[ https://issues.apache.org/jira/browse/CXF-8178?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16999187#comment-16999187 ]
Frederik Libert commented on CXF-8178:
--------------------------------------

[~coheigea] Any news on my pull request for this issue (and CXF-8177)?

> ECDH KeyAgreement with Key Wrapping is not in line with the specification
> -------------------------------------------------------------------------
>
>                 Key: CXF-8178
>                 URL: https://issues.apache.org/jira/browse/CXF-8178
>             Project: CXF
>          Issue Type: Bug
>          Components: JAX-RS Security
>    Affects Versions: 3.3.4
>            Reporter: Frederik Libert
>            Assignee: Colm O hEigeartaigh
>            Priority: Blocker
>
> Key Derivation for ECDH Key Agreement is different if Direct mode or KeyWrap
> mode is used: key length and algorithmid are calculated in a different way.
> However, the code of apache cxf uses the same code block for both.
> This makes it correct for Direct mode but wrong for KeyWrap mode as the
> algorithmID and keydatalen is always based on the value of the "enc" field,
> which is wrong for KeyWrap.
> See extract specs below.
> RFC JWA (https://tools.ietf.org/html/rfc7518#page-15)
> {panel}
>    keydatalen
>       This is set to the number of bits in the desired output key.  For
>       "ECDH-ES", this is length of the key used by the "enc" algorithm.
>       For "ECDH-ES+A128KW", "ECDH-ES+A192KW", and "ECDH-ES+A256KW", this
>       is 128, 192, and 256, respectively.
>    AlgorithmID
>       The AlgorithmID value is of the form Datalen || Data, where Data
>       is a variable-length string of zero or more octets, and Datalen is
>       a fixed-length, big-endian 32-bit counter that indicates the
>       length (in octets) of Data.  In the Direct Key Agreement case,
>       Data is set to the octets of the ASCII representation of the "enc"
>       Header Parameter value.  In the Key Agreement with Key Wrapping
>       case, Data is set to the octets of the ASCII representation of the
>       "alg" (algorithm) Header Parameter value.
> {panel}

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
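The two derivation modes in the RFC 7518 extract quoted above, as an added example that is not part of the original message and is not Apache CXF code: a Concat KDF over SHA-256 that takes AlgorithmID and keydatalen from "alg" in the key-wrap modes and from "enc" in direct mode, next to the enc-based derivation the issue describes. The function names, the lookup tables and the shared secret Z are assumptions constructed for illustration.

```python
import hashlib
import struct

# keydatalen (bits): direct mode uses the key size of the "enc" algorithm,
# the key-wrap modes use the fixed size named by "alg" (RFC 7518, 4.6.2).
ENC_KEY_BITS = {"A128GCM": 128, "A192GCM": 192, "A256GCM": 256,
                "A128CBC-HS256": 256, "A192CBC-HS384": 384, "A256CBC-HS512": 512}
KW_KEY_BITS = {"ECDH-ES+A128KW": 128, "ECDH-ES+A192KW": 192, "ECDH-ES+A256KW": 256}

def _len_prefixed(data: bytes) -> bytes:
    """Datalen || Data, with Datalen a 32-bit big-endian octet count."""
    return struct.pack(">I", len(data)) + data

def kdf_params(alg: str, enc: str):
    """Return (AlgorithmID Data, keydatalen in bits) for a JWE header."""
    if alg == "ECDH-ES":                      # Direct Key Agreement
        return enc.encode("ascii"), ENC_KEY_BITS[enc]
    if alg in KW_KEY_BITS:                    # Key Agreement with Key Wrapping
        return alg.encode("ascii"), KW_KEY_BITS[alg]
    raise ValueError(f"not an ECDH-ES algorithm: {alg!r}")

def other_info(alg: str, enc: str, apu: bytes = b"", apv: bytes = b"") -> bytes:
    """AlgorithmID || PartyUInfo || PartyVInfo || SuppPubInfo."""
    alg_id, bits = kdf_params(alg, enc)
    return (_len_prefixed(alg_id) + _len_prefixed(apu) + _len_prefixed(apv)
            + struct.pack(">I", bits))

def derive_key(z: bytes, alg: str, enc: str, apu: bytes = b"", apv: bytes = b"") -> bytes:
    """Concat KDF with SHA-256: hash(counter || Z || OtherInfo) per round."""
    _, bits = kdf_params(alg, enc)
    info = other_info(alg, enc, apu, apv)
    out, counter = b"", 1
    while len(out) * 8 < bits:
        out += hashlib.sha256(struct.pack(">I", counter) + z + info).digest()
        counter += 1
    return out[: bits // 8]

def enc_based_key(z: bytes, enc: str, apu: bytes = b"", apv: bytes = b"") -> bytes:
    """Derivation the issue describes: "enc"-based values whatever "alg" is."""
    return derive_key(z, "ECDH-ES", enc, apu, apv)

Z = bytes(range(32))  # constructed ECDH shared secret, illustration only

if __name__ == "__main__":
    print("alg-based KEK:", derive_key(Z, "ECDH-ES+A128KW", "A256GCM").hex())
    print("enc-based key:", enc_based_key(Z, "A256GCM").hex())
```

A peer that follows the RFC derives the first value as its key-encryption key, so a sender using the second cannot produce a wrapped CEK that the peer can unwrap.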