axis-java-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "S.Uthaiyashankar (JIRA)" <j...@apache.org>
Subject [jira] Resolved: (RAMPART-241) org.apache.ws.security.WSSecurityException: Cannot encrypt data; nest ed exception is: org.apache.xml.security.encryption.XMLEncryptionException: Illegal key s ize or default parameters Original Exception was java.security.InvalidKeyException
Date Tue, 21 Dec 2010 12:02:02 GMT

     [ https://issues.apache.org/jira/browse/RAMPART-241?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

S.Uthaiyashankar resolved RAMPART-241.
--------------------------------------

    Resolution: Not A Problem

You have to install JCE[1] to fix this problem. By default, java doesn't support encryption
using 256bit keys. In order to increase the key length, you have to install JCE. 


[1] https://cds.sun.com/is-bin/INTERSHOP.enfinity/WFS/CDS-CDS_Developer-Site/en_US/-/USD/ViewProductDetail-Start?ProductRef=jce_policy-6-oth-JPR@CDS-CDS_Developer

> org.apache.ws.security.WSSecurityException: Cannot encrypt data; nest ed exception is:
        org.apache.xml.security.encryption.XMLEncryptionException: Illegal key s ize or default
parameters Original Exception was java.security.InvalidKeyException
> ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: RAMPART-241
>                 URL: https://issues.apache.org/jira/browse/RAMPART-241
>             Project: Rampart
>          Issue Type: Bug
>    Affects Versions: 1.4
>         Environment: rampart-1.4>mvn -e install
> Running org.apache.rampart.AsymmetricBindingBuilderTest
> org.apache.rampart.RampartException: Error in creating an encrypted key
>         at org.apache.rampart.builder.AsymmetricBindingBuilder.doEncryptBeforeSi
> g(AsymmetricBindingBuilder.java:164)
>         at org.apache.rampart.builder.AsymmetricBindingBuilder.build(AsymmetricB
> indingBuilder.java:91)
>         at org.apache.rampart.MessageBuilder.build(MessageBuilder.java:147)
>         at org.apache.rampart.AsymmetricBindingBuilderTest.testAsymmBindingWithD
> KEncrBeforeSig(AsymmetricBindingBuilderTest.java:148)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.
> java:39)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAcces
> sorImpl.java:25)
>         at java.lang.reflect.Method.invoke(Method.java:597)
>         at junit.framework.TestCase.runTest(TestCase.java:164)
>         at junit.framework.TestCase.runBare(TestCase.java:130)
>         at junit.framework.TestResult$1.protect(TestResult.java:106)
>         at junit.framework.TestResult.runProtected(TestResult.java:124)
>         at junit.framework.TestResult.run(TestResult.java:109)
>         at junit.framework.TestCase.run(TestCase.java:120)
>         at junit.framework.TestSuite.runTest(TestSuite.java:230)
>         at junit.framework.TestSuite.run(TestSuite.java:225)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.
> java:39)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAcces
> sorImpl.java:25)
>         at java.lang.reflect.Method.invoke(Method.java:597)
>         at org.apache.maven.surefire.junit.JUnitTestSet.execute(JUnitTestSet.jav
> a:213)
>         at org.apache.maven.surefire.suite.AbstractDirectoryTestSuite.executeTes
> tSet(AbstractDirectoryTestSuite.java:140)
>         at org.apache.maven.surefire.suite.AbstractDirectoryTestSuite.execute(Ab
> stractDirectoryTestSuite.java:127)
>         at org.apache.maven.surefire.Surefire.run(Surefire.java:177)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.
> java:39)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAcces
> sorImpl.java:25)
>         at java.lang.reflect.Method.invoke(Method.java:597)
>         at org.apache.maven.surefire.booter.SurefireBooter.runSuitesInProcess(Su
> refireBooter.java:345)
>         at org.apache.maven.surefire.booter.SurefireBooter.main(SurefireBooter.j
> ava:1009)
> Caused by: org.apache.ws.security.WSSecurityException: Cannot encrypt data; nest
> ed exception is:
>         org.apache.xml.security.encryption.XMLEncryptionException: Illegal key s
> ize or default parameters
> Original Exception was java.security.InvalidKeyException: Illegal key size or de
