JDK-8017173 : XMLCipher with RSA_OAEP Key Transport algorithm can't be instantiated
  • Type: Bug
  • Component: security-libs
  • Sub-Component: javax.xml.crypto
  • Affected Version: 6u51,7u25
  • Priority: P2
  • Status: Closed
  • Resolution: Fixed
  • OS: generic
  • Submitted: 2013-06-20
  • Updated: 2013-10-09
  • Resolved: 2013-07-11
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
JDK 6 JDK 7
6u75Fixed 7u40 b34Fixed
Related Reports
Relates :  
Relates :  
Description
FULL PRODUCT VERSION :
Java(TM) SE Runtime Environment (build 1.7.0_25-b16)
Java HotSpot(TM) 64-Bit Server VM (build 23.25-b01, mixed mode sharing)

error present also in other versions java 7 update 25

ADDITIONAL OS VERSION INFORMATION :
Microsoft Windows 8 64bit [Version 6.2.9200]

A DESCRIPTION OF THE PROBLEM :
I have the software based on jax-ws services that was built in NetBeans. Software uses Standard Encription  " Username Authentication with Symmetric key " , and algorithm site: Basic 128. Everything built like standard netbeans Sample  " Secured Calculator " , but with one difference: My client is standalone swing application.

Prior java7 update 25 everything worked fine but after update i got exception printed below. By the way, to reproduce exception you don't need server side of jax-ws, it appeared in the client part before connecting to the server side.

REGRESSION.  Last worked in version 7u21

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
use netbeans IDE
1) create sample existed in netbeans: secured calculator
2) delete client part.
3) Create standalone java application
4) add webservice client from secured calculator wsdl
5) activate security of web service client using standard login, pasword and glassfish cacerts file (you can get config from deleted secured calculator client)
6) run the client.
And you will get Exception !!!


EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
Please fix this bug in the next update of java !
ACTUAL -
  Program doesn't work !!!

ERROR MESSAGES/STACK TRACES THAT OCCUR :
[com.sun.xml.ws.policy.jaxws.PolicyConfigParser]  parse
INFO: WSP5018: Loaded WSIT configuration from file: file:/D:/Project/delCl/build/classes/META-INF/wsit-client.xml.
???? 20, 2013 8:00:25 AM com.sun.xml.ws.security.opt.impl.enc.CryptoProcessor getCipherValueOfEK
SEVERE: WSS1904: Unable to compute Cipher Value / decrypt key as http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p algorithm is not supported for key encryption
java.security.NoSuchAlgorithmException: Cannot find any provider supporting RSA/ECB/OAEPPadding
at javax.crypto.Cipher.getInstance(Cipher.java:524)
at com.sun.xml.ws.security.opt.impl.enc.CryptoProcessor.initCipher(CryptoProcessor.java:124)
at com.sun.xml.ws.security.opt.impl.enc.CryptoProcessor.getCipherValueOfEK(CryptoProcessor.java:166)
at com.sun.xml.ws.security.opt.impl.enc.JAXBEncryptedKey.getCipherValue(JAXBEncryptedKey.java:274)
at com.sun.xml.ws.security.opt.impl.keyinfo.SymmetricTokenBuilder.process(SymmetricTokenBuilder.java:255)
at com.sun.xml.ws.security.opt.impl.dsig.TokenProcessor.process(TokenProcessor.java:190)
at com.sun.xml.ws.security.opt.impl.dsig.SignatureProcessor.sign(SignatureProcessor.java:109)
at com.sun.xml.wss.impl.filter.SignatureFilter.sign(SignatureFilter.java:631)
at com.sun.xml.wss.impl.filter.SignatureFilter.process(SignatureFilter.java:589)
at com.sun.xml.wss.impl.HarnessUtil.processWSSPolicy(HarnessUtil.java:93)
at com.sun.xml.wss.impl.HarnessUtil.processDeep(HarnessUtil.java:272)
at com.sun.xml.wss.impl.SecurityAnnotator.processMessagePolicy(SecurityAnnotator.java:189)
at com.sun.xml.wss.impl.SecurityAnnotator.secureMessage(SecurityAnnotator.java:150)
at com.sun.xml.wss.jaxws.impl.SecurityTubeBase.secureOutboundMessage(SecurityTubeBase.java:397)
at com.sun.xml.wss.jaxws.impl.SecurityClientTube.processClientRequestPacket(SecurityClientTube.java:311)
at com.sun.xml.wss.jaxws.impl.SecurityClientTube.processRequest(SecurityClientTube.java:240)
at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:629)
at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:588)
at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:573)
at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:470)
at com.sun.xml.ws.client.Stub.process(Stub.java:319)
at com.sun.xml.ws.client.sei.SEIStub.doProcess(SEIStub.java:157)
at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:109)
at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:89)
at com.sun.xml.ws.client.sei.SEIStub.invoke(SEIStub.java:140)
at com.sun.proxy.$Proxy42.getSystemVersion(Unknown Source)
at delcl.DelCl.getSystemVersion(DelCl.java:23)
at delcl.DelCl.main(DelCl.java:17)

