Posted to dev@santuario.apache.org by bu...@apache.org on 2010/06/23 16:56:54 UTC

DO NOT REPLY [Bug 49493] New: Cannot resolve PrivateKeys used in Key Transport algorithms

https://issues.apache.org/bugzilla/show_bug.cgi?id=49493

           Summary: Cannot resolve PrivateKeys used in Key Transport
                    algorithms
           Product: Security
           Version: unspecified
          Platform: PC
        OS/Version: Windows NT
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Encryption
        AssignedTo: security-dev@xml.apache.org
        ReportedBy: Clement_Pellerin@ibi.com


Created an attachment (id=25632)
 --> (https://issues.apache.org/bugzilla/attachment.cgi?id=25632)
source code patch with new junit

During decryption, XMLCipher needs to find the key to decrypt an encrypted key.
The kek can be provided by the caller, otherwise XMLCipher can call the
KeyResolvers to resolve the kek. The KeyResolvers work fine if the Key
Encryption Key is a symmetric key because the SecretKey can be returned by
KeyInfo.getSecretKey(). When the Key Transport algorithm is RSA-1.5 or
RSA-OAEP, the key we need is a PrivateKey and there are no calls that can
return an object of this type.

To reproduce, use the junit included in the source patch attached to the bug.

The solution is to introduce a new method called
engineLookupAndResolvePrivateKey() in the KeyResolverSpi base class. The new
method returns a PrivateKey. In XMLCipher, we now check which algorithm was
used to encrypt the key, and if the kek type is RSA, we resolve a PrivateKey
instead of a SecretKey.

Notice the StorageResolvers have no way to return a PrivateKey either.
To avoid controversy, the proposed solution does not affect StorageResolver.
The custom KeyResolver implementing engineLookupAndResolvePrivateKey() must
know a source of PrivateKeys other than StorageResolver. This explains why the
StorageResolver argument of engineLookupAndResolvePrivateKey() is always null.
The hope is that one day new APIs will be added to StorageResolver and we'll be
able to pass StorageResolvers in the existing argument.

This solution does not depend on Bug 49465, but both are needed to allow
PrivateKey KeyResolvers per KeyInfo.

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
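As an added illustration (not code from the report or from the attached patch), the following custom KeyResolverSpi shows what the proposed engineLookupAndResolvePrivateKey() hook lets a deployment do: hand XMLCipher the RSA key-encryption private key from its own KeyStore when the EncryptedKey's ds:KeyInfo names the key with a ds:KeyName. The method signature engineLookupAndResolvePrivateKey(Element, String, StorageResolver), the engineCanResolve() override, and the XMLUtils.elementIsInSignatureSpace / Constants._TAG_KEYNAME helpers are assumptions about the library API; the StorageResolver argument is ignored because, as the report states, it is always null for private keys.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyStore;
import java.security.PrivateKey;

import org.apache.xml.security.keys.keyresolver.KeyResolverSpi;
import org.apache.xml.security.keys.storage.StorageResolver;
import org.apache.xml.security.utils.Constants;
import org.apache.xml.security.utils.XMLUtils;
import org.w3c.dom.Element;

/**
 * Illustrative KeyResolverSpi that supplies the RSA key-encryption private key
 * for an EncryptedKey whose ds:KeyInfo carries a ds:KeyName naming a KeyStore alias.
 *
 * Assumed (not taken from the bug report): the signature
 * engineLookupAndResolvePrivateKey(Element, String, StorageResolver) and the
 * helpers XMLUtils.elementIsInSignatureSpace / Constants._TAG_KEYNAME.
 */
public class KeyStorePrivateKeyResolver extends KeyResolverSpi {

    private final KeyStore keyStore;
    private final char[] keyPassword;

    public KeyStorePrivateKeyResolver(KeyStore keyStore, char[] keyPassword) {
        this.keyStore = keyStore;
        this.keyPassword = keyPassword.clone();
    }

    /** Convenience loader for a PKCS#12 file holding the decryption key pair. */
    public static KeyStorePrivateKeyResolver fromPkcs12(Path file, char[] password)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(file)) {
            ks.load(in, password);
        }
        return new KeyStorePrivateKeyResolver(ks, password);
    }

    /** Only ds:KeyName children of ds:KeyInfo are handled by this resolver. */
    @Override
    public boolean engineCanResolve(Element element, String baseURI, StorageResolver storage) {
        return XMLUtils.elementIsInSignatureSpace(element, Constants._TAG_KEYNAME);
    }

    /**
     * Invoked through KeyInfo when XMLCipher finds that the EncryptedKey uses an RSA
     * key-transport algorithm and therefore needs a PrivateKey rather than a SecretKey.
     * The storage argument is always null for private keys, so the key must come
     * from this resolver's own KeyStore.
     */
    @Override
    public PrivateKey engineLookupAndResolvePrivateKey(Element element, String baseURI,
                                                       StorageResolver storage) {
        if (!engineCanResolve(element, baseURI, storage)) {
            return null; // not our element; let the next registered resolver try
        }
        String alias = element.getTextContent().trim();
        try {
            // isKeyEntry() excludes trusted-certificate-only entries, which carry no private key.
            if (alias.isEmpty() || !keyStore.isKeyEntry(alias)) {
                return null;
            }
            Key key = keyStore.getKey(alias, keyPassword);
            return (key instanceof PrivateKey) ? (PrivateKey) key : null;
        } catch (GeneralSecurityException e) {
            // An unreadable or mistyped entry means "cannot resolve" here; XMLCipher
            // reports the missing key-encryption key when no resolver returns one.
            return null;
        }
    }
}
```

The resolver returns null rather than throwing for anything it cannot map to a private key, so it composes with other registered resolvers and never leaks which aliases exist. How the instance is registered (globally through KeyResolver, or per KeyInfo as Bug 49465 proposes) depends on the library version in use and is not shown above.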

DO NOT REPLY [Bug 49493] Cannot resolve PrivateKeys used in Key Transport algorithms

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=49493

coheigea <co...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

--- Comment #1 from coheigea <co...@apache.org> 2010-09-30 14:41:10 EDT ---

Patch applied, thanks:

Sending        CHANGELOG.txt
Sending        src/org/apache/xml/security/encryption/XMLCipher.java
Sending        src/org/apache/xml/security/keys/KeyInfo.java
Sending        src/org/apache/xml/security/keys/keyresolver/KeyResolverSpi.java
Sending        src/org/apache/xml/security/keys/keyresolver/implementations/RetrievalMethodResolver.java
Sending        src_unitTests/org/apache/xml/security/test/ModuleTest.java
Adding         src_unitTests/org/apache/xml/security/test/keys/keyresolver
Adding         src_unitTests/org/apache/xml/security/test/keys/keyresolver/KeyResolverTest.java
Transmitting file data .......
Committed revision 1003198.

Colm.
