You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@santuario.apache.org by bu...@apache.org on 2010/06/23 16:56:54 UTC
DO NOT REPLY [Bug 49493] New: Cannot resolve PrivateKeys used in Key
Transport algorithms
https://issues.apache.org/bugzilla/show_bug.cgi?id=49493
Summary: Cannot resolve PrivateKeys used in Key Transport
algorithms
Product: Security
Version: unspecified
Platform: PC
OS/Version: Windows NT
Status: NEW
Severity: normal
Priority: P2
Component: Encryption
AssignedTo: security-dev@xml.apache.org
ReportedBy: Clement_Pellerin@ibi.com
Created an attachment (id=25632)
--> (https://issues.apache.org/bugzilla/attachment.cgi?id=25632)
source code patch with new junit
During decryption, XMLCipher needs to find the key to decrypt an encrypted key.
The kek can be provided by the caller, otherwise XMLCipher can call the
KeyResolvers to resolve the kek. The KeyResolvers work fine if the Key
Encryption Key is a symmetric key because the SecretKey can be returned by
KeyInfo.getSecretKey(). When the Key Transport algorithm is RSA-1.5 or
RSA-OAEP, the key we need is a PrivateKey and there are no calls that can
return an object of this type.
To reproduce use the junit included in the source patch attached to the bug.
The solution is to introduce a new method called
engineLookupAndResolvePrivateKey() in the KeyResolverSpi base class. The new
method returns a PrivateKey. In XMLCipher, we now check which algorithm was
used to encrypt the key, and if the kek type is RSA, we resolve a PrivateKey
instead of a SecretKey.
Notice the StorageResolvers have no way to return a PrivateKey either.
To avoid controversy, the proposed solution does not affect StorageResolver.
The custom KeyResolver implementing engineLookupAndResolvePrivateKey() must
know a source of PrivateKeys other than StorageResolver. This explains why the
StorageResolver argument of engineLookupAndResolvePrivateKey() is always null.
The hope is that one day new APIs will be added to StorageResolver and we'll be
able to pass StorageResolvers in the existing argument.
This solution does not depend on Bug 49465, but both are needed to allow
PrivateKey KeyResolvers per KeyInfo.
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
DO NOT REPLY [Bug 49493] Cannot resolve PrivateKeys used in Key
Transport algorithms
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=49493
coheigea <co...@apache.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution| |FIXED
--- Comment #1 from coheigea <co...@apache.org> 2010-09-30 14:41:10 EDT ---
Patch applied, thanks:
Sending CHANGELOG.txt
Sending src/org/apache/xml/security/encryption/XMLCipher.java
Sending src/org/apache/xml/security/keys/KeyInfo.java
Sending src/org/apache/xml/security/keys/keyresolver/KeyResolverSpi.java
Sending
src/org/apache/xml/security/keys/keyresolver/implementations/RetrievalMethodResolver.java
Sending src_unitTests/org/apache/xml/security/test/ModuleTest.java
Adding src_unitTests/org/apache/xml/security/test/keys/keyresolver
Adding
src_unitTests/org/apache/xml/security/test/keys/keyresolver/KeyResolverTest.java
Transmitting file data .......
Committed revision 1003198.
Colm.
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.