org.apache.ws.security.WSSecurityException: Cannot encrypt data; nest ed
exception is:
org.apache.xml.security.encryption.XMLEncryptionException: Illegal key s ize or
default parameters Original Exception was java.security.InvalidKeyException
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Key: RAMPART-241
URL: https://issues.apache.org/jira/browse/RAMPART-241
Project: Rampart
Issue Type: Bug
Affects Versions: 1.4
Environment: rampart-1.4>mvn -e install
Running org.apache.rampart.AsymmetricBindingBuilderTest
org.apache.rampart.RampartException: Error in creating an encrypted key
at org.apache.rampart.builder.AsymmetricBindingBuilder.doEncryptBeforeSi
g(AsymmetricBindingBuilder.java:164)
at org.apache.rampart.builder.AsymmetricBindingBuilder.build(AsymmetricB
indingBuilder.java:91)
at org.apache.rampart.MessageBuilder.build(MessageBuilder.java:147)
at org.apache.rampart.AsymmetricBindingBuilderTest.testAsymmBindingWithD
KEncrBeforeSig(AsymmetricBindingBuilderTest.java:148)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.
java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAcces
sorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at junit.framework.TestCase.runTest(TestCase.java:164)
at junit.framework.TestCase.runBare(TestCase.java:130)
at junit.framework.TestResult$1.protect(TestResult.java:106)
at junit.framework.TestResult.runProtected(TestResult.java:124)
at junit.framework.TestResult.run(TestResult.java:109)
at junit.framework.TestCase.run(TestCase.java:120)
at junit.framework.TestSuite.runTest(TestSuite.java:230)
at junit.framework.TestSuite.run(TestSuite.java:225)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.
java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAcces
sorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.apache.maven.surefire.junit.JUnitTestSet.execute(JUnitTestSet.jav
a:213)
at org.apache.maven.surefire.suite.AbstractDirectoryTestSuite.executeTes
tSet(AbstractDirectoryTestSuite.java:140)
at org.apache.maven.surefire.suite.AbstractDirectoryTestSuite.execute(Ab
stractDirectoryTestSuite.java:127)
at org.apache.maven.surefire.Surefire.run(Surefire.java:177)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.
java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAcces
sorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.apache.maven.surefire.booter.SurefireBooter.runSuitesInProcess(Su
refireBooter.java:345)
at org.apache.maven.surefire.booter.SurefireBooter.main(SurefireBooter.j
ava:1009)
Caused by: org.apache.ws.security.WSSecurityException: Cannot encrypt data; nest
ed exception is:
org.apache.xml.security.encryption.XMLEncryptionException: Illegal key s
ize or default parameters
Original Exception was java.security.InvalidKeyException: Illegal key size or de
fault parameters
at org.apache.ws.security.message.WSSecDKEncrypt.doEncryption(WSSecDKEnc
rypt.java:149)
at org.apache.ws.security.message.WSSecDKEncrypt.encryptForExternalRef(W
SSecDKEncrypt.java:188)
at org.apache.rampart.builder.AsymmetricBindingBuilder.doEncryptBeforeSi
g(AsymmetricBindingBuilder.java:161)
... 29 more
Caused by: org.apache.xml.security.encryption.XMLEncryptionException: Illegal ke
y size or default parameters
Original Exception was java.security.InvalidKeyException: Illegal key size or de
fault parameters
at org.apache.xml.security.encryption.XMLCipher.encryptData(Unknown Sour
ce)
at org.apache.xml.security.encryption.XMLCipher.encryptData(Unknown Sour
ce)
at org.apache.xml.security.encryption.XMLCipher.encryptElementContent(Un
known Source)
at org.apache.xml.security.encryption.XMLCipher.doFinal(Unknown Source)
at org.apache.ws.security.message.WSSecDKEncrypt.doEncryption(WSSecDKEnc
rypt.java:147)
... 31 more
org.apache.rampart.RampartException: Error during encryption
at org.apache.rampart.builder.AsymmetricBindingBuilder.doEncryptBeforeSi
g(AsymmetricBindingBuilder.java:192)
at org.apache.rampart.builder.AsymmetricBindingBuilder.build(AsymmetricB
indingBuilder.java:91)
at org.apache.rampart.MessageBuilder.build(MessageBuilder.java:147)
at org.apache.rampart.AsymmetricBindingBuilderTest.testAsymmBindingEncrB
eforeSig(AsymmetricBindingBuilderTest.java:178)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.
