ws-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Jacobo Fernandez (JIRA)" <>
Subject [jira] [Commented] (WSS-574) IllegalArgumentException thrown in WSSecEncryptedKey due to incorrect keyAlgorithm
Date Wed, 16 Mar 2016 10:24:33 GMT


Jacobo Fernandez commented on WSS-574:

For my is not possible to provide a test-case that reproduces this issue right now, sorry.

The workaround I put in the description solved my problem in this particular project and I
don't have the time to start doing tests again.

I provide all the information I have in order to help you deal with this exception, that maybe
is not due to this library itself, but that I think you should try to prevent.

In your own WSSecurityUtil you have this piece of code:

        } catch (NoSuchAlgorithmException ex) {
            // Check to see if an RSA OAEP MGF-1 with SHA-1 algorithm was requested
            // Some JDKs don't support RSA/ECB/OAEPPadding

and it was the hint that I followed to solve my problem. It's the same case, but different
exception. Maybe in some versions or due to third-party things instead of NoSuchAlgorithmException,
Cipher.getInstance continues and the original exception (IllegalArgumentException) is thrown.

Hope it helps.

> IllegalArgumentException thrown in WSSecEncryptedKey due to incorrect keyAlgorithm
> ----------------------------------------------------------------------------------
>                 Key: WSS-574
>                 URL:
>             Project: WSS4J
>          Issue Type: Bug
>          Components: WSS4J Core
>         Environment: Windows 7 64 bit, java jdk 7.0_79, wss4j 1.6.18
>            Reporter: Jacobo Fernandez
>            Assignee: Colm O hEigeartaigh
> This is hard to explain to me because I'm not expert in WSS, but this is what I found:
> In {{WSSecEncryptedKey.prepareInternal}}, when {{WSSecurityUtil.getCipherInstance(keyEncAlgo)}}
is called, and {{keyEncAlgo}} value is {{WSConstants.KEYTRANSPORT_RSAOEP}}, the {{JCEMapper.translateURItoJCEID(cipherAlgo)}}
is returning (in my case) {{"RSA/ECB/OAEPPadding"}}. Then, oaepParameterSpec is not null and
it leads to the else, where it calls to {{cipher.init(Cipher.WRAP_MODE, remoteCert.getPublicKey(),
oaepParameterSpec)}}. This method call throws the following exception:
> {{Caused by: java.lang.IllegalArgumentException: unknown parameter type.}}
> 	{{at org.bouncycastle.jce.provider.JCERSACipher.engineInit(Unknown Source)}}
> 	{{at javax.crypto.Cipher.implInit(}}
> 	{{at javax.crypto.Cipher.chooseProvider(}}
> 	{{at javax.crypto.Cipher.init(}}
> 	{{at javax.crypto.Cipher.init(}}
> 	{{at}}
> If I modify the first lines of {{getCipherInstance}} to this:
> 	public static Cipher getCipherInstance(String cipherAlgo)
> 			throws WSSecurityException {
> 		try {
> 			String keyAlgorithm = JCEMapper.translateURItoJCEID(cipherAlgo);
>             if (WSConstants.KEYTRANSPORT_RSAOEP.equals(cipherAlgo)) {
> 				try {
> 					return Cipher.getInstance("RSA/ECB/OAEPWithSHA1AndMGF1Padding");
> 				} catch (Exception e) {
> 					throw new WSSecurityException(
> 						WSSecurityException.UNSUPPORTED_ALGORITHM, "unsupportedKeyTransp",
>                         new Object[] { "No such algorithm: " + cipherAlgo }, e);
>                 }
>             }
>             String provider = JCEMapper.getProviderId();
>             if (provider == null) {
>                 return Cipher.getInstance(keyAlgorithm);
>             }
> 		...
> it works. Don't know if this is a problem with the JCEMapper or wss4j itself.
> Sorry for the bad explanation. Hope it helps.

This message was sent by Atlassian JIRA

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message