Author: coheigea
Date: Fri Jan 17 12:16:14 2014
New Revision: 1559089
URL: http://svn.apache.org/r1559089
Log:
Fixing key derivation
Modified:
webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/util/KeyUtils.java
Modified:
webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/util/KeyUtils.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/util/KeyUtils.java?rev=1559089&r1=1559088&r2=1559089&view=diff
==============================================================================
---
webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/util/KeyUtils.java
(original)
+++
webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/util/KeyUtils.java
Fri Jan 17 12:16:14 2014
@@ -28,6 +28,7 @@ import org.apache.xml.security.algorithm
public final class KeyUtils {
private static final org.slf4j.Logger LOG =
org.slf4j.LoggerFactory.getLogger(KeyUtils.class);
+ private static final int MAX_SYMMETRIC_KEY_SIZE = 1024;
/**
* Returns the length of the key in # of bytes
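Review bot: The new constant MAX_SYMMETRIC_KEY_SIZE carries no unit, and it is compared against rawKey.length, so it is a byte count (1024 bytes = 8192 bits) rather than the bit size callers usually mean by "key size". A Javadoc line would prevent the next maintainer from "fixing" it to 128 or 256: `/** Upper bound, in bytes, on raw key material accepted in the GCM/HMAC/unsized branches; longer input is not used as-is (see prepareSecretKey). */`. The enclosing class continues outside the hunk.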
@@ -55,11 +56,17 @@ public final class KeyUtils {
}
String keyAlgorithm = JCEMapper.getJCEKeyAlgorithmFromURI(symEncAlgo);
SecretKeySpec keySpec;
- if (size > 0 && !symEncAlgo.endsWith("gcm")) {
+ if (size > 0 && !symEncAlgo.endsWith("gcm") &&
!symEncAlgo.contains("hmac-")) {
keySpec =
new SecretKeySpec(
rawKey, 0, rawKey.length > size ? size : rawKey.length,
keyAlgorithm
);
+ } else if (rawKey.length > MAX_SYMMETRIC_KEY_SIZE) {
+ // Prevent a possible attack where a huge secret key is specified
+ keySpec =
+ new SecretKeySpec(
+ rawKey, 0, MAX_SYMMETRIC_KEY_SIZE, keyAlgorithm
+ );
} else {
keySpec = new SecretKeySpec(rawKey, keyAlgorithm);
}
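Review bot: The new `else if (rawKey.length > MAX_SYMMETRIC_KEY_SIZE)` branch silently truncates an oversized key to its first 1024 bytes instead of rejecting it, so a key that does not match what the peer derived is used without any error or log line; for the HMAC case this surfaces only later as an unexplained signature-verification failure, and for GCM as a decrypt failure. Since the stated goal is to defend against a huge attacker-supplied key, refusing the input is the safer and more debuggable outcome: replace the truncating SecretKeySpec construction with a thrown exception of whatever type this method already declares (hedged: the signature is outside the hunk), e.g. `throw new IllegalArgumentException("Symmetric key material exceeds " + MAX_SYMMETRIC_KEY_SIZE + " bytes");` if no checked type applies, and keep the existing comment explaining why. The same silent-truncation pattern already exists in the first branch (`rawKey.length > size ? size : rawKey.length`), which also passes through an under-length key unchanged; that is pre-existing, but a one-line comment there noting the behaviour would help. The enclosing method starts before this hunk.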