AES256-CBC for encryption?

[Cantor, Scott]

I reviewed the code to make sure I wasn't offbase and I think it works like I thought it did, but I did find the log categories. A lot of it is at trace, but the targeted categories are:

org.opensaml.xmlsec.impl.BasicEncryptionParametersResolver
org.opensaml.saml.security.impl.SAMLMetadataEncryptionParametersResolver

Those two on trace I think should provide some insight into what it's seeing.

The way it's working, and Brent can confirm, but it basically builds up lists of algorithms and the way it walks the sources of the lists determines which ones end up "on top" and get used by default. It blocks algorithms only by cross-checking the values it adds to the list at the end with the various white/blacklist sets, so since none of those are relevant here, that part won't matter.

With the metadata extension present, it instead defers to that exclusively and just checks the elements in order to find one that's acceptable, and ends up ignoring what's in the config as a default or whatever.

So, I think I know how it works, and it appears to work correctly even with all those properties I defined in use, and that matches what I see my system doing. So I don't see any obvious traps/accidents that would be tripping you up.

Oh...one possibility, but it seems really unlikely. If you were on an ancient/dead Java that wasn't shipping the unlimited policy files, you don't get AES 256 because of key size. But that hasn't been a consideration for a while now.

-- Scott