[jira] [Created] (WSS-300) SubjectKeyIidentifier (SKI) incorrectly calculated for 2048-bit RSA key

Thu, 14 Jul 2011 13:17:27 -0700 

SubjectKeyIidentifier (SKI) incorrectly calculated for 2048-bit RSA key
-----------------------------------------------------------------------

                 Key: WSS-300
                 URL: https://issues.apache.org/jira/browse/WSS-300
             Project: WSS4J
          Issue Type: Bug
          Components: WSS4J Core
    Affects Versions: 1.6.1, 1.5.11
         Environment: Tomcat 5, Solaris 10, Java 1.4 and Tomcat 6, Win XP, Java 
6
            Reporter: Linton Miller
            Assignee: Colm O hEigeartaigh


The crypto function to get the SubjectKeyIdentifier from an X509Certificate has 
incorrect hard-coded assumptions about the size of the encoded information, 
meaning the calculation of the SKI from a 2048-bit RSA key is incorrect.

The method 
org.apache.ws.security.components.crypto.CryptoBase.getSKIBytesFromCert does 
not parse the DER encoding of information, but just tries to pick out the piece 
of the byte array that corresponds to the content of interest. However, that 
approach fails because the DER encoding is variable length, depending on the 
size of the data being encoded. e.g. a 1024-bit key in a DER BIT STRING takes 4 
bytes header +  140 bytes data to encode, whereas a 2048-bit key takes 5 bytes 
header + 270 bytes data; the header is one byte longer for the larger key, so 
the data starts at a different point in the array.

To fix this, the DER data structures should be properly processed, reading the 
DER header bytes to determine the length of each data element (that also allows 
the generalization of handling any X.509 encoded public key, rather than just 
RSA keys as currently coded).

Attached is a suggested patch (against WSS4J 1.6.1) that implements this idea: 
it processes the SubjectPublicKeyInfo and SubjectKeyIdentifier DER-encoded byte 
arrays according to their ASN.1 definitions from RFC 3280/5280 to pick out the 
desired data bytes.


--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@ws.apache.org
For additional commands, e-mail: dev-h...@ws.apache.org

Reply via email to