Mastercard
diff --git a/‎README.md‎
Lines changed: 20 additions & 0 deletions b/‎README.md‎
Lines changed: 20 additions & 0 deletions
diff --git a/‎pom.xml‎
Lines changed: 1 addition & 1 deletion b/‎pom.xml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎src/main/java/com/mastercard/developer/oauth/OAuth.java‎
Lines changed: 107 additions & 33 deletions b/‎src/main/java/com/mastercard/developer/oauth/OAuth.java‎
Lines changed: 107 additions & 33 deletions
@@ -90,6 +90,26 @@ Charset charset = StandardCharsets.UTF_8;
 String authHeader = OAuth.getAuthorizationHeader(uri, method, payload, charset, consumerKey, signingKey);
 ```
 
+#### RSA-PSS support
+
+This library signs requests using OAuth 1.0a with an RSA + SHA-256 digest.
+
+* When the runtime/provider supports the JCA algorithm `SHA256withRSA`, the library uses it (RSA PKCS#1 v1.5).
+  In this case, the Authorization header contains `oauth_signature_method="RSA-SHA256"`.
+* If `SHA256withRSA` is not usable and RSA-PSS is, the library falls back to the JCA algorithm `RSASSA-PSS` using
+  `SHA-256 / MGF1(SHA-256) / saltLen=32 / trailerField=1`.
+  In this case, the Authorization header contains `oauth_signature_method="RSA-PSS"`.
+
+Notes:
+* The RSA signature scheme (PKCS#1 v1.5 vs PSS) cannot be inferred from an RSA `PrivateKey`.
+  The selection is based on provider capabilities.
+* If you want to know which JCA algorithm will be used on the current runtime/provider, you can call:
+
+```java
+String alg = OAuth.signSignatureBaseStringAlgName("baseString", signingKey, StandardCharsets.UTF_8);
+System.out.println(alg); // "SHA256withRSA" or "RSASSA-PSS"
+```
+
 ### Signing HTTP Client Request Objects <a name="signing-http-client-request-objects"></a>
 
 Alternatively, you can use helper classes for some of the commonly used HTTP clients.
 
@@ -150,7 +150,7 @@
             <plugin>
                 <groupId>org.jacoco</groupId>
                 <artifactId>jacoco-maven-plugin</artifactId>
-                <version>0.8.7</version>
+                <version>0.8.12</version>
                 <executions>
                     <execution>
                         <id>pre-unit-test</id>
 
@@ -3,6 +3,8 @@
 import java.net.URI;
 import java.nio.charset.Charset;
 import java.security.*;
+import java.security.spec.MGF1ParameterSpec;
+import java.security.spec.PSSParameterSpec;
 import java.util.Arrays;
 import java.util.Collections;
 import java.util.HashMap;
@@ -19,16 +21,21 @@
  */
 public class OAuth {
 
-  private OAuth() {
-  }
-
   public static final String EMPTY_STRING = "";
   public static final String AUTHORIZATION_HEADER_NAME = "Authorization";
-
+  private static final String SHA_256_WITH_RSA = "SHA256withRSA";
+  private static final String RSASSA_PSS = "RSASSA-PSS";
+  private static final String MGF_1 = "MGF1";
+  private static final int RSAPSS_SALT_LENGTH = 32;
+  private static final int TRAILER_FIELD = 1;
   private static final Logger LOG = Logger.getLogger(OAuth.class.getName());
   private static final String HASH_ALGORITHM = "SHA-256";
   private static final int NONCE_LENGTH = 16;
   private static final String ALPHA_NUMERIC_CHARS = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
+  private static final SecureRandom SECURE_RANDOM = new SecureRandom();
+
+  private OAuth() {
+  }
 
   /**
    * Creates a Mastercard API compliant OAuth Authorization header
@@ -42,12 +49,15 @@ private OAuth() {
    * @return Valid OAuth1.0a signature with a body hash when payload is present
    */
   public static String getAuthorizationHeader(URI uri, String method, String payload, Charset charset, String consumerKey, PrivateKey signingKey) {
+    if (uri == null || method == null || charset == null || consumerKey == null || signingKey == null) {
+      throw new IllegalArgumentException("Required parameters (uri, method, charset, consumerKey, signingKey) must not be null");
+    }
+
     TreeMap<String, List<String>> queryParams = extractQueryParams(uri, charset);
 
     HashMap<String, String> oauthParams = new HashMap<>();
