Thanks Sergey. Best regards, Behrang Saeedzadeh
On 10 August 2016 at 20:37, Sergey Beryozkin <[email protected]> wrote: > Hi > > Thanks, let me look at it > > Cheers, Sergey > On 10/08/16 10:03, Behrang Saeedzadeh wrote: > >> I had another look at the spec, and it says: >> >> *The RSA Key blinding operation [Kocher], which is a defense against some >> timing attacks, requires all of the RSA key values "n", "e", and "d". >> However, some RSA private key representations do not include the public >> exponent "e", but only include the modulus "n" and the private exponent >> "d". This is true, for instance, of the Java RSAPrivateKeySpec API, which >> does not include the public exponent "e" as a parameter. So as to enable >> RSA key blinding, such representations should be avoided. For Java, the >> RSAPrivateCrtKeySpec API can be used instead. Section 8.2.2(i) of the >> Handbook of Applied Cryptography [HAC] discusses how to compute the >> remaining RSA private key parameters, if needed, using only "n", "e", and >> "d".* >> >> >> As the spec says says representations that do not have the value "e" >> *should* be avoided, rather than *must* be avoided, I assume CXF should >> allow such keys to be used. Also: >> >> - If such keys must not be used, a more appropriate exception should be >> thrown rather than NPE. >> - Conversion of such keys to JWK should also throw an exception >> (e.g. JwkUtils.fromRSAPrivateKey(privateKey, >> KeyAlgorithm.RSA_OAEP_256.getJwaName());). >> >> Finally, even when using an RSA key representation that has the public >> exponent, I still get NPE: >> https://gist.github.com/behrangsa/24dd165b89e5d4f9f2adee3be58b84f6 >> >> *modulus* = >> 271025078213488744740617478062526953866062108128482957171010 >> 259133074617782408090835347338911914691450188656398162487332 >> 528375768272471754355497771935458887680533616869644549909012 >> 004463369436911515146282350562986009361355370376607835496225 >> 480756710646845910445075748695376234272096985784379898418957 >> 430342001753977726968865257343494600721869492078494011096667 >> 987870485207979939214280061370866629976052642340717657130549 >> 849044304430367439294127952741888977148172851501994500132260 >> 069877176375430119160217963286642548835482562138381319988686 >> 074584934733987574293536867228034242744324221704093912026260 >> 90616600948989663 >> *publicExponent* = 65537 >> *privateExponent* = >> 394232581688082793477319135506670957047953076397886389476363 >> 092652333846730807990895733125081600127194508210849395454741 >> 747868562635072285010140876125048381259216468501506247506387 >> 451141996252815581105254993044684014715626401239025664248518 >> 776882329462194190193769490869741007570670089488761092455852 >> 599821516292148453161425842529808969601235424798411920605172 >> 775776729898242957121521544998796092508964948197598432233733 >> 888784909926416561355507548765363094728439366104195206981310 >> 336273080313879884931851871630077404312193970751570537146278 >> 715108236977734695473225083893507140959837704030226807144519 >> 5912101145921985 >> *primeP* = >> 168565645866321463721757359494893586965844048573965891421831 >> 251902170360925287024632232504341738302244181735765323813167 >> 912402262029828812818816064242449683202965956327874665437958 >> 752995615612700850215100753615532960278564880200378844344952 >> 016806003712378420741928422029122293440530685345579952819949419356577 >> *primeQ* = >> 160783104303721082738621587159947127022228239307230113065333 >> 132379355836939142594478872416309748726303605740321007079622 >> 289527210126211593675937607269474776250841338770912932330909 >> 766189328519015086351662333905791173139568145018928588087790 >> 353257183867789540266903768114307418555716349558052766927945686741119 >> *prime* = >> 141957598404779196877050096666648867842880582402220508710403 >> 443169272114381012885293836708723762460556035191729248392455 >> 611659148968526356670218292226822755318951082009369646685869 >> 348541038144806526467061977105276334645994672750039049347492 >> 129813036252705949274280383121462954049922480211075404062417387935489 >> *primeExponentQ* = >> 810698945895671632680432480537780614378066156202972227328674 >> 391485086841273474073356171170019324451943581746022503157928 >> 888631865758374981006356444789934537926522733674842890104050 >> 112718977205373076047222458140724982284362932717471839321456 >> 92103447532097980653979202852393131302526004717119393367623864662103 >> *crtCoefficient* = >> >> 861513681064078028202912058802495465328339656182334240463237 >> 267352065245409489246880924730648006404636674165669465403087 >> 789442334526346319400850935685300524273893576599267764182635 >> 202892134989255634440659383572788210390172204190543089709492 >> 97813382895576848904365377490953604759526735834556224481913568643218 >> Exception in thread "main" java.lang.SecurityException: >> java.lang.SecurityException: java.lang.NullPointerException >> at >> org.apache.cxf.rt.security.crypto.CryptoUtils.getRSAPrivateK >> ey(CryptoUtils.java:184) >> at >> org.apache.cxf.rs.security.jose.jwk.JwkUtils.toRSAPrivateKey >> (JwkUtils.java:414) >> at org.apache.issues.Cxf7005.main(Cxf7005.java:73) >> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) >> at >> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAcce >> ssorImpl.java:62) >> at >> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMe >> thodAccessorImpl.java:43) >> at java.lang.reflect.Method.invoke(Method.java:498) >> at com.intellij.rt.execution.application.AppMain.main(AppMain.java:144) >> Caused by: java.lang.SecurityException: java.lang.NullPointerException >> at >> org.apache.cxf.rt.security.crypto.CryptoUtils.decodeSequence >> (CryptoUtils.java:629) >> at >> org.apache.cxf.rt.security.crypto.CryptoUtils.getRSAPrivateK >> ey(CryptoUtils.java:175) >> ... 7 more >> Caused by: java.lang.NullPointerException >> at org.apache.cxf.common.util.Base64Utility.decode(Base64Utilit >> y.java:192) >> at >> org.apache.cxf.common.util.Base64UrlUtility.decode(Base64Url >> Utility.java:41) >> at >> org.apache.cxf.rt.security.crypto.CryptoUtils.decodeSequence >> (CryptoUtils.java:627) >> ... 8 more >> >> >> >> On Wed, Aug 10, 2016 at 6:24 PM Behrang Saeedzadeh <[email protected]> >> wrote: >> >> Hi, >>> >>> Am I using the CXF JOSE library in an incorrect way or is this a bug >>> https://issues.apache.org/jira/browse/CXF-7005? >>> -- >>> Best regards, >>> Behrang Saeedzadeh >>> >>> >> >
