
ISSUE --encrypt key operation with BCFIPS Provider and using XML-Sec library

From: Samba Kumar Burugu <sambakumar.burugu@broadcom.com>
Date: Wed, 8 Jul 2020 22:42:04 +0530
Message-ID: <CAKi09onmehQmn0sGKVnmKkK-xv5miXANhtaEa-qA_vj91keuPw@mail.gmail.com>
To: w3c-ietf-xmldsig@w3.org
Cc: Venkata Swamy Karukuri <venky.karukuri@broadcom.com>, Kannaiah Englae <kannaiah.englae@broadcom.com>, Jagan Kona <jagan.kona@broadcom.com>, Sreenivas Somavarapu <Sreenivas.Somavarapu@ca.com>, Sapthapathi Bondili <bondili.spathi@broadcom.com>
Hi Team,

We are facing the following issue while performing an encrypt key operation
with the BCFIPS provider and using the XML-Sec library.

Following is the code snippet:

            // sRandom, jsCert and xmlDoc are defined elsewhere (not shown)

            // Generate a traffic key
            javax.crypto.KeyGenerator keyGenerator =
                    javax.crypto.KeyGenerator.getInstance("AES", "BCFIPS");
            keyGenerator.init(256, sRandom);
            javax.crypto.SecretKey dek = keyGenerator.generateKey();

            // This is the public key of a cert generated with 1024 key length
            java.security.PublicKey pk = jsCert.getPublicKey();

            org.apache.xml.security.encryption.XMLCipher cipher =
                    org.apache.xml.security.encryption.XMLCipher.getProviderInstance(
                        "http://www.w3.org/2009/xmlenc11#rsa-oaep",
                        "BCFIPS",
                        org.apache.xml.security.c14n.Canonicalizer.ALGO_ID_C14N_PHYSICAL,
                        "http://www.w3.org/2001/04/xmldsig-more#sha384");
            // The above line will basically call
            // javax.crypto.Cipher.getInstance("RSA/ECB/OAEPPadding", "BCFIPS");
            // to fetch the XMLCipher instance

            cipher.init(org.apache.xml.security.encryption.XMLCipher.WRAP_MODE, pk);

            // I am facing an exception here
            // (javax.crypto.IllegalBlockSizeException: Unable to wrap key:
            // input data too long.)
            org.apache.xml.security.encryption.EncryptedKey encryptedKey =
                    cipher.encryptKey(xmlDoc, dek,
                        "http://www.w3.org/2009/xmlenc11#mgf1sha384", null);

*Our Observations:*
*When using a 1024 key length certificate and 1024+(key algorithm length)+(block
algorithm) > 1600, we get this error.*
*For example, with 1024 (certificate length) + 256 (key algorithm length) + 384 (block
algorithm length), which is greater than 1600, we face this issue.*
*When using 1024+256+256+256, which is less than 1600, we do not face
this issue.*

Is our observation valid?

Could you please help us understand any limitations while using
rsa-oaep encryption algorithms? Also, please let us know if you have any
further information or a reproduction.


*Regards*
*Samba*

Received on Thursday, 9 July 2020 17:50:37 UTC
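
Added example (not part of the original message): RFC 8017 section 7.1.1 limits an RSAES-OAEP plaintext to k - 2*hLen - 2 bytes, where k is the modulus length and hLen the OAEP digest length in bytes, and this sketch compares that bound with the 32-byte AES key for the key and digest sizes named in the post. It assumes the JDK's default provider and the plain JCA `Cipher` API rather than BCFIPS and XMLCipher, so the exception class and message can differ from the one quoted above; the class and method names are hypothetical.

```java
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.spec.MGF1ParameterSpec;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.OAEPParameterSpec;
import javax.crypto.spec.PSource;

public class OaepCapacityDemo {
    // RFC 8017 7.1.1: mLen <= k - 2*hLen - 2. Only the OAEP digest counts,
    // not the digest used inside MGF1.
    static int maxOaepPayload(int modulusBits, int digestBits) {
        return modulusBits / 8 - 2 * (digestBits / 8) - 2;
    }

    // Try to wrap the key; returns null on success, else the provider's error text.
    static String tryWrap(KeyPair rsa, SecretKey dek, String digest, MGF1ParameterSpec mgf) {
        try {
            Cipher c = Cipher.getInstance("RSA/ECB/OAEPPadding"); // default provider (assumption)
            c.init(Cipher.WRAP_MODE, rsa.getPublic(),
                   new OAEPParameterSpec(digest, "MGF1", mgf, PSource.PSpecified.DEFAULT));
            c.wrap(dek);
            return null;
        } catch (GeneralSecurityException e) {
            return e.getClass().getSimpleName() + ": " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey dek = kg.generateKey(); // 32-byte traffic key, as in the post
        String[] digests = {"SHA-256", "SHA-384"};
        MGF1ParameterSpec[] mgfs = {MGF1ParameterSpec.SHA256, MGF1ParameterSpec.SHA384};
        int[] digestBits = {256, 384};
        for (int bits : new int[] {1024, 2048}) {
            KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
            kpg.initialize(bits); // throwaway key pairs generated for the demo
            KeyPair rsa = kpg.generateKeyPair();
            for (int i = 0; i < digests.length; i++) {
                String err = tryWrap(rsa, dek, digests[i], mgfs[i]);
                System.out.printf("RSA-%d %s: capacity %d bytes, key %d bytes -> %s%n",
                        bits, digests[i], maxOaepPayload(bits, digestBits[i]),
                        dek.getEncoded().length, err == null ? "wrapped" : err);
            }
        }
    }
}
```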
