[
https://issues.apache.org/jira/browse/WSS-300?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Colm O hEigeartaigh closed WSS-300.
-----------------------------------
> SubjectKeyIidentifier (SKI) incorrectly calculated for 2048-bit RSA key
> -----------------------------------------------------------------------
>
> Key: WSS-300
> URL: https://issues.apache.org/jira/browse/WSS-300
> Project: WSS4J
> Issue Type: Bug
> Components: WSS4J Core
> Affects Versions: 1.5.11, 1.6.1
> Environment: Tomcat 5, Solaris 10, Java 1.4 and Tomcat 6, Win XP,
> Java 6
> Reporter: Linton Miller
> Assignee: Colm O hEigeartaigh
> Fix For: 1.5.12, 1.6.2
>
> Attachments: CryptoBase.java.patch, DERDecoder.java,
> X509SubjectPublicKeyInfo.java, X509SubjectPublicKeyInfo.java, broken.xml,
> client.wsdd, correct.xml, rsa2048.jks, rsa2048.jks, test.cypto.properties
>
>
> The crypto function to get the SubjectKeyIdentifier from an X509Certificate
> has incorrect hard-coded assumptions about the size of the encoded
> information, meaning the calculation of the SKI from a 2048-bit RSA key is
> incorrect.
> The method
> org.apache.ws.security.components.crypto.CryptoBase.getSKIBytesFromCert does
> not parse the DER encoding of information, but just tries to pick out the
> piece of the byte array that corresponds to the content of interest. However,
> that approach fails because the DER encoding is variable length, depending on
> the size of the data being encoded. e.g. a 1024-bit key in a DER BIT STRING
> takes 4 bytes header + 140 bytes data to encode, whereas a 2048-bit key
> takes 5 bytes header + 270 bytes data; the header is one byte longer for the
> larger key, so the data starts at a different point in the array.
> To fix this, the DER data structures should be properly processed, reading
> the DER header bytes to determine the length of each data element (that also
> allows the generalization of handling any X.509 encoded public key, rather
> than just RSA keys as currently coded).
> Attached is a suggested patch (against WSS4J 1.6.1) that implements this
> idea: it processes the SubjectPublicKeyInfo and SubjectKeyIdentifier
> DER-encoded byte arrays according to their ASN.1 definitions from RFC
> 3280/5280 to pick out the desired data bytes.
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
