wsit / WSIT-1662

com.sun.xml.ws.security.impl.PasswordDerivedKey's generate160BitKey() not hardcoding use of UTF-8

    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 2.2.1-1
    • Fix Version/s: None
    • Component/s: security
    • Labels:
      None
    • Environment:

      JDK 7 on Ubuntu Linux.

      Description

      Hi, we're testing interoperability between CXF and Metro w.r.t. UsernameToken password-derived keys (http://www.jroller.com/gmazza/entry/usernametoken_messagelayer_encryption). Dan Kulp of the CXF team noticed that PasswordDerivedKey's generate160BitKey() method is not hardcoding use of UTF-8 when calling password.getBytes(); it looks like it should be password.getBytes("UTF-8") instead, as getBytes() by itself is platform-dependent (http://docs.oracle.com/javase/6/docs/api/java/lang/String.html#getBytes()).

      According to line 386 of the UsernameToken profile spec: http://docs.oasis-open.org/wss/v1.1/wss-v1.1-spec-os-UsernameTokenProfile.pdf, the password is always UTF-8 encoded.
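
An added example, not part of the original report and not Metro's or CXF's code, showing why the charset matters: the same password yields a different 160-bit key as soon as it contains a non-ASCII character and the two sides encode it differently. The `deriveKey` helper, the all-zero salt, the iteration count and the sample passwords are assumptions constructed for the demonstration; ISO-8859-1 stands in for a platform whose default charset is not UTF-8.

```java
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;

public class DerivedKeyCharsetDemo {

    // Hypothetical helper (not Metro's or CXF's code): SHA-1 over the password
    // bytes with the salt appended, then the digest re-hashed until `iterations`
    // rounds have run. The result is a 160-bit key.
    static byte[] deriveKey(String password, Charset cs, byte[] salt, int iterations)
            throws Exception {
        MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
        sha1.update(password.getBytes(cs)); // the charset decides these bytes
        byte[] key = sha1.digest(salt);     // final update with salt, then reset
        for (int i = 1; i < iterations; i++) {
            key = sha1.digest(key);
        }
        return key;
    }

    static String hex(byte[] b) {
        StringBuilder sb = new StringBuilder();
        for (byte x : b) sb.append(String.format("%02x", x));
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        byte[] salt = new byte[16];   // constructed all-zero salt, demo only
        int iterations = 1000;        // constructed iteration count, demo only
        // Constructed passwords: one pure ASCII, one with non-ASCII letters.
        String[] passwords = { "password", "p\u00e4ssw\u00f6rd" };

        System.out.println("platform default charset: " + Charset.defaultCharset());
        for (String pw : passwords) {
            byte[] utf8 = deriveKey(pw, StandardCharsets.UTF_8, salt, iterations);
            // ISO-8859-1 stands in for a platform whose default is not UTF-8.
            byte[] latin1 = deriveKey(pw, StandardCharsets.ISO_8859_1, salt, iterations);
            // What a bare getBytes() would produce on this machine.
            byte[] dflt = deriveKey(pw, Charset.defaultCharset(), salt, iterations);

            System.out.println(pw);
            System.out.println("  UTF-8 key      : " + hex(utf8));
            System.out.println("  ISO-8859-1 key : " + hex(latin1));
            System.out.println("  UTF-8 == ISO-8859-1 : " + Arrays.equals(utf8, latin1));
            System.out.println("  UTF-8 == default    : " + Arrays.equals(utf8, dflt));
        }
    }
}
```

The ASCII password gives identical keys under both encodings, which is why this kind of mismatch passes interoperability tests that use ASCII-only credentials; running with `-Dfile.encoding=ISO-8859-1` shows the "default" comparison flip for the non-ASCII password.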

        Activity

        symonchang added a comment -

        Same as WSIT-1663, UsernameToken auth w/password derived keys is not a preferred scenario in the real world. Using Encrypted UsernameToken is recommended instead.

        Martin Grebac added a comment -

        Symon, this as well appears well digested and simple to fix - could we address this? The scenario is one of the metro-default-defined ones, also exposed within NetBeans.


          People

          • Assignee: symonchang
          • Reporter: gmazza
          • Votes: 0
          • Watchers: 2