cxf-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "aman kohli (Created) (JIRA)" <j...@apache.org>
Subject [jira] [Created] (CXF-3865) Asymmetric Encryption - alias is null during decryption using private key
Date Wed, 19 Oct 2011 13:10:10 GMT
Asymmetric Encryption - alias is null during decryption using private key
-------------------------------------------------------------------------

                 Key: CXF-3865
                 URL: https://issues.apache.org/jira/browse/CXF-3865
             Project: CXF
          Issue Type: Bug
          Components: WS-* Components
    Affects Versions: 2.2.10
         Environment: actually 2.2.3 is the version
running on mac osx lion and windows xp; java 1.6
            Reporter: aman kohli
         Attachments: cxf-wss4j-asym-crypto-soap.tgz

as raised on mailing list, Colm suggested I upload the test case here.  This is the description
from the mailing list http://mail-archives.apache.org/mod_mbox/ws-users/201110.mbox/%3CCF458CB8-746A-4D98-A89F-9AD647AEE2D1@yahoo.com%3E


Running into a problem on the server implementation (a cxf soap server) of asymmetric encryption.
 The intention is the soap body is to be encrypted with the server's public key. The client
(also using cxf) seems to be encrypting the message body ok.

On receipt of the message, the server implementation raises an exception, with the reason
the alias is null.  Here's the stack:

org.apache.ws.security.WSSecurityException: The signature or decryption was invalid; nested
exception is: 
       java.lang.Exception: alias is null
       at org.apache.ws.security.processor.EncryptedKeyProcessor.handleEncryptedKey(EncryptedKeyProcessor.java:330)
       at org.apache.ws.security.processor.EncryptedKeyProcessor.handleEncryptedKey(EncryptedKeyProcessor.java:104)
       at org.apache.ws.security.processor.EncryptedKeyProcessor.handleToken(EncryptedKeyProcessor.java:84)
       at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:326)
       at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:243)
       at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:198)
       at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:77)
       at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:236)
       at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:104)
       at org.apache.cxf.transport.http_jetty.JettyHTTPDestination.serviceRequest(JettyHTTPDestination.java:302)
�
  Caused by: java.lang.Exception: alias is null
       at org.apache.ws.security.components.crypto.CryptoBase.getPrivateKey(CryptoBase.java:207)
       at org.apache.ws.security.processor.EncryptedKeyProcessor.handleEncryptedKey(EncryptedKeyProcessor.java:328)
       ... 22 more

I added some println statements to the password callback on the server side to print out the
type and id:
	*** password callback type 1 class org.apache.ws.security.WSPasswordCallback
	*** password callback id null

The API is used to configure CXF and WSS4j and not the xml configuration. The messages are
not being signed, nor are timestamps being used, just encryption/decryption, ep is the endpointimpl
:

        Map<String,Object> inProps1 = new HashMap<String,Object>();
        inProps1.put(WSHandlerConstants.ACTION, WSHandlerConstants.ENCRYPT);
        inProps1.put(WSHandlerConstants.PW_CALLBACK_CLASS, PasswordCallbackHandler.class.getName());
        inProps1.put(WSHandlerConstants.DEC_PROP_FILE, "server-security.properties");
        inProps1.put(WSHandlerConstants.USER, "clientkey");

        ep.getServer().getEndpoint().getInInterceptors().add(new WSS4JInInterceptor(inProps1));


And the properties file is:
	org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
	org.apache.ws.security.crypto.merlin.keystore.type=jks
	org.apache.ws.security.crypto.merlin.keystore.password=storepass
	org.apache.ws.security.crypto.merlin.keystore.alias=clientkey
	org.apache.ws.security.crypto.merlin.keystore.file=src/main/keystores/server-encypt.jks

The server cert is self signed: 

	$ keytool -genkey -alias umpservice -keyalg RSA -sigalg SHA1withRSA -keypass ump-pass -storepass
dummy-service -keystore server-encypt.jks -dname cn=localhost
	$ keytool -genkey -alias clientkey -keyalg RSA -sigalg SHA1withRSA -keypass client-pass -storepass
dummy-service -keystore ump-stub-keystore.jks -dname cn=umpd

and the certificate