java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAcces
sorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at junit.framework.TestCase.runTest(TestCase.java:164)
at junit.framework.TestCase.runBare(TestCase.java:130)
at junit.framework.TestResult$1.protect(TestResult.java:106)
at junit.framework.TestResult.runProtected(TestResult.java:124)
at junit.framework.TestResult.run(TestResult.java:109)
at junit.framework.TestCase.run(TestCase.java:120)
at junit.framework.TestSuite.runTest(TestSuite.java:230)
at junit.framework.TestSuite.run(TestSuite.java:225)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.
java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAcces
sorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.apache.maven.surefire.junit.JUnitTestSet.execute(JUnitTestSet.jav
a:213)
at org.apache.maven.surefire.suite.AbstractDirectoryTestSuite.executeTes
tSet(AbstractDirectoryTestSuite.java:140)
at org.apache.maven.surefire.suite.AbstractDirectoryTestSuite.execute(Ab
stractDirectoryTestSuite.java:127)
at org.apache.maven.surefire.Surefire.run(Surefire.java:177)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.
java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAcces
sorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.apache.maven.surefire.booter.SurefireBooter.runSuitesInProcess(Su
refireBooter.java:345)
at org.apache.maven.surefire.booter.SurefireBooter.main(SurefireBooter.j
ava:1009)
Caused by: org.apache.ws.security.WSSecurityException: Cannot encrypt data; nest
ed exception is:
org.apache.xml.security.encryption.XMLEncryptionException: Illegal key s
ize or default parameters
Original Exception was java.security.InvalidKeyException: Illegal key size or de
fault parameters
at org.apache.ws.security.message.WSSecEncrypt.doEncryption(WSSecEncrypt
.java:571)
at org.apache.ws.security.message.WSSecEncrypt.doEncryption(WSSecEncrypt
.java:458)
at org.apache.ws.security.message.WSSecEncrypt.encryptForExternalRef(WSS
ecEncrypt.java:396)
at org.apache.rampart.builder.AsymmetricBindingBuilder.doEncryptBeforeSi
g(AsymmetricBindingBuilder.java:189)
... 29 more
Caused by: org.apache.xml.security.encryption.XMLEncryptionException: Illegal ke
y size or default parameters
Original Exception was java.security.InvalidKeyException: Illegal key size or de
fault parameters
at org.apache.xml.security.encryption.XMLCipher.encryptData(Unknown Sour
ce)
at org.apache.xml.security.encryption.XMLCipher.encryptData(Unknown Sour
ce)
at org.apache.xml.security.encryption.XMLCipher.encryptElementContent(Un
known Source)
at org.apache.xml.security.encryption.XMLCipher.doFinal(Unknown Source)
at org.apache.ws.security.message.WSSecEncrypt.doEncryption(WSSecEncrypt
.java:564)
... 32 more
Reporter: Martin Gainty
Assignee: Ruchith Udayanga Fernando
Priority: Minor
Fix For: 1.4
test-resources/keys/interop2.jks contents:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 4 entries
alice, Jun 4, 2005, PrivateKeyEntry,
Certificate fingerprint (MD5): 57:CE:81:F1:03:C4:2C:F7:5B:1A:DE:AC:43:64:0A:84
root, Jun 4, 2005, trustedCertEntry,
Certificate fingerprint (MD5): 0C:0D:00:27:BF:4B:32:63:40:A8:B2:03:96:4B:58:14
ca, Jun 4, 2005, trustedCertEntry,
Certificate fingerprint (MD5): CA:0A:6D:E3:A4:9F:E8:55:98:0A:F8:10:66:35:40:C6
bob, Jun 4, 2005, PrivateKeyEntry,
Certificate fingerprint (MD5): 89:3E:86:D2:4F:9C:E7:39:B6:71:8A:EF:00:C5:89:DC
test-resources/policy/rampart-asymm-binding-1.xml:
