ws-wss4j-dev mailing list archives

From Daniel Kulp <dk...@apache.org>
Subject Re: WS-Security RSA Excrytion exception..
Date Thu, 11 Jun 2009 17:06:56 GMT


On Thu June 11 2009 12:26:21 pm bharath thippireddy wrote:
> Is there a way to specify the modes/padding using some
> configuration(serverKeyStore.properties)?

Nope.  An updated wss4j jar is the only option.   The cipher ID is burned into 
the java code.  :-(

> What I don't understand is that
> the encryption works fine and the issue below is when the UT is being
> decrypted back on the server side.

Basically, on the encryption side, xmlsec handles that and it is mapping it to 
the Sun provider built into the JDK.   Thus, encryption works.   However, on 
the decryption side, wss4j has the bouncycastle ID burned into the Java code.   
I just changed wss4j to use the xmlsec JCEMapper object to allow it to use the 
same mapping that xmlsec uses.   Thus, it SHOULD now work.   I just deployed a 
new 1.5.8-SNAPSHOT to:

http://people.apache.org/repo/m2-snapshot-repository/org/apache/ws/security/wss4j/1.5.8-SNAPSHOT/

If you could grab that and give that a try, that would be great.

Dan



> Thanks,
> Bharath
>
>
>
> -----Original Message-----
> From: Daniel Kulp [mailto:dkulp@apache.org]
> Sent: Wednesday, June 10, 2009 10:22 PM
> To: users@cxf.apache.org; wss4j-dev@ws.apache.org
> Cc: bharath thippireddy
> Subject: Re: WS-Security RSA Excrytion exception..
>
> On Wed June 10 2009 5:21:17 pm bharath thippireddy wrote:
> > I could get the User Token encryption working using BouncyCastle. But as
> > we cannot use BouncyCastle
>
> Any particular reason why?   I'm pretty sure a lot of things WS-Security
> related won't work with BouncyCastle.   The JDK just doesn't have the
> algorithms that are needed.  (although java 6 does have a lot more)
>
> > can you please let me know if the exception below
> > can be fixed with a setting in jdk/jce. When I try a different algorithm
> > like DES instead of RSA I get a nullpointer exception on the CXF Client.
> >
> >
> >         java.security.NoSuchAlgorithmException: Cannot find any provider
> > supporting RSA/NONE/PKCS1PADDING
>
> I did a little digging and I THINK this particular exception could be fixed
> with a simple change in WSS4J.   If the line:
>
> cipher = Cipher.getInstance("RSA/NONE/PKCS1PADDING");
>
> was surrounded with a try/catch that would then try:
>
> cipher = Cipher.getInstance("RSA/ECB/PKCS1PADDING");
>
> I THINK it would work.   Bouncycastle uses "NONE" for the mode whereas the
> Sun provider uses ECB.   Not sure what the Sun setting for
> "RSA/NONE/OAEPPADDING" is.  That would need to be investigated more.  It
> would be one of: OAEPWITHMD5ANDMGF1PADDING, OAEPWITHSHA1ANDMGF1PADDING,
> OAEPWITHSHA-1ANDMGF1PADDING, OAEPWITHSHA-256ANDMGF1PADDING,
> OAEPWITHSHA-384ANDMGF1PADDING, OAEPWITHSHA-512ANDMGF1PADDING
> but cryptography is definitely not my area.
>
> In any case, that would require you to patch WSS4J.  If that's an option
> for you, you could give that a try.
>
> To the WSS4j folks:  why is this method not calling XMLCipher.getInstance
> like every other cipher related thing?  Should it be?   Would that alone
> fix it?
>
>
> Dan
>
> > Jun 10, 2009 5:11:04 PM
> > org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor handleMessage
> >
> > WARNING:
> >
> > org.apache.ws.security.WSSecurityException: An unsupported signature or
> > encryption algorithm was used (unsupported key transport encryption
> > algorithm: No such algorithm: http://www.w3.org/2001/04/xmlenc#rsa-1_5);
> > nested exception is:
> >
> >         java.security.NoSuchAlgorithmException: Cannot find any provider
> > supporting RSA/NONE/PKCS1PADDING
> >
> >         at org.apache.ws.security.util.WSSecurityUtil.getCipherInstance(WSSecurityUtil.java:690)
> >
> >         at org.apache.ws.security.processor.EncryptedKeyProcessor.handleEncryptedKey(EncryptedKeyProcessor.java:145)
> >
> >         at org.apache.ws.security.processor.EncryptedKeyProcessor.handleEncryptedKey(EncryptedKeyProcessor.java:107)
> >
> >         at org.apache.ws.security.processor.EncryptedKeyProcessor.handleToken(EncryptedKeyProcessor.java:87)
> >
> >
> >
> > thanks and regards,
> >
> > Bharath
>
> --
> Daniel Kulp
> dkulp@apache.org
> http://www.dankulp.com/blog

-- 
Daniel Kulp
dkulp@apache.org
http://www.dankulp.com/blog
