ws-wss4j-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Daniel Kulp <dk...@apache.org>
Subject Re: WS-Security RSA Excrytion exception..
Date Thu, 11 Jun 2009 11:31:19 GMT
On Thu June 11 2009 7:08:31 am Werner Dittmann wrote:
> Daniel Kulp schrieb:
> ....
>
> > I did a little digging and I THINK this particular exception could be
> > fixed with a simple change in WSS4J.   If the line:
> >
> > cipher = Cipher.getInstance("RSA/NONE/PKCS1PADDING");
> >
> > was surrounded with a try/catch that would then try:
> >
> > cipher = Cipher.getInstance("RSA/ECB/PKCS1PADDING");
> >
> > I THINK it would work.   Bouncycastle uses "NONE" for the mode whereas
> > the Sun provider uses ECB.   Not sure what the Sun setting for
> > "RSA/NONE/OAEPPADDING" is.  That would need to be investigated more.  It
> > would be one of: OAEPWITHMD5ANDMGF1PADDING, OAEPWITHSHA1ANDMGF1PADDING,
> > OAEPWITHSHA-1ANDMGF1PADDING, OAEPWITHSHA-256ANDMGF1PADDING,
> > OAEPWITHSHA-384ANDMGF1PADDING, OAEPWITHSHA-512ANDMGF1PADDING
> > but cryptography is definitely not my area.
> >
> > In any case, that would require you to patch WSS4J.  If that's an option
> > for you, you could give that a try.
>
> The notation of a "cipher mode" is not common for public key crypto
> algorithms because you can use it in one way only (usually), that's why
> "NONE" is used here. (Maybe Sun has invented other modes too ;-) ?)

If you look at the Sun docs for their provider at:
http://java.sun.com:80/javase/6/docs/technotes/guides/security/SunProviders.html#SunJCEProvider

you can see what modes and Paddings they support.   It would be good if it 
would be possible to fallback to the Sun provider if BC isn't found.    Not 
having BC may not work in all cases, but it should work for many, especially 
on the latest JDK's.


> For symmetric crypto algorithms you can choose between several modes
> (ECB - Electronic Code Book, CFB - Cipher Feedback, and a lot of others).
>
> > To the WSS4j folks:  why is this method not calling XMLCipher.getInstance
> > like every other cipher related thing?  Should it be?   Would that alone
> > fix it?
>
> XMLCipher is a specific instance that wraps (or unwraps) the cipher data
> (or plain data) according to W3C xmlenc specification. In the above case we
> need the plain public key algorithm to encrypt (or decrypt) the ephemeral
> symmetric key with the public (private) key of the receiver.
>
> No - it won't fix this particular problem.

Ah.  Ok.   But do they have a method someplace (dont have the code right now) 
that would map the WS keys (like http://www.w3.org/2001/04/xmlenc#rsa-1_5) 
into Cipher objects?    Not a big deal.

Dan

>
> Regards,
> Werner
>
> > Dan
> >
> >> Jun 10, 2009 5:11:04 PM
> >> org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor handleMessage
> >>
> >> WARNING:
> >>
> >> org.apache.ws.security.WSSecurityException: An unsupported signature or
> >> encryption algorithm was used (unsupported key t
> >>
> >> ransport encryption algorithm: No such algorithm:
> >> http://www.w3.org/2001/04/xmlenc#rsa-1_5); nested exception is:
> >>
> >>         java.security.NoSuchAlgorithmException: Cannot find any provider
> >> supporting RSA/NONE/PKCS1PADDING
> >>
> >>         at
> >> org.apache.ws.security.util.WSSecurityUtil.getCipherInstance(WSSecurityU
> >>til .java:690)
> >>
> >>         at
> >> org.apache.ws.security.processor.EncryptedKeyProcessor.handleEncryptedKe
> >>y(E ncryptedKeyProcessor.java:145)
> >>
> >>         at
> >> org.apache.ws.security.processor.EncryptedKeyProcessor.handleEncryptedKe
> >>y(E ncryptedKeyProcessor.java:107)
> >>
> >>         at
> >> org.apache.ws.security.processor.EncryptedKeyProcessor.handleToken(Encry
> >>pte dKeyProcessor.java:87)
> >>
> >>
> >>
> >> thanks and regards,
> >>
> >> Bharath

-- 
Daniel Kulp
dkulp@apache.org
http://www.dankulp.com/blog

---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org


Mime
View raw message