santuario-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
Subject DO NOT REPLY [Bug 47539] New: EncryptedKeyResolver doesn't allow specifying a provider
Date Wed, 15 Jul 2009 20:39:26 GMT

           Summary: EncryptedKeyResolver doesn't allow specifying a
           Product: Security
           Version: Java 1.4.2
          Platform: PC
        OS/Version: Windows XP
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Encryption

When decrypting as follows:
XMLCipher keyCipher;
keyCipher.init(XMLCipher.DECRYPT_MODE, null);
keyCipher.doFinal(document, element, false);

... the code path uses the EncryptedKeyResolver, which doesn't allow explicitly
specifying a provider.

I got the following response from Sean on security-dev:
We need to add a ctor to the EncryptedKeyResolver class that takes an
provider parameter, and then change XMLCipher to call this new ctor and pass it 
the provider it is using.

While I agree that this would allow us to explicitly set the provider, I think
the more complete solution would be to allow distinct providers for key
decryption (unwrap) versus content decryption. For the specific context in
which I am using XML Security, private keys are stored on an HSM (hardware
device) and requires us to use that vendor's JCE provider for the key unwrap.
There is no such limitation for decryption with symmetric keys, so we end up
using a software provider for decrypting the content. The upshot is that we
need to be able to specify two different providers for the key unwrap versus
the content decryption.

Configure bugmail:
------- You are receiving this mail because: -------
You are the assignee for the bug.

View raw message