santuario-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Peter Hendry <peter.hen...@capeclear.com>
Subject Re: Issue moving from JDK 1.4 to 1.5
Date Thu, 11 Jan 2007 07:36:26 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
  <meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
<tt>Thanks for the response. Changing to<br>
</tt><br>
&nbsp;&nbsp;&nbsp; final SecretKey unwrappedKey =
(SecretKey)cipher.decryptKey(encryptedKey, XMLCipher.TRIPLEDES);<br>
<pre wrap="">does make it work! This leads onto the issue of how the receiver knows
the symmetric key algorithm? This information is not transmitted in the EncryptedKey. The
code I am seeing this problem in is for WS-Security and there is no indication in the EncryptedKey
sent (example below) of this algorithm. Does it have to be supplied out of band?

  &lt;xenc:EncryptedKey xmlns:xenc=<a class="moz-txt-link-rfc2396E" href="http://www.w3.org/2001/04/xmlenc#">"http://www.w3.org/2001/04/xmlenc#"</a>&gt;
    &lt;xenc:EncryptionMethod
        xmlns:xenc=<a class="moz-txt-link-rfc2396E" href="http://www.w3.org/2001/04/xmlenc#">"http://www.w3.org/2001/04/xmlenc#"</a>
        Algorithm=<a class="moz-txt-link-rfc2396E" href="http://www.w3.org/2001/04/xmlenc#rsa-1_5">"http://www.w3.org/2001/04/xmlenc#rsa-1_5"</a>/&gt;
    &lt;xenc:CipherData xmlns:xenc=<a class="moz-txt-link-rfc2396E" href="http://www.w3.org/2001/04/xmlenc#">"http://www.w3.org/2001/04/xmlenc#"</a>&gt;
      &lt;xenc:CipherValue xmlns:xenc=<a class="moz-txt-link-rfc2396E" href="http://www.w3.org/2001/04/xmlenc#">"http://www.w3.org/2001/04/xmlenc#"</a>&gt;op+6IqOzXDvnnRJnibidFEre1nC5km6+1vkzM7mD4yR9r
nVYFo3SWq6t8r3s0jJj9HR6J4y4EQHW
ay7Qhat8gMd8q9L9YStf5lNroSC3Co1HNOWokJ7aL759a0ifN3fT5djYIEVwzwwgpZHtsJjz+j99
Ot+s+Tk6Kfhd5oe+I9Q=&lt;/xenc:CipherValue&gt;
    &lt;/xenc:CipherData&gt;
    &lt;ds:KeyInfo xmlns:ds=<a class="moz-txt-link-rfc2396E" href="http://www.w3.org/2000/09/xmldsig#">"http://www.w3.org/2000/09/xmldsig#"</a>&gt;
      &lt;wsse:SecurityTokenReference
          xmlns:wsse=<a class="moz-txt-link-rfc2396E" href="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"</a>
          wsu:Id="id19351067"
          xmlns:wsu=<a class="moz-txt-link-rfc2396E" href="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"</a>&gt;
        &lt;wsse:KeyIdentifier
            EncodingType=<a class="moz-txt-link-rfc2396E" href="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"</a>
            ValueType=<a class="moz-txt-link-rfc2396E" href="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier">"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier"</a>&gt;
Xeg55vRyK3ZhAEhEf+YT0z986L0=&lt;/wsse:KeyIdentifier&gt;
      &lt;/wsse:SecurityTokenReference&gt;
    &lt;/ds:KeyInfo&gt;
    &lt;xenc:ReferenceList&gt;
      &lt;xenc:DataReference URI="#id16134229"/&gt;
    &lt;/xenc:ReferenceList&gt;
  &lt;/xenc:EncryptedKey&gt; 

