
In response to a security advisory (see http://cxf.apache.org/note-on-cve-2011-1096.html) regarding the RSA v1.5 key transport algorithm, both CXF and WSS4J projects have disallowed use of all related algorithms by default.

They have however supplied a configuration tag "ALLOW_RSA15_KEY_TRANSPORT_ALGORITHM" which should re-allow these algorithms (see https://ws.apache.org/wss4j/config.html).

Our problem is getting these frameworks (JBossWS / CXF / WSS4J) to accept/use this configuration setting. We have tried using:

  • jboss-webservice.xml
  • custom CXF interceptor (setting the param after CXF creates its WSS4J interceptor)
  • custom "hacked" WSS4J build (hardcoding the parameter to "true")

But none of these options seem to actually re-enable support for the RSA v1.5 key transport algorithms.

Does anyone have any idea as to how we could/should specify this configuration parameter?

B. Nossing

2 Answers


Here's a test I added to CXF:

https://git1-us-west.apache.org/repos/asf?p=cxf.git;a=commit;h=a73effb5

Note the server has set "allowRSA15KeyTransportAlgorithm" to "true".

Colm O hEigeartaigh

This setting is only applied if the WSHandlerConstants.ENCRYPT action is included in the actions for the interceptor.

For instance:

```java
import java.util.HashMap;
import java.util.Map;
import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
import org.apache.wss4j.dom.handler.WSHandlerConstants; // WSS4J 1.6.x: org.apache.ws.security.handler.WSHandlerConstants

Map<String, Object> inProps = new HashMap<>();
inProps.put(WSHandlerConstants.ALLOW_RSA15_KEY_TRANSPORT_ALGORITHM, "true");
// The flag is only honoured when the Encrypt action is in the action list
inProps.put(WSHandlerConstants.ACTION,
    WSHandlerConstants.ENCRYPT + " " +
    WSHandlerConstants.SIGNATURE);
WSS4JInInterceptor wss4JInInterceptor = new WSS4JInInterceptor(inProps);
```
rees
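As an added example (not code from either answer or from the CXF/WSS4J projects), here is the complete programmatic wiring for a CXF JAX-WS endpoint, which is where the asker's "custom interceptor" attempt has to end up: the allow flag is put in the same property map as an action list that contains Encrypt, and the interceptor is attached to the published endpoint. It assumes WSS4J 2.x package names; `LegacyServiceImpl`, `ServerPasswordCallback` and `server-crypto.properties` are placeholder names.

```java
import java.util.HashMap;
import java.util.Map;

import javax.xml.ws.Endpoint;

import org.apache.cxf.jaxws.EndpointImpl;
import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
import org.apache.wss4j.dom.handler.WSHandlerConstants;

public class Rsa15EndpointConfig {

    /**
     * Builds the inbound WSS4J property map. The allow flag is only
     * consulted while the Encrypt action processes an incoming
     * EncryptedKey, so a map whose action list lacks Encrypt leaves
     * RSA v1.5 key transport rejected no matter what the flag says.
     */
    static Map<String, Object> inboundProps(boolean includeEncryptAction) {
        Map<String, Object> props = new HashMap<>();
        String actions = WSHandlerConstants.SIGNATURE;
        if (includeEncryptAction) {
            actions = WSHandlerConstants.ENCRYPT + " " + actions;
        }
        props.put(WSHandlerConstants.ACTION, actions);
        props.put(WSHandlerConstants.ALLOW_RSA15_KEY_TRANSPORT_ALGORITHM, "true");
        // Keystore used to decrypt and to verify signatures, plus the callback
        // that unlocks the private key (placeholder file and class names).
        props.put(WSHandlerConstants.DEC_PROP_FILE, "server-crypto.properties");
        props.put(WSHandlerConstants.SIG_VER_PROP_FILE, "server-crypto.properties");
        props.put(WSHandlerConstants.PW_CALLBACK_CLASS,
                  ServerPasswordCallback.class.getName());
        return props;
    }

    public static void main(String[] args) {
        // Endpoint.publish returns CXF's EndpointImpl, which exposes the
        // interceptor chains; LegacyServiceImpl is a placeholder @WebService bean.
        EndpointImpl endpoint = (EndpointImpl) Endpoint.publish(
            "http://localhost:9000/legacyService", new LegacyServiceImpl());
        // Keep the relaxed setting on this one endpoint only; other endpoints
        // keep the default that rejects RSA v1.5 key transport.
        endpoint.getInInterceptors().add(
            new WSS4JInInterceptor(inboundProps(true)));
    }
}
```

Calling `inboundProps(false)` produces the map from the asker's situation: the flag is present but never reaches the decryption code path.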