Thanks Sergey.

Best regards,
Behrang Saeedzadeh

On 10 August 2016 at 20:37, Sergey Beryozkin <[email protected]> wrote:

> Hi
>
> Thanks, let me look at it
>
> Cheers, Sergey
> On 10/08/16 10:03, Behrang Saeedzadeh wrote:
>
>> I had another look at the spec, and it says:
>>
>> *The RSA Key blinding operation [Kocher], which is a defense against some
>> timing attacks, requires all of the RSA key values "n", "e", and "d".
>> However, some RSA private key representations do not include the public
>> exponent "e", but only include the modulus "n" and the private exponent
>> "d".  This is true, for instance, of the Java RSAPrivateKeySpec API, which
>> does not include the public exponent "e" as a parameter.  So as to enable
>> RSA key blinding, such representations should be avoided.  For Java, the
>> RSAPrivateCrtKeySpec API can be used instead.  Section 8.2.2(i) of the
>> Handbook of Applied Cryptography [HAC] discusses how to compute the
>> remaining RSA private key parameters, if needed, using only "n", "e", and
>> "d".*
>>
>>
>> As the spec says says representations that do not have the value "e"
>> *should* be avoided, rather than *must* be avoided, I assume CXF should
>> allow such keys to be used. Also:
>>
>>    - If such keys must not be used, a more appropriate exception should be
>>    thrown rather than NPE.
>>    - Conversion of such keys to JWK should also throw an exception
>> (e.g. JwkUtils.fromRSAPrivateKey(privateKey,
>>    KeyAlgorithm.RSA_OAEP_256.getJwaName());).
>>
>> Finally, even when using an RSA key representation that has the public
>> exponent, I still get NPE:
>> https://gist.github.com/behrangsa/24dd165b89e5d4f9f2adee3be58b84f6
>>
>> *modulus* =
>> 271025078213488744740617478062526953866062108128482957171010
>> 259133074617782408090835347338911914691450188656398162487332
>> 528375768272471754355497771935458887680533616869644549909012
>> 004463369436911515146282350562986009361355370376607835496225
>> 480756710646845910445075748695376234272096985784379898418957
>> 430342001753977726968865257343494600721869492078494011096667
>> 987870485207979939214280061370866629976052642340717657130549
>> 849044304430367439294127952741888977148172851501994500132260
>> 069877176375430119160217963286642548835482562138381319988686
>> 074584934733987574293536867228034242744324221704093912026260
>> 90616600948989663
>> *publicExponent* = 65537
>> *privateExponent* =
>> 394232581688082793477319135506670957047953076397886389476363
>> 092652333846730807990895733125081600127194508210849395454741
>> 747868562635072285010140876125048381259216468501506247506387
>> 451141996252815581105254993044684014715626401239025664248518
>> 776882329462194190193769490869741007570670089488761092455852
>> 599821516292148453161425842529808969601235424798411920605172
>> 775776729898242957121521544998796092508964948197598432233733
>> 888784909926416561355507548765363094728439366104195206981310
>> 336273080313879884931851871630077404312193970751570537146278
>> 715108236977734695473225083893507140959837704030226807144519
>> 5912101145921985
>> *primeP* =
>> 168565645866321463721757359494893586965844048573965891421831
>> 251902170360925287024632232504341738302244181735765323813167
>> 912402262029828812818816064242449683202965956327874665437958
>> 752995615612700850215100753615532960278564880200378844344952
>> 016806003712378420741928422029122293440530685345579952819949419356577
>> *primeQ* =
>> 160783104303721082738621587159947127022228239307230113065333
>> 132379355836939142594478872416309748726303605740321007079622
>> 289527210126211593675937607269474776250841338770912932330909
>> 766189328519015086351662333905791173139568145018928588087790
>> 353257183867789540266903768114307418555716349558052766927945686741119
>> *prime* =
>> 141957598404779196877050096666648867842880582402220508710403
>> 443169272114381012885293836708723762460556035191729248392455
>> 611659148968526356670218292226822755318951082009369646685869
>> 348541038144806526467061977105276334645994672750039049347492
>> 129813036252705949274280383121462954049922480211075404062417387935489
>> *primeExponentQ* =
>> 810698945895671632680432480537780614378066156202972227328674
>> 391485086841273474073356171170019324451943581746022503157928
>> 888631865758374981006356444789934537926522733674842890104050
>> 112718977205373076047222458140724982284362932717471839321456
>> 92103447532097980653979202852393131302526004717119393367623864662103
>> *crtCoefficient* =
>>
>> 861513681064078028202912058802495465328339656182334240463237
>> 267352065245409489246880924730648006404636674165669465403087
>> 789442334526346319400850935685300524273893576599267764182635
>> 202892134989255634440659383572788210390172204190543089709492
>> 97813382895576848904365377490953604759526735834556224481913568643218
>> Exception in thread "main" java.lang.SecurityException:
>> java.lang.SecurityException: java.lang.NullPointerException
>> at
>> org.apache.cxf.rt.security.crypto.CryptoUtils.getRSAPrivateK
>> ey(CryptoUtils.java:184)
>> at
>> org.apache.cxf.rs.security.jose.jwk.JwkUtils.toRSAPrivateKey
>> (JwkUtils.java:414)
>> at org.apache.issues.Cxf7005.main(Cxf7005.java:73)
>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>> at
>> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAcce
>> ssorImpl.java:62)
>> at
>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMe
>> thodAccessorImpl.java:43)
>> at java.lang.reflect.Method.invoke(Method.java:498)
>> at com.intellij.rt.execution.application.AppMain.main(AppMain.java:144)
>> Caused by: java.lang.SecurityException: java.lang.NullPointerException
>> at
>> org.apache.cxf.rt.security.crypto.CryptoUtils.decodeSequence
>> (CryptoUtils.java:629)
>> at
>> org.apache.cxf.rt.security.crypto.CryptoUtils.getRSAPrivateK
>> ey(CryptoUtils.java:175)
>> ... 7 more
>> Caused by: java.lang.NullPointerException
>> at org.apache.cxf.common.util.Base64Utility.decode(Base64Utilit
>> y.java:192)
>> at
>> org.apache.cxf.common.util.Base64UrlUtility.decode(Base64Url
>> Utility.java:41)
>> at
>> org.apache.cxf.rt.security.crypto.CryptoUtils.decodeSequence
>> (CryptoUtils.java:627)
>> ... 8 more
>>
>>
>>
>> On Wed, Aug 10, 2016 at 6:24 PM Behrang Saeedzadeh <[email protected]>
>> wrote:
>>
>> Hi,
>>>
>>> Am I using the CXF JOSE library in an incorrect way or is this a bug
>>> https://issues.apache.org/jira/browse/CXF-7005?
>>> --
>>> Best regards,
>>> Behrang Saeedzadeh
>>>
>>>
>>
>

Reply via email to