???? 20, 2013 8:00:25 AM com.sun.xml.ws.security.opt.impl.dsig.SignatureProcessor sign
SEVERE: WSS1701: Sign operation failed.
com.sun.xml.wss.impl.XWSSecurityRuntimeException: java.security.NoSuchAlgorithmException: Cannot find any provider supporting RSA/ECB/OAEPPadding
at com.sun.xml.ws.security.opt.impl.enc.CryptoProcessor.getCipherValueOfEK(CryptoProcessor.java:172)
at com.sun.xml.ws.security.opt.impl.enc.JAXBEncryptedKey.getCipherValue(JAXBEncryptedKey.java:274)
at com.sun.xml.ws.security.opt.impl.keyinfo.SymmetricTokenBuilder.process(SymmetricTokenBuilder.java:255)
at com.sun.xml.ws.security.opt.impl.dsig.TokenProcessor.process(TokenProcessor.java:190)
at com.sun.xml.ws.security.opt.impl.dsig.SignatureProcessor.sign(SignatureProcessor.java:109)
at com.sun.xml.wss.impl.filter.SignatureFilter.sign(SignatureFilter.java:631)
at com.sun.xml.wss.impl.filter.SignatureFilter.process(SignatureFilter.java:589)
at com.sun.xml.wss.impl.HarnessUtil.processWSSPolicy(HarnessUtil.java:93)
at com.sun.xml.wss.impl.HarnessUtil.processDeep(HarnessUtil.java:272)
at com.sun.xml.wss.impl.SecurityAnnotator.processMessagePolicy(SecurityAnnotator.java:189)
at com.sun.xml.wss.impl.SecurityAnnotator.secureMessage(SecurityAnnotator.java:150)
at com.sun.xml.wss.jaxws.impl.SecurityTubeBase.secureOutboundMessage(SecurityTubeBase.java:397)
at com.sun.xml.wss.jaxws.impl.SecurityClientTube.processClientRequestPacket(SecurityClientTube.java:311)
at com.sun.xml.wss.jaxws.impl.SecurityClientTube.processRequest(SecurityClientTube.java:240)
at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:629)
at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:588)
at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:573)
at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:470)
at com.sun.xml.ws.client.Stub.process(Stub.java:319)
at com.sun.xml.ws.client.sei.SEIStub.doProcess(SEIStub.java:157)
at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:109)
at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:89)
at com.sun.xml.ws.client.sei.SEIStub.invoke(SEIStub.java:140)
at com.sun.proxy.$Proxy42.getSystemVersion(Unknown Source)
at delcl.DelCl.getSystemVersion(DelCl.java:23)
at delcl.DelCl.main(DelCl.java:17)
Caused by: java.security.NoSuchAlgorithmException: Cannot find any provider supporting RSA/ECB/OAEPPadding
at javax.crypto.Cipher.getInstance(Cipher.java:524)
at com.sun.xml.ws.security.opt.impl.enc.CryptoProcessor.initCipher(CryptoProcessor.java:124)
at com.sun.xml.ws.security.opt.impl.enc.CryptoProcessor.getCipherValueOfEK(CryptoProcessor.java:166)
... 25 more

