[ https://issues.apache.org/jira/browse/WSS-300?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Colm O hEigeartaigh updated WSS-300:
------------------------------------

    Fix Version/s: 1.6.2
                   1.5.12

> SubjectKeyIdentifier (SKI) incorrectly calculated for 2048-bit RSA key
> ----------------------------------------------------------------------
>
>                 Key: WSS-300
>                 URL: https://issues.apache.org/jira/browse/WSS-300
>             Project: WSS4J
>          Issue Type: Bug
>          Components: WSS4J Core
>    Affects Versions: 1.5.11, 1.6.1
>         Environment: Tomcat 5, Solaris 10, Java 1.4 and Tomcat 6, Win XP, Java 6
>            Reporter: Linton Miller
>            Assignee: Colm O hEigeartaigh
>             Fix For: 1.5.12, 1.6.2
>
>         Attachments: CryptoBase.java.patch, DERDecoder.java,
>                      X509SubjectPublicKeyInfo.java, X509SubjectPublicKeyInfo.java,
>                      broken.xml, client.wsdd, correct.xml, rsa2048.jks,
>                      test.cypto.properties
>
>
> The crypto function to get the SubjectKeyIdentifier from an X509Certificate
> has incorrect hard-coded assumptions about the size of the encoded
> information, meaning the calculation of the SKI from a 2048-bit RSA key is
> incorrect.
>
> The method
> org.apache.ws.security.components.crypto.CryptoBase.getSKIBytesFromCert does
> not parse the DER encoding of information, but just tries to pick out the
> piece of the byte array that corresponds to the content of interest. However,
> that approach fails because the DER encoding is variable length, depending on
> the size of the data being encoded. E.g. a 1024-bit key in a DER BIT STRING
> takes 4 bytes header + 140 bytes data to encode, whereas a 2048-bit key
> takes 5 bytes header + 270 bytes data; the header is one byte longer for the
> larger key, so the data starts at a different point in the array.
>
> To fix this, the DER data structures should be properly processed, reading
> the DER header bytes to determine the length of each data element (that also
> allows the generalization of handling any X.509 encoded public key, rather
> than just RSA keys as currently coded).
>
> Attached is a suggested patch (against WSS4J 1.6.1) that implements this
> idea: it processes the SubjectPublicKeyInfo and SubjectKeyIdentifier
> DER-encoded byte arrays according to their ASN.1 definitions from RFC
> 3280/5280 to pick out the desired data bytes.
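
The length-driven parsing the report asks for, as an added example (not the attached patch and not WSS4J code): it walks the DER headers of a SubjectPublicKeyInfo to find the key bits, then hashes them. The class and method names are hypothetical, the RSA keys are generated on the spot as sample input, and the SHA-1 step assumes the SKI is derived by RFC 5280 method 1.

```java
import java.security.KeyPairGenerator;
import java.security.MessageDigest;

public class SkiFromSpki {
    // Reads one DER tag-length header at buf[pos]; returns {contentOffset, contentLength}.
    static int[] readHeader(byte[] buf, int pos, int expectedTag) {
        if (pos + 2 > buf.length || (buf[pos] & 0xFF) != expectedTag)
            throw new IllegalArgumentException("unexpected DER tag at " + pos);
        int len = buf[pos + 1] & 0xFF;
        int off = pos + 2;
        if (len >= 0x80) {                    // long form: low 7 bits = number of length octets
            int n = len & 0x7F;
            if (n == 0 || n > 4 || off + n > buf.length)
                throw new IllegalArgumentException("unsupported DER length");
            len = 0;
            for (int i = 0; i < n; i++) len = (len << 8) | (buf[off++] & 0xFF);
        }
        if (len < 0 || len > buf.length - off)
            throw new IllegalArgumentException("DER length exceeds input");
        return new int[] { off, len };
    }

    // Returns {offset, length} of the subjectPublicKey bits inside a SubjectPublicKeyInfo.
    static int[] locateKeyBits(byte[] spki) {
        int[] outer = readHeader(spki, 0, 0x30);              // SubjectPublicKeyInfo SEQUENCE
        int[] alg = readHeader(spki, outer[0], 0x30);         // AlgorithmIdentifier, skipped by length
        int[] bits = readHeader(spki, alg[0] + alg[1], 0x03); // subjectPublicKey BIT STRING
        if (bits[1] < 1 || spki[bits[0]] != 0)
            throw new IllegalArgumentException("unexpected unused-bits octet");
        return new int[] { bits[0] + 1, bits[1] - 1 };        // drop the unused-bits octet
    }

    // SHA-1 over the key bits only (RFC 5280 section 4.2.1.2, method 1).
    static byte[] ski(byte[] spki) throws Exception {
        int[] key = locateKeyBits(spki);
        MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
        sha1.update(spki, key[0], key[1]);
        return sha1.digest();
    }

    public static void main(String[] args) throws Exception {
        for (int size : new int[] { 1024, 2048 }) {           // constructed sample keys
            KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
            gen.initialize(size);
            byte[] spki = gen.generateKeyPair().getPublic().getEncoded();
            int[] key = locateKeyBits(spki);
            System.out.printf("RSA-%d: offset %d, %d bytes, SKI %d bytes%n", size, key[0], key[1], ski(spki).length);
        }
    }
}
```

Running it prints a different key-data offset for each key size, which is why a fixed offset tuned for 1024-bit keys hashes the wrong bytes for 2048-bit ones.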