Posted to dev@santuario.apache.org by Alexey <Al...@schwab.com> on 2005/10/22 00:23:05 UTC

how to specify JCE provider for XML encryption

Hello,
Can anybody please, navigate me through the process? We're using various JCE
providers, such as SunJCE, IBMJCE. How do I specify a particular provider and/or
cipher algorithm? Any changes I make to config.xml are ignored and, after
checking the source code I don't see how the following element can be processed
(ProviderAlgo). Browsing CVS I came across a file called provider.properties. Is
this a way to specify my provider? If so where should I put it, please?

<Algorithm URI="http://www.w3.org/2001/04/xmlenc#rsa-1_5"
   Description="Key Transport RSA-v1.5">
  <ProviderAlgo ProviderId="IBMJCE" JCEName="RSA"/>
</Algorithm>

Javadocs say that I can get an instance of an XML cipher via
XMLCipher.getInstance() and use it as a "generic" cipher for decryption. But
when I try to initialize it with my key (which carries algorithm information) I
am getting exception:

org.apache.xml.security.encryption.XMLEncryptionException: No message with ID
"XMLCipher instance without transformation specified" found in resource bundle
"org/apache/xml/security/resource/xmlsecurity"

Is it possible to re-use a cipher for different algorithms?

Thanks,
Alexey



Re: how to specify JCE provider for XML encryption

Posted by Werner Dittmann <We...@t-online.de>.
Raul,

is there any better way to do it or will you introduce a new
method to specify a provider?

Regards,
Werner

Raul Benito wrote:
> This way of setting the Provider using the JCEMapper has some bugs (it
> works for digesting/signing but not for crypt/decrypt).
> Anyway I was thinking of deprecating/removing these methods.
> So if more people use it please raise your hands, soon.
> 
> 
> On 10/22/05, Werner Dittmann <We...@t-online.de> wrote:
> 
>>In WSS4J I use the following way to define the provider to XML-SEC:
>>
>>JCEMapper.setProviderId(id)
>>
>>This static method sets the Id to use for Signature etc. For
>>XMLCipher you must use different methods, look at that:
>>
>>if (provider == null) {
>>    xmlCipher = XMLCipher.getInstance(symEncAlgo);
>>}
>>else {
>>    xmlCipher = XMLCipher.getProviderInstance(symEncAlgo, provider);
>>}
>>
>>If you like to specify a provider for XMLCipher you have
>>to use a specific getInstance method - see above. The provider
>>in this case is the provider id string, e.g. "BC" for
>>BouncyCastle.
>>
>>regards,
>>Werner
>>
>>
>>
>>Raul Benito wrote:
>>
>>>This provider.properties is a relic of the old days. Right now it is not
>>>used anymore. (TODO: remove it from the CVS).
>>>Right now xml-sec uses the standard Java way of getting a JCE Provider.
>>>Look at http://java.sun.com/j2se/1.4.2/docs/guide/security/CryptoSpec.html#Provider
>>>for more info.
>>>
>>>Regards,
>>>
>>>Raul
>>>
>>>On 10/22/05, Alexey <Al...@schwab.com> wrote:
>>>
>>>
>>>>Hello,
>>>>Can anybody please, navigate me through the process? We're using various JCE
>>>>providers, such as SunJCE, IBMJCE. How do I specify a particular provider and/or
>>>>cipher algorithm? Any changes I make to config.xml are ignored and, after
>>>>checking the source code I don't see how the following element can be processed
>>>>(ProviderAlgo). Browsing CVS I came across a file called provider.properties. Is
>>>>this a way to specify my provider? If so where should I put it, please?
>>>>
>>>><Algorithm URI="http://www.w3.org/2001/04/xmlenc#rsa-1_5"
>>>>  Description="Key Transport RSA-v1.5">
>>>> <ProviderAlgo ProviderId="IBMJCE" JCEName="RSA"/>
>>>></Algorithm>
>>>>
>>>>Javadocs say that I can get an instance of an XML cipher via
>>>>XMLCipher.getInstance() and use it as a "generic" cipher for decryption. But
>>>>when I try to initialize it with my key (which carries algorithm information) I
>>>>am getting exception:
>>>>
>>>>org.apache.xml.security.encryption.XMLEncryptionException: No message with ID
>>>>"XMLCipher instance without transformation specified" found in resource bundle
>>>>"org/apache/xml/security/resource/xmlsecurity"
>>>>
>>>>Is it possible to re-use a cipher for different algorithms?
>>>>
>>>>Thanks,
>>>>Alexey
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>>--
>>>http://r-bg.com
>>>
>>
>>
> 
> 
> --
> http://r-bg.com
> 


Re: how to specify JCE provider for XML encryption

Posted by Alexey <Al...@schwab.com>.
Werner Dittmann <Werner.Dittmann <at> t-online.de> writes:

> 
> Alexey,
> 
> I've used such a mechanism in Apache's WSS4J project:
> 
> - generate a symmetric key, e.g. for 3DES
> - encrypt some data with this key
> - use RSA/ECB/PKCS1Padding to encrypt this symmetric
>   key (not DESedeWrap, this would be used if you encrypt
>   - wrap - a key with e.g. 3DES). Alternatively you may
>   use RSA-OAEP (also provided by BC) to encrypt the
>   generated symmetric key.
> 
> The module in WSS4J that uses and implements this is
> WSEncryptEnvelop.java
> 
> Regards,
> Werner

Hi Werner,
My fault - I misspelled. I actually meant "DESede/CBC/ISO10126Padding", which is
not a valid cipher in IBMJCE (wrong padding). "RSA/ECB/PKCS1Padding" is not a
supported cipher either. BouncyCastle can not be used as a JCE provider in my
environment.
Thanks,
Alexey
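
Added example, not part of the thread or of the xml-sec code: a plain-JCE probe that reports, for each installed provider, which of the transformation names quoted in this thread it can instantiate. It uses only java.security and javax.crypto; the class name ProviderProbe is hypothetical.

```java
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.crypto.Cipher;
import javax.crypto.NoSuchPaddingException;

public class ProviderProbe {
    // JCE transformation names quoted in this thread.
    static final String[] TRANSFORMATIONS = {
        "DESede/CBC/ISO10126Padding",
        "RSA/ECB/PKCS1Padding",
        "DESedeWrap",
    };

    /** True if the given provider can instantiate the transformation. */
    static boolean supports(Provider provider, String transformation) {
        try {
            Cipher.getInstance(transformation, provider);
            return true;
        } catch (NoSuchAlgorithmException | NoSuchPaddingException e) {
            return false;
        }
    }

    /** Provider name -> (transformation -> supported), for every installed provider. */
    static Map<String, Map<String, Boolean>> probeAll() {
        Map<String, Map<String, Boolean>> report = new LinkedHashMap<>();
        for (Provider p : Security.getProviders()) {
            Map<String, Boolean> row = new LinkedHashMap<>();
            for (String t : TRANSFORMATIONS) {
                row.put(t, supports(p, t));
            }
            report.put(p.getName(), row);
        }
        return report;
    }

    public static void main(String[] args) {
        probeAll().forEach((name, row) -> {
            System.out.println(name);
            row.forEach((t, ok) -> System.out.printf("  %-28s %s%n", t, ok ? "yes" : "no"));
        });
    }
}
```

Run it on the target JVM before choosing algorithm URIs, so an unsupported padding or key-transport name shows up as a "no" in the table rather than as an exception at encryption time.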


Re: how to specify JCE provider for XML encryption

Posted by Werner Dittmann <We...@t-online.de>.
Alexey,

I've used such a mechanism in Apache's WSS4J project:

- generate a symmetric key, e.g. for 3DES
- encrypt some data with this key
- use RSA/ECB/PKCS1Padding to encrypt this symmetric
  key (not DESedeWrap, this would be used if you encrypt
  - wrap - a key with e.g. 3DES). Alternatively you may
  use RSA-OAEP (also provided by BC) to encrypt the
  generated symmetric key.

The module in WSS4J that uses and implements this is
WSEncryptEnvelop.java

Regards,
Werner

Alexey wrote:
> Werner Dittmann <Werner.Dittmann <at> t-online.de> writes:
> 
> 
>>Alexey,
>>
>>with XMLCipher you can only encrypt/decrypt XML documents
>>according to the W3C standard, using symmetric ciphers.
>>
>>You try to use a public key cipher (asymmetric), such a cipher
>>is used to wrap the symmetric key.
>>
>>Regards,
>>Werner
>>
> 
> 
> Hi Werner,
> Actually I tried symmetric (3DES) with the same result. If I were to code to
> standard, I'd still need to get an instance of RSA (asymmetric) cipher, would I
> not? To "wrap" the symmetric key. I understand, that BC defined RSA cipher as
> "RSA/ECB/PKCS1Padding" and triple-DES as "DESedeWrap", which can't be found in
> my provider, so the question is has anybody worked around the same issue?
> Thanks,
> Alexey
> 
> 
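
The three steps Werner lists, as an added example in plain JCE rather than the WSS4J or xml-sec code; the optional provider argument mirrors the getInstance/getProviderInstance choice discussed in the thread. The class and method names are hypothetical, and the RSA key pair is generated on the spot as a stand-in for a recipient's key.

```java
import java.nio.charset.StandardCharsets;
import java.security.Key;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;

public class HybridWrapDemo {
    /** Mirrors the if/else in the thread: null means "use the default provider order". */
    static Cipher cipher(String transformation, String provider) throws Exception {
        return provider == null
            ? Cipher.getInstance(transformation)
            : Cipher.getInstance(transformation, provider);
    }

    /** Runs generate / encrypt / wrap, then unwrap / decrypt, and returns the recovered bytes. */
    static byte[] roundTrip(byte[] plaintext, String provider) throws Exception {
        // Constructed throwaway RSA key pair standing in for the recipient's key.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair recipient = kpg.generateKeyPair();

        // 1. Generate a symmetric key for 3DES.
        SecretKey dataKey = KeyGenerator.getInstance("DESede").generateKey();

        // 2. Encrypt the data; the random IV chosen here must travel with the ciphertext.
        Cipher enc = cipher("DESede/CBC/ISO10126Padding", provider);
        enc.init(Cipher.ENCRYPT_MODE, dataKey);
        byte[] iv = enc.getIV();
        byte[] ciphertext = enc.doFinal(plaintext);

        // 3. Wrap the symmetric key with the recipient's RSA public key.
        Cipher wrap = cipher("RSA/ECB/PKCS1Padding", provider);
        wrap.init(Cipher.WRAP_MODE, recipient.getPublic());
        byte[] wrappedKey = wrap.wrap(dataKey);

        // Receiver side: unwrap with the private key, then decrypt with the recovered key.
        Cipher unwrap = cipher("RSA/ECB/PKCS1Padding", provider);
        unwrap.init(Cipher.UNWRAP_MODE, recipient.getPrivate());
        Key recovered = unwrap.unwrap(wrappedKey, "DESede", Cipher.SECRET_KEY);
        Cipher dec = cipher("DESede/CBC/ISO10126Padding", provider);
        dec.init(Cipher.DECRYPT_MODE, recovered, new IvParameterSpec(iv));
        return dec.doFinal(ciphertext);
    }

    public static void main(String[] args) throws Exception {
        byte[] msg = "<secret>constructed sample</secret>".getBytes(StandardCharsets.UTF_8);
        String provider = args.length > 0 ? args[0] : null;
        System.out.println(Arrays.equals(msg, roundTrip(msg, provider)) ? "round trip ok" : "MISMATCH");
    }
}
```

Passing a provider name as the first argument forces both ciphers onto that provider, which reproduces the failure described in the thread when the provider lacks one of the two transformations.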


Re: how to specify JCE provider for XML encryption

Posted by Alexey <Al...@schwab.com>.
Werner Dittmann <Werner.Dittmann <at> t-online.de> writes:

> 
> Alexey,
> 
> with XMLCipher you can only encrypt/decrypt XML documents
> according to the W3C standard, using symmetric ciphers.
> 
> You try to use a public key cipher (asymmetric), such a cipher
> is used to wrap the symmetric key.
> 
> Regards,
> Werner
> 

Hi Werner,
Actually I tried symmetric (3DES) with the same result. If I were to code to
standard, I'd still need to get an instance of RSA (asymmetric) cipher, would I
not? To "wrap" the symmetric key. I understand, that BC defined RSA cipher as
"RSA/ECB/PKCS1Padding" and triple-DES as "DESedeWrap", which can't be found in
my provider, so the question is has anybody worked around the same issue?
Thanks,
Alexey


Re: how to specify JCE provider for XML encryption

Posted by Werner Dittmann <We...@t-online.de>.
Alexey,

with XMLCipher you can only encrypt/decrypt XML documents
according to the W3C standard, using symmetric ciphers.

You try to use a public key cipher (asymmetric), such a cipher
is used to wrap the symmetric key.

Regards,
Werner

Alexey wrote:
> Raul Benito <raul <at> apache.org> writes:
> 
> 
>>This way of setting the Provider using the JCEMapper has some bugs (it
>>works for digesting/signing but not for crypt/decrypt).
>>Anyway I was thinking of deprecating/removing these methods.
>>So if more people use it please raise your hands, soon.
>>
>>On 10/22/05, Werner Dittmann <Werner.Dittmann <at> t-online.de> wrote:
>>
>>>In WSS4J I use the following way to define the provider to XML-SEC:
>>>
>>>JCEMapper.setProviderId(id)
>>>
>>>This static method sets the Id to use for Signature etc. For
>>>XMLCipher you must use different methods, look at that:
>>>
>>>if (provider == null) {
>>>    xmlCipher = XMLCipher.getInstance(symEncAlgo);
>>>}
>>>else {
>>>    xmlCipher = XMLCipher.getProviderInstance(symEncAlgo, provider);
>>>}
>>>
>>>If you like to specify a provider for XMLCipher you have
>>>to use a specific getInstance method - see above. The provider
>>>in this case is the provider id string, e.g. "BC" for
>>>BouncyCastle.
>>>
>>>regards,
>>>Werner
> 
> 
> 
> I could not find a way to specify that, for example, algorithm defined as 
> http://www.w3.org/2001/04/xmlenc#rsa-1_5, should be instantiated with IBMJCE's 
> cipher "RSA". I tried to modify config.xml according to DTD but it doesn't 
> seem to work. And I used the method XMLCipher.getProviderInstance(algorithm, 
> provider).
> Cheers,
> Alex
> 
> 
> 
> 


Re: how to specify JCE provider for XML encryption

Posted by Alexey <al...@schwab.com>.
Raul Benito <raul <at> apache.org> writes:

> 
> This way of setting the Provider using the JCEMapper has some bugs (it
> works for digesting/signing but not for crypt/decrypt).
> Anyway I was thinking of deprecating/removing these methods.
> So if more people use it please raise your hands, soon.
> 
> On 10/22/05, Werner Dittmann <Werner.Dittmann <at> t-online.de> wrote:
> > In WSS4J I use the following way to define the provider to XML-SEC:
> >
> > JCEMapper.setProviderId(id)
> >
> > This static method sets the Id to use for Signature etc. For
> > XMLCipher you must use different methods, look at that:
> >
> > if (provider == null) {
> >     xmlCipher = XMLCipher.getInstance(symEncAlgo);
> > }
> > else {
> >     xmlCipher = XMLCipher.getProviderInstance(symEncAlgo, provider);
> > }
> >
> > If you like to specify a provider for XMLCipher you have
> > to use a specific getInstance method - see above. The provider
> > in this case is the provider id string, e.g. "BC" for
> > BouncyCastle.
> >
> > regards,
> > Werner


I could not find a way to specify that, for example, algorithm defined as 
http://www.w3.org/2001/04/xmlenc#rsa-1_5, should be instantiated with IBMJCE's 
cipher "RSA". I tried to modify config.xml according to DTD but it doesn't 
seem to work. And I used the method XMLCipher.getProviderInstance(algorithm, 
provider).
Cheers,
Alex




Re: how to specify JCE provider for XML encryption

Posted by Raul Benito <ra...@apache.org>.
This way of setting the Provider using the JCEMapper has some bugs (it
works for digesting/signing but not for crypt/decrypt).
Anyway I was thinking of deprecating/removing these methods.
So if more people use it please raise your hands, soon.


On 10/22/05, Werner Dittmann <We...@t-online.de> wrote:
> In WSS4J I use the following way to define the provider to XML-SEC:
>
> JCEMapper.setProviderId(id)
>
> This static method sets the Id to use for Signature etc. For
> XMLCipher you must use different methods, look at that:
>
> if (provider == null) {
>     xmlCipher = XMLCipher.getInstance(symEncAlgo);
> }
> else {
>     xmlCipher = XMLCipher.getProviderInstance(symEncAlgo, provider);
> }
>
> If you like to specify a provider for XMLCipher you have
> to use a specific getInstance method - see above. The provider
> in this case is the provider id string, e.g. "BC" for
> BouncyCastle.
>
> regards,
> Werner
>
>
>
> Raul Benito wrote:
> > This provider.properties is a relic of the old days. Right now it is not
> > used anymore. (TODO: remove it from the CVS).
> > Right now xml-sec uses the standard Java way of getting a JCE Provider.
> > Look at http://java.sun.com/j2se/1.4.2/docs/guide/security/CryptoSpec.html#Provider
> > for more info.
> >
> > Regards,
> >
> > Raul
> >
> > On 10/22/05, Alexey <Al...@schwab.com> wrote:
> >
> >>Hello,
> >>Can anybody please, navigate me through the process? We're using various JCE
> >>providers, such as SunJCE, IBMJCE. How do I specify a particular provider and/or
> >>cipher algorithm? Any changes I make to config.xml are ignored and, after
> >>checking the source code I don't see how the following element can be processed
> >>(ProviderAlgo). Browsing CVS I came across a file called provider.properties. Is
> >>this a way to specify my provider? If so where should I put it, please?
> >>
> >><Algorithm URI="http://www.w3.org/2001/04/xmlenc#rsa-1_5"
> >>   Description="Key Transport RSA-v1.5">
> >>  <ProviderAlgo ProviderId="IBMJCE" JCEName="RSA"/>
> >></Algorithm>
> >>
> >>Javadocs say that I can get an instance of an XML cipher via
> >>XMLCipher.getInstance() and use it as a "generic" cipher for decryption. But
> >>when I try to initialize it with my key (which carries algorithm information) I
> >>am getting exception:
> >>
> >>org.apache.xml.security.encryption.XMLEncryptionException: No message with ID
> >>"XMLCipher instance without transformation specified" found in resource bundle
> >>"org/apache/xml/security/resource/xmlsecurity"
> >>
> >>Is it possible to re-use a cipher for different algorithms?
> >>
> >>Thanks,
> >>Alexey
> >>
> >>
> >>
> >
> >
> >
> > --
> > http://r-bg.com
> >
>
>


--
http://r-bg.com

Re: how to specify JCE provider for XML encryption

Posted by Werner Dittmann <We...@t-online.de>.
In WSS4J I use the following way to define the provider to XML-SEC:

JCEMapper.setProviderId(id)

This static method sets the Id to use for Signature etc. For
XMLCipher you must use different methods, look at that:

if (provider == null) {
    xmlCipher = XMLCipher.getInstance(symEncAlgo);
}
else {
    xmlCipher = XMLCipher.getProviderInstance(symEncAlgo, provider);
}

If you like to specify a provider for XMLCipher you have
to use a specific getInstance method - see above. The provider
in this case is the provider id string, e.g. "BC" for
BouncyCastle.

regards,
Werner



Raul Benito wrote:
> This provider.properties is a relic of the old days. Right now it is not
> used anymore. (TODO: remove it from the CVS).
> Right now xml-sec uses the standard Java way of getting a JCE Provider.
> Look at http://java.sun.com/j2se/1.4.2/docs/guide/security/CryptoSpec.html#Provider
> for more info.
> 
> Regards,
> 
> Raul
> 
> On 10/22/05, Alexey <Al...@schwab.com> wrote:
> 
>>Hello,
>>Can anybody please, navigate me through the process? We're using various JCE
>>providers, such as SunJCE, IBMJCE. How do I specify a particular provider and/or
>>cipher algorithm? Any changes I make to config.xml are ignored and, after
>>checking the source code I don't see how the following element can be processed
>>(ProviderAlgo). Browsing CVS I came across a file called provider.properties. Is
>>this a way to specify my provider? If so where should I put it, please?
>>
>><Algorithm URI="http://www.w3.org/2001/04/xmlenc#rsa-1_5"
>>   Description="Key Transport RSA-v1.5">
>>  <ProviderAlgo ProviderId="IBMJCE" JCEName="RSA"/>
>></Algorithm>
>>
>>Javadocs say that I can get an instance of an XML cipher via
>>XMLCipher.getInstance() and use it as a "generic" cipher for decryption. But
>>when I try to initialize it with my key (which carries algorithm information) I
>>am getting exception:
>>
>>org.apache.xml.security.encryption.XMLEncryptionException: No message with ID
>>"XMLCipher instance without transformation specified" found in resource bundle
>>"org/apache/xml/security/resource/xmlsecurity"
>>
>>Is it possible to re-use a cipher for different algorithms?
>>
>>Thanks,
>>Alexey
>>
>>
>>
> 
> 
> 
> --
> http://r-bg.com
> 


Re: how to specify JCE provider for XML encryption

Posted by Raul Benito <ra...@apache.org>.
This provider.properties is a relic of the old days. Right now it is not
used anymore. (TODO: remove it from the CVS).
Right now xml-sec uses the standard Java way of getting a JCE Provider.
Look at http://java.sun.com/j2se/1.4.2/docs/guide/security/CryptoSpec.html#Provider
for more info.

Regards,

Raul

On 10/22/05, Alexey <Al...@schwab.com> wrote:
> Hello,
> Can anybody please, navigate me through the process? We're using various JCE
> providers, such as SunJCE, IBMJCE. How do I specify a particular provider and/or
> cipher algorithm? Any changes I make to config.xml are ignored and, after
> checking the source code I don't see how the following element can be processed
> (ProviderAlgo). Browsing CVS I came across a file called provider.properties. Is
> this a way to specify my provider? If so where should I put it, please?
>
> <Algorithm URI="http://www.w3.org/2001/04/xmlenc#rsa-1_5"
>    Description="Key Transport RSA-v1.5">
>   <ProviderAlgo ProviderId="IBMJCE" JCEName="RSA"/>
> </Algorithm>
>
> Javadocs say that I can get an instance of an XML cipher via
> XMLCipher.getInstance() and use it as a "generic" cipher for decryption. But
> when I try to initialize it with my key (which carries algorithm information) I
> am getting exception:
>
> org.apache.xml.security.encryption.XMLEncryptionException: No message with ID
> "XMLCipher instance without transformation specified" found in resource bundle
> "org/apache/xml/security/resource/xmlsecurity"
>
> Is it possible to re-use a cipher for different algorithms?
>
> Thanks,
> Alexey
>
>
>


--
http://r-bg.com