[ https://issues.apache.org/jira/browse/CXF-3865?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
aman kohli updated CXF-3865:
----------------------------

    Attachment: cxf-wss4j-asym-crypto-soap.tgz

What's included:
* source code, keystores
* I removed the WS-Security elements from the WSDL as the problem still exists without it
* error log from client

$ mvn package

run server:
$ mvn exec:java -Dexec.mainClass=asymmetric.stub.StubCollectionService > log 2>&1

Client:
$ mvn exec:java -Dexec.mainClass=asymmetric.client.RegisterCollection -Dexec.args="http://localhost:9198/CitiWS/services/Collection/?wsdl"

> Asymmetric Encryption - alias is null during decryption using private key
> -------------------------------------------------------------------------
>
>                 Key: CXF-3865
>                 URL: https://issues.apache.org/jira/browse/CXF-3865
>             Project: CXF
>          Issue Type: Bug
>          Components: WS-* Components
>    Affects Versions: 2.2.10
>         Environment: actually 2.2.3 is the version
> running on mac osx lion and windows xp; java 1.6
>            Reporter: aman kohli
>         Attachments: cxf-wss4j-asym-crypto-soap.tgz
>
>
> As raised on the mailing list, Colm suggested I upload the test case here. This
> is the description from the mailing list:
> http://mail-archives.apache.org/mod_mbox/ws-users/201110.mbox/%3ccf458cb8-746a-4d98-a89f-9ad647aee...@yahoo.com%3E
>
> Running into a problem on the server implementation (a cxf soap server) of
> asymmetric encryption.
> The intention is the soap body is to be encrypted with the server's public
> key. The client (also using cxf) seems to be encrypting the message body ok.
> On receipt of the message, the server implementation raises an exception,
> with the reason the alias is null.
>
> Here's the stack:
>
> org.apache.ws.security.WSSecurityException: The signature or decryption was
> invalid; nested exception is:
>     java.lang.Exception: alias is null
>     at org.apache.ws.security.processor.EncryptedKeyProcessor.handleEncryptedKey(EncryptedKeyProcessor.java:330)
>     at org.apache.ws.security.processor.EncryptedKeyProcessor.handleEncryptedKey(EncryptedKeyProcessor.java:104)
>     at org.apache.ws.security.processor.EncryptedKeyProcessor.handleToken(EncryptedKeyProcessor.java:84)
>     at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:326)
>     at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:243)
>     at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:198)
>     at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:77)
>     at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:236)
>     at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:104)
>     at org.apache.cxf.transport.http_jetty.JettyHTTPDestination.serviceRequest(JettyHTTPDestination.java:302)
>     ...
> Caused by: java.lang.Exception: alias is null
>     at org.apache.ws.security.components.crypto.CryptoBase.getPrivateKey(CryptoBase.java:207)
>     at org.apache.ws.security.processor.EncryptedKeyProcessor.handleEncryptedKey(EncryptedKeyProcessor.java:328)
>     ... 22 more
>
> I added some println statements to the password callback on the server side
> to print out the type and id:
>
> *** password callback type 1 class org.apache.ws.security.WSPasswordCallback
> *** password callback id null
>
> The API is used to configure CXF and WSS4J and not the xml configuration. The
> messages are not being signed, nor are timestamps being used, just
> encryption/decryption. ep is the EndpointImpl:
>
>     Map<String,Object> inProps1 = new HashMap<String,Object>();
>     inProps1.put(WSHandlerConstants.ACTION, WSHandlerConstants.ENCRYPT);
>     inProps1.put(WSHandlerConstants.PW_CALLBACK_CLASS, PasswordCallbackHandler.class.getName());
>     inProps1.put(WSHandlerConstants.DEC_PROP_FILE, "server-security.properties");
>     inProps1.put(WSHandlerConstants.USER, "clientkey");
>     ep.getServer().getEndpoint().getInInterceptors().add(new WSS4JInInterceptor(inProps1));
>
> And the properties file is:
>
>     org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
>     org.apache.ws.security.crypto.merlin.keystore.type=jks
>     org.apache.ws.security.crypto.merlin.keystore.password=storepass
>     org.apache.ws.security.crypto.merlin.keystore.alias=clientkey
>     org.apache.ws.security.crypto.merlin.keystore.file=src/main/keystores/server-encypt.jks
>
> The server cert is self signed:
>
>     $ keytool -genkey -alias umpservice -keyalg RSA -sigalg SHA1withRSA -keypass ump-pass -storepass dummy-service -keystore server-encypt.jks -dname cn=localhost
>     $ keytool -genkey -alias clientkey -keyalg RSA -sigalg SHA1withRSA -keypass client-pass -storepass dummy-service -keystore ump-stub-keystore.jks -dname cn=umpd
>
> and the certificate was exported using the following:
>
>     $ keytool -export -rfc -keystore ump-stub-keystore.jks -storepass dummy-service -keypass client-pass -alias clientkey -file client-cert.cer
>
> This is the WSDL extract:
>
>     <wsp:Policy wsu:Id="AsymEncryption"
>         xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>         xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
>       <wsp:ExactlyOne>
>         <wsp:All>
>           <sp:AsymmetricBinding xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>             <wsp:Policy>
>               <sp:InitiatorToken>
>                 <wsp:Policy>
>                   <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
>                     <wsp:Policy>
>                       <!-- <sp:RequireThumbprintReference/> -->
>                     </wsp:Policy>
>                   </sp:X509Token>
>                 </wsp:Policy>
>               </sp:InitiatorToken>
>               <sp:RecipientToken>
>                 <wsp:Policy>
>                   <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
>                     <wsp:Policy>
>                       <!-- <sp:RequireThumbprintReference/> -->
>                     </wsp:Policy>
>                   </sp:X509Token>
>                 </wsp:Policy>
>               </sp:RecipientToken>
>               <sp:AlgorithmSuite>
>                 <wsp:Policy>
>                   <sp:TripleDesRsa15/>
>                 </wsp:Policy>
>               </sp:AlgorithmSuite>
>               <sp:Layout>
>                 <wsp:Policy>
>                   <sp:Strict/>
>                 </wsp:Policy>
>               </sp:Layout>
>               <!-- <sp:IncludeTimestamp/>
>                    <sp:OnlySignEntireHeadersAndBody/> -->
>             </wsp:Policy>
>           </sp:AsymmetricBinding>
>           <sp:EncryptedParts xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>             <sp:Body/>
>           </sp:EncryptedParts>
>         </wsp:All>
>       </wsp:ExactlyOne>
>     </wsp:Policy>
>     ...
>     <wsdl:binding name="CollectionImplServiceSoapBinding" type="tns:CollectionService">
>       <wsp:PolicyReference xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" URI="#AsymEncryption"/>
>
> And this is the incoming message:
>
>     <output>
>     INFO: Inbound Message
>     ----------------------------
>     ID: 1
>     Address: /FooWS/services/Collection/
>     Encoding: UTF-8
>     Content-Type: text/xml; charset=UTF-8
>     Headers: {content-type=[text/xml; charset=UTF-8], connection=[keep-alive], Host=[localhost:9198], Content-Length=[2549], SOAPAction=[""], User-Agent=[Apache CXF 2.2.3], Content-Type=[text/xml; charset=UTF-8], Accept=[*/*], Pragma=[no-cache], Cache-Control=[no-cache]}
>     Payload: <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><soap:Header><wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soap:mustUnderstand="1"><xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="EncKeyId-A77755F726FB2C832813189733820252"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" /><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>     <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><ds:X509Data>
>     <ds:X509IssuerSerial>
>     <ds:X509IssuerName>CN=umpd</ds:X509IssuerName>
>     <ds:X509SerialNumber>1316785867</ds:X509SerialNumber>
>     </ds:X509IssuerSerial>
>     </ds:X509Data></wsse:SecurityTokenReference>
>     </ds:KeyInfo><xenc:CipherData><xenc:CipherValue>FlnDsQHOdVw0AOZualC9D6HvNIl7Hr2zXqf6YTZV5c28QzhwsJnZHLrL49dVPeq0TGT5QeRylc5lSfkUnWqwLoRs/N7yspkktxshhz7CTu3zzqbo3f82nSAr6d7nLXaI+dsIlDAkmngV/4uOJk1TqavjZl
>     +7XW5XtxGHihzs5Zw=</xenc:CipherValue></xenc:CipherData><xenc:ReferenceList><xenc:DataReference URI="#EncDataId-1" /></xenc:ReferenceList></xenc:EncryptedKey></wsse:Security></soap:Header><soap:Body><xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="EncDataId-1" Type="http://www.w3.org/2001/04/xmlenc#Content"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" /><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>     <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><wsse:Reference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" URI="#EncKeyId-A77755F726FB2C832813189733820252" /></wsse:SecurityTokenReference>
>     </ds:KeyInfo><xenc:CipherData><xenc:CipherValue>Gbc/CYA8k1XJhCRYO8lA7rdxoUB6X4n7ZxfFSpxg437HUUjlaIImZ9vbX+UxxOuDKgEyN8TayBQR
>     WIl+7npAm1BkzB88XJLf3EoVQI3eJhctspIuUgj/VIoHh090fCdw3bZGPSikqXlNPzPn5BsJKa/F
>     7Q4MIXjgS7G7L4tBesgsNJEcBx7ftp6Slxw+iTSvudYcMQ5ZcQcl0a4o2NbohFUIc1HJhg4daq0c
>     LwvKit9owEQyMNkVXJV/vj6swU+gx9ltbFJJ4uqnx5zCA2obxOZzk61v+VX9ctotdP3/xLr/WHtz
>     dRPsTsM34zguG6vwRq+f1czBKtlkbaN4CxTZDvPkLgFSXX286ki452UWBIzqxaynCAL6tY1qgMYi
>     tDbQveW+suDbu4cwN4WtUUJdWmqGAOJOeXTXsmCqEcipN/eqod75QVbqzBrTBjpywNdhdxE2aBU/
>     wfXa1HMwhoKw9+Ul3st6I1tpuVbi+wK7amqGIwCo8URtdJEBzbu90g1uWfSgb/iIlrIyCk6vSIlB
>     XbLD3VZCx0nlqfaG5GZOaqz1mAxCAfnrYg5y9eGkxIMk</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData></soap:Body></soap:Envelope>
>     </output>
>
> On the client side, the WSS4J is set up as:
>
>     Map<String,Object> outProps1 = new HashMap<String,Object>();
>     outProps1.put(WSHandlerConstants.ACTION, WSHandlerConstants.ENCRYPT);
>     outProps1.put(WSHandlerConstants.PW_CALLBACK_CLASS, ClientCallbackHandler.class.getName());
>     outProps1.put(WSHandlerConstants.ENC_PROP_FILE, "client-crypto.properties");
>     outProps1.put(WSHandlerConstants.ENCRYPTION_USER, "servicekey");
>     cxfEndpoint.getOutInterceptors().add(new WSS4JOutInterceptor(outProps1));
>
> and the properties file is:
>
>     org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
>     org.apache.ws.security.crypto.merlin.keystore.type=jks
>     org.apache.ws.security.crypto.merlin.keystore.alias=servicekey
>     org.apache.ws.security.crypto.merlin.keystore.password=clientpass
>     org.apache.ws.security.crypto.merlin.file=src/main/keystores/client-store.jks
>
> and the cert was imported using the command:
>
>     $ keytool -import -trustcacerts -keystore client-store.jks -storepass clientpass -alias servicekey -file client-cert.cer
>
> Not sure what is going wrong, but there are a lot of steps, so maybe this is
> a simple error on my part.
>
> The CXF version is 2.2.3. If I need to redirect this to the cxf-users list,
> please let me know.
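A diagnostic for the failure described in this report, added here as an example; it is not part of CXF, WSS4J or the reporter's attachment. WSS4J resolves the `X509IssuerSerial` inside the inbound `xenc:EncryptedKey` to a keystore alias and then asks for that alias's private key, and `alias is null` is what surfaces when no entry matches. The script does the same lookup against a keystore as printed by `keytool -list -v`, and says per entry why it was rejected. The sample inputs are constructed: the SOAP document is a shortened copy of the inbound message quoted above; the three keytool listings stand in for the keystores the report's `keytool` commands produce, with serial numbers assumed (the CN=umpd entries are given the serial the message names, on the assumption that it is the `clientkey` certificate the report exports and then imports under the alias `servicekey`).

```python
"""Added diagnostic for the 'alias is null' failure reported above: which
certificate does the inbound xenc:EncryptedKey name, and does the decryption
keystore hold a private key for it?  Example code, not CXF or WSS4J."""
import xml.etree.ElementTree as ET

XENC = "http://www.w3.org/2001/04/xmlenc#"
DS = "http://www.w3.org/2000/09/xmldsig#"
WEAK_KEY_TRANSPORT = {XENC + "rsa-1_5"}  # PKCS#1 v1.5 padding: oracle-prone

def normalize_dn(dn):
    """DN as a tuple of (TYPE, value) RDNs, attribute types upper-cased."""
    return tuple((t.strip().upper(), v.strip())
                 for t, _, v in (p.partition("=") for p in dn.split(",")))

def dn_str(dn):
    return ",".join(f"{t}={v}" for t, v in dn or ())

def _algorithm(el):
    em = el.find(f"{{{XENC}}}EncryptionMethod")
    return None if em is None else em.get("Algorithm")

def parse_encrypted_key(soap_xml):
    """Key transport, X509IssuerSerial and data algorithms of the EncryptedKey."""
    root = ET.fromstring(soap_xml)
    ek = root.find(f".//{{{XENC}}}EncryptedKey")
    if ek is None:
        raise ValueError("no xenc:EncryptedKey in the message")
    issuer = ek.findtext(f".//{{{DS}}}X509IssuerName")
    serial = ek.findtext(f".//{{{DS}}}X509SerialNumber")
    if issuer is None or serial is None:
        raise ValueError("EncryptedKey KeyInfo carries no X509IssuerSerial")
    refs = {d.get("URI", "").lstrip("#") for d in ek.iter(f"{{{XENC}}}DataReference")}
    return {"key_transport": _algorithm(ek),
            "issuer": normalize_dn(issuer),
            "serial": int(serial.strip()),  # X509SerialNumber is decimal
            "data_algorithms": {ed.get("Id"): _algorithm(ed) for ed in
                                root.iter(f"{{{XENC}}}EncryptedData")
                                if ed.get("Id") in refs}}

_FIELDS = {"Entry type": "entry_type", "Issuer": "issuer", "Serial number": "serial"}

def parse_keytool_listing(text):
    """One dict per alias from 'keytool -list -v' output (first cert of a chain)."""
    entries, cur = [], None
    for line in text.splitlines():
        key, _, value = line.strip().partition(":")
        value = value.strip()
        if key == "Alias name":
            cur = {"alias": value, "entry_type": None, "issuer": None, "serial": None}
            entries.append(cur)
        elif cur is not None and key in _FIELDS and cur[_FIELDS[key]] is None:
            cur[_FIELDS[key]] = (int(value, 16) if key == "Serial number"  # keytool prints hex
                                 else normalize_dn(value) if key == "Issuer" else value)
    return entries

def diagnose(soap_xml, keytool_text):
    """Alias the issuer/serial lookup resolves to (None is the 'alias is null' case)."""
    ref = parse_encrypted_key(soap_xml)
    result = {"alias": None, "reasons": [], "reference": ref,
              "weak_key_transport": ref["key_transport"] in WEAK_KEY_TRANSPORT}
    for e in parse_keytool_listing(keytool_text):
        if e["issuer"] != ref["issuer"]:
            why = f"issuer {dn_str(e['issuer'])} != {dn_str(ref['issuer'])}"
        elif e["serial"] != ref["serial"]:
            why = f"serial {e['serial']} != {ref['serial']}"
        elif e["entry_type"] != "PrivateKeyEntry":
            why = f"certificate matches but entry is {e['entry_type']}, no private key"
        else:
            result["alias"] = e["alias"]
            return result
        result["reasons"].append(f"{e['alias']}: {why}")
    return result

INBOUND_SOAP = (  # constructed: the report's inbound message, cipher values shortened
    '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Header>'
    '<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-'
    'wssecurity-secext-1.0.xsd" soap:mustUnderstand="1"><xenc:EncryptedKey xmlns:xenc="'
    f'{XENC}" Id="EncKeyId-A77755F726FB2C832813189733820252"><xenc:EncryptionMethod '
    f'Algorithm="{XENC}rsa-1_5"/><ds:KeyInfo xmlns:ds="{DS}"><wsse:SecurityTokenReference>'
    '<ds:X509Data><ds:X509IssuerSerial><ds:X509IssuerName>CN=umpd</ds:X509IssuerName>'
    '<ds:X509SerialNumber>1316785867</ds:X509SerialNumber></ds:X509IssuerSerial></ds:X509Data>'
    '</wsse:SecurityTokenReference></ds:KeyInfo><xenc:CipherData><xenc:CipherValue>FlnDsQHO...'
    '</xenc:CipherValue></xenc:CipherData><xenc:ReferenceList><xenc:DataReference URI='
    '"#EncDataId-1"/></xenc:ReferenceList></xenc:EncryptedKey></wsse:Security></soap:Header>'
    f'<soap:Body><xenc:EncryptedData xmlns:xenc="{XENC}" Id="EncDataId-1" Type="{XENC}Content">'
    f'<xenc:EncryptionMethod Algorithm="{XENC}aes128-cbc"/><xenc:CipherData><xenc:CipherValue>'
    'Gbc/CYA8...</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData></soap:Body>'
    '</soap:Envelope>')

def _listing(alias, entry_type, dn, serial_hex):
    """Constructed 'keytool -list -v' output for a one-entry JKS keystore."""
    return (f"Keystore type: JKS\nKeystore provider: SUN\n\nYour keystore contains 1 entry\n\n"
            f"Alias name: {alias}\nEntry type: {entry_type}\nOwner: {dn}\nIssuer: {dn}\n"
            f"Serial number: {serial_hex}\nValid from: Fri Sep 23 2011 until: Thu Dec 22 2011\n")

# server-encypt.jks as the report's first keytool command creates it
# (alias umpservice, cn=localhost); serial number made up.
SERVER_KEYSTORE = _listing("umpservice", "PrivateKeyEntry", "CN=localhost", "4e7c8d10")
# ump-stub-keystore.jks (alias clientkey, cn=umpd); assumed to carry the serial
# 1316785867 (0x4e7c8ecb) that the captured message names.
STUB_KEYSTORE = _listing("clientkey", "PrivateKeyEntry", "CN=umpd", "4e7c8ecb")
# client-store.jks after 'keytool -import ... -alias servicekey': the same
# certificate as a trusted cert, without the private key.
CLIENT_TRUSTSTORE = _listing("servicekey", "trustedCertEntry", "CN=umpd", "4e7c8ecb")
```

Run against the server keystore, `diagnose` returns no alias and the reason that its only private key is for CN=localhost while the message is encrypted to CN=umpd; against the stub keystore it resolves to `clientkey`; against the client trust store it finds the certificate but reports that a `trustedCertEntry` has no private key to decrypt with. It also flags the `rsa-1_5` key transport that the `TripleDesRsa15` suite selects: PKCS#1 v1.5 RSA key transport in XML Encryption is exposed to Bleichenbacher-style padding-oracle attacks, so outside a test case prefer an OAEP algorithm suite.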