???? 20, 2013 8:00:25 AM com.sun.xml.wss.jaxws.impl.SecurityTubeBase secureOutboundMessage
SEVERE: WSSTUBE0024: Error in Securing Outbound Message.
com.sun.xml.wss.XWSSecurityException: com.sun.xml.wss.impl.XWSSecurityRuntimeException: java.security.NoSuchAlgorithmException: Cannot find any provider supporting RSA/ECB/OAEPPadding
at com.sun.xml.ws.security.opt.impl.dsig.SignatureProcessor.sign(SignatureProcessor.java:140)
at com.sun.xml.wss.impl.filter.SignatureFilter.sign(SignatureFilter.java:631)
at com.sun.xml.wss.impl.filter.SignatureFilter.process(SignatureFilter.java:589)
at com.sun.xml.wss.impl.HarnessUtil.processWSSPolicy(HarnessUtil.java:93)
at com.sun.xml.wss.impl.HarnessUtil.processDeep(HarnessUtil.java:272)
at com.sun.xml.wss.impl.SecurityAnnotator.processMessagePolicy(SecurityAnnotator.java:189)
at com.sun.xml.wss.impl.SecurityAnnotator.secureMessage(SecurityAnnotator.java:150)
at com.sun.xml.wss.jaxws.impl.SecurityTubeBase.secureOutboundMessage(SecurityTubeBase.java:397)
at com.sun.xml.wss.jaxws.impl.SecurityClientTube.processClientRequestPacket(SecurityClientTube.java:311)
at com.sun.xml.wss.jaxws.impl.SecurityClientTube.processRequest(SecurityClientTube.java:240)
at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:629)
at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:588)
at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:573)
at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:470)
at com.sun.xml.ws.client.Stub.process(Stub.java:319)
at com.sun.xml.ws.client.sei.SEIStub.doProcess(SEIStub.java:157)
at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:109)
at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:89)
at com.sun.xml.ws.client.sei.SEIStub.invoke(SEIStub.java:140)
at com.sun.proxy.$Proxy42.getSystemVersion(Unknown Source)
at delcl.DelCl.getSystemVersion(DelCl.java:23)
at delcl.DelCl.main(DelCl.java:17)
Caused by: com.sun.xml.wss.impl.XWSSecurityRuntimeException: java.security.NoSuchAlgorithmException: Cannot find any provider supporting RSA/ECB/OAEPPadding
at com.sun.xml.ws.security.opt.impl.enc.CryptoProcessor.getCipherValueOfEK(CryptoProcessor.java:172)
at com.sun.xml.ws.security.opt.impl.enc.JAXBEncryptedKey.getCipherValue(JAXBEncryptedKey.java:274)
at com.sun.xml.ws.security.opt.impl.keyinfo.SymmetricTokenBuilder.process(SymmetricTokenBuilder.java:255)
at com.sun.xml.ws.security.opt.impl.dsig.TokenProcessor.process(TokenProcessor.java:190)
at com.sun.xml.ws.security.opt.impl.dsig.SignatureProcessor.sign(SignatureProcessor.java:109)
... 21 more
Caused by: java.security.NoSuchAlgorithmException: Cannot find any provider supporting RSA/ECB/OAEPPadding
at javax.crypto.Cipher.getInstance(Cipher.java:524)
at com.sun.xml.ws.security.opt.impl.enc.CryptoProcessor.initCipher(CryptoProcessor.java:124)
at com.sun.xml.ws.security.opt.impl.enc.CryptoProcessor.getCipherValueOfEK(CryptoProcessor.java:166)
... 25 more