     oauthParams.put("oauth_consumer_key", consumerKey);
     oauthParams.put("oauth_nonce", getNonce());
-    oauthParams.put("oauth_signature_method", "RSA-" + HASH_ALGORITHM.replace("-", ""));
     oauthParams.put("oauth_timestamp", getTimestamp());
     oauthParams.put("oauth_version", "1.0");
     oauthParams.put("oauth_body_hash", getBodyHash(payload, charset, HASH_ALGORITHM));
@@ -60,10 +70,7 @@ public static String getAuthorizationHeader(URI uri, String method, String paylo
 
     // Signature base string
     String sbs = getSignatureBaseString(method, baseUri, paramString, charset);
-
-    // Signature
-    String signature = signSignatureBaseString(sbs, signingKey, charset);
-    oauthParams.put("oauth_signature", Util.percentEncode(signature, charset));
+    String signature = signSignatureBaseString(sbs, signingKey, charset, oauthParams);
 
     return getAuthorizationString(oauthParams);
   }
@@ -165,9 +172,8 @@ static String toOauthParamString(SortedMap<String, List<String>> queryParamsMap,
     }
 
     // Remove trailing ampersand
-    int stringLength = oauthParams.length() - 1;
-    if (oauthParams.charAt(stringLength) == '&') {
-      oauthParams.deleteCharAt(stringLength);
+    if (oauthParams.length() > 0 && oauthParams.charAt(oauthParams.length() - 1) == '&') {
+      oauthParams.deleteCharAt(oauthParams.length() - 1);
     }
 
     return oauthParams.toString();
@@ -177,13 +183,12 @@ static String toOauthParamString(SortedMap<String, List<String>> queryParamsMap,
    * Generates a random string for replay protection as per
    * https://tools.ietf.org/html/rfc5849#section-3.3
    *
-   * @return random string of 16 characters.
+   * @return Random string of 16 characters
    */
   static String getNonce() {
-    SecureRandom rnd = new SecureRandom();
     StringBuilder sb = new StringBuilder(NONCE_LENGTH);
     for (int i = 0; i < NONCE_LENGTH; i++) {
-      sb.append(ALPHA_NUMERIC_CHARS.charAt(rnd.nextInt(ALPHA_NUMERIC_CHARS.length())));
+      sb.append(ALPHA_NUMERIC_CHARS.charAt(SECURE_RANDOM.nextInt(ALPHA_NUMERIC_CHARS.length())));
     }
     return sb.toString();
   }
@@ -207,8 +212,15 @@ private static String getTimestamp() {
    */
   static String getBaseUriString(URI uri) {
     // Lowercase scheme and authority
-    String scheme = uri.getScheme().toLowerCase();
-    String authority = uri.getAuthority().toLowerCase();
+    String scheme = uri.getScheme();
+    String authority = uri.getAuthority();
+
+    if (scheme == null || authority == null) {
+      throw new IllegalArgumentException("URI must have both scheme and authority");
+    }
+
+    scheme = scheme.toLowerCase();
+    authority = authority.toLowerCase();
 
     // Remove port if it matches the default for scheme
     if (("http".equals(scheme) && uri.getPort() == 80)
@@ -233,6 +245,7 @@ static String getBaseUriString(URI uri) {
    *
    * @param payload Request payload
    * @param charset Charset encoding of the request
+   * @param hashAlg Hash algorithm name (e.g., "SHA-256")
    * @return Base64 encoded cryptographic hash of the given payload
    */
   static String getBodyHash(String payload, Charset charset, String hashAlg) {
@@ -246,35 +259,96 @@ static String getBodyHash(String payload, Charset charset, String hashAlg) {
 
     digest.reset();
     // "If the request does not have an entity body, the hash should be taken over the empty string"
-    byte[] byteArray = null == payload ? "".getBytes() : payload.getBytes(charset);
+    byte[] byteArray = (payload == null) ? "".getBytes(charset) : payload.getBytes(charset);
     byte[] hash = digest.digest(byteArray);
 
     return Util.b64Encode(hash);
   }
 
   /**
-   * Signs the signature base string using an RSA private key. The methodology is described at
-   * https://tools.ietf.org/html/rfc5849#section-3.4.3 but Mastercard uses the stronger SHA-256 algorithm
-   * as a replacement for the described SHA1 which is no longer considered secure.
+   * Signs the OAuth signature base string using an RSA private key.
