https://issues.apache.org/bugzilla/show_bug.cgi?id=47539
Summary: EncryptedKeyResolver doesn't allow specifying a provider
Product: Security
Version: Java 1.4.2
Platform: PC
OS/Version: Windows XP
Status: NEW
Severity: normal
Priority: P2
Component: Encryption
AssignedTo: security-dev@xml.apache.org
ReportedBy: aditya_muralidha...@mastercard.com

When decrypting as follows:

    XMLCipher keyCipher;
    keyCipher.init(XMLCipher.DECRYPT_MODE, null);
    keyCipher.setKEK(keyDecryptorKey);
    keyCipher.doFinal(document, element, false);

... the code path uses the EncryptedKeyResolver, which doesn't allow explicitly specifying a provider.

I got the following response from Sean on security-dev:

<response>
We need to add a ctor to the EncryptedKeyResolver class that takes an additional provider parameter, and then change XMLCipher to call this new ctor and pass it the provider it is using.
</response>

While I agree that this would allow us to explicitly set the provider, I think the more complete solution would be to allow distinct providers for key decryption (unwrap) versus content decryption.

For the specific context in which I am using XML Security, private keys are stored on an HSM (hardware device), which requires us to use that vendor's JCE provider for the key unwrap. There is no such limitation for decryption with symmetric keys, so we end up using a software provider for decrypting the content. The upshot is that we need to be able to specify two different providers for the key unwrap versus the content decryption.
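
The two-provider split requested above, shown at the plain JCE level as an added example (not code from this report or from XML Security). The class name and the two provider constants are assumptions; SunJCE stands in for both the HSM vendor's provider and the software provider so the code runs on a stock JDK, and the keys and plaintext are constructed sample data.

```java
import java.nio.charset.StandardCharsets;
import java.security.Key;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.SecureRandom;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;

public class SplitProviderDecrypt {
    // Assumption: stand-in names. UNWRAP_PROVIDER would be the HSM vendor's
    // JCE provider; CONTENT_PROVIDER would be any software provider.
    static final String UNWRAP_PROVIDER = "SunJCE";
    static final String CONTENT_PROVIDER = "SunJCE";
    static final String KEY_TRANSPORT = "RSA/ECB/OAEPWithSHA-1AndMGF1Padding";
    static final String CONTENT_CIPHER = "AES/CBC/PKCS5Padding";

    public static void main(String[] args) throws Exception {
        // Constructed sample data: RSA key-encryption key, AES content key, random IV.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kek = kpg.generateKeyPair();
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey contentKey = kg.generateKey();
        byte[] iv = new byte[16];
        new SecureRandom().nextBytes(iv);

        // Sender side: wrap the content key and encrypt the payload.
        Cipher wrap = Cipher.getInstance(KEY_TRANSPORT);
        wrap.init(Cipher.WRAP_MODE, kek.getPublic());
        byte[] wrappedKey = wrap.wrap(contentKey);
        Cipher enc = Cipher.getInstance(CONTENT_CIPHER);
        enc.init(Cipher.ENCRYPT_MODE, contentKey, new IvParameterSpec(iv));
        byte[] cipherText = enc.doFinal("<secret/>".getBytes(StandardCharsets.UTF_8));

        // Receiver, step 1: key unwrap pinned to the provider that holds the private key.
        Cipher unwrap = Cipher.getInstance(KEY_TRANSPORT, UNWRAP_PROVIDER);
        unwrap.init(Cipher.UNWRAP_MODE, kek.getPrivate());
        Key recovered = unwrap.unwrap(wrappedKey, "AES", Cipher.SECRET_KEY);

        // Receiver, step 2: content decryption pinned to a separately chosen provider.
        Cipher dec = Cipher.getInstance(CONTENT_CIPHER, CONTENT_PROVIDER);
        dec.init(Cipher.DECRYPT_MODE, recovered, new IvParameterSpec(iv));
        System.out.println(new String(dec.doFinal(cipherText), StandardCharsets.UTF_8));
        System.out.println("unwrap via " + unwrap.getProvider().getName()
                + ", content via " + dec.getProvider().getName());
    }
}
```

Naming the provider in each `Cipher.getInstance` call is what prevents an implicit fallback to whichever provider is registered first, which matters when the private key handle is only usable inside the HSM vendor's provider.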