???? 20, 2013 8:00:25 AM com.sun.xml.wss.jaxws.impl.SecurityClientTube processClientRequestPacket
SEVERE: WSSTUBE0024: Error in Securing Outbound Message.
com.sun.xml.wss.impl.WssSoapFaultException: com.sun.xml.wss.impl.XWSSecurityRuntimeException: java.security.NoSuchAlgorithmException: Cannot find any provider supporting RSA/ECB/OAEPPadding
at com.sun.xml.wss.impl.SecurableSoapMessage.newSOAPFaultException(SecurableSoapMessage.java:336)
at com.sun.xml.wss.jaxws.impl.SecurityTubeBase.secureOutboundMessage(SecurityTubeBase.java:402)
at com.sun.xml.wss.jaxws.impl.SecurityClientTube.processClientRequestPacket(SecurityClientTube.java:311)
at com.sun.xml.wss.jaxws.impl.SecurityClientTube.processRequest(SecurityClientTube.java:240)
at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:629)
at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:588)
at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:573)
at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:470)
at com.sun.xml.ws.client.Stub.process(Stub.java:319)
at com.sun.xml.ws.client.sei.SEIStub.doProcess(SEIStub.java:157)
at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:109)
at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:89)
at com.sun.xml.ws.client.sei.SEIStub.invoke(SEIStub.java:140)
at com.sun.proxy.$Proxy42.getSystemVersion(Unknown Source)
at delcl.DelCl.getSystemVersion(DelCl.java:23)
at delcl.DelCl.main(DelCl.java:17)
Caused by: com.sun.xml.wss.XWSSecurityException: com.sun.xml.wss.impl.XWSSecurityRuntimeException: java.security.NoSuchAlgorithmException: Cannot find any provider supporting RSA/ECB/OAEPPadding
at com.sun.xml.ws.security.opt.impl.dsig.SignatureProcessor.sign(SignatureProcessor.java:140)
at com.sun.xml.wss.impl.filter.SignatureFilter.sign(SignatureFilter.java:631)
at com.sun.xml.wss.impl.filter.SignatureFilter.process(SignatureFilter.java:589)
at com.sun.xml.wss.impl.HarnessUtil.processWSSPolicy(HarnessUtil.java:93)
at com.sun.xml.wss.impl.HarnessUtil.processDeep(HarnessUtil.java:272)
at com.sun.xml.wss.impl.SecurityAnnotator.processMessagePolicy(SecurityAnnotator.java:189)
at com.sun.xml.wss.impl.SecurityAnnotator.secureMessage(SecurityAnnotator.java:150)
at com.sun.xml.wss.jaxws.impl.SecurityTubeBase.secureOutboundMessage(SecurityTubeBase.java:397)
... 14 more
Caused by: com.sun.xml.wss.impl.XWSSecurityRuntimeException: java.security.NoSuchAlgorithmException: Cannot find any provider supporting RSA/ECB/OAEPPadding
at com.sun.xml.ws.security.opt.impl.enc.CryptoProcessor.getCipherValueOfEK(CryptoProcessor.java:172)
at com.sun.xml.ws.security.opt.impl.enc.JAXBEncryptedKey.getCipherValue(JAXBEncryptedKey.java:274)
at com.sun.xml.ws.security.opt.impl.keyinfo.SymmetricTokenBuilder.process(SymmetricTokenBuilder.java:255)
at com.sun.xml.ws.security.opt.impl.dsig.TokenProcessor.process(TokenProcessor.java:190)
at com.sun.xml.ws.security.opt.impl.dsig.SignatureProcessor.sign(SignatureProcessor.java:109)
... 21 more
Caused by: java.security.NoSuchAlgorithmException: Cannot find any provider supporting RSA/ECB/OAEPPadding
at javax.crypto.Cipher.getInstance(Cipher.java:524)
at com.sun.xml.ws.security.opt.impl.enc.CryptoProcessor.initCipher(CryptoProcessor.java:124)
at com.sun.xml.ws.security.opt.impl.enc.CryptoProcessor.getCipherValueOfEK(CryptoProcessor.java:166)
... 25 more

