[ https://issues.apache.org/jira/browse/CXF-8178?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Colm O hEigeartaigh resolved CXF-8178.
--------------------------------------
Resolution: Fixed
> ECDH KeyAgreement with Key Wrapping is not in line with the specification
> -------------------------------------------------------------------------
>
> Key: CXF-8178
> URL: https://issues.apache.org/jira/browse/CXF-8178
> Project: CXF
> Issue Type: Bug
> Components: JAX-RS Security
> Affects Versions: 3.3.4
> Reporter: Frederik Libert
> Assignee: Colm O hEigeartaigh
> Priority: Blocker
> Fix For: 3.4.0, 3.3.5
>
>
> Key Derivation for ECDH Key Agreement is different if Direct mode or KeyWrap
> mode is used: key length and AlgorithmID are calculated in a different way.
> However, the code of Apache CXF uses the same code block for both.
> This makes it correct for Direct mode but wrong for KeyWrap mode, as the
> AlgorithmID and keydatalen are always based on the value of the "enc" field,
> which is wrong for KeyWrap.
> See spec extracts below.
> RFC JWA (https://tools.ietf.org/html/rfc7518#page-15)
> {panel}
> keydatalen
> This is set to the number of bits in the desired output key. For
> "ECDH-ES", this is length of the key used by the "enc" algorithm.
> For "ECDH-ES+A128KW", "ECDH-ES+A192KW", and "ECDH-ES+A256KW", this
> is 128, 192, and 256, respectively.
> AlgorithmID
> The AlgorithmID value is of the form Datalen || Data, where Data
> is a variable-length string of zero or more octets, and Datalen is
> a fixed-length, big-endian 32-bit counter that indicates the
> length (in octets) of Data. In the Direct Key Agreement case,
> Data is set to the octets of the ASCII representation of the "enc"
> Header Parameter value. In the Key Agreement with Key Wrapping
> case, Data is set to the octets of the ASCII representation of the
> "alg" (algorithm) Header Parameter value.
> {panel}
--
This message was sent by Atlassian Jira
(v8.3.4#803005)