
Cisco Bug: CSCvu18005 - Checking for CiscoJ(CiscoJCEProvider.jar) support for Stronger algorithms like sha256

Last Modified

Jun 16, 2020

Products (1)

  • Cisco Unified Communications Manager (CallManager)

Known Affected Releases

12.5(1.13000.75)

Description (partial)

Symptom:
SSO login fails when using a stronger encryption algorithm during SSO login.

Log trace as below:
2020-02-21 13:08:37,043 INFO  [http-bio-8443-exec-77] filter.SSOAuthAgentFilter - Relay url does not contain /oauth/authorize, redirecting to /ssosp/pages/userconfirmation.jsp?redirectUrl=/ssosp/saml/login?relayurl=%2Fccmadmin%2FshowHome.do
2020-02-21 13:08:37,116 INFO  [http-bio-443-exec-84] utils.PropertiesFileUtil - No need, it's already loaded :ssoconfig.properties
2020-02-21 13:08:37,117 INFO  [http-bio-443-exec-84] utils.PropertiesFileUtil - Loading the properties file content :ssoconfig.properties
2020-02-21 13:08:37,117 INFO  [http-bio-443-exec-84] api.SAMLSSOManager - from properties file samlPlatformManagerImplClassName: com.cisco.vos.platform.api.manager.SAMLPlatformManager
2020-02-21 13:08:37,117 INFO  [http-bio-443-exec-84] api.SAMLSSOManager - loaded samlPlatformManagerImplClassName: com.cisco.vos.platform.api.manager.SAMLPlatformManager
2020-02-21 13:08:37,118 INFO  [http-bio-443-exec-84] utils.PropertiesFileUtil - No need, it's already loaded :ssoconfig.properties
2020-02-21 13:08:37,118 INFO  [http-bio-443-exec-84] utils.PropertiesFileUtil - Loading the properties file content :ssoconfig.properties
2020-02-21 13:08:37,125 INFO  [http-bio-443-exec-84] app.SSOConfigManager - Operation :getAcsUrlIndex
2020-02-21 13:08:37,125 INFO  [http-bio-443-exec-84] api.SAMLSSOManager - successfully executed executeCommand for API - getAcsUrlIndex
2020-02-21 13:08:37,125 INFO  [http-bio-443-exec-84] authentication.SAMLAuthenticator - SAMLAuthenticator:validateIDPXMLForExpiredCertificate:Begin
2020-02-21 13:08:37,126 INFO  [http-bio-443-exec-84] utils.PropertiesFileUtil - No need, it's already loaded :ssoconfig.properties
2020-02-21 13:08:37,126 INFO  [http-bio-443-exec-84] utils.PropertiesFileUtil - Loading the properties file content :ssoconfig.properties
2020-02-21 13:08:37,129 INFO  [http-bio-443-exec-84] authentication.SAMLAuthenticator - SAMLAuthenticator:validateIDPXML:Begin
2020-02-21 13:08:37,129 INFO  [http-bio-443-exec-84] authentication.SAMLAuthenticator - SAMLAuthenticator:validateIDPXML:End
2020-02-21 13:08:37,129 INFO  [http-bio-443-exec-84] authentication.SAMLAuthenticator - SAMLAuthenticator:validateIDPXMLForExpiredCertificate:End
2020-02-21 13:08:44,766 ERROR [http-bio-8443-exec-89] authentication.SAMLAuthenticator - Error while processing saml responseCipher failed in Final
java.lang.RuntimeException: Cipher failed in Final
	at com.cisco.ciscossl.provider.ciscojce.ciphers.CiscoSSLAsymmetricCipher.doFinal(Native Method)
	at com.cisco.ciscossl.provider.ciscojce.ciphers.CiscoSSLAsymmetricCipher.engineDoFinal(CiscoSSLAsymmetricCipher.java:133)
	at com.cisco.ciscossl.provider.ciscojce.ciphers.CiscoSSLAsymmetricCipher.engineUnwrap(CiscoSSLAsymmetricCipher.java:340)
	at javax.crypto.Cipher.unwrap(Cipher.java:2341)
	at com.sun.org.apache.xml.internal.security.encryption.XMLCipher.decryptKey(XMLCipher.java:1478)
	at com.sun.identity.saml2.xmlenc.FMEncProvider.decrypt(FMEncProvider.java:663)
	at com.sun.identity.saml2.assertion.impl.EncryptedAssertionImpl.decrypt(EncryptedAssertionImpl.java:123)
	at com.sun.identity.saml2.common.SAML2Utils.verifyResponse(SAML2Utils.java:514)
	at com.sun.identity.saml2.profile.SPACSUtils.processResponse(SPACSUtils.java:1051)
	at com.sun.identity.saml2.profile.SPACSUtils.processResponseForFedlet(SPACSUtils.java:2108)
	at com.cisco.cpi.sso.saml.sp.security.authentication.SAMLAuthenticator.processResponse(SAMLAuthenticator.java:96)
	at com.cisco.cpi.sso.saml.sp.security.authentication.SAMLAuthenticator.process(SAMLAuthenticator.java:80)
	at com.cisco.cpi.sso.saml.sp.security.filter.SamlFilter.doFilter(SamlFilter.java:63)

Conditions:
SSO fails when using a Key Transport Algorithm other than http://www.w3.org/2001/04/xmlenc#rsa-1_5. I have attached the log trace where we are getting an exception from CiscoJCEProvider.jar while decrypting the key. I have also attached a CUCM metadata file where we are adding encryption algorithms.

Please see the scenario below:

We have tried adding the "rsa-oaep-mgf1p" as below to my CUCM metadata. This works fine.

<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
</EncryptionMethod>

However, I also tried adding the "rsa-oaep" with the same digest and mask generation function as below to my CUCM metadata. This too, works fine.

<EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#rsa-oaep">
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<xenc11:MGF Algorithm="http://www.w3.org/2009/xmlenc11#mgf1sha1" xmlns:xenc11="http://www.w3.org/2009/xmlenc11#"/>
</EncryptionMethod>

If I change either the digest or the mask generation function to a stronger one, e.g. the digest to sha256 and/or the mask generation function to mgf1sha256, I get "Cipher failed in Final".
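The failure above surfaces in javax.crypto.Cipher.unwrap, i.e. in the JCE provider's RSA-OAEP key-transport step, before any SAML-level processing. The probe below is an added example, not code from Cisco or from the CUCM/CiscoJ code base: it wraps and unwraps an AES key with RSA-OAEP for each digest/MGF1 combination named in the metadata snippets, so a provider's support for the stronger parameters can be checked on its own, without an IdP round trip. The class name, the method names and the optional provider-name argument are assumptions of this example; with no argument it exercises the JVM's default provider chain. The mapping of the XML Encryption URIs to OAEPParameterSpec values follows the XML Encryption 1.0/1.1 specifications (rsa-oaep-mgf1p fixes MGF1 to SHA-1; xmlenc11 rsa-oaep takes the digest from DigestMethod and the MGF from xenc11:MGF).

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Provider;
import java.security.Security;
import java.security.spec.MGF1ParameterSpec;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.OAEPParameterSpec;
import javax.crypto.spec.PSource;

/** Hypothetical probe class (not part of CUCM or CiscoJ). */
public class OaepKeyTransportProbe {

    // Digest / MGF1 combinations as they would appear in SAML metadata:
    //   DigestMethod xmldsig#sha1  + xenc11#mgf1sha1   -> reported working
    //   DigestMethod xmlenc#sha256 + xenc11#mgf1sha256 -> reported "Cipher failed in Final"
    private static final String[][] COMBOS = {
        {"SHA-1",   "SHA-1"},
        {"SHA-256", "SHA-1"},
        {"SHA-1",   "SHA-256"},
        {"SHA-256", "SHA-256"},
    };

    private static MGF1ParameterSpec mgf1(String digest) {
        return "SHA-256".equals(digest) ? MGF1ParameterSpec.SHA256 : MGF1ParameterSpec.SHA1;
    }

    private static Cipher oaepCipher(Provider provider) throws Exception {
        // Same transformation the SAML decrypt path ends up in via Cipher.unwrap.
        return provider == null
            ? Cipher.getInstance("RSA/ECB/OAEPPadding")
            : Cipher.getInstance("RSA/ECB/OAEPPadding", provider);
    }

    /**
     * Wraps a fresh AES key under RSA-OAEP with the given digest/MGF1 digest and unwraps it again.
     * Returns null when the round trip succeeds, otherwise the exception text, so that an
     * unsupported parameter set shows up the same way it does in the SSO log.
     */
    static String probe(Provider provider, KeyPair rsa, SecretKey aes, String digest, String mgfDigest) {
        OAEPParameterSpec spec =
            new OAEPParameterSpec(digest, "MGF1", mgf1(mgfDigest), PSource.PSpecified.DEFAULT);
        try {
            Cipher wrap = oaepCipher(provider);
            wrap.init(Cipher.WRAP_MODE, rsa.getPublic(), spec);
            byte[] wrapped = wrap.wrap(aes);

            Cipher unwrap = oaepCipher(provider);
            unwrap.init(Cipher.UNWRAP_MODE, rsa.getPrivate(), spec);
            SecretKey recovered = (SecretKey) unwrap.unwrap(wrapped, "AES", Cipher.SECRET_KEY);

            return Arrays.equals(aes.getEncoded(), recovered.getEncoded())
                ? null : "unwrapped key does not match the wrapped key";
        } catch (Exception e) {
            return e.getClass().getSimpleName() + ": " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Optional argument: name of an installed JCE provider to test in isolation
        // (assumption of this example; the default provider chain is used otherwise).
        Provider provider = null;
        if (args.length > 0) {
            provider = Security.getProvider(args[0]);
            if (provider == null) {
                System.err.println("No such provider installed: " + args[0]);
                return;
            }
        }

        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair rsa = kpg.generateKeyPair();

        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey aes = kg.generateKey();

        System.out.println("Provider under test: " + (provider == null ? "(default chain)" : provider.getName()));
        for (String[] c : COMBOS) {
            String result = probe(provider, rsa, aes, c[0], c[1]);
            System.out.printf("digest=%-7s mgf1=%-7s -> %s%n",
                c[0], c[1], result == null ? "OK" : "FAIL (" + result + ")");
        }
    }
}
```

Run it once against the default chain and once with the name of the provider that backs CiscoJCEProvider.jar on the system (look it up with Security.getProviders() if unsure); a row that reads OK in the first run and FAIL in the second isolates the limitation to that provider rather than to the metadata or the IdP. Until a fixed release is in place, the rows that pass correspond to the EncryptionMethod parameters the SP metadata can safely advertise.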