Exception in thread  " main "  javax.xml.ws.WebServiceException: WSSTUBE0024: Error in Securing Outbound Message.
at com.sun.xml.wss.jaxws.impl.SecurityClientTube.processClientRequestPacket(SecurityClientTube.java:316)
at com.sun.xml.wss.jaxws.impl.SecurityClientTube.processRequest(SecurityClientTube.java:240)
at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:629)
at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:588)
at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:573)
at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:470)
at com.sun.xml.ws.client.Stub.process(Stub.java:319)
at com.sun.xml.ws.client.sei.SEIStub.doProcess(SEIStub.java:157)
at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:109)
at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:89)
at com.sun.xml.ws.client.sei.SEIStub.invoke(SEIStub.java:140)
at com.sun.proxy.$Proxy42.getSystemVersion(Unknown Source)
at delcl.DelCl.getSystemVersion(DelCl.java:23)
at delcl.DelCl.main(DelCl.java:17)
Caused by: javax.xml.ws.soap.SOAPFaultException: com.sun.xml.wss.impl.XWSSecurityRuntimeException: java.security.NoSuchAlgorithmException: Cannot find any provider supporting RSA/ECB/OAEPPadding
at com.sun.xml.wss.jaxws.impl.SecurityTubeBase.getSOAPFaultException(SecurityTubeBase.java:674)
... 14 more
Caused by: com.sun.xml.wss.impl.WssSoapFaultException: com.sun.xml.wss.impl.XWSSecurityRuntimeException: java.security.NoSuchAlgorithmException: Cannot find any provider supporting RSA/ECB/OAEPPadding
at com.sun.xml.wss.impl.SecurableSoapMessage.newSOAPFaultException(SecurableSoapMessage.java:336)
at com.sun.xml.wss.jaxws.impl.SecurityTubeBase.secureOutboundMessage(SecurityTubeBase.java:402)
at com.sun.xml.wss.jaxws.impl.SecurityClientTube.processClientRequestPacket(SecurityClientTube.java:311)
... 13 more
Caused by: com.sun.xml.wss.XWSSecurityException: com.sun.xml.wss.impl.XWSSecurityRuntimeException: java.security.NoSuchAlgorithmException: Cannot find any provider supporting RSA/ECB/OAEPPadding
at com.sun.xml.ws.security.opt.impl.dsig.SignatureProcessor.sign(SignatureProcessor.java:140)
at com.sun.xml.wss.impl.filter.SignatureFilter.sign(SignatureFilter.java:631)
at com.sun.xml.wss.impl.filter.SignatureFilter.process(SignatureFilter.java:589)
at com.sun.xml.wss.impl.HarnessUtil.processWSSPolicy(HarnessUtil.java:93)
at com.sun.xml.wss.impl.HarnessUtil.processDeep(HarnessUtil.java:272)
at com.sun.xml.wss.impl.SecurityAnnotator.processMessagePolicy(SecurityAnnotator.java:189)
at com.sun.xml.wss.impl.SecurityAnnotator.secureMessage(SecurityAnnotator.java:150)
at com.sun.xml.wss.jaxws.impl.SecurityTubeBase.secureOutboundMessage(SecurityTubeBase.java:397)
... 14 more
Caused by: com.sun.xml.wss.impl.XWSSecurityRuntimeException: java.security.NoSuchAlgorithmException: Cannot find any provider supporting RSA/ECB/OAEPPadding
at com.sun.xml.ws.security.opt.impl.enc.CryptoProcessor.getCipherValueOfEK(CryptoProcessor.java:172)
at com.sun.xml.ws.security.opt.impl.enc.JAXBEncryptedKey.getCipherValue(JAXBEncryptedKey.java:274)
at com.sun.xml.ws.security.opt.impl.keyinfo.SymmetricTokenBuilder.process(SymmetricTokenBuilder.java:255)
at com.sun.xml.ws.security.opt.impl.dsig.TokenProcessor.process(TokenProcessor.java:190)
at com.sun.xml.ws.security.opt.impl.dsig.SignatureProcessor.sign(SignatureProcessor.java:109)
... 21 more
Caused by: java.security.NoSuchAlgorithmException: Cannot find any provider supporting RSA/ECB/OAEPPadding
at javax.crypto.Cipher.getInstance(Cipher.java:524)
at com.sun.xml.ws.security.opt.impl.enc.CryptoProcessor.initCipher(CryptoProcessor.java:124)
at com.sun.xml.ws.security.opt.impl.enc.CryptoProcessor.getCipherValueOfEK(CryptoProcessor.java:166)
... 25 more

REPRODUCIBILITY :
This bug can be reproduced always.