    *
-   * @param sbs Signature base string formatted as per https://tools.ietf.org/html/rfc5849#section-3.4.1
-   * @param signingKey Private key of the RSA key pair that was established with the service provider
-   * @param charset Charset encoding of the request
-   * @return RSA signature matching the contents of signature base string
+   * <p>This method detects which signature algorithm is supported by the current provider:
+   * <ol>
+   *   <li>Probes if {@code SHA256withRSA} supports PSS parameters (it shouldn't, triggering an exception)</li>
+   *   <li>On expected failure, attempts {@code SHA256withRSA} (RSA PKCS#1 v1.5) signing first</li>
+   *   <li>If {@code SHA256withRSA} fails, falls back to {@code RSASSA-PSS} with parameters:
+   *       SHA-256 / MGF1(SHA-256) / saltLen=32 / trailerField=1</li>
+   * </ol>
+   *
+   * <p>The method sets {@code oauth_signature_method} in the provided {@code oauthParams} map:
+   * <ul>
+   *   <li>{@code "RSA-SHA256"} when using SHA256withRSA (PKCS#1 v1.5)</li>
+   *   <li>{@code "RSA-PSS"} when using RSASSA-PSS</li>
+   * </ul>
+   *
+   * @param sbs         Signature base string formatted as per RFC 5849 section 3.4.1
+   * @param signingKey  Private key of the RSA key pair that was established with the service provider
+   * @param charset     Charset encoding of the request
+   * @param oauthParams Map of OAuth parameters where {@code oauth_signature_method} will be set based on the algorithm used
+   * @return Base64-encoded RSA signature of the signature base string
    */
-  static String signSignatureBaseString(String sbs, PrivateKey signingKey, Charset charset) {
+  static String signSignatureBaseString(String sbs, PrivateKey signingKey, Charset charset, HashMap<String, String> oauthParams) {
+    // Probe algorithm support: SHA256withRSA should reject PSS parameters, triggering fallback to standard RSA signing first
+    String signature = null;
     try {
-      Signature signer = Signature.getInstance("SHA256withRSA");
-      signer.initSign(signingKey);
-      byte[] sbsBytes = sbs.getBytes(charset);
-      signer.update(sbsBytes);
-      byte[] signatureBytes = signer.sign();
-      return Util.b64Encode(signatureBytes);
+      Signature signer = Signature.getInstance(SHA_256_WITH_RSA);
+      signer.setParameter(new PSSParameterSpec(
+              HASH_ALGORITHM,
+              MGF_1,
+              MGF1ParameterSpec.SHA256,
+              RSAPSS_SALT_LENGTH,
+              TRAILER_FIELD));
     } catch (GeneralSecurityException e) {
-      throw new IllegalStateException("Unable to RSA-SHA256 sign the given string with the provided key", e);
+      try {
+        signature = doSignSHA256(sbs, signingKey, charset);
+        oauthParams.put("oauth_signature_method", "RSA-SHA256");
+      } catch (Exception ex) { // Catch any exception from SHA256withRSA signing and fall back to PSS
+        signature = doSignWithPss(sbs, signingKey, charset);
+        oauthParams.put("oauth_signature_method", "RSA-PSS");
+      }
+    }
+    oauthParams.put("oauth_signature", Util.percentEncode(signature, charset));
+    return  signature;
+  }
+
+  static String doSignWithPss(String sbs, PrivateKey signingKey, Charset charset) {
+    if (signingKey == null) {
+      throw new IllegalArgumentException("signingKey must not be null");
+    }
+
+    try {
+      Signature signer = Signature.getInstance(RSASSA_PSS);
+      signer.setParameter(new PSSParameterSpec(
+          HASH_ALGORITHM,
+          MGF_1,
+          MGF1ParameterSpec.SHA256,
+          RSAPSS_SALT_LENGTH,
+          TRAILER_FIELD));
+      return doSign(sbs, signingKey, charset, signer);
+    } catch (GeneralSecurityException e) {
+      throw new IllegalStateException("Unable to sign OAuth signature base string", e);
     }
   }
 
+  static String doSignSHA256(String sbs, PrivateKey signingKey, Charset charset) {
+    if (signingKey == null) {
+      throw new IllegalArgumentException("signingKey must not be null");
+    }
+    try {
+      Signature signer = Signature.getInstance(SHA_256_WITH_RSA);
+      return doSign(sbs, signingKey, charset, signer);
+    } catch (GeneralSecurityException e) {
+      throw new IllegalStateException("Unable to sign OAuth signature base string using " + SHA_256_WITH_RSA, e);
+    }
+  }
+
+  static String doSign(String sbs, PrivateKey signingKey, Charset charset, Signature signer) throws GeneralSecurityException {
+    signer.initSign(signingKey);
+    signer.update(sbs.getBytes(charset));
+    return Util.b64Encode(signer.sign());
+  }
+
   /**
    * Constructs a valid Authorization header as per
    * https://tools.ietf.org/html/rfc5849#section-3.5.1