Title: Re: Incompatibility of WSS4J encryption with PKI certificates specifying critical keyUsage
I do understand that WS-Security uses random (symmetric) session keys for the actual encryption of body elements.  And of course these keys are encrypted with the receiver's public key so that it can be decrypted with the private key.
 
However, strictly speaking, I don't think wss4j is using the key wrapping mode (Cipher.WRAP_MODE) in WSEncryptBody.build.  The source code of wss4j 1.1.0 shows that you init the cipher in ENCRYPT_MODE in order to encrypt the session key.
 
Based on my admittedly limited knowledge of javax.crypto.Cipher, I believe the Cipher.ENCRYPT_MODE can be used to encrypt any byte[] (which could be a session key), while Cipher.WRAP_MODE can only be used to encrypt keys.  The difference being that the public key used to init the cipher must either 1) have no critical keyUsages set (as is the case with the provided test certificates) and therefore could be used in either mode, or 2) have the proper critical keyUsage setting that corresponds to the mode/action (dataEncipherment for ENCRYPT_MODE and keyEncipherment for WRAP_MODE).
 
We have tested with JRE 1.4.2_08 and wss4j 1.1.0 using the wss4j provided certificates (no keyUsages), and ones created using OpenSSL with only the digitalSignature and keyEncipherment critical keyUsages set.  With the latter set of keys, we encounter the InvalidKeyException in WSEncryptBody.build at the line "cipher.init(Cipher.ENCRYPT_MODE, remoteCert);"  If, however, this is changed to cipher.init(Cipher.WRAP_MODE, remoteCert);, no exception is thrown with either set of keys and encryption works as expected.
 
When you say for RSA both ENCRYPT_MODE and WRAP_MODE are identical, do you mean a specific Provider?  It is my belief that the javax.crypto.Cipher class is performing the check of critical keyUsages, and is therefore independent of any specific Provider?
 
Thanks,
--Scott

From: Werner Dittmann [mailto:[EMAIL PROTECTED]
Sent: Sat 2/4/2006 12:51 AM
To: Maxwell Scott
Cc: [email protected]
Subject: Re: Incompatibility of WSS4J encryption with PKI certificates specifying critical keyUsage

Scott,

until now we never had such a problem :-). In fact the WS Security does
not use the public/private keys to encrypt / decrypt the data but uses
a random session key and encrypts the data using a symmetrical cipher.
The public key is used to encrypt this random session key. Thus, in
fact we use a KeyWrap. But for RSA the ENCRYPT_MODE and WRAP_MODE are
identical. Which version of Java do you use?

We'll need to test if the WRAP/UNWRAP modes work as expected.

Regards,
Werner


yes and no.
Maxwell Scott wrote:
> I've been trying to configure the WSS4J samples using sender actions
> Signature and Encryption using our PKI certificates.  Our PKI poses
> strict rules on certificate keyUsage.  Basically, certificates are only
> ever given the keyUsages of digitalSignature and keyEncipherment.  The
> keyUsage dataEncipherment is not allowed, presumably to avoid
> inefficient encryption using the public/private key pairs instead of a
> symmetric session key.

> Using these certificates (with keyUsage) results in an
> InvalidKeyException when initializing a javax.crypto.Cipher in the
> ENCRYPT_MODE as in WSEncryptBody.build:

> cipher.init(Cipher.ENCRYPT_MODE, remoteCert);


> To support both cases (certs with no keyUsage, and certificates with
> critical keyUsage allowing keyEncipherment but not dataEncipherment) I
> think a better solution would be to use the WRAP_MODE, changing the
> encryption of session keys with public keys from encryptedKey =
> cipher.doFinal(encKey); to encryptedKey =
> cipher.wrap(this.encryptionKey);  This also has to be handled
> appropriately (perform an UNWRAP) on the receiver's end in
> WSSecurityEngine.handleEncryptedKey.

> Does this sound correct?

> --Scott

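As an added illustration (not part of the original messages and not WSS4J code): the WRAP_MODE / UNWRAP_MODE round trip proposed in the thread, with a pre-flight check that applies the keyUsage-to-opmode mapping Scott describes to a certificate. The class and helper names and the OAEP transformation are assumptions; the keys are constructed samples generated inline, and a bare key pair stands in for `remoteCert`.

```java
import java.io.*;
import java.security.*;
import java.security.cert.*;
import java.util.*;
import javax.crypto.*;

public class KeyUsageWrapDemo {
    static final String KEY_USAGE_OID = "2.5.29.15"; // id-ce-keyUsage
    static final String RSA_TRANSFORM = "RSA/ECB/OAEPWithSHA-1AndMGF1Padding"; // assumed transformation

    // True unless a critical keyUsage extension on the certificate forbids this Cipher opmode.
    static boolean keyUsageAllows(X509Certificate cert, int opmode) {
        Set<String> critical = cert.getCriticalExtensionOIDs();
        boolean[] usage = cert.getKeyUsage();
        if (critical == null || !critical.contains(KEY_USAGE_OID) || usage == null) return true;
        if (opmode == Cipher.WRAP_MODE) return usage[2];    // keyEncipherment bit
        if (opmode == Cipher.ENCRYPT_MODE) return usage[3]; // dataEncipherment bit
        return true;
    }
    // Sender side: wrap the symmetric session key under the receiver's RSA public key.
    static byte[] wrapSessionKey(SecretKey sessionKey, PublicKey receiverKey) throws GeneralSecurityException {
        Cipher cipher = Cipher.getInstance(RSA_TRANSFORM);
        cipher.init(Cipher.WRAP_MODE, receiverKey);
        return cipher.wrap(sessionKey);
    }
    // Receiver side: unwrap with the private key, naming the session key's algorithm.
    static SecretKey unwrapSessionKey(byte[] wrapped, PrivateKey receiverKey, String alg) throws GeneralSecurityException {
        Cipher cipher = Cipher.getInstance(RSA_TRANSFORM);
        cipher.init(Cipher.UNWRAP_MODE, receiverKey);
        return (SecretKey) cipher.unwrap(wrapped, alg, Cipher.SECRET_KEY);
    }

    public static void main(String[] args) throws Exception {
        if (args.length > 0) { // optional: path to an X.509 certificate (PEM or DER) to inspect
            try (InputStream in = new FileInputStream(args[0])) {
                X509Certificate cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
                System.out.println("ENCRYPT_MODE allowed: " + keyUsageAllows(cert, Cipher.ENCRYPT_MODE));
                System.out.println("WRAP_MODE allowed:    " + keyUsageAllows(cert, Cipher.WRAP_MODE));
            }
        }
        // Constructed sample keys: RSA-2048 receiver pair, AES session key of provider-default size.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair receiver = kpg.generateKeyPair();
        SecretKey sessionKey = KeyGenerator.getInstance("AES").generateKey();
        byte[] wrapped = wrapSessionKey(sessionKey, receiver.getPublic());
        SecretKey recovered = unwrapSessionKey(wrapped, receiver.getPrivate(), "AES");
        System.out.println("round trip ok: " + Arrays.equals(sessionKey.getEncoded(), recovered.getEncoded()));
    }
}
```

Passing a certificate path as the first argument reports which opmodes its critical keyUsage permits before the round trip runs.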