---------- BEGIN SOURCE ----------
**To download source:** please go to the link bellow and select file menu after select download, you will download archive delCl.zip. it consists three folders 1)delCl -client part 2)delServ - server part 3)certs - certificates
Standard NetBeans project:

https://docs.google.com/file/d/0Bxah0w_hE4JZTy16YUZGREgzN2s/edit?usp=sharing
---------- END SOURCE ----------

CUSTOMER SUBMITTED WORKAROUND :
I didn't find the solution !
Comments
Verified with jdk 7u40 b34 on Windows x64 with regression test
29-07-2013

Hi Sean, I am OK to take it to 7u40 I see there is a test for the bug: http://cr.openjdk.java.net/~mullan/webrevs/8017173/webrev.00/ <http://cr.openjdk.java.net/%7Emullan/webrevs/8017173/webrev.00/>
11-07-2013

Need SQE-OK before approving
09-07-2013

I found a much simpler workaround. Before calling Init.init(), do the following: System.setProperty("com.sun.org.apache.xml.internal.security.resource.config", "resource/config.xml"); This overrides the builtin JCE algorithm mappings with those in the XML configuration file, which contain the proper mapping for our providers.
09-07-2013

7u40-critical-request justification: This bug fix is needed because it is a serious regression introduced in 7u25 and affects JAX-WS Metro applications. There is a workaround, but it requires modifications to the application code or Metro runtime. It is a one-line fix and is very low risk. It has been reviewed by Xuelei Fan and Vincent Ryan. A new regression test has been added. Pointer to review thread: http://mail.openjdk.java.net/pipermail/security-dev/2013-July/008112.html
09-07-2013

The code in JDK 8 handles this by first trying to instantiate a Cipher with "RSA/ECB/OAEPPadding", and then falls back to "RSA/ECB/OAEPWithSHA1AndMGF1Padding" if the algorithm can't be found. According to the standard algorithm names document at http://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#Cipher, "If OAEPPadding is used, Cipher objects are initialized with a javax.crypto.spec.OAEPParameterSpec object to supply values needed for OAEPPadding." However, this doesn't seem to work -- you must still also specify the full padding name, ex - OAEPWithSHA1AndMGF1Padding, so I will file a separate bug for that. For the 7u40 fix, it is much simpler to simply revert to always mapping the algorithm as "RSA/ECB/OAEPWithSHA1AndMGF1Padding". The JDK 8 code is a bit more involved and riskier to backport.
08-07-2013

A workaround for this issue: an application can invoke the following method to override the default JCE mapping, after Init.init is invoked, ex: com.sun.org.apache.xml.internal.security.Init.init(); com.sun.org.apache.xml.internal.security.algorithms.JCEMapper.register( com.sun.org.apache.xml.internal.security.encryption.XMLCipher.RSA_OAEP, new com.sun.org.apache.xml.internal.security.algorithms.JCEMapper.Algorithm( "RSA", "RSA/ECB/OAEPWithSHA1AndMGF1Padding", "KeyTransport")); com.sun.org.apache.xml.internal.security.encryption.XMLCipher.getInstance("http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p");
08-07-2013

Added 7u40-critical-watch label. Justification: serious regression introduced in 7u21, affects JAXWS Metro applications Workaround: none known as of yet Risk: low risk. Size of fix: small Test: new regression test to be added
08-07-2013

The fix for JDK-8011547 resolves this issue, but since that was only fixed in JDK 8, we need to extract the code from Apache Santuario 1.5.4 that just fixes this issue.
08-07-2013

This issue does not affect JDK 8. The fix for JDK-8011547 pulled in additional code from Apache Santuario release that resolved this issue.
08-07-2013

The Apache code that was pulled in as part of JDK-6741606 changed the mapping of the Cipher algorithm name of RSA/ECB/OAEPWithSHA1AndMGF1Padding to RSA/ECB/OAEPPadding. The latter algorithm is not supported by our provider. This change was made by one of the Apache committers. I don't know why this change was made yet but it needs to be reverted back to fix this issue.
20-06-2013