<wsp:Policy wsu:Id="6"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy";>
<wsp:ExactlyOne>
<wsp:All>
<sp:AsymmetricBinding
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy";>
<wsp:Policy>
<sp:InitiatorToken>
<wsp:Policy>
<sp:X509Token
sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient";>
<wsp:Policy>
<sp:WssX509V3Token10/>
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:InitiatorToken>
<sp:RecipientToken>
<wsp:Policy>
<sp:X509Token
sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never";>
<wsp:Policy>
<sp:WssX509V3Token10/>
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:RecipientToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic256/>
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
<wsp:Policy>
<sp:Lax/>
</wsp:Policy>
</sp:Layout>
<sp:IncludeTimestamp/>
<sp:OnlySignEntireHeadersAndBody/>
</wsp:Policy>
</sp:AsymmetricBinding>
<sp:Wss10
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy";>
<wsp:Policy>
<sp:MustSupportRefKeyIdentifier/>
<sp:MustSupportRefIssuerSerial/>
</wsp:Policy>
</sp:Wss10>
<sp:Trust10
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy";>
<wsp:Policy>
<sp:MustSupportIssuedTokens/>
<sp:RequireClientEntropy/>
<sp:RequireServerEntropy/>
</wsp:Policy>
</sp:Trust10>
<ramp:RampartConfig
xmlns:ramp="http://ws.apache.org/rampart/policy";>
<ramp:user>alice</ramp:user>
<ramp:encryptionUser>bob</ramp:encryptionUser>
<ramp:passwordCallbackClass>org.apache.rampart.TestCBHandler</ramp:passwordCallbackClass>
<ramp:signatureCrypto>
<ramp:crypto
provider="org.apache.ws.security.components.crypto.Merlin">
<ramp:property
name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
<ramp:property
name="org.apache.ws.security.crypto.merlin.file">test-resources/keys/interop2.jks</ramp:property>
<ramp:property
name="org.apache.ws.security.crypto.merlin.keystore.password">password</ramp:property>
</ramp:crypto>
</ramp:signatureCrypto>
<ramp:encryptionCypto>
<ramp:crypto
provider="org.apache.ws.security.components.crypto.Merlin">
<ramp:property
name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
<ramp:property
name="org.apache.ws.security.crypto.merlin.file">test-resources/keys/interop2.jks</ramp:property>
<ramp:property
name="org.apache.ws.security.crypto.merlin.keystore.password">password</ramp:property>
</ramp:crypto>
</ramp:encryptionCypto>
</ramp:RampartConfig>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
org.apache.rampart.RampartMessageBuilderTest (which loads
rampart-asymm-binding-1.xml policy file)
public void testAsymmBinding() {
try {
MessageContext ctx = getMsgCtx();
String policyXml =
"test-resources/policy/rampart-asymm-binding-1.xml";
Policy policy = this.loadPolicy(policyXml);
ctx.setProperty(RampartMessageData.KEY_RAMPART_POLICY, policy);
MessageBuilder builder = new MessageBuilder();
builder.build(ctx);
........
}
org.apache.rampart.builder.AsymmetricBindingBuilder.java:
//build method passes on the RampartMessageData
public void build(RampartMessageData rmd) throws RampartException {
log.debug("AsymmetricBindingBuilder build invoked");
RampartPolicyData rpd = rmd.getPolicyData();
if (rpd.isIncludeTimestamp()) {
this.addTimestamp(rmd);
}
if
(SPConstants.ENCRYPT_BEFORE_SIGNING.equals(rpd.getProtectionOrder())) {
//doEncryptBeforeSig is called here
this.doEncryptBeforeSig(rmd);
} else {
this.doSignBeforeEncrypt(rmd);
}
log.debug("AsymmetricBindingBuilder build invoked : DONE");
}
..........
