[ https://issues.apache.org/jira/browse/WSS-300?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh updated WSS-300:
------------------------------------

    Fix Version/s: 1.6.2
                   1.5.12

> SubjectKeyIdentifier (SKI) incorrectly calculated for 2048-bit RSA key
> ----------------------------------------------------------------------
>
>                 Key: WSS-300
>                 URL: https://issues.apache.org/jira/browse/WSS-300
>             Project: WSS4J
>          Issue Type: Bug
>          Components: WSS4J Core
>    Affects Versions: 1.5.11, 1.6.1
>         Environment: Tomcat 5, Solaris 10, Java 1.4 and Tomcat 6, Win XP, 
> Java 6
>            Reporter: Linton Miller
>            Assignee: Colm O hEigeartaigh
>             Fix For: 1.5.12, 1.6.2
>
>         Attachments: CryptoBase.java.patch, DERDecoder.java, 
> X509SubjectPublicKeyInfo.java, X509SubjectPublicKeyInfo.java, broken.xml, 
> client.wsdd, correct.xml, rsa2048.jks, test.cypto.properties
>
>
> The crypto function to get the SubjectKeyIdentifier from an X509Certificate 
> has incorrect hard-coded assumptions about the size of the encoded 
> information, meaning the calculation of the SKI from a 2048-bit RSA key is 
> incorrect.
> The method 
> org.apache.ws.security.components.crypto.CryptoBase.getSKIBytesFromCert does 
> not parse the DER encoding of information, but just tries to pick out the 
> piece of the byte array that corresponds to the content of interest. However, 
> that approach fails because the DER encoding is variable length, depending on 
> the size of the data being encoded. e.g. a 1024-bit key in a DER BIT STRING 
> takes 4 bytes header + 140 bytes data to encode, whereas a 2048-bit key 
> takes 5 bytes header + 270 bytes data; the header is one byte longer for the 
> larger key, so the data starts at a different point in the array.
> To fix this, the DER data structures should be properly processed, reading 
> the DER header bytes to determine the length of each data element (that also 
> allows the generalization of handling any X.509 encoded public key, rather 
> than just RSA keys as currently coded).
> Attached is a suggested patch (against WSS4J 1.6.1) that implements this 
> idea: it processes the SubjectPublicKeyInfo and SubjectKeyIdentifier 
> DER-encoded byte arrays according to their ASN.1 definitions from RFC 
> 3280/5280 to pick out the desired data bytes.
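
The header-length difference described in the report, as an added Python example (not the attached patch and not WSS4J code): it builds constructed RSA SubjectPublicKeyInfo blobs with dummy moduli, reads the DER length bytes to locate the key bits, and compares that with a fixed offset. It assumes the SKI is the SHA-1 of the BIT STRING value (RFC 5280 section 4.2.1.2, method 1); all function names and the offset 22 are hypothetical and derived only from the 1024-bit sample built here.

```python
import hashlib

def der_len(n):
    # DER definite length: one byte below 128, else 0x80|count then big-endian bytes.
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content

def read_tlv(buf, pos):
    # Parse one element header; return (tag, content_start, content_end).
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    length = first
    if first >= 0x80:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER element overruns buffer")
    return tag, pos, pos + length

def make_spki(bits):
    # Constructed RSA SubjectPublicKeyInfo with a dummy modulus (not a usable key).
    modulus = b"\x00" + b"\xc3" * (bits // 8)  # leading zero keeps INTEGER positive
    rsa_key = tlv(0x30, tlv(0x02, modulus) + tlv(0x02, b"\x01\x00\x01"))
    alg = tlv(0x30, bytes.fromhex("06092a864886f70d010101") + b"\x05\x00")
    return tlv(0x30, alg + tlv(0x03, b"\x00" + rsa_key))

def key_span(spki):
    # SEQUENCE { AlgorithmIdentifier, BIT STRING }: skip the unused-bits byte.
    tag, start, end = read_tlv(spki, 0)
    alg_tag, _, alg_end = read_tlv(spki, start)
    bs_tag, bs_start, bs_end = read_tlv(spki, alg_end)
    if (tag, alg_tag, bs_tag) != (0x30, 0x30, 0x03) or bs_end != end:
        raise ValueError("not a SubjectPublicKeyInfo")
    if bs_start == bs_end or spki[bs_start] != 0:
        raise ValueError("unexpected BIT STRING padding")
    return bs_start + 1, bs_end

def ski_parsed(spki):
    start, end = key_span(spki)
    return hashlib.sha1(spki[start:end]).digest()

def ski_fixed(spki, offset=22):
    # Failure mode: offset 22 is only right for the 1024-bit layout built above.
    return hashlib.sha1(spki[offset:]).digest()
```

For the 2048-bit sample both the outer SEQUENCE header and the BIT STRING header grow by one byte, so the key bits begin at offset 24 rather than 22 and the fixed-offset hash covers two extra header bytes.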
