You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@ws.apache.org by "Colm O hEigeartaigh (Closed) (JIRA)" <ji...@apache.org> on 2011/10/03 11:04:36 UTC

[jira] [Closed] (WSS-72) WSSecEncryptedKey rejects a conformant cipher when its getBlockSize() returns 0

     [ https://issues.apache.org/jira/browse/WSS-72?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh closed WSS-72.
----------------------------------

    
> WSSecEncryptedKey rejects a conformant cipher when its getBlockSize() returns 0
> -------------------------------------------------------------------------------
>
>                 Key: WSS-72
>                 URL: https://issues.apache.org/jira/browse/WSS-72
>             Project: WSS4J
>          Issue Type: Bug
>         Environment: Windows XP
> Axis 1.4
> WSS4J 1.5.0
>            Reporter: Aki Yoshida
>            Assignee: Davanum Srinivas
>
> Method prepareInternal of WSSecEncrptedKey has the following code fragment:
>         Cipher cipher = WSSecurityUtil.getCipherInstance(keyEncAlgo);
>         try {
>             cipher.init(Cipher.ENCRYPT_MODE, remoteCert);
>         } catch (InvalidKeyException e) {
>             throw new WSSecurityException(WSSecurityException.FAILED_ENC_DEC,
>                     null, null, e);
>         }
>         if (doDebug) {
>             log.debug("cipher blksize: " + cipher.getBlockSize()
>                     + ", symm key length: " + keyBytes.length);
>         }
>         if (cipher.getBlockSize() < keyBytes.length) {
>             throw new WSSecurityException(WSSecurityException.FAILURE,
>                     "unsupportedKeyTransp",
>                     new Object[] { "public key algorithm too weak to encrypt "
>                             + "symmetric key" });
>         }
> The getCipherInstance(keyEncAlgo) instantiates a cipher using Cipher.getInstance("RSA/NONE/PKCS1PADDING").
> When the cipher is an RSA cipher, as in this case, some securiy providers may return 0 for its getBlockSize() method because RSA is not a block cipher.  In particular, we found out that the IAIK 3.12 has this behavior of returing 0 for this method.
> This causes the above code to throws the WSSecurityException.
> The documentation at
> http://java.sun.com/j2se/1.4.2/docs/api/javax/crypto/Cipher.html#getBlockSize()
> states that this method should return 0 for non-block ciphers. 
> Therefore, we consider this problem to be a bug in WSSecEncrptedKey and request that the above if block to be commented out as:
>         // RSA is not a block cipher and cipher.getBlockSize() may return 0
> //        if (cipher.getBlockSize() < keyBytes.length) {
> //            throw new WSSecurityException(WSSecurityException.FAILURE,
> //                    "unsupportedKeyTransp",
> //                    new Object[] { "public key algorithm too weak to encrypt "
> //                            + "symmetric key" });
> //        }

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For additional commands, e-mail: dev-help@ws.apache.org