Pete
</pre>
<br>
Vishal Mahajan wrote:
<blockquote cite="mid45A5D390.20604@amberpoint.com" type="cite">
  <meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
  <title></title>
Problem seems to be in this line:<br>
  <br>
  <pre wrap="">final SecretKey unwrappedKey = (SecretKey)cipher.decryptKey(encryptedKey,
XMLCipher.RSA_v1dot5);</pre>
  <br>
The second parameter to decryptKey method needs to be the symmetric key
algorithm.<br>
  <br>
Vishal<br>
  <br>
Peter Hendry wrote:
  <blockquote cite="mid45A5558B.7080609@capeclear.com" type="cite">
    <meta content="text/html;charset=ISO-8859-1"
 http-equiv="Content-Type">
    <title></title>
    <tt>Sorry, I forgot the error produced in JDK 1.5<br>
    <br>
Original Exception was java.security.InvalidKeyException: Wrong
algorithm: DESede or TripleDES required<br>
&nbsp;&nbsp;&nbsp; at
org.apache.xml.security.encryption.XMLCipher.decryptToByteArray(Unknown
Source)<br>
&nbsp;&nbsp;&nbsp; at
org.apache.xml.security.encryption.XMLCipher.decryptElement(Unknown
Source)<br>
&nbsp;&nbsp;&nbsp; at org.apache.xml.security.encryption.XMLCipher.doFinal(Unknown
Source)<br>
&nbsp;&nbsp;&nbsp; at
com.capeclear.pgh.stuff.SecurityKeyTests.main(SecurityKeyTests.java:98)<br>
&nbsp;&nbsp;&nbsp; at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)<br>
&nbsp;&nbsp;&nbsp; at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)<br>
&nbsp;&nbsp;&nbsp; at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)<br>
&nbsp;&nbsp;&nbsp; at java.lang.reflect.Method.invoke(Method.java:585)<br>
&nbsp;&nbsp;&nbsp; at
com.intellij.rt.execution.application.AppMain.main(AppMain.java:90)<br>
java.security.InvalidKeyException: Wrong algorithm: DESede or TripleDES
required<br>
&nbsp;&nbsp;&nbsp; at com.sun.crypto.provider.SunJCE_aa.a(DashoA12275)<br>
&nbsp;&nbsp;&nbsp; at com.sun.crypto.provider.SunJCE_m.a(DashoA12275)<br>
&nbsp;&nbsp;&nbsp; at com.sun.crypto.provider.SunJCE_h.a(DashoA12275)<br>
&nbsp;&nbsp;&nbsp; at com.sun.crypto.provider.DESedeCipher.engineInit(DashoA12275)<br>
&nbsp;&nbsp;&nbsp; at javax.crypto.Cipher.init(DashoA12275)<br>
&nbsp;&nbsp;&nbsp; at javax.crypto.Cipher.init(DashoA12275)<br>
&nbsp;&nbsp;&nbsp; at
org.apache.xml.security.encryption.XMLCipher.decryptToByteArray(Unknown
Source)<br>
&nbsp;&nbsp;&nbsp; at
org.apache.xml.security.encryption.XMLCipher.decryptElement(Unknown
Source)<br>
&nbsp;&nbsp;&nbsp; at org.apache.xml.security.encryption.XMLCipher.doFinal(Unknown
Source)<br>
&nbsp;&nbsp;&nbsp; at
com.capeclear.pgh.stuff.SecurityKeyTests.main(SecurityKeyTests.java:98)<br>
&nbsp;&nbsp;&nbsp; at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)<br>
&nbsp;&nbsp;&nbsp; at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)<br>
&nbsp;&nbsp;&nbsp; at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)<br>
&nbsp;&nbsp;&nbsp; at java.lang.reflect.Method.invoke(Method.java:585)<br>
&nbsp;&nbsp;&nbsp; at
com.intellij.rt.execution.application.AppMain.main(AppMain.java:90)<br>
    <br>
Pete<br>
    </tt><br>
Peter Hendry wrote:
    <blockquote cite="mid45A552CA.1020906@capeclear.com" type="cite">The
class attached contains test code that works Ok under JDK 1.4 but has
never worked under 1.5. The scenario is where the secret key is to be
included with the message and encrypted using a public key then
decrypted by the recipient using their private key. When the key is
decrypted an instance of SecretKeySpec is returned with its algorithm
set to RSA (the original key is DESEde). This happens on both 1.4 and
1.5 but it only fails to decrypt the data in 1.5. <br>
      <br>
Any help/pointers appreciated. <br>
      <br>
Pete <br>
      <br>
      <br>
      <br>
      <pre wrap=""><hr size="4" width="90%">
package pgh;

import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Security;
import java.security.spec.KeySpec;

import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.DESedeKeySpec;
import javax.crypto.spec.SecretKeySpec;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;

import org.apache.xml.security.encryption.EncryptedKey;
import org.apache.xml.security.encryption.XMLCipher;
import org.apache.xml.security.transforms.Transforms;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;