private void doEncryptBeforeSig(RampartMessageData rmd)
throws RampartException {
long t0 = 0, t1 = 0, t2 = 0;
if(dotDebug){
t0 = System.currentTimeMillis();
}
RampartPolicyData rpd = rmd.getPolicyData();
Document doc = rmd.getDocument();
RampartConfig config = rpd.getRampartConfig();
/*
* We need to hold on to these two element to use them as refence in the
* case of encypting the signature
*/
Element encrDKTokenElem = null;
WSSecEncrypt encr = null;
Element refList = null;
WSSecDKEncrypt dkEncr = null;
/*
* We MUST use keys derived from the same token
*/
Token encryptionToken = null;
if(rmd.isInitiator()) {
encryptionToken = rpd.getRecipientToken();
} else {
encryptionToken = rpd.getInitiatorToken();
}
Vector encrParts = RampartUtil.getEncryptedParts(rmd);
//Signed parts are determined before encryption because encrypted
signed headers
//will not be included otherwise
this.sigParts = RampartUtil.getSignedParts(rmd);
if(encryptionToken == null && encrParts.size() > 0) {
throw new RampartException("encryptionTokenMissing");
}
if (encryptionToken != null && encrParts.size() > 0) {
//Check for RampartConfig assertion
if(rpd.getRampartConfig() == null) {
//We'er missing the extra info rampart needs
throw new RampartException("rampartConigMissing");
}
if (encryptionToken.isDerivedKeys()) {
try {
this.setupEncryptedKey(rmd, encryptionToken);
// Create the DK encryption builder
dkEncr = new WSSecDKEncrypt();
dkEncr.setParts(encrParts);
dkEncr.setExternalKey(this.encryptedKeyValue,
this.encryptedKeyId);
/*********this rpd.getAlgorithmSuite() returns null
causes grief ******/
/*****this is the AlgorithmSuite provided by policy
file
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic256/>
</wsp:Policy>
</sp:AlgorithmSuite>
<!-- safe to assume the key length is
256 -->
*******/
/******
rpd.getAlgorithmSuite().getEncryptionDerivedKeyLength()
if
(SPConstants.ALGO_SUITE_BASIC256.equals(algoSuite)) {
this.digest = SPConstants.SHA1;
this.encryption = SPConstants.AES256;
this.symmetricKeyWrap =
SPConstants.KW_AES256;
this.asymmetricKeyWrap =
SPConstants.KW_RSA_OAEP;
this.encryptionKeyDerivation =
SPConstants.P_SHA1_L256;
this.signatureKeyDerivation =
SPConstants.P_SHA1_L192;
this.encryptionDerivedKeyLength = 256;
this.signatureDerivedKeyLength = 192;
this.minimumSymmetricKeyLength = 256;
this.encryptionDerivedKeyLength = 256;
}
********/
/*****
rpd.getAlgorithmSuite().getEncryptionDerivedKeyLength()/8 256/8 produces 32
******/
/*** lets take the root key
0C:0D:00:27:BF:4B:32:63:40:A8:B2:03:96:4B:58:14 *******/
/****this is 16 bytes */
/****16 != 32 so the Assymetric TestCase will
always fail**/
dkEncr.setDerivedKeyLength(rpd.getAlgorithmSuite().getEncryptionDerivedKeyLength()/8);
dkEncr.prepare(doc);
// Get and add the DKT element
this.encrDKTElement = dkEncr.getdktElement();
encrDKTokenElem = RampartUtil.appendChildToSecHeader(rmd,
this.encrDKTElement);
refList = dkEncr.encryptForExternalRef(null, encrParts);
} catch (WSSecurityException e) {
throw new RampartException("errorCreatingEncryptedKey", e);
} catch (ConversationException e) {
throw new RampartException("errorInDKEncr", e);
}
} else {
try {
encr = new WSSecEncrypt();
encr.setParts(encrParts);
encr.setWsConfig(rmd.getConfig());
encr.setDocument(doc);
RampartUtil.setEncryptionUser(rmd, encr);
encr.setSymmetricEncAlgorithm(rpd.getAlgorithmSuite().getEncryption());
RampartUtil.setKeyIdentifierType(rpd,encr, encryptionToken);
encr.setKeyEncAlgo(rpd.getAlgorithmSuite().getAsymmetricKeyWrap());
encr.prepare(doc, RampartUtil.getEncryptionCrypto(config,
rmd.getCustomClassLoader()));
Element bstElem = encr.getBinarySecurityTokenElement();
if (bstElem != null) {
RampartUtil.appendChildToSecHeader(rmd, bstElem);
}
this.encrTokenElement = encr.getEncryptedKeyElement();
this.encrTokenElement =
RampartUtil.appendChildToSecHeader(rmd,
encrTokenElement);
refList = encr.encryptForExternalRef(null, encrParts);
} catch (WSSecurityException e) {
throw new RampartException("errorInEncryption", e);
}
}
SOLUTION:
repackage a 32 byte long keystore
(test-resources/keys/interop2.jks contents:) file
i would propose a change in AlgorithmSuite to 128 in
test-resources/policy/rampart-asymm-binding-1.xml should use a 128
AlgorithmSuite
but the schema defined at
http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/ws-securitypolicy.xsd
does not support 128 Byte Encryption..minimum size for
AlgorithmSuite is 256 byte
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
