Bug 49493 - Cannot resolve PrivateKeys used in Key Transport algorithms
Summary: Cannot resolve PrivateKeys used in Key Transport algorithms
Alias: None
Product: Security - Now in JIRA
Classification: Unclassified
Component: Encryption
Version: unspecified
Hardware: PC Windows NT
Importance: P2 normal
Target Milestone: ---
Assignee: XML Security Developers Mailing List
Depends on:
Reported: 2010-06-23 10:56 UTC by Clement Pellerin
Modified: 2010-09-30 14:41 UTC

source code patch with new junit (20.38 KB, patch)
2010-06-23 10:56 UTC, Clement Pellerin

Description Clement Pellerin 2010-06-23 10:56:51 UTC
Created attachment 25632
source code patch with new junit

During decryption, XMLCipher needs to find the key to decrypt an encrypted key. The kek can be provided by the caller; otherwise XMLCipher can call the KeyResolvers to resolve the kek. The KeyResolvers work fine if the Key Encryption Key is a symmetric key because the SecretKey can be returned by KeyInfo.getSecretKey(). When the Key Transport algorithm is RSA-1.5 or RSA-OAEP, the key we need is a PrivateKey and there are no calls that can return an object of this type.

To reproduce use the junit included in the source patch attached to the bug.

The solution is to introduce a new method called engineLookupAndResolvePrivateKey() in the KeyResolverSpi base class. The new method returns a PrivateKey. In XMLCipher, we now check which algorithm was used to encrypt the key, and if the kek type is RSA, we resolve a PrivateKey instead of a SecretKey.

Notice the StorageResolvers have no way to return a PrivateKey either.
To avoid controversy, the proposed solution does not affect StorageResolver. The custom KeyResolver implementing engineLookupAndResolvePrivateKey() must know a source of PrivateKeys other than StorageResolver. This explains why the StorageResolver argument of engineLookupAndResolvePrivateKey() is always null.
The hope is that one day new APIs will be added to StorageResolver and we'll be able to pass StorageResolvers in the existing argument.

This solution does not depend on Bug 49465, but both are needed to allow PrivateKey KeyResolvers per KeyInfo.
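An added illustration of the kind of custom KeyResolver the description calls for, not code from the attached patch: it assumes engineLookupAndResolvePrivateKey() takes the same (Element, BaseURI, StorageResolver) arguments as the other engineLookupAndResolve* methods, ignores the always-null StorageResolver, and uses a hypothetical java.security.KeyStore as its private-key source, matching the ds:KeyName in the EncryptedKey's KeyInfo to a keystore alias.

```java
import java.security.Key;
import java.security.KeyStore;
import java.security.PrivateKey;

import org.apache.xml.security.keys.content.KeyName;
import org.apache.xml.security.keys.keyresolver.KeyResolverException;
import org.apache.xml.security.keys.keyresolver.KeyResolverSpi;
import org.apache.xml.security.keys.storage.StorageResolver;
import org.apache.xml.security.utils.Constants;
import org.apache.xml.security.utils.XMLUtils;
import org.w3c.dom.Element;

public class KeyStorePrivateKeyResolver extends KeyResolverSpi {

    private final KeyStore keyStore;   // assumed private-key source (not a StorageResolver)
    private final char[] keyPassword;

    public KeyStorePrivateKeyResolver(KeyStore keyStore, char[] keyPassword) {
        this.keyStore = keyStore;
        this.keyPassword = keyPassword;
    }

    public boolean engineCanResolve(Element element, String baseURI, StorageResolver storage) {
        return XMLUtils.elementIsInSignatureSpace(element, Constants._TAG_KEYNAME);
    }

    public PrivateKey engineLookupAndResolvePrivateKey(Element element, String baseURI,
                                                      StorageResolver storage)
            throws KeyResolverException {
        // 'storage' is always null for this method, so ignore it and use the KeyStore.
        if (!engineCanResolve(element, baseURI, storage)) {
            return null;
        }
        try {
            String alias = new KeyName(element, baseURI).getKeyName();
            if (alias == null || !keyStore.isKeyEntry(alias)) {
                return null;
            }
            Key key = keyStore.getKey(alias, keyPassword);
            // XMLCipher only asks for a PrivateKey when the key wrap algorithm is RSA;
            // return null for any other key type instead of a key that cannot unwrap.
            if (key instanceof PrivateKey && "RSA".equals(key.getAlgorithm())) {
                return (PrivateKey) key;
            }
            return null;
        } catch (Exception e) {
            throw new KeyResolverException("empty", e);
        }
    }
}
```

The resolver is registered with KeyResolver like any other resolver; XMLCipher then picks the PrivateKey path only when the EncryptedKey's EncryptionMethod maps to an RSA kek, and falls back to SecretKey resolution otherwise.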
Comment 1 coheigea 2010-09-30 14:41:10 UTC
Patch applied, thanks:

Sending        CHANGELOG.txt
Sending        src/org/apache/xml/security/encryption/XMLCipher.java
Sending        src/org/apache/xml/security/keys/KeyInfo.java
Sending        src/org/apache/xml/security/keys/keyresolver/KeyResolverSpi.java
Sending        src/org/apache/xml/security/keys/keyresolver/implementations/RetrievalMethodResolver.java
Sending        src_unitTests/org/apache/xml/security/test/ModuleTest.java
Adding         src_unitTests/org/apache/xml/security/test/keys/keyresolver
Adding         src_unitTests/org/apache/xml/security/test/keys/keyresolver/KeyResolverTest.java
Transmitting file data .......
Committed revision 1003198.