public class SecurityKeyTests {

    static {
        Security.addProvider(new BouncyCastleProvider());
        org.apache.xml.security.Init.init();
    }

    public static void main( String[] args )
        throws Exception {

        // the secret key to encrypt/decrypt our data
        final byte[] keyBytes = { (byte)0xA2, (byte) 0x15,
            (byte) 0x37, (byte) 0x07, (byte) 0xCB, (byte) 0x62, (byte) 0xC1,
            (byte) 0xD3, (byte) 0xF8, (byte) 0xF1, (byte) 0x97, (byte) 0xDF,
            (byte) 0xD0, (byte) 0x13, (byte) 0x4F, (byte) 0x79, (byte) 0x01,
            (byte) 0x67, (byte) 0x7A, (byte) 0x85, (byte) 0x94, (byte) 0x16,
            (byte) 0x31, (byte) 0x92 };

        final String dataToEncrypt = "Hello World";

        // use DESEde as the key algorithm
        final SecretKeyFactory keyFactory = SecretKeyFactory.getInstance("DESEde");
        final KeySpec spec = new DESedeKeySpec(keyBytes);
        final SecretKey secretKey = keyFactory.generateSecret(spec);

        // generate key pair for encrypting/decrypting the shared key
        final KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA");
        final KeyPair keyPair = generator.generateKeyPair();

        final Document doc = newDocument();

        // encrypt the secret key with RSA 1.5 and output the EncryptedKey
        XMLCipher cipher = XMLCipher.getInstance(XMLCipher.RSA_v1dot5);
        cipher.init(XMLCipher.WRAP_MODE, keyPair.getPublic());
        final EncryptedKey encryptedKey = cipher.encryptKey(doc, secretKey);
        final Element encKeyElement = cipher.martial(encryptedKey);

        writeNode("EncryptedKey:", encKeyElement);

        // encode some data with the secret key
        final Element element = doc.createElement("test");
        element.appendChild(doc.createTextNode(dataToEncrypt));
        doc.appendChild(element);

        cipher = XMLCipher.getInstance(XMLCipher.TRIPLEDES, Transforms.TRANSFORM_C14N_EXCL_OMIT_COMMENTS);
        cipher.init(XMLCipher.ENCRYPT_MODE, secretKey);
        cipher.doFinal(doc, element, false);

        final Element encryptedElement = (Element)doc.getDocumentElement();
        writeNode("\nEncryptedData: ", encryptedElement);

        // get the key back from the EncryptedKey (i.e. don't use the original key)
        cipher = XMLCipher.getInstance(XMLCipher.RSA_v1dot5);
        cipher.init(XMLCipher.UNWRAP_MODE, keyPair.getPrivate());
        final SecretKey unwrappedKey = (SecretKey)cipher.decryptKey(encryptedKey, XMLCipher.RSA_v1dot5);

        if ( unwrappedKey instanceof SecretKeySpec ) {
            final SecretKeySpec sks = (SecretKeySpec)unwrappedKey;
            System.out.println("\nUnwrapped Key: algorithm=" + sks.getAlgorithm());
        }
        else {
            System.out.println("\nUnwrapped Key: " + unwrappedKey);
        }

        // and use it to decrypt the element
        cipher = XMLCipher.getInstance(XMLCipher.TRIPLEDES, Transforms.TRANSFORM_C14N_EXCL_OMIT_COMMENTS);
        cipher.init(XMLCipher.DECRYPT_MODE, unwrappedKey);

        // the error occurs here in JDK1.5 because the unwrapped key is marked as "RSA" but
the
        // decryption algorithm is TripleDES?
        cipher.doFinal(doc, encryptedElement, false);

        writeNode("\nDecrypted: ", doc);
    }


    private static void writeNode( String msg, Node element )
        throws Exception {

        System.out.println(msg);
        final Transformer transformer = TransformerFactory.newInstance().newTransformer();
        transformer.transform(new DOMSource(element), new StreamResult(System.out));
    }


    private static Document newDocument()
        throws Exception {

        return DocumentBuilderFactory.newInstance().newDocumentBuilder().newDocument();
    }
}
  </pre>
    </blockquote>
  </blockquote>
  <br>
</blockquote>
</body>
</html>

Mime
View raw message