[jira] Created: (WSS-72) WSSecEncryptedKey rejects a conformant cipher when its getBlockSize() returns 0

Tue, 30 Jan 2007 09:26:56 -0800 

WSSecEncryptedKey rejects a conformant cipher when its getBlockSize() returns 0
-------------------------------------------------------------------------------

                 Key: WSS-72
                 URL: https://issues.apache.org/jira/browse/WSS-72
             Project: WSS4J
          Issue Type: Bug
         Environment: Windows XP
Axis 1.4
WSS4J 1.5.0
            Reporter: Akitoshi Yoshida
         Assigned To: Davanum Srinivas


Method prepareInternal of WSSecEncrptedKey has the following code fragment:

        Cipher cipher = WSSecurityUtil.getCipherInstance(keyEncAlgo);
        try {
            cipher.init(Cipher.ENCRYPT_MODE, remoteCert);
        } catch (InvalidKeyException e) {
            throw new WSSecurityException(WSSecurityException.FAILED_ENC_DEC,
                    null, null, e);
        }
        if (doDebug) {
            log.debug("cipher blksize: " + cipher.getBlockSize()
                    + ", symm key length: " + keyBytes.length);
        }
        if (cipher.getBlockSize() < keyBytes.length) {
            throw new WSSecurityException(WSSecurityException.FAILURE,
                    "unsupportedKeyTransp",
                    new Object[] { "public key algorithm too weak to encrypt "
                            + "symmetric key" });
        }

The getCipherInstance(keyEncAlgo) instantiates a cipher using 
Cipher.getInstance("RSA/NONE/PKCS1PADDING").
When the cipher is an RSA cipher, as in this case, some securiy providers may 
return 0 for its getBlockSize() method because RSA is not a block cipher.  In 
particular, we found out that the IAIK 3.12 has this behavior of returing 0 for 
this method.

This causes the above code to throws the WSSecurityException.

The documentation at
http://java.sun.com/j2se/1.4.2/docs/api/javax/crypto/Cipher.html#getBlockSize()
states that this method should return 0 for non-block ciphers. 

Therefore, we consider this problem to be a bug in WSSecEncrptedKey and request 
that the above if block to be commented out as:

        // RSA is not a block cipher and cipher.getBlockSize() may return 0
//        if (cipher.getBlockSize() < keyBytes.length) {
//            throw new WSSecurityException(WSSecurityException.FAILURE,
//                    "unsupportedKeyTransp",
//                    new Object[] { "public key algorithm too weak to encrypt "
//                            + "symmetric key" });
//        }



-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Reply via email to