You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@santuario.apache.org by "Brent Putman (JIRA)" <ji...@apache.org> on 2014/06/04 22:59:04 UTC

[jira] [Updated] (SANTUARIO-392) In XMLCipher support use of GCMParameterSpec for AES GCM modes

     [ https://issues.apache.org/jira/browse/SANTUARIO-392?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Brent Putman updated SANTUARIO-392:
-----------------------------------

    Attachment: santuario-xmlcipher-gcmparameterspec.patch

Adding patch.

> In XMLCipher support use of GCMParameterSpec for AES GCM modes
> --------------------------------------------------------------
>
>                 Key: SANTUARIO-392
>                 URL: https://issues.apache.org/jira/browse/SANTUARIO-392
>             Project: Santuario
>          Issue Type: Improvement
>          Components: Java
>    Affects Versions: Java 2.0.0, Java 1.5.6
>            Reporter: Brent Putman
>            Assignee: Colm O hEigeartaigh
>         Attachments: santuario-xmlcipher-gcmparameterspec.patch
>
>
> XMLCipher currently unconditionally uses an IvParameterSpec to initialize the Java Cipher instance for data encryption and decryption. 
> In Java 1.7 a new AlgorithmParameterSpec was introduced to support GCM modes, GCMParameterSpec.  This is intended to be the way that GCM mode ciphers are initialized, as it allows supplying both the IV and the authentication tag length.
> In particular the security provider supplied with Oracle's Java 1.8 seems to require its use.  When handed an IvParameterSpec per the current XMLCipher behavior, it fails with:
> {code}
> java.security.InvalidAlgorithmParameterException: Unsupported parameter: javax.crypto.spec.IvParameterSpec@15bbf42f
>     at com.sun.crypto.provider.CipherCore.init(CipherCore.java:509)
>     at com.sun.crypto.provider.AESCipher.engineInit(AESCipher.java:339)
>     at javax.crypto.Cipher.implInit(Cipher.java:801)
>     at javax.crypto.Cipher.chooseProvider(Cipher.java:859)
>     at javax.crypto.Cipher.init(Cipher.java:1370)
>     at javax.crypto.Cipher.init(Cipher.java:1301)
>     at org.apache.xml.security.encryption.XMLCipher.encryptData(XMLCipher.java:1129)
>     at org.apache.xml.security.encryption.XMLCipher.encryptData(XMLCipher.java:1081)
>     at org.apache.xml.security.encryption.XMLCipher.encryptData(XMLCipher.java:1012)
> {code} 
> The BouncyCastle security provider on the other hand works fine with IvParameterSpec and current XMLCipher.  They did however add support for GCMParameterSpec in their 1.50 release (although due to an semi-related bug, it won't work properly with XMLCipher until their v1.51, which is not yet released.  See: http://www.bouncycastle.org/jira/browse/BJA-473)
> XMLCipher should ideally detect AES GCM mode algorithms and attempt to use GCMParameterSpec where possible, falling back to IvParameterSpec where it is not.
> Patch to follow shortly.



--
This message was sent by Atlassian JIRA
(v6.2#6252)