I've been trying to
configure the WSS4J samples using sender actions Signature and Encryption using
our PKI certificates. Our PKI poses strict rules on certificate
keyUsage. Basically, certificates are only ever given the keyUsages of
digitalSignature and keyEncipherment. The keyUsage dataEncipherment is not
allowed, presumably to avoid inefficient encryption using the public/private key
pairs instead of a symmetric session key.
Using these
certificates (with keyUsage) results in an InvalidKeyException when initializing
a javax.crypto.Cipher in the ENCRYPT_MODE as in
WSEncryptBody.build:
cipher.init(Cipher.ENCRYPT_MODE, remoteCert);
To support both
cases (certs with no keyUsage, and certificates with critical keyUsage allowing
keyEncipherment but not dataEncipherment) I think a better solution would be to
use the WRAP_MODE, changing the encryption of session keys with public keys from
encryptedKey = cipher.doFinal(encKey); to encryptedKey =
cipher.wrap(this.encryptionKey); This also has to be handled appropriately
(perform an UNWRAP) on the receiver's end in
WSSecurityEngine.handleEncryptedKey.
Does this sound
correct?
--Scott
