You are viewing a plain text version of this content. The canonical link for it is here.
Posted to wss4j-dev@ws.apache.org by "Scott Maxwell (JIRA)" <ji...@apache.org> on 2006/02/20 19:02:53 UTC
[jira] Created: (WSS-34) WSS4J Encryption Incompatible with PKI
certificates specifying certain critical KeyUsage
WSS4J Encryption Incompatible with PKI certificates specifying certain critical KeyUsage
----------------------------------------------------------------------------------------
Key: WSS-34
URL: http://issues.apache.org/jira/browse/WSS-34
Project: WSS4J
Type: Bug
Environment: JRE 1.4.2_08, BEA WebLogic 8 sp4. wss4j 1.1.0
Reporter: Scott Maxwell
Assigned to: Davanum Srinivas
[This issue was reported informally to the wss4j-dev list on Feb 3, 2006]
When using a PKI that specifies a certain critical KeyUsage (meaning those KeyUsage rules MUST be followed), wss4j encryption fails. The KeyUsage of interest are keyEncipherment and dataEncipherment. Specifically, when keyEncipherment is allowed, but dataEncipherment is not allowed, wss4j encryption fails, when it should succeed. It should be successful because the public keys of the PKI are only being used to encrypt (wrap) random session keys, which in turn actually perform the data encipherment of the WSS body.
Using keys of this keyUsage results in an InvalidKeyException when initializing a javax.crypto.Cipher in the ENCRYPT_MODE as in WSEncryptBody.build:
cipher.init(Cipher.ENCRYPT_MODE, remoteCert);
To support all cases (certs with no keyUsage, and certificates with critical keyUsage allowing keyEncipherment but not dataEncipherment) the likely solution would be to use the WRAP_MODE, and changing the encryption of session keys with public keys from encryptedKey = cipher.doFinal(encKey); to encryptedKey = cipher.wrap(this.encryptionKey); The unwrap/decrypt process also has to be handled appropriately (perform an UNWRAP) on the receiver's end in WSSecurityEngine.handleEncryptedKey.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
http://www.atlassian.com/software/jira
---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org
[jira] Closed: (WSS-34) WSS4J Encryption Incompatible with PKI
certificates specifying certain critical KeyUsage
Posted by "Werner Dittmann (JIRA)" <ji...@apache.org>.
[ http://issues.apache.org/jira/browse/WSS-34?page=all ]
Werner Dittmann closed WSS-34:
------------------------------
Resolution: Won't Fix
After diging into this topic the WSS4J is according to the specification. The W3C specification
for XML encryption specifies a key transport mechanism based on RSA with different padding
modes (PKCS1_5 and OAEP). Both perform some padding and use plain RSA encrypt and
decrypt. The key transport is _not_ qualified as "key wrapping" (key wrapping would impose
additional PKCS#8 or X509 data handling). Thus the use of ENCRYPT and DECRYPT in WSS4J
is correct.
For real key wrapping the W3C specs define specific algorithms (pls refer to the according W3C
spec), these are based on symmetrical algorithms.
> WSS4J Encryption Incompatible with PKI certificates specifying certain critical KeyUsage
> ----------------------------------------------------------------------------------------
>
> Key: WSS-34
> URL: http://issues.apache.org/jira/browse/WSS-34
> Project: WSS4J
> Type: Bug
> Environment: JRE 1.4.2_08, BEA WebLogic 8 sp4. wss4j 1.1.0
> Reporter: Scott Maxwell
> Assignee: Davanum Srinivas
>
> [This issue was reported informally to the wss4j-dev list on Feb 3, 2006]
> When using a PKI that specifies a certain critical KeyUsage (meaning those KeyUsage rules MUST be followed), wss4j encryption fails. The KeyUsage of interest are keyEncipherment and dataEncipherment. Specifically, when keyEncipherment is allowed, but dataEncipherment is not allowed, wss4j encryption fails, when it should succeed. It should be successful because the public keys of the PKI are only being used to encrypt (wrap) random session keys, which in turn actually perform the data encipherment of the WSS body.
> Using keys of this keyUsage results in an InvalidKeyException when initializing a javax.crypto.Cipher in the ENCRYPT_MODE as in WSEncryptBody.build:
> cipher.init(Cipher.ENCRYPT_MODE, remoteCert);
> To support all cases (certs with no keyUsage, and certificates with critical keyUsage allowing keyEncipherment but not dataEncipherment) the likely solution would be to use the WRAP_MODE, and changing the encryption of session keys with public keys from encryptedKey = cipher.doFinal(encKey); to encryptedKey = cipher.wrap(this.encryptionKey); The unwrap/decrypt process also has to be handled appropriately (perform an UNWRAP) on the receiver's end in WSSecurityEngine.handleEncryptedKey.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
http://www.atlassian.com/software/jira
---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org
[jira] Closed: (WSS-34) WSS4J Encryption Incompatible with PKI
certificates specifying certain critical KeyUsage
Posted by "Werner Dittmann (JIRA)" <ji...@apache.org>.
[ http://issues.apache.org/jira/browse/WSS-34?page=all ]
Werner Dittmann closed WSS-34:
------------------------------
Resolution: Won't Fix
After diging into this topic the WSS4J is according to the specification. The W3C specification
for XML encryption specifies a key transport mechanism based on RSA with different padding
modes (PKCS1_5 and OAEP). Both perform some padding and use plain RSA encrypt and
decrypt. The key transport is _not_ qualified as "key wrapping" (key wrapping would impose
additional PKCS#8 or X509 data handling). Thus the use of ENCRYPT and DECRYPT in WSS4J
is correct.
For real key wrapping the W3C specs define specific algorithms (pls refer to the according W3C
spec), these are based on symmetrical algorithms.
> WSS4J Encryption Incompatible with PKI certificates specifying certain critical KeyUsage
> ----------------------------------------------------------------------------------------
>
> Key: WSS-34
> URL: http://issues.apache.org/jira/browse/WSS-34
> Project: WSS4J
> Type: Bug
> Environment: JRE 1.4.2_08, BEA WebLogic 8 sp4. wss4j 1.1.0
> Reporter: Scott Maxwell
> Assignee: Davanum Srinivas
>
> [This issue was reported informally to the wss4j-dev list on Feb 3, 2006]
> When using a PKI that specifies a certain critical KeyUsage (meaning those KeyUsage rules MUST be followed), wss4j encryption fails. The KeyUsage of interest are keyEncipherment and dataEncipherment. Specifically, when keyEncipherment is allowed, but dataEncipherment is not allowed, wss4j encryption fails, when it should succeed. It should be successful because the public keys of the PKI are only being used to encrypt (wrap) random session keys, which in turn actually perform the data encipherment of the WSS body.
> Using keys of this keyUsage results in an InvalidKeyException when initializing a javax.crypto.Cipher in the ENCRYPT_MODE as in WSEncryptBody.build:
> cipher.init(Cipher.ENCRYPT_MODE, remoteCert);
> To support all cases (certs with no keyUsage, and certificates with critical keyUsage allowing keyEncipherment but not dataEncipherment) the likely solution would be to use the WRAP_MODE, and changing the encryption of session keys with public keys from encryptedKey = cipher.doFinal(encKey); to encryptedKey = cipher.wrap(this.encryptionKey); The unwrap/decrypt process also has to be handled appropriately (perform an UNWRAP) on the receiver's end in WSSecurityEngine.handleEncryptedKey.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
http://www.atlassian.com/software/jira
---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org