[jira] Created: (WSS-34) WSS4J Encryption Incompatible with PKI certificates specifying certain critical KeyUsage

Mon, 20 Feb 2006 10:03:18 -0800 

WSS4J Encryption Incompatible with PKI certificates specifying certain critical 
KeyUsage
----------------------------------------------------------------------------------------

         Key: WSS-34
         URL: http://issues.apache.org/jira/browse/WSS-34
     Project: WSS4J
        Type: Bug
 Environment: JRE 1.4.2_08, BEA WebLogic 8 sp4. wss4j 1.1.0
    Reporter: Scott Maxwell
 Assigned to: Davanum Srinivas 


[This issue was reported informally to the wss4j-dev list on Feb 3, 2006]

When using a PKI that specifies a certain critical KeyUsage (meaning those 
KeyUsage rules MUST be followed), wss4j encryption fails.  The KeyUsage of 
interest are keyEncipherment and dataEncipherment.  Specifically, when 
keyEncipherment is allowed, but dataEncipherment is not allowed, wss4j 
encryption fails, when it should succeed.  It should be successful because the 
public keys of the PKI are only being used to encrypt (wrap) random session 
keys, which in turn actually perform the data encipherment of the WSS body.

Using keys of this keyUsage results in an InvalidKeyException when initializing 
a javax.crypto.Cipher in the ENCRYPT_MODE as in WSEncryptBody.build:

cipher.init(Cipher.ENCRYPT_MODE, remoteCert);

To support all cases (certs with no keyUsage, and certificates with critical 
keyUsage allowing keyEncipherment but not dataEncipherment) the likely solution 
would be to use the WRAP_MODE, and changing the encryption of session keys with 
public keys from encryptedKey = cipher.doFinal(encKey); to encryptedKey = 
cipher.wrap(this.encryptionKey);  The unwrap/decrypt process also has to be 
handled appropriately (perform an UNWRAP) on the receiver's end in 
WSSecurityEngine.handleEncryptedKey.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira


---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Reply via email to