Scott, until now we never had such a problem :-). In fact the WS Security does not use the public/private keys to encrypt / decrypt the data but uses a random session key and encrypts the data using a symmetrical cipher. The public key is used to encrypt this random session key. Thus, in fact we use a KeyWrap. But for RSA the ENCRYPT_MODE and WRAP_MODE are identical. Which version of Java do you use?

We'll need to test if the WRAP/UNWRAP modes work as expected.

Regards,
Werner

yes and no.

Maxwell Scott wrote:
> I've been trying to configure the WSS4J samples using sender actions
> Signature and Encryption using our PKI certificates. Our PKI poses
> strict rules on certificate keyUsage. Basically, certificates are only
> ever given the keyUsages of digitalSignature and keyEncipherment. The
> keyUsage dataEncipherment is not allowed, presumably to avoid
> inefficient encryption using the public/private key pairs instead of a
> symmetric session key.
>
> Using these certificates (with keyUsage) results in an
> InvalidKeyException when initializing a javax.crypto.Cipher in the
> ENCRYPT_MODE as in WSEncryptBody.build:
>
> cipher.init(Cipher.ENCRYPT_MODE, remoteCert);
>
> To support both cases (certs with no keyUsage, and certificates with
> critical keyUsage allowing keyEncipherment but not dataEncipherment) I
> think a better solution would be to use the WRAP_MODE, changing the
> encryption of session keys with public keys from
> encryptedKey = cipher.doFinal(encKey);
> to
> encryptedKey = cipher.wrap(this.encryptionKey);
> This also has to be handled appropriately (perform an UNWRAP) on the
> receiver's end in WSSecurityEngine.handleEncryptedKey.
>
> Does this sound correct?
>
> --Scott
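An added example (not WSS4J's own code) of the WRAP_MODE / UNWRAP_MODE approach proposed in the thread, assuming RSA with PKCS#1 v1.5 padding and an AES session key; a generated key pair stands in for the PKI certificate, so in real code the `Cipher.init(Cipher.WRAP_MODE, remoteCert)` call is where the JDK applies the keyEncipherment check. It also shows Werner's remark that, for RSA, a key produced the old way with ENCRYPT_MODE/doFinal is accepted unchanged by an UNWRAP_MODE receiver.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

public class SessionKeyWrapDemo {

    // Sender side as proposed: wrap the random session key under the
    // recipient's RSA public key instead of calling doFinal() on its bytes.
    // With an X509Certificate instead of a PublicKey, init() is where a
    // critical keyUsage lacking keyEncipherment raises InvalidKeyException.
    static byte[] wrapSessionKey(SecretKey sessionKey, PublicKey pub) throws Exception {
        Cipher c = Cipher.getInstance("RSA/ECB/PKCS1Padding");
        c.init(Cipher.WRAP_MODE, pub);
        return c.wrap(sessionKey);
    }

    // Receiver side (the counterpart of WSSecurityEngine.handleEncryptedKey).
    static SecretKey unwrapSessionKey(byte[] wrapped, PrivateKey priv) throws Exception {
        Cipher c = Cipher.getInstance("RSA/ECB/PKCS1Padding");
        c.init(Cipher.UNWRAP_MODE, priv);
        return (SecretKey) c.unwrap(wrapped, "AES", Cipher.SECRET_KEY);
    }

    public static void main(String[] args) throws Exception {
        // Constructed RSA key pair standing in for the PKI certificate's key.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();

        // Random symmetric session key, the one WS-Security encrypts the body with.
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey sessionKey = kg.generateKey();

        byte[] wrapped = wrapSessionKey(sessionKey, kp.getPublic());
        SecretKey recovered = unwrapSessionKey(wrapped, kp.getPrivate());
        System.out.println("wrap/unwrap round trip: "
            + Arrays.equals(sessionKey.getEncoded(), recovered.getEncoded()));

        // Legacy sender path (ENCRYPT_MODE + doFinal on the raw key bytes):
        // for RSA this yields the same kind of ciphertext, so the UNWRAP_MODE
        // receiver above recovers the same AES key without special handling.
        Cipher enc = Cipher.getInstance("RSA/ECB/PKCS1Padding");
        enc.init(Cipher.ENCRYPT_MODE, kp.getPublic());
        byte[] legacy = enc.doFinal(sessionKey.getEncoded());
        SecretKey fromLegacy = unwrapSessionKey(legacy, kp.getPrivate());
        System.out.println("legacy doFinal -> unwrap: "
            + Arrays.equals(sessionKey.getEncoded(), fromLegacy.getEncoded()));
    }
}
```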
