Posted to java-dev@axis.apache.org by "S.Uthaiyashankar (JIRA)" <ji...@apache.org> on 2010/12/21 13:02:02 UTC
[jira] Resolved: (RAMPART-241) org.apache.ws.security.WSSecurityException: Cannot encrypt data; nested exception is: org.apache.xml.security.encryption.XMLEncryptionException: Illegal key size or default parameters Original Exception was java.security.InvalidKeyException
[ https://issues.apache.org/jira/browse/RAMPART-241?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
S.Uthaiyashankar resolved RAMPART-241.
--------------------------------------
Resolution: Not A Problem
You have to install JCE[1] to fix this problem. By default, Java doesn't support encryption using 256-bit keys. In order to increase the key length, you have to install JCE.
[1] https://cds.sun.com/is-bin/INTERSHOP.enfinity/WFS/CDS-CDS_Developer-Site/en_US/-/USD/ViewProductDetail-Start?ProductRef=jce_policy-6-oth-JPR@CDS-CDS_Developer
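The following diagnostic is an added example, not code from Rampart, WSS4J or this issue. It asks the running JVM how long an AES key its JCE jurisdiction policy permits and then attempts a 256-bit AES encryption of a constructed sample payload, which reproduces the java.security.InvalidKeyException ("Illegal key size or default parameters") seen in the test run when the policy is restricted. The class and method names are my own; the 256-bit figure is what the sp:Basic256 algorithm suite in the quoted policy requires. The check depends only on the JVM's policy files, not on anything in the keystore.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;

/**
 * Added diagnostic (hypothetical helper, not part of Rampart): reports whether
 * the JVM's JCE jurisdiction policy allows the AES-256 that sp:Basic256 needs
 * and reproduces the "Illegal key size" failure when it does not.
 */
public class JcePolicyCheck {

    /** Symmetric key length in bits required by the Basic256 suite (AES256). */
    static final int BASIC256_KEY_BITS = 256;

    /** True when the policy files permit at least 256-bit AES keys. */
    static boolean basic256Allowed() throws NoSuchAlgorithmException {
        // Under the unlimited policy the JDK reports Integer.MAX_VALUE here;
        // under the restricted default of older JDKs it reports 128.
        return Cipher.getMaxAllowedKeyLength("AES") >= BASIC256_KEY_BITS;
    }

    /**
     * Tries an AES-256/CBC encryption of the given bytes. Returns true on
     * success, false when Cipher.init rejects the key. Key generation itself
     * is not policy-limited; the limit is enforced at Cipher.init, which is
     * why the failure surfaces inside XMLCipher.encryptData in the report.
     */
    static boolean tryAes256(byte[] plaintext) throws GeneralSecurityException {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(BASIC256_KEY_BITS);
        SecretKey key = kg.generateKey();

        byte[] iv = new byte[16];
        new SecureRandom().nextBytes(iv);

        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        try {
            cipher.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        } catch (InvalidKeyException e) {
            // Same root exception that WSS4J wraps in XMLEncryptionException.
            System.out.println("AES-256 rejected by JCE policy: " + e.getMessage());
            return false;
        }
        cipher.doFinal(plaintext);
        return true;
    }

    public static void main(String[] args) throws GeneralSecurityException {
        System.out.println("Max AES key length permitted: "
                + Cipher.getMaxAllowedKeyLength("AES") + " bits");
        System.out.println("Basic256 usable: " + basic256Allowed());
        // Constructed sample input; any bytes would do.
        byte[] sample = "<soap:Body>sample</soap:Body>".getBytes(StandardCharsets.UTF_8);
        System.out.println("AES-256 encryption succeeded: " + tryAes256(sample));
    }
}
```

Run it with the same JDK that Maven uses for the Rampart build: if it reports 128 bits, the JVM, not the keystore or the policy file, is what rejects the Basic256 suite, and installing the unlimited-strength policy files linked above (or, on JDK 8u161 and later and on JDK 9 and later, relying on the unlimited default) makes the test pass.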
> org.apache.ws.security.WSSecurityException: Cannot encrypt data; nested exception is: org.apache.xml.security.encryption.XMLEncryptionException: Illegal key size or default parameters Original Exception was java.security.InvalidKeyException
> ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
> Key: RAMPART-241
> URL: https://issues.apache.org/jira/browse/RAMPART-241
> Project: Rampart
> Issue Type: Bug
> Affects Versions: 1.4
> Environment: rampart-1.4>mvn -e install
> Running org.apache.rampart.AsymmetricBindingBuilderTest
> org.apache.rampart.RampartException: Error in creating an encrypted key
> at org.apache.rampart.builder.AsymmetricBindingBuilder.doEncryptBeforeSig(AsymmetricBindingBuilder.java:164)
> at org.apache.rampart.builder.AsymmetricBindingBuilder.build(AsymmetricBindingBuilder.java:91)
> at org.apache.rampart.MessageBuilder.build(MessageBuilder.java:147)
> at org.apache.rampart.AsymmetricBindingBuilderTest.testAsymmBindingWithDKEncrBeforeSig(AsymmetricBindingBuilderTest.java:148)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
> at java.lang.reflect.Method.invoke(Method.java:597)
> at junit.framework.TestCase.runTest(TestCase.java:164)
> at junit.framework.TestCase.runBare(TestCase.java:130)
> at junit.framework.TestResult$1.protect(TestResult.java:106)
> at junit.framework.TestResult.runProtected(TestResult.java:124)
> at junit.framework.TestResult.run(TestResult.java:109)
> at junit.framework.TestCase.run(TestCase.java:120)
> at junit.framework.TestSuite.runTest(TestSuite.java:230)
> at junit.framework.TestSuite.run(TestSuite.java:225)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
> at java.lang.reflect.Method.invoke(Method.java:597)
> at org.apache.maven.surefire.junit.JUnitTestSet.execute(JUnitTestSet.java:213)
> at org.apache.maven.surefire.suite.AbstractDirectoryTestSuite.executeTestSet(AbstractDirectoryTestSuite.java:140)
> at org.apache.maven.surefire.suite.AbstractDirectoryTestSuite.execute(AbstractDirectoryTestSuite.java:127)
> at org.apache.maven.surefire.Surefire.run(Surefire.java:177)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
> at java.lang.reflect.Method.invoke(Method.java:597)
> at org.apache.maven.surefire.booter.SurefireBooter.runSuitesInProcess(SurefireBooter.java:345)
> at org.apache.maven.surefire.booter.SurefireBooter.main(SurefireBooter.java:1009)
> Caused by: org.apache.ws.security.WSSecurityException: Cannot encrypt data; nested exception is:
> org.apache.xml.security.encryption.XMLEncryptionException: Illegal key size or default parameters
> Original Exception was java.security.InvalidKeyException: Illegal key size or default parameters
> at org.apache.ws.security.message.WSSecDKEncrypt.doEncryption(WSSecDKEncrypt.java:149)
> at org.apache.ws.security.message.WSSecDKEncrypt.encryptForExternalRef(WSSecDKEncrypt.java:188)
> at org.apache.rampart.builder.AsymmetricBindingBuilder.doEncryptBeforeSig(AsymmetricBindingBuilder.java:161)
> ... 29 more
> Caused by: org.apache.xml.security.encryption.XMLEncryptionException: Illegal key size or default parameters
> Original Exception was java.security.InvalidKeyException: Illegal key size or default parameters
> at org.apache.xml.security.encryption.XMLCipher.encryptData(Unknown Source)
> at org.apache.xml.security.encryption.XMLCipher.encryptData(Unknown Source)
> at org.apache.xml.security.encryption.XMLCipher.encryptElementContent(Unknown Source)
> at org.apache.xml.security.encryption.XMLCipher.doFinal(Unknown Source)
> at org.apache.ws.security.message.WSSecDKEncrypt.doEncryption(WSSecDKEncrypt.java:147)
> ... 31 more
> org.apache.rampart.RampartException: Error during encryption
> at org.apache.rampart.builder.AsymmetricBindingBuilder.doEncryptBeforeSig(AsymmetricBindingBuilder.java:192)
> at org.apache.rampart.builder.AsymmetricBindingBuilder.build(AsymmetricBindingBuilder.java:91)
> at org.apache.rampart.MessageBuilder.build(MessageBuilder.java:147)
> at org.apache.rampart.AsymmetricBindingBuilderTest.testAsymmBindingEncrBeforeSig(AsymmetricBindingBuilderTest.java:178)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
> at java.lang.reflect.Method.invoke(Method.java:597)
> at junit.framework.TestCase.runTest(TestCase.java:164)
> at junit.framework.TestCase.runBare(TestCase.java:130)
> at junit.framework.TestResult$1.protect(TestResult.java:106)
> at junit.framework.TestResult.runProtected(TestResult.java:124)
> at junit.framework.TestResult.run(TestResult.java:109)
> at junit.framework.TestCase.run(TestCase.java:120)
> at junit.framework.TestSuite.runTest(TestSuite.java:230)
> at junit.framework.TestSuite.run(TestSuite.java:225)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
> at java.lang.reflect.Method.invoke(Method.java:597)
> at org.apache.maven.surefire.junit.JUnitTestSet.execute(JUnitTestSet.java:213)
> at org.apache.maven.surefire.suite.AbstractDirectoryTestSuite.executeTestSet(AbstractDirectoryTestSuite.java:140)
> at org.apache.maven.surefire.suite.AbstractDirectoryTestSuite.execute(AbstractDirectoryTestSuite.java:127)
> at org.apache.maven.surefire.Surefire.run(Surefire.java:177)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
> at java.lang.reflect.Method.invoke(Method.java:597)
> at org.apache.maven.surefire.booter.SurefireBooter.runSuitesInProcess(SurefireBooter.java:345)
> at org.apache.maven.surefire.booter.SurefireBooter.main(SurefireBooter.java:1009)
> Caused by: org.apache.ws.security.WSSecurityException: Cannot encrypt data; nested exception is:
> org.apache.xml.security.encryption.XMLEncryptionException: Illegal key size or default parameters
> Original Exception was java.security.InvalidKeyException: Illegal key size or default parameters
> at org.apache.ws.security.message.WSSecEncrypt.doEncryption(WSSecEncrypt.java:571)
> at org.apache.ws.security.message.WSSecEncrypt.doEncryption(WSSecEncrypt.java:458)
> at org.apache.ws.security.message.WSSecEncrypt.encryptForExternalRef(WSSecEncrypt.java:396)
> at org.apache.rampart.builder.AsymmetricBindingBuilder.doEncryptBeforeSig(AsymmetricBindingBuilder.java:189)
> ... 29 more
> Caused by: org.apache.xml.security.encryption.XMLEncryptionException: Illegal key size or default parameters
> Original Exception was java.security.InvalidKeyException: Illegal key size or default parameters
> at org.apache.xml.security.encryption.XMLCipher.encryptData(Unknown Source)
> at org.apache.xml.security.encryption.XMLCipher.encryptData(Unknown Source)
> at org.apache.xml.security.encryption.XMLCipher.encryptElementContent(Unknown Source)
> at org.apache.xml.security.encryption.XMLCipher.doFinal(Unknown Source)
> at org.apache.ws.security.message.WSSecEncrypt.doEncryption(WSSecEncrypt.java:564)
> ... 32 more
> Reporter: Martin Gainty
> Assignee: S.Uthaiyashankar
> Priority: Minor
> Fix For: NextVersion
>
> Original Estimate: 24h
> Remaining Estimate: 24h
>
> test-resources/keys/interop2.jks contents:
> Keystore type: JKS
> Keystore provider: SUN
> Your keystore contains 4 entries
> alice, Jun 4, 2005, PrivateKeyEntry,
> Certificate fingerprint (MD5): 57:CE:81:F1:03:C4:2C:F7:5B:1A:DE:AC:43:64:0A:84
> root, Jun 4, 2005, trustedCertEntry,
> Certificate fingerprint (MD5): 0C:0D:00:27:BF:4B:32:63:40:A8:B2:03:96:4B:58:14
> ca, Jun 4, 2005, trustedCertEntry,
> Certificate fingerprint (MD5): CA:0A:6D:E3:A4:9F:E8:55:98:0A:F8:10:66:35:40:C6
> bob, Jun 4, 2005, PrivateKeyEntry,
> Certificate fingerprint (MD5): 89:3E:86:D2:4F:9C:E7:39:B6:71:8A:EF:00:C5:89:DC
> test-resources/policy/rampart-asymm-binding-1.xml:
> <wsp:Policy wsu:Id="6" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
> <wsp:ExactlyOne>
> <wsp:All>
> <sp:AsymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> <wsp:Policy>
> <sp:InitiatorToken>
> <wsp:Policy>
> <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
> <wsp:Policy>
> <sp:WssX509V3Token10/>
> </wsp:Policy>
> </sp:X509Token>
> </wsp:Policy>
> </sp:InitiatorToken>
> <sp:RecipientToken>
> <wsp:Policy>
> <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
> <wsp:Policy>
> <sp:WssX509V3Token10/>
> </wsp:Policy>
> </sp:X509Token>
> </wsp:Policy>
> </sp:RecipientToken>
> <sp:AlgorithmSuite>
> <wsp:Policy>
> <sp:Basic256/>
> </wsp:Policy>
> </sp:AlgorithmSuite>
> <sp:Layout>
> <wsp:Policy>
> <sp:Lax/>
> </wsp:Policy>
> </sp:Layout>
> <sp:IncludeTimestamp/>
> <sp:OnlySignEntireHeadersAndBody/>
> </wsp:Policy>
> </sp:AsymmetricBinding>
> <sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> <wsp:Policy>
> <sp:MustSupportRefKeyIdentifier/>
> <sp:MustSupportRefIssuerSerial/>
> </wsp:Policy>
> </sp:Wss10>
> <sp:Trust10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> <wsp:Policy>
> <sp:MustSupportIssuedTokens/>
> <sp:RequireClientEntropy/>
> <sp:RequireServerEntropy/>
> </wsp:Policy>
> </sp:Trust10>
>
> <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
> <ramp:user>alice</ramp:user>
> <ramp:encryptionUser>bob</ramp:encryptionUser>
> <ramp:passwordCallbackClass>org.apache.rampart.TestCBHandler</ramp:passwordCallbackClass>
>
> <ramp:signatureCrypto>
> <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
> <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
> <ramp:property name="org.apache.ws.security.crypto.merlin.file">test-resources/keys/interop2.jks</ramp:property>
> <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">password</ramp:property>
> </ramp:crypto>
> </ramp:signatureCrypto>
> <ramp:encryptionCypto>
> <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
> <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
> <ramp:property name="org.apache.ws.security.crypto.merlin.file">test-resources/keys/interop2.jks</ramp:property>
> <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">password</ramp:property>
> </ramp:crypto>
> </ramp:encryptionCypto>
> </ramp:RampartConfig>
>
> </wsp:All>
> </wsp:ExactlyOne>
> </wsp:Policy>
> org.apache.rampart.RampartMessageBuilderTest (which loads rampart-asymm-binding-1.xml policy file)
> public void testAsymmBinding() {
> try {
> MessageContext ctx = getMsgCtx();
>
> String policyXml = "test-resources/policy/rampart-asymm-binding-1.xml";
> Policy policy = this.loadPolicy(policyXml);
>
> ctx.setProperty(RampartMessageData.KEY_RAMPART_POLICY, policy);
>
> MessageBuilder builder = new MessageBuilder();
> builder.build(ctx);
> ........
> }
>
> org.apache.rampart.builder.AsymmetricBindingBuilder.java:
> //build method passes on the RampartMessageData
> public void build(RampartMessageData rmd) throws RampartException {
> log.debug("AsymmetricBindingBuilder build invoked");
> RampartPolicyData rpd = rmd.getPolicyData();
> if (rpd.isIncludeTimestamp()) {
> this.addTimestamp(rmd);
> }
> if (SPConstants.ENCRYPT_BEFORE_SIGNING.equals(rpd.getProtectionOrder())) {
> //doEncryptBeforeSig is called here
> this.doEncryptBeforeSig(rmd);
> } else {
> this.doSignBeforeEncrypt(rmd);
> }
> log.debug("AsymmetricBindingBuilder build invoked : DONE");
> }
> ..........
> private void doEncryptBeforeSig(RampartMessageData rmd)
> throws RampartException {
>
> long t0 = 0, t1 = 0, t2 = 0;
> if(dotDebug){
> t0 = System.currentTimeMillis();
> }
> RampartPolicyData rpd = rmd.getPolicyData();
> Document doc = rmd.getDocument();
> RampartConfig config = rpd.getRampartConfig();
> /*
> * We need to hold on to these two elements to use them as reference in the
> * case of encrypting the signature
> */
> Element encrDKTokenElem = null;
> WSSecEncrypt encr = null;
> Element refList = null;
> WSSecDKEncrypt dkEncr = null;
> /*
> * We MUST use keys derived from the same token
> */
> Token encryptionToken = null;
> if(rmd.isInitiator()) {
> encryptionToken = rpd.getRecipientToken();
> } else {
> encryptionToken = rpd.getInitiatorToken();
> }
> Vector encrParts = RampartUtil.getEncryptedParts(rmd);
>
> //Signed parts are determined before encryption because encrypted signed headers
> //will not be included otherwise
> this.sigParts = RampartUtil.getSignedParts(rmd);
>
> if(encryptionToken == null && encrParts.size() > 0) {
> throw new RampartException("encryptionTokenMissing");
> }
>
> if (encryptionToken != null && encrParts.size() > 0) {
>
> //Check for RampartConfig assertion
> if(rpd.getRampartConfig() == null) {
> //We're missing the extra info rampart needs
> throw new RampartException("rampartConigMissing");
> }
>
> if (encryptionToken.isDerivedKeys()) {
> try {
> this.setupEncryptedKey(rmd, encryptionToken);
> // Create the DK encryption builder
> dkEncr = new WSSecDKEncrypt();
> dkEncr.setParts(encrParts);
> dkEncr.setExternalKey(this.encryptedKeyValue,
> this.encryptedKeyId);
>
> /*********this rpd.getAlgorithmSuite() returns null causes grief ******/
> /*****this is the AlgorithmSuite provided by policy file
> <sp:AlgorithmSuite>
> <wsp:Policy>
> <sp:Basic256/>
> </wsp:Policy>
> </sp:AlgorithmSuite>
> <!-- safe to assume the key length is 256 -->
> *******/
> /****** rpd.getAlgorithmSuite().getEncryptionDerivedKeyLength()
> if (SPConstants.ALGO_SUITE_BASIC256.equals(algoSuite)) {
> this.digest = SPConstants.SHA1;
> this.encryption = SPConstants.AES256;
> this.symmetricKeyWrap = SPConstants.KW_AES256;
> this.asymmetricKeyWrap = SPConstants.KW_RSA_OAEP;
> this.encryptionKeyDerivation = SPConstants.P_SHA1_L256;
> this.signatureKeyDerivation = SPConstants.P_SHA1_L192;
> this.encryptionDerivedKeyLength = 256;
> this.signatureDerivedKeyLength = 192;
> this.minimumSymmetricKeyLength = 256;
> this.encryptionDerivedKeyLength = 256;
> }
> ********/
> /***** rpd.getAlgorithmSuite().getEncryptionDerivedKeyLength()/8 256/8 produces 32 ******/
>
> /*** lets take the root key 0C:0D:00:27:BF:4B:32:63:40:A8:B2:03:96:4B:58:14 *******/
> /****this is 16 bytes */
> /****16 != 32 so the Assymetric TestCase will always fail**/
> dkEncr.setDerivedKeyLength(rpd.getAlgorithmSuite().getEncryptionDerivedKeyLength()/8);
> dkEncr.prepare(doc);
> // Get and add the DKT element
> this.encrDKTElement = dkEncr.getdktElement();
> encrDKTokenElem = RampartUtil.appendChildToSecHeader(rmd, this.encrDKTElement);
> refList = dkEncr.encryptForExternalRef(null, encrParts);
> } catch (WSSecurityException e) {
> throw new RampartException("errorCreatingEncryptedKey", e);
> } catch (ConversationException e) {
> throw new RampartException("errorInDKEncr", e);
> }
> } else {
> try {
> encr = new WSSecEncrypt();
> encr.setParts(encrParts);
> encr.setWsConfig(rmd.getConfig());
> encr.setDocument(doc);
> RampartUtil.setEncryptionUser(rmd, encr);
> encr.setSymmetricEncAlgorithm(rpd.getAlgorithmSuite().getEncryption());
> RampartUtil.setKeyIdentifierType(rpd,encr, encryptionToken);
> encr.setKeyEncAlgo(rpd.getAlgorithmSuite().getAsymmetricKeyWrap());
> encr.prepare(doc, RampartUtil.getEncryptionCrypto(config, rmd.getCustomClassLoader()));
> Element bstElem = encr.getBinarySecurityTokenElement();
> if (bstElem != null) {
> RampartUtil.appendChildToSecHeader(rmd, bstElem);
> }
> this.encrTokenElement = encr.getEncryptedKeyElement();
> this.encrTokenElement = RampartUtil.appendChildToSecHeader(rmd,
> encrTokenElement);
> refList = encr.encryptForExternalRef(null, encrParts);
> } catch (WSSecurityException e) {
> throw new RampartException("errorInEncryption", e);
> }
> }
>
> SOLUTION:
> Repackage a 32-byte-long keystore file (test-resources/keys/interop2.jks contents).
>
> I would propose a change in AlgorithmSuite to 128: test-resources/policy/rampart-asymm-binding-1.xml should use a 128 AlgorithmSuite,
> but the schema defined at
> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/ws-securitypolicy.xsd
> does not support 128-byte encryption; the minimum size for AlgorithmSuite is 256 byte.
>