ffang commented on code in PR #1645:
URL: https://github.com/apache/cxf/pull/1645#discussion_r1459708208
##########
rt/security/src/main/java/org/apache/cxf/rt/security/crypto/CryptoUtils.java:
##########
@@ -592,6 +578,11 @@ public static Cipher initCipher(Key secretKey,
KeyProperties keyProps, int mode)
try {
String algorithm = keyProps != null && keyProps.getKeyAlgo() !=
null
? keyProps.getKeyAlgo() : secretKey.getAlgorithm();
+ if (algorithm.equals("AESWrap")) {
+ int keySize = secretKey.getEncoded().length;
+ algorithm = "AESWrap_" + keySize * 8;
+ secretKey = new SecretKeySpec(secretKey.getEncoded(), 0,
keySize, "AES");
+ }
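Review bot: `secretKey.getEncoded()` on the first added line inside the `if` can return null for keys that do not expose their encoding, so `.length` would throw a NullPointerException, and the length is never checked against 16, 24 or 32 bytes, so any other key length produces a name such as AESWrap_80 that no provider resolves. Suggest reading the encoding once into a local array, rejecting null or unsupported lengths with a clear exception, and passing that same array to `new SecretKeySpec(...)` instead of calling `getEncoded()` a second time, since each call may return another copy of the key bytes. `algorithm.equals("AESWrap")` is also case-sensitive, while JCA algorithm names are not; `"AESWrap".equalsIgnoreCase(algorithm)` would handle that and a null `algorithm`.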
Review Comment:
For this line
```
algorithm = "AESWrap_" + keySize * 8;
```
This is from the Java security API doc about AESWrap:
```
The AES key wrapping algorithm as described in [RFC 3394](https://tools.ietf.org/html/rfc3394).
To use the AESWrap cipher with only one valid key size, use the format AESWrap_<n>, where <n> can be 128, 192, or 256.
```
So I think determining the keySize dynamically and specifying it for the
algorithm is valid.
For this line
```
secretKey = new SecretKeySpec(secretKey.getEncoded(), 0, keySize, "AES");
```
This is because without it we get an exception like
```
Caused by: java.security.InvalidKeyException: Wrong algorithm: AES or Rijndael required
    at java.base/com.sun.crypto.provider.AESCrypt.init(AESCrypt.java:86)
    at java.base/com.sun.crypto.provider.AESKeyWrap.init(AESKeyWrap.java:102)
    at java.base/com.sun.crypto.provider.KeyWrapCipher.implInit(KeyWrapCipher.java:305)
    at java.base/com.sun.crypto.provider.KeyWrapCipher.engineInit(KeyWrapCipher.java:327)
    at java.base/javax.crypto.Cipher.implInit(Cipher.java:867)
    at java.base/javax.crypto.Cipher.chooseProvider(Cipher.java:929)
    at java.base/javax.crypto.Cipher.init(Cipher.java:1299)
    at java.base/javax.crypto.Cipher.init(Cipher.java:1236)
    at org.apache.cxf.rt.security.crypto.CryptoUtils.initCipher(CryptoUtils.java:588)
```
And take a close look at the JDK impl com.sun.crypto.provider.AESCrypt class:
```
if (!algorithm.equalsIgnoreCase("AES")
        && !algorithm.equalsIgnoreCase("Rijndael")) {
    throw new InvalidKeyException
        ("Wrong algorithm: AES or Rijndael required");
}
```
So AES (AKA Rijndael) is required here.
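The two points in the comment above (the fixed-size `AESWrap_<n>` name and the key having to be labelled "AES"), as an added Java example that is not part of the PR or of CXF. `AesWrapKeyLabelDemo` and `wrapAlgorithmFor` are hypothetical names, the key bytes are constructed for the demo, and the JDK's default provider is assumed.

```java
import java.security.InvalidKeyException;
import java.security.Key;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;

public class AesWrapKeyLabelDemo {
    // Hypothetical helper: maps a raw AES key to the fixed-size name AESWrap_<n>.
    static String wrapAlgorithmFor(byte[] raw) throws InvalidKeyException {
        if (raw == null) {
            throw new InvalidKeyException("key does not expose its encoding");
        }
        if (raw.length != 16 && raw.length != 24 && raw.length != 32) {
            throw new InvalidKeyException("not an AES key size: " + raw.length * 8 + " bits");
        }
        return "AESWrap_" + raw.length * 8;
    }

    public static void main(String[] args) throws Exception {
        byte[] kekBytes = new byte[32];          // constructed all-zero KEK, demo only
        byte[] cekBytes = new byte[16];          // constructed content key to be wrapped
        Arrays.fill(cekBytes, (byte) 0x11);
        SecretKey cek = new SecretKeySpec(cekBytes, "AES");

        // Key labelled with the cipher name, the case the comment describes.
        SecretKey mislabelled = new SecretKeySpec(kekBytes, "AESWrap");
        String algorithm = wrapAlgorithmFor(mislabelled.getEncoded());
        try {
            Cipher.getInstance(algorithm).init(Cipher.WRAP_MODE, mislabelled);
            System.out.println("provider accepted the AESWrap-labelled key");
        } catch (InvalidKeyException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        // Same bytes re-labelled as "AES": init succeeds, wrap and unwrap round-trip.
        SecretKey kek = new SecretKeySpec(kekBytes, "AES");
        Cipher wrap = Cipher.getInstance(algorithm);
        wrap.init(Cipher.WRAP_MODE, kek);
        byte[] wrapped = wrap.wrap(cek);

        Cipher unwrap = Cipher.getInstance(algorithm);
        unwrap.init(Cipher.UNWRAP_MODE, kek);
        Key recovered = unwrap.unwrap(wrapped, "AES", Cipher.SECRET_KEY);
        System.out.println(algorithm + " wrapped length: " + wrapped.length);
        System.out.println("round trip ok: " + Arrays.equals(cekBytes, recovered.getEncoded()));
    }
}
```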