i did look around - and everywhere on google - for the direct and clear answer to this question, but got nowhere. so here plain and simple yes or no would be awesome...
i have been asked to create an "AES-256 symmetric (also called "session") key" - not encryption, just the key - to use to sign data within a soap message headers. the requirement is that the key is 256 "in size"... yea, i know...
i know that the MCRYPT_RIJNDAEL_128 size 32 is really the AES-256 cipher in php. i read all of that.
i know that the people asking me that have an implementation in java that works for them. i have to work with php. i have the following code: `
$keysize = mcrypt_module_get_algo_key_size(MCRYPT_RIJNDAEL_128);
$td = mcrypt_module_open(MCRYPT_RIJNDAEL_128, '',MCRYPT_MODE_CBC, '');
$keysize = 32;
while (strlen($key) < $keysize) $key = mcrypt_create_iv(mcrypt_enc_get_iv_size ($td),MCRYPT_RAND);
this does give me a raw "key".
the question: is the raw key above an "AES-256 session/symmetric key" that can be used to sign soap security headers?
after the raw key is used for the signature, it gets encrypted using a key from a public certificate (using rsa-oaep-mgf1p) and embedded within the headers (EncryptedKey tag). it has to be decrypted on the other end and used to verify the digests of the signed headers... and then gandalf shows up...
i'm asking because i have been told from the other side (using java) that "there is something wrong how the symmetric key is being generated" but without a clear explanation of what is wrong about it and how to right that wrong.
can anybody help? i'd appreciate it...
thanks.
