[ 
https://issues.apache.org/jira/browse/CXF-3865?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13130651#comment-13130651
 ] 

Colm O hEigeartaigh commented on CXF-3865:
------------------------------------------


The certificate that the client is using to encrypt the request is in the 
client keystore, but is not in the server keystore. So the server can't find 
the corresponding private key to decrypt the request.

Colm.
                
> Asymmetric Encryption - alias is null during decryption using private key
> -------------------------------------------------------------------------
>
>                 Key: CXF-3865
>                 URL: https://issues.apache.org/jira/browse/CXF-3865
>             Project: CXF
>          Issue Type: Bug
>          Components: WS-* Components
>    Affects Versions: 2.2.10
>         Environment: actually 2.2.3 is the version
> running on mac osx lion and windows xp; java 1.6
>            Reporter: aman kohli
>         Attachments: cxf-wss4j-asym-crypto-soap.tgz
>
>
> As raised on the mailing list, Colm suggested I upload the test case here. This 
> is the description from the mailing list 
> http://mail-archives.apache.org/mod_mbox/ws-users/201110.mbox/%3ccf458cb8-746a-4d98-a89f-9ad647aee...@yahoo.com%3E
>  
> Running into a problem on the server implementation (a cxf soap server) of 
> asymmetric encryption.
> The intention is that the SOAP body is encrypted with the server's public 
> key. The client (also using CXF) seems to be encrypting the message body OK.
> On receipt of the message, the server implementation raises an exception, 
> with the reason
> the alias is null.  Here's the stack:
> org.apache.ws.security.WSSecurityException: The signature or decryption was 
> invalid; nested
> exception is: 
>        java.lang.Exception: alias is null
>        at 
> org.apache.ws.security.processor.EncryptedKeyProcessor.handleEncryptedKey(EncryptedKeyProcessor.java:330)
>        at 
> org.apache.ws.security.processor.EncryptedKeyProcessor.handleEncryptedKey(EncryptedKeyProcessor.java:104)
>        at 
> org.apache.ws.security.processor.EncryptedKeyProcessor.handleToken(EncryptedKeyProcessor.java:84)
>        at 
> org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:326)
>        at 
> org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:243)
>        at 
> org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:198)
>        at 
> org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:77)
>        at 
> org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:236)
>        at 
> org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:104)
>        at 
> org.apache.cxf.transport.http_jetty.JettyHTTPDestination.serviceRequest(JettyHTTPDestination.java:302)
>
>   Caused by: java.lang.Exception: alias is null
>        at 
> org.apache.ws.security.components.crypto.CryptoBase.getPrivateKey(CryptoBase.java:207)
>        at 
> org.apache.ws.security.processor.EncryptedKeyProcessor.handleEncryptedKey(EncryptedKeyProcessor.java:328)
>        ... 22 more
> I added some println statements to the password callback on the server side 
> to print out the
> type and id:
>       *** password callback type 1 class 
> org.apache.ws.security.WSPasswordCallback
>       *** password callback id null
> The API is used to configure CXF and WSS4j and not the xml configuration. The 
> messages are
> not being signed, nor are timestamps being used, just encryption/decryption, 
> ep is the endpointimpl
> :
>         Map<String,Object> inProps1 = new HashMap<String,Object>();
>         inProps1.put(WSHandlerConstants.ACTION, WSHandlerConstants.ENCRYPT);
>         inProps1.put(WSHandlerConstants.PW_CALLBACK_CLASS, PasswordCallbackHandler.class.getName());
>         inProps1.put(WSHandlerConstants.DEC_PROP_FILE, "server-security.properties");
>         inProps1.put(WSHandlerConstants.USER, "clientkey");
>         ep.getServer().getEndpoint().getInInterceptors().add(new WSS4JInInterceptor(inProps1));
> And the properties file is:
>       org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
>       org.apache.ws.security.crypto.merlin.keystore.type=jks
>       org.apache.ws.security.crypto.merlin.keystore.password=storepass
>       org.apache.ws.security.crypto.merlin.keystore.alias=clientkey
>       org.apache.ws.security.crypto.merlin.keystore.file=src/main/keystores/server-encypt.jks
> The server cert is self signed: 
>       $ keytool -genkey -alias umpservice -keyalg RSA -sigalg SHA1withRSA -keypass ump-pass -storepass dummy-service -keystore server-encypt.jks -dname cn=localhost
>       $ keytool -genkey -alias clientkey -keyalg RSA -sigalg SHA1withRSA -keypass client-pass -storepass dummy-service -keystore ump-stub-keystore.jks -dname cn=umpd
> and the certificate was exported using the following:
>       $ keytool -export -rfc -keystore ump-stub-keystore.jks -storepass dummy-service -keypass client-pass -alias clientkey -file client-cert.cer
> This is the WSDL extract:
>   <wsp:Policy wsu:Id="AsymEncryption" 
>             
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
>             xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy";>
>     <wsp:ExactlyOne>
>       <wsp:All>
>         <sp:AsymmetricBinding 
> xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702";>
>           <wsp:Policy>
>             <sp:InitiatorToken>
>               <wsp:Policy>
>                 <sp:X509Token 
> sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient";>
>                   <wsp:Policy>
>                   <!-- <sp:RequireThumbprintReference/> -->
>                   </wsp:Policy>
>                 </sp:X509Token>
>               </wsp:Policy>
>             </sp:InitiatorToken>
>             <sp:RecipientToken>
>               <wsp:Policy>
>                 <sp:X509Token 
> sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never";>
>                   <wsp:Policy>
>                     <!-- <sp:RequireThumbprintReference/> -->
>                   </wsp:Policy>
>                 </sp:X509Token>
>               </wsp:Policy>
>             </sp:RecipientToken>
>             <sp:AlgorithmSuite>
>               <wsp:Policy>
>                 <sp:TripleDesRsa15/>
>               </wsp:Policy>
>             </sp:AlgorithmSuite>
>             <sp:Layout>
>               <wsp:Policy>
>                 <sp:Strict/>
>               </wsp:Policy>
>             </sp:Layout>
> <!--            <sp:IncludeTimestamp/>
>             <sp:OnlySignEntireHeadersAndBody/>
> -->
>           </wsp:Policy>
>         </sp:AsymmetricBinding>
>         <sp:EncryptedParts 
> xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702";>
>           <sp:Body/>
>         </sp:EncryptedParts>
>       </wsp:All>
>     </wsp:ExactlyOne>
>   </wsp:Policy>
>
>   <wsdl:binding name="CollectionImplServiceSoapBinding" 
> type="tns:CollectionService">
>       <wsp:PolicyReference 
> xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy";
>                            URI="#AsymEncryption"/>
> And this is the incoming message:
> <output>
>       INFO: Inbound Message
>       ----------------------------
>       ID: 1
>       Address: /FooWS/services/Collection/
>       Encoding: UTF-8
>       Content-Type: text/xml; charset=UTF-8
>       Headers: {content-type=[text/xml; charset=UTF-8], 
> connection=[keep-alive], Host=[localhost:9198],
> Content-Length=[2549], SOAPAction=[""], User-Agent=[Apache CXF 2.2.3], 
> Content-Type=[text/xml; charset=UTF-8], Accept=[*/*], Pragma=[no-cache], Cache-Control=[no-cache]}
>       Payload: <soap:Envelope 
> xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"; 
> xmlns:xenc="http://www.w3.org/2001/04/xmlenc#";><soap:Header><wsse:Security
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" 
> soap:mustUnderstand="1"><xenc:EncryptedKey
> xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"; 
> Id="EncKeyId-A77755F726FB2C832813189733820252"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"; /><ds:KeyInfo 
> xmlns:ds="http://www.w3.org/2000/09/xmldsig#";>
> <wsse:SecurityTokenReference 
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";><ds:X509Data>
> <ds:X509IssuerSerial>
> <ds:X509IssuerName>CN=umpd</ds:X509IssuerName>
> <ds:X509SerialNumber>1316785867</ds:X509SerialNumber>
> </ds:X509IssuerSerial>
> </ds:X509Data></wsse:SecurityTokenReference>
> </ds:KeyInfo><xenc:CipherData><xenc:CipherValue>FlnDsQHOdVw0AOZualC9D6HvNIl7Hr2zXqf6YTZV5c28QzhwsJnZHLrL49dVPeq0TGT5QeRylc5lSfkUnWqwLoRs/N7yspkktxshhz7CTu3zzqbo3f82nSAr6d7nLXaI+dsIlDAkmngV/4uOJk1TqavjZl
> +7XW5XtxGHihzs5Zw=</xenc:CipherValue></xenc:CipherData><xenc:ReferenceList><xenc:DataReference
> URI="#EncDataId-1" 
> /></xenc:ReferenceList></xenc:EncryptedKey></wsse:Security></soap:Header><soap:Body><xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"; 
> Id="EncDataId-1" 
> Type="http://www.w3.org/2001/04/xmlenc#Content";><xenc:EncryptionMethod
> Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" /><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#";>
> <wsse:SecurityTokenReference 
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";><wsse:Reference
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" 
> URI="#EncKeyId-A77755F726FB2C832813189733820252" 
> /></wsse:SecurityTokenReference>
> </ds:KeyInfo><xenc:CipherData><xenc:CipherValue>Gbc/CYA8k1XJhCRYO8lA7rdxoUB6X4n7ZxfFSpxg437HUUjlaIImZ9vbX+UxxOuDKgEyN8TayBQR
> WIl+7npAm1BkzB88XJLf3EoVQI3eJhctspIuUgj/VIoHh090fCdw3bZGPSikqXlNPzPn5BsJKa/F
> 7Q4MIXjgS7G7L4tBesgsNJEcBx7ftp6Slxw+iTSvudYcMQ5ZcQcl0a4o2NbohFUIc1HJhg4daq0c
> LwvKit9owEQyMNkVXJV/vj6swU+gx9ltbFJJ4uqnx5zCA2obxOZzk61v+VX9ctotdP3/xLr/WHtz
> dRPsTsM34zguG6vwRq+f1czBKtlkbaN4CxTZDvPkLgFSXX286ki452UWBIzqxaynCAL6tY1qgMYi
> tDbQveW+suDbu4cwN4WtUUJdWmqGAOJOeXTXsmCqEcipN/eqod75QVbqzBrTBjpywNdhdxE2aBU/
> wfXa1HMwhoKw9+Ul3st6I1tpuVbi+wK7amqGIwCo8URtdJEBzbu90g1uWfSgb/iIlrIyCk6vSIlB
> XbLD3VZCx0nlqfaG5GZOaqz1mAxCAfnrYg5y9eGkxIMk</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData></soap:Body></soap:Envelope>
> </output>
> On the client side, WSS4J is set up as:
>       Map<String,Object> outProps1 = new HashMap<String,Object>();
>         outProps1.put(WSHandlerConstants.ACTION, WSHandlerConstants.ENCRYPT);
>         outProps1.put(WSHandlerConstants.PW_CALLBACK_CLASS, ClientCallbackHandler.class.getName());
>         outProps1.put(WSHandlerConstants.ENC_PROP_FILE, "client-crypto.properties");
>         outProps1.put(WSHandlerConstants.ENCRYPTION_USER, "servicekey");
>         cxfEndpoint.getOutInterceptors().add(new WSS4JOutInterceptor(outProps1));
>
> and the properties file is:
> org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
> org.apache.ws.security.crypto.merlin.keystore.type=jks
> org.apache.ws.security.crypto.merlin.keystore.alias=servicekey
> org.apache.ws.security.crypto.merlin.keystore.password=clientpass
> org.apache.ws.security.crypto.merlin.file=src/main/keystores/client-store.jks
> and the cert was imported using the command:
>       $ keytool -import -trustcacerts -keystore client-store.jks -storepass clientpass -alias servicekey -file client-cert.cer
> Not sure what is going wrong, but there are a lot of steps, so maybe this is 
> a simple error on my part.
> The CXF version is 2.2.3. If I need to redirect this to the cxf-users list, 
> please let me know.
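A quick way to confirm Colm's diagnosis on any decryption keystore, as an added example that is not part of the issue or of CXF/WSS4J: look up the certificate the inbound EncryptedKey names by X509IssuerSerial (CN=umpd, serial 1316785867 in the message above) and check that the matching entry actually carries a private key. The keystore path and password are placeholders.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.math.BigInteger;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.security.auth.x500.X500Principal;

// Added diagnostic, not CXF/WSS4J code: does the decryption keystore hold the
// private key for the certificate an inbound EncryptedKey names by issuer+serial?
public class DecryptKeyCheck {
    /** Alias whose certificate has the given issuer and serial, or null if none. */
    public static String findAliasByIssuerSerial(KeyStore ks, String issuerDn,
                                                 BigInteger serial) throws Exception {
        X500Principal issuer = new X500Principal(issuerDn);
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            Certificate c = ks.getCertificate(alias);
            if (c instanceof X509Certificate) {
                X509Certificate x = (X509Certificate) c;
                if (x.getIssuerX500Principal().equals(issuer)
                        && x.getSerialNumber().equals(serial)) {
                    return alias;
                }
            }
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        InputStream in = new FileInputStream("server-keystore.jks"); // placeholder path
        try {
            ks.load(in, "storepass".toCharArray());                   // placeholder password
        } finally {
            in.close();
        }
        // Issuer and serial as carried in the reporter's inbound message.
        String alias = findAliasByIssuerSerial(ks, "CN=umpd", new BigInteger("1316785867"));
        if (alias == null) {
            System.out.println("certificate not in this keystore: WSS4J reports 'alias is null'");
        } else if (!ks.isKeyEntry(alias)) {
            // A trusted-cert entry lets you encrypt to the peer but cannot decrypt.
            System.out.println("alias '" + alias + "' holds a trusted cert only, no private key");
        } else {
            System.out.println("decryption private key found under alias '" + alias + "'");
        }
    }
}
```

Run it against the server's keystore: the first two branches explain the stack trace in the report, and the fix is to encrypt to a certificate whose private key lives in the keystore named by DEC_PROP_FILE.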
