[ https://issues.apache.org/jira/browse/WSS-726?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Work on WSS-726 started by Colm O hEigeartaigh.
-----------------------------------------------
> Allow overriding EncryptedKeyProcessor#getAsymmetricDecryptedByte (Pkcs#11 
> example)
> -----------------------------------------------------------------------------------
>
>                 Key: WSS-726
>                 URL: https://issues.apache.org/jira/browse/WSS-726
>             Project: WSS4J
>          Issue Type: Improvement
>          Components: WSS4J Core
>    Affects Versions: 2.4.3, 4.0.1
>         Environment: Java version: 21.0.9, vendor: Eclipse Adoptium
> Tomcat 10.1.54 (Wss4j 4.0.1) or WebLogic (Wss4j 2.4.3)
>            Reporter: Gabriel Mair
>            Assignee: Colm O hEigeartaigh
>            Priority: Major
>             Fix For: 2.4.4, 3.0.6, 4.0.2
>
>
> While testing the integration with PKCS#11 for Java 21 we found a couple of 
> blocking issues that would be easily fixed if it were possible to override 
> org.apache.wss4j.dom.processor.EncryptedKeyProcessor#getAsymmetricDecryptedBytes
>  in our project. This is not possible currently because the method is private 
> static and also because the getRandomKey method in the same class is private.
>  
> Problem 1:
> PKCS#11 doesn't support OAEPPadding based on the javadoc of 
> sun.security.pkcs11.P11RSACipher ("We currently only support PKCS#1 v1.5 
> padding on top of CKM_RSA_PKCS"). With a dynamically initialized security 
> provider from Java SE, during decryption, Wss4j 4.0.2 (and 2.4.4) throws the 
> exception:
> java.security.InvalidKeyException: No installed provider supports this key: sun.security.pkcs11.P11Key$P11RSAPrivateKeyInternal
>     at java.base/javax.crypto.Cipher.chooseProvider(Cipher.java:963)
>     at java.base/javax.crypto.Cipher.init(Cipher.java:1466)
>     at java.base/javax.crypto.Cipher.init(Cipher.java:1393)
>     at org.apache.wss4j.dom.processor.EncryptedKeyProcessor.getAsymmetricDecryptedBytes(EncryptedKeyProcessor.java:389)
>     ... 66 common frames omitted
> Caused by: javax.crypto.NoSuchPaddingException: Unsupported padding OAEPPadding
>     at jdk.crypto.cryptoki/sun.security.pkcs11.P11RSACipher.engineSetPadding(P11RSACipher.java:138)
>     at java.base/javax.crypto.Cipher$Transform.setModePadding(Cipher.java:396)
>     at java.base/javax.crypto.Cipher.chooseProvider(Cipher.java:932)
>  
> By overriding the 
> org.apache.wss4j.dom.processor.EncryptedKeyProcessor#getAsymmetricDecryptedBytes
>  method we could perform the private-key operation as raw RSA (CKM_RSA_X_509, 
> "RSA/ECB/NoPadding") on the HSM token, and the OAEP padding removal could be 
> done programmatically with BouncyCastle, for example.
>  
> Problem 2:
> A workaround for the above issue was to initialize the security provider 
> statically using a customized jar like LunaProvider for the Luna Cloud HSM. 
> While trying to unwrap the AES key from the SOAP header the Luna security 
> provider throws com.safenetinc.luna.exception.LunaException: Key algorithm 
> 'RSA/ECB/OAEPPadding' unknown at 
> com.safenetinc.luna.provider.key.LunaKey.GetKeyType(LunaKey.java:736) when 
> the underlying cipher is initialized in UNWRAP_MODE. The operation succeeds 
> when the cipher initialization is using DECRYPT_MODE.
> This can be done by overriding the 
> org.apache.wss4j.dom.processor.EncryptedKeyProcessor#getAsymmetricDecryptedBytes
>  method and handling the initialization and decryption in our code.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
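
The fallback described under Problem 1, as an added example that is not WSS4J code and not from the reporter: the private-key step runs as "RSA/ECB/NoPadding" and the OAEP padding is removed in software, here with JDK classes only instead of BouncyCastle. Once the padded block leaves the token, the decoder must not reveal which padding check failed, so all checks feed a single generic error. Assumptions: SHA-1 for both the digest and MGF1, an empty OAEP label, a provider that returns a full modulus-length block, and a software RSA key standing in for the HSM key; the class and method names are hypothetical.

```java
import java.security.*;
import java.util.Arrays;
import javax.crypto.Cipher;
public class OaepFallbackDemo {
    static final int H_LEN = 20; // SHA-1 output size; digest and MGF1 hash assumed SHA-1
    static byte[] mgf1(byte[] seed, int len) throws GeneralSecurityException { // RFC 8017 B.2.1
        MessageDigest md = MessageDigest.getInstance("SHA-1");
        byte[] out = new byte[len];
        for (int c = 0, off = 0; off < len; c++, off += H_LEN) {
            md.update(seed);
            byte[] block = md.digest(new byte[] {0, 0, (byte) (c >>> 8), (byte) c}); // counter
            System.arraycopy(block, 0, out, off, Math.min(H_LEN, len - off));
        }
        return out;
    }
    static byte[] xor(byte[] a, byte[] b) {
        byte[] r = a.clone();
        for (int i = 0; i < r.length; i++) r[i] ^= b[i];
        return r;
    }
    // EME-OAEP decoding (RFC 8017 7.1.2, empty label); every check feeds one error flag.
    static byte[] oaepDecode(byte[] em) throws GeneralSecurityException {
        if (em.length < 2 * H_LEN + 2) throw new GeneralSecurityException("decryption error");
        byte[] maskedDb = Arrays.copyOfRange(em, 1 + H_LEN, em.length);
        byte[] seed = xor(Arrays.copyOfRange(em, 1, 1 + H_LEN), mgf1(maskedDb, H_LEN));
        byte[] db = xor(maskedDb, mgf1(seed, maskedDb.length));
        byte[] lHash = MessageDigest.getInstance("SHA-1").digest();
        int bad = em[0], found = 0, idx = 0;
        for (int i = 0; i < H_LEN; i++) bad |= db[i] ^ lHash[i];
        for (int i = H_LEN; i < db.length; i++) { // locate the 0x01 separator, no early exit
            int b = db[i] & 0xff, isZero = (b - 1) >>> 31, isOne = ((b ^ 1) - 1) >>> 31;
            idx |= i & -(isOne & (found ^ 1));
            found |= isOne;
            bad |= (found ^ 1) & (isZero ^ 1);
        }
        if ((bad | (found ^ 1)) != 0) throw new GeneralSecurityException("decryption error");
        return Arrays.copyOfRange(db, idx + 1, db.length);
    }
    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair(); // software stand-in for the HSM-held key
        byte[] aesKey = "0123456789abcdef0123456789abcdef".getBytes(); // constructed sample key
        Cipher enc = Cipher.getInstance("RSA/ECB/OAEPWithSHA-1AndMGF1Padding");
        enc.init(Cipher.ENCRYPT_MODE, kp.getPublic());
        Cipher rawRsa = Cipher.getInstance("RSA/ECB/NoPadding"); // the only private-key step
        rawRsa.init(Cipher.DECRYPT_MODE, kp.getPrivate());
        byte[] out = oaepDecode(rawRsa.doFinal(enc.doFinal(aesKey)));
        System.out.println("recovered = " + Arrays.equals(aesKey, out));
    }
}
```

The JVM gives no hard constant-time guarantee, so the branch-free loop reduces the timing signal but does not eliminate it; callers should also treat the generic exception the same way as any other key-unwrap failure.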