> fault parameters
>         at org.apache.ws.security.message.WSSecDKEncrypt.doEncryption(WSSecDKEnc
> rypt.java:149)
>         at org.apache.ws.security.message.WSSecDKEncrypt.encryptForExternalRef(W
> SSecDKEncrypt.java:188)
>         at org.apache.rampart.builder.AsymmetricBindingBuilder.doEncryptBeforeSi
> g(AsymmetricBindingBuilder.java:161)
>         ... 29 more
> Caused by: org.apache.xml.security.encryption.XMLEncryptionException: Illegal ke
> y size or default parameters
> Original Exception was java.security.InvalidKeyException: Illegal key size or de
> fault parameters
>         at org.apache.xml.security.encryption.XMLCipher.encryptData(Unknown Sour
> ce)
>         at org.apache.xml.security.encryption.XMLCipher.encryptData(Unknown Sour
> ce)
>         at org.apache.xml.security.encryption.XMLCipher.encryptElementContent(Un
> known Source)
>         at org.apache.xml.security.encryption.XMLCipher.doFinal(Unknown Source)
>         at org.apache.ws.security.message.WSSecDKEncrypt.doEncryption(WSSecDKEnc
> rypt.java:147)
>         ... 31 more
> org.apache.rampart.RampartException: Error during encryption
>         at org.apache.rampart.builder.AsymmetricBindingBuilder.doEncryptBeforeSi
> g(AsymmetricBindingBuilder.java:192)
>         at org.apache.rampart.builder.AsymmetricBindingBuilder.build(AsymmetricB
> indingBuilder.java:91)
>         at org.apache.rampart.MessageBuilder.build(MessageBuilder.java:147)
>         at org.apache.rampart.AsymmetricBindingBuilderTest.testAsymmBindingEncrB
> eforeSig(AsymmetricBindingBuilderTest.java:178)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.
> java:39)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAcces
> sorImpl.java:25)
>         at java.lang.reflect.Method.invoke(Method.java:597)
>         at junit.framework.TestCase.runTest(TestCase.java:164)
>         at junit.framework.TestCase.runBare(TestCase.java:130)
>         at junit.framework.TestResult$1.protect(TestResult.java:106)
>         at junit.framework.TestResult.runProtected(TestResult.java:124)
>         at junit.framework.TestResult.run(TestResult.java:109)
>         at junit.framework.TestCase.run(TestCase.java:120)
>         at junit.framework.TestSuite.runTest(TestSuite.java:230)
>         at junit.framework.TestSuite.run(TestSuite.java:225)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.
> java:39)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAcces
> sorImpl.java:25)
>         at java.lang.reflect.Method.invoke(Method.java:597)
>         at org.apache.maven.surefire.junit.JUnitTestSet.execute(JUnitTestSet.jav
> a:213)
>         at org.apache.maven.surefire.suite.AbstractDirectoryTestSuite.executeTes
> tSet(AbstractDirectoryTestSuite.java:140)
>         at org.apache.maven.surefire.suite.AbstractDirectoryTestSuite.execute(Ab
> stractDirectoryTestSuite.java:127)
>         at org.apache.maven.surefire.Surefire.run(Surefire.java:177)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.
> java:39)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAcces
> sorImpl.java:25)
>         at java.lang.reflect.Method.invoke(Method.java:597)
>         at org.apache.maven.surefire.booter.SurefireBooter.runSuitesInProcess(Su
> refireBooter.java:345)
>         at org.apache.maven.surefire.booter.SurefireBooter.main(SurefireBooter.j
> ava:1009)
> Caused by: org.apache.ws.security.WSSecurityException: Cannot encrypt data; nest
> ed exception is:
>         org.apache.xml.security.encryption.XMLEncryptionException: Illegal key s
> ize or default parameters
> Original Exception was java.security.InvalidKeyException: Illegal key size or de
> fault parameters
>         at org.apache.ws.security.message.WSSecEncrypt.doEncryption(WSSecEncrypt
> .java:571)
>         at org.apache.ws.security.message.WSSecEncrypt.doEncryption(WSSecEncrypt
> .java:458)
>         at org.apache.ws.security.message.WSSecEncrypt.encryptForExternalRef(WSS
> ecEncrypt.java:396)
>         at org.apache.rampart.builder.AsymmetricBindingBuilder.doEncryptBeforeSi
> g(AsymmetricBindingBuilder.java:189)
>         ... 29 more
