Mailing-List: contact security-dev-help@xml.apache.org; run by ezmlm
Precedence: bulk
Reply-To: security-dev@xml.apache.org
Received-SPF: pass (athena.apache.org: local policy)
Message-ID: <48A0970D.2060403@georgetown.edu>
Date: Mon, 11 Aug 2008 15:46:21 -0400
From: Brent Putman <putmanb@georgetown.edu>
User-Agent: Thunderbird 2.0.0.16 (Macintosh/20080707)
MIME-Version: 1.0
To: security-dev@xml.apache.org
Subject: Re: JCEID to Service mapping
References: 
 <OF71258E08.93A740F5-ON862574A2.006AA70D-852574A2.006B05FB@notes.wachovia.com>
In-Reply-To: 
 <OF71258E08.93A740F5-ON862574A2.006AA70D-852574A2.006B05FB@notes.wachovia.com>
Content-Type: multipart/alternative;
 boundary="------------080207050105000909010205"

This is a multi-part message in MIME format.
--------------080207050105000909010205
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

The JCEID algorithm identifier gets looked up by the relevant security 
provider class (e.g. Cipher), and is based on all 3 parameters: the 
cipher, mode and padding.

This is highly platform vendor and version specific but as far as I 
remember, support for the ISO10126 padding for XML Encryption was only 
available in later versions of the default provider stacks that ships 
with the Java runtimes.  With Sun's, for example, I believe 1.4 did 
*not* include support for that padding.  1.5 does now, although not sure 
about the initial patch revs.  I  seem to remember we had an issue in 
our project with someone using IBM's 1.5 JRE about a year and a half 
ago, and at that time they did not support that padding in the 
then-current rev of 1.5.  Not sure about now. In their 1.4 I'm guessing 
most likely not supported either.

If you can use recent Bouncy Castle security provider, that should get 
you support for that padding (and larger AES encryption keys) for any of 
the runtime platforms.  FYI, depending on what other crypto things 
you're doing, you may have to fiddle with the registered order of the 
providers in order to get everything to work as expected.

--Brent


edward.thompson@wachovia.com wrote:
>
> This isn't technically an XML Security issue, I know, but any help 
> appreciated.
>
> Under Java 1.5 when I try to create a, XMLCipher, XMLCipher.AES_128 is 
> mapped to a JCEID of AES/CBC/ISO10126Padding , whihc is then mapped to 
> a bouncycastle service of AES.  All is well.
>
> Under Java 1.4, XMLCipher.AES_128 is mapped to a JCEID of 
> AES/CBC/ISO10126Padding, but  no service provider can be found with 
> trhat JCEID, even though I can dump the service providers and see 3 
> AES providers.
>
> When I say under 1.5/1.4, its actually Websphere 6.0 (which uses 1.4) 
> and 6.1 (whihc uses 1.5).   I am going to try to isolate the code 
> outside of websphere to see if the behavior chnages, but trying to 
> understand what maps  AES/CBC/ISO10126Padding to a service...
>
> Ed Thompson
>
>

--------------080207050105000909010205
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
  <meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
The JCEID algorithm identifier gets looked up by the relevant security
provider class (e.g. Cipher), and is based on all 3 parameters: the
cipher, mode and padding.<br>
<br>
This is highly platform vendor and version specific but as far as I
remember, support for the ISO10126 padding for XML Encryption was only
available in later versions of the default provider stacks that ships
with the Java runtimes.&nbsp; With Sun's, for example, I believe 1.4 did
*not* include support for that padding.&nbsp; 1.5 does now, although not
sure about the initial patch revs.&nbsp; I&nbsp; seem to remember we had an issue
in our project with someone using IBM's 1.5 JRE about a year and a half
ago, and at that time they did not support that padding in the
then-current rev of 1.5.&nbsp; Not sure about now. In their 1.4 I'm guessing
most likely not supported either.<br>
<br>
If you can use recent Bouncy Castle security provider, that should get
you support for that padding (and larger AES encryption keys) for any
of the runtime platforms.&nbsp; FYI, depending on what other crypto things
you're doing, you may have to fiddle with the registered order of the
providers in order to get everything to work as expected.<br>
<br>
--Brent<br>
<br>
<br>
<a class="moz-txt-link-abbreviated" href="mailto:edward.thompson@wachovia.com">edward.thompson@wachovia.com</a> wrote:
<blockquote
 cite="mid:OF71258E08.93A740F5-ON862574A2.006AA70D-852574A2.006B05FB@notes.wachovia.com"
 type="cite"><br>
  <font face="sans-serif" size="2">This isn't technically an XML
Security
issue, I know, but any help appreciated.</font>
  <br>
  <br>
  <font face="sans-serif" size="2">Under Java 1.5 when I try to create
a, XMLCipher, XMLCipher.AES_128 is mapped to a JCEID of </font><font
 size="3">AES/CBC/ISO10126Padding
  </font><font face="sans-serif" size="2">, whihc is then mapped to a
bouncycastle
service of AES. &nbsp;All is well.</font>
  <br>
  <br>
  <font face="sans-serif" size="2">Under Java 1.4, XMLCipher.AES_128 is
mapped to a JCEID of </font><font size="3">AES/CBC/ISO10126Padding</font><font
 face="sans-serif" size="2">,
but &nbsp;no service provider can be found with trhat JCEID, even though
I can dump the service providers and see 3 AES providers.</font>
  <br>
  <br>
  <font face="sans-serif" size="2">When I say under 1.5/1.4, its
actually
Websphere 6.0 (which uses 1.4) and 6.1 (whihc uses 1.5). &nbsp; I am going
to try to isolate the code outside of websphere to see if the behavior
chnages, but trying to understand what maps &nbsp;</font><font size="3">AES/CBC/ISO10126Padding
to a service...</font>
  <br>
  <br>
  <font size="3">Ed Thompson</font>
  <br>
  <br>
  <font face="sans-serif" size="2"><br>
  </font>
</blockquote>
</body>
</html>

--------------080207050105000909010205--