryptoException, KeyStoreException, CertificateException, IOException, UnrecoverableEntryException) to maintain better error visibility.

[Copilot]

Catching a generic Exception here is overly broad and could mask programming errors or unexpected runtime exceptions. The outer catch for the key generation logic should only catch the specific exceptions that can be thrown. Since this is a new key generation path, catching Exception and wrapping it in CryptoException reduces visibility into actual failures. Consider catching only IncompatibleDeviceException and CryptoException that might propagate from RSAEncrypt.

[Copilot]

The test uses a 16-byte AES key, but AES-256 requires a 32-byte key (AES_KEY_SIZE = 256 bits = 32 bytes). The implementation should validate the decrypted AES key length to ensure it matches the expected 32 bytes. Using a 16-byte key in the test doesn't properly validate that the migration logic would reject incorrectly-sized keys. Consider using a properly-sized 32-byte key in the test to match the actual AES-256 specification.

[Copilot]

Missing validation of the decrypted AES key length after PKCS1 decryption from OLD_KEY_ALIAS. The original getAESKey implementation validated that the AES key has the expected length (32 bytes for 256-bit AES) before returning it. Without this validation, a corrupted or malformed legacy key could be migrated. Consider validating that decryptedAESKey.length equals AES_KEY_SIZE / 8 before proceeding with re-encryption.

[Copilot]

The test uses a 16-byte AES key (line 1701), but AES-256 requires a 32-byte key (AES_KEY_SIZE = 256 bits = 32 bytes). The implementation should validate the decrypted AES key length to ensure it matches the expected 32 bytes. Using a 16-byte key in the test doesn't properly validate that the migration logic would reject incorrectly-sized keys. Consider using a properly-sized 32-byte key in the test to match the actual AES-256 specification.

[Copilot]

The test uses a 16-byte AES key, but AES-256 requires a 32-byte key (AES_KEY_SIZE = 256 bits = 32 bytes). The implementation should validate the decrypted AES key length to ensure it matches the expected 32 bytes. Using a 16-byte key in the test doesn't properly validate that the migration logic would reject incorrectly-sized keys. Consider using a properly-sized 32-byte key in the test to match the actual AES-256 specification.