> Caused by: org.apache.xml.security.encryption.XMLEncryptionException: Illegal ke
> y size or default parameters
> Original Exception was java.security.InvalidKeyException: Illegal key size or de
> fault parameters
>         at org.apache.xml.security.encryption.XMLCipher.encryptData(Unknown Sour
> ce)
>         at org.apache.xml.security.encryption.XMLCipher.encryptData(Unknown Sour
> ce)
>         at org.apache.xml.security.encryption.XMLCipher.encryptElementContent(Un
> known Source)
>         at org.apache.xml.security.encryption.XMLCipher.doFinal(Unknown Source)
>         at org.apache.ws.security.message.WSSecEncrypt.doEncryption(WSSecEncrypt
> .java:564)
>         ... 32 more
>            Reporter: Martin Gainty
>            Assignee: S.Uthaiyashankar
>            Priority: Minor
>             Fix For: NextVersion
>
>   Original Estimate: 24h
>  Remaining Estimate: 24h
>
> test-resources/keys/interop2.jks contents:
> Keystore type: JKS
> Keystore provider: SUN
> Your keystore contains 4 entries
> alice, Jun 4, 2005, PrivateKeyEntry,
> Certificate fingerprint (MD5): 57:CE:81:F1:03:C4:2C:F7:5B:1A:DE:AC:43:64:0A:84
> root, Jun 4, 2005, trustedCertEntry,
> Certificate fingerprint (MD5): 0C:0D:00:27:BF:4B:32:63:40:A8:B2:03:96:4B:58:14
> ca, Jun 4, 2005, trustedCertEntry,
> Certificate fingerprint (MD5): CA:0A:6D:E3:A4:9F:E8:55:98:0A:F8:10:66:35:40:C6
> bob, Jun 4, 2005, PrivateKeyEntry,
> Certificate fingerprint (MD5): 89:3E:86:D2:4F:9C:E7:39:B6:71:8A:EF:00:C5:89:DC
> test-resources/policy/rampart-asymm-binding-1.xml:
> <wsp:Policy  wsu:Id="6" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
> 	<wsp:ExactlyOne>
> 		<wsp:All>
> 			<sp:AsymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> 				<wsp:Policy>
> 					<sp:InitiatorToken>
> 						<wsp:Policy>
> 							<sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
> 								<wsp:Policy>
> 									<sp:WssX509V3Token10/>
> 								</wsp:Policy>
> 							</sp:X509Token>
> 						</wsp:Policy>
> 					</sp:InitiatorToken>
> 					<sp:RecipientToken>
> 						<wsp:Policy>
> 							<sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
> 								<wsp:Policy>
> 									<sp:WssX509V3Token10/>
> 								</wsp:Policy>
> 							</sp:X509Token>
> 						</wsp:Policy>
> 					</sp:RecipientToken>
> 					<sp:AlgorithmSuite>
> 						<wsp:Policy>
> 							<sp:Basic256/>
> 						</wsp:Policy>
> 					</sp:AlgorithmSuite>
> 					<sp:Layout>
> 						<wsp:Policy>
> 							<sp:Lax/>
> 						</wsp:Policy>
> 					</sp:Layout>
> 					<sp:IncludeTimestamp/>
> 					<sp:OnlySignEntireHeadersAndBody/>
> 				</wsp:Policy>
> 			</sp:AsymmetricBinding>
> 			<sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> 				<wsp:Policy>
> 					<sp:MustSupportRefKeyIdentifier/>
> 					<sp:MustSupportRefIssuerSerial/>
> 				</wsp:Policy>
> 			</sp:Wss10>
> 			<sp:Trust10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> 				<wsp:Policy>
> 					<sp:MustSupportIssuedTokens/>
> 					<sp:RequireClientEntropy/>
> 					<sp:RequireServerEntropy/>
> 				</wsp:Policy>
> 			</sp:Trust10>
> 			
> 			<ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy"> 
> 				<ramp:user>alice</ramp:user>
> 				<ramp:encryptionUser>bob</ramp:encryptionUser>
> 				<ramp:passwordCallbackClass>org.apache.rampart.TestCBHandler</ramp:passwordCallbackClass>
> 				
> 				<ramp:signatureCrypto>
> 					<ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
> 						<ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
> 						<ramp:property name="org.apache.ws.security.crypto.merlin.file">test-resources/keys/interop2.jks</ramp:property>
> 						<ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">password</ramp:property>
> 					</ramp:crypto>
> 				</ramp:signatureCrypto>
> 				<ramp:encryptionCypto>
> 					<ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
> 						<ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
> 						<ramp:property name="org.apache.ws.security.crypto.merlin.file">test-resources/keys/interop2.jks</ramp:property>
> 						<ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">password</ramp:property>
> 					</ramp:crypto>
> 				</ramp:encryptionCypto>
> 			</ramp:RampartConfig>
> 	
> 		</wsp:All>
> 	</wsp:ExactlyOne>
> </wsp:Policy>
> org.apache.rampart.RampartMessageBuilderTest (which loads rampart-asymm-binding-1.xml
policy file)
> public void testAsymmBinding() {
>         try {
>             MessageContext ctx = getMsgCtx();
>             
>             String policyXml = "test-resources/policy/rampart-asymm-binding-1.xml";
>             Policy policy = this.loadPolicy(policyXml);
>             
>             ctx.setProperty(RampartMessageData.KEY_RAMPART_POLICY, policy);
>             
>             MessageBuilder builder = new MessageBuilder();
>             builder.build(ctx);
>  ........
>  }
>  
> org.apache.rampart.builder.AsymmetricBindingBuilder.java:
> //build method passes on the RampartMessageData
>     public void build(RampartMessageData rmd) throws RampartException {
>         log.debug("AsymmetricBindingBuilder build invoked");
>         RampartPolicyData rpd = rmd.getPolicyData();
>         if (rpd.isIncludeTimestamp()) {
>             this.addTimestamp(rmd);
>         }
>         if (SPConstants.ENCRYPT_BEFORE_SIGNING.equals(rpd.getProtectionOrder())) {
>         //doEncryptBeforeSig is called here
>             this.doEncryptBeforeSig(rmd);
>         } else {
>             this.doSignBeforeEncrypt(rmd);
>         }
>         log.debug("AsymmetricBindingBuilder build invoked : DONE");
>     }
> ..........
>   private void doEncryptBeforeSig(RampartMessageData rmd)
>             throws RampartException {
>     	
>     	long t0 = 0, t1 = 0, t2 = 0;
>     	if(dotDebug){
>     		t0 = System.currentTimeMillis();
>     	}
>         RampartPolicyData rpd = rmd.getPolicyData();
>         Document doc = rmd.getDocument();
>         RampartConfig config = rpd.getRampartConfig();
>         /*
>          * We need to hold on to these two element to use them as refence in the
>          * case of encypting the signature
>          */
>         Element encrDKTokenElem = null;
>         WSSecEncrypt encr = null;
>         Element refList = null;
>         WSSecDKEncrypt dkEncr = null;
>         /*
>          * We MUST use keys derived from the same token
>          */
>         Token encryptionToken = null;
>         if(rmd.isInitiator()) {
>             encryptionToken = rpd.getRecipientToken();
>         } else {
>             encryptionToken = rpd.getInitiatorToken();
>         }
>         Vector encrParts = RampartUtil.getEncryptedParts(rmd);
>         
>         //Signed parts are determined before encryption because encrypted signed  headers
>         //will not be included otherwise
>         this.sigParts = RampartUtil.getSignedParts(rmd);
>         
>         if(encryptionToken == null && encrParts.size() > 0) {
>             throw new RampartException("encryptionTokenMissing");
>         }
>         
>         if (encryptionToken != null && encrParts.size() > 0) {
>             
>             //Check for RampartConfig assertion
>             if(rpd.getRampartConfig() == null) {
>                 //We'er missing the extra info rampart needs
>                 throw new RampartException("rampartConigMissing");
>             }
>             
>             if (encryptionToken.isDerivedKeys()) {
>                 try {
>                     this.setupEncryptedKey(rmd, encryptionToken);
>                     // Create the DK encryption builder
>                     dkEncr = new WSSecDKEncrypt();
>                     dkEncr.setParts(encrParts);
>                     dkEncr.setExternalKey(this.encryptedKeyValue, 
>                             this.encryptedKeyId);
>                             
>                             /*********this rpd.getAlgorithmSuite() returns null causes
grief ******/
>                             /*****this is the AlgorithmSuite provided by policy file
>                             		<sp:AlgorithmSuite>
> 			    				<wsp:Policy>
> 			    					<sp:Basic256/>
> 			    				</wsp:Policy>
> 					</sp:AlgorithmSuite>
> 					<!-- safe to assume the key length is 256 -->
>                             *******/
>                             /****** rpd.getAlgorithmSuite().getEncryptionDerivedKeyLength()

>                                    if (SPConstants.ALGO_SUITE_BASIC256.equals(algoSuite))
{
> 			                this.digest = SPConstants.SHA1;
> 			                this.encryption = SPConstants.AES256;
> 			                this.symmetricKeyWrap = SPConstants.KW_AES256;
> 			                this.asymmetricKeyWrap = SPConstants.KW_RSA_OAEP;
> 			                this.encryptionKeyDerivation = SPConstants.P_SHA1_L256;
> 			                this.signatureKeyDerivation = SPConstants.P_SHA1_L192;
> 			                this.encryptionDerivedKeyLength = 256;
> 			                this.signatureDerivedKeyLength = 192;
> 			                this.minimumSymmetricKeyLength = 256;
> 			                this.encryptionDerivedKeyLength = 256;
>         } 
>         ********/
>                             /***** rpd.getAlgorithmSuite().getEncryptionDerivedKeyLength()/8
256/8 produces 32 ******/
>                             
>                             /*** lets take the root key 0C:0D:00:27:BF:4B:32:63:40:A8:B2:03:96:4B:58:14
*******/
>                             /****this is 16 bytes */
>                             /****16 != 32 so the Assymetric TestCase will always fail**/
>                     dkEncr.setDerivedKeyLength(rpd.getAlgorithmSuite().getEncryptionDerivedKeyLength()/8);
>                     dkEncr.prepare(doc);
>                     // Get and add the DKT element
>                     this.encrDKTElement = dkEncr.getdktElement();
>                     encrDKTokenElem = RampartUtil.appendChildToSecHeader(rmd, this.encrDKTElement);
>                     refList = dkEncr.encryptForExternalRef(null, encrParts);
>                 } catch (WSSecurityException e) {
>                     throw new RampartException("errorCreatingEncryptedKey", e);
>                 } catch (ConversationException e) {
>                     throw new RampartException("errorInDKEncr", e);
>                 }
>             } else {
>                 try {
>                     encr = new WSSecEncrypt();
>                     encr.setParts(encrParts);
>                     encr.setWsConfig(rmd.getConfig());
>                     encr.setDocument(doc);
>                     RampartUtil.setEncryptionUser(rmd, encr);
>                     encr.setSymmetricEncAlgorithm(rpd.getAlgorithmSuite().getEncryption());
>                     RampartUtil.setKeyIdentifierType(rpd,encr, encryptionToken);
>                     encr.setKeyEncAlgo(rpd.getAlgorithmSuite().getAsymmetricKeyWrap());
>                     encr.prepare(doc, RampartUtil.getEncryptionCrypto(config, rmd.getCustomClassLoader()));
>                     Element bstElem = encr.getBinarySecurityTokenElement();
>                     if (bstElem != null) {
>                         RampartUtil.appendChildToSecHeader(rmd, bstElem);
>                     }
>                     this.encrTokenElement = encr.getEncryptedKeyElement();
>                     this.encrTokenElement = RampartUtil.appendChildToSecHeader(rmd,
>                             encrTokenElement);
>                     refList = encr.encryptForExternalRef(null, encrParts);
>                 } catch (WSSecurityException e) {
>                     throw new RampartException("errorInEncryption", e);
>                 }
>             }
>             
>             SOLUTION:
>             repackage a 32  byte long keystore (test-resources/keys/interop2.jks contents:)
file
>            
>            i would propose a change in AlgorithmSuite to 128 in
>             test-resources/policy/rampart-asymm-binding-1.xml should use a 128 AlgorithmSuite
>             but the schema defined at
>             http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/ws-securitypolicy.xsd
>             does not support 128 Byte Encryption..minimum size for AlgorithmSuite is
256 byte 
>             					

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
To unsubscribe, e-mail: java-dev-unsubscribe@axis.apache.org
For additional commands, e-mail: java-dev-help@axis.apache.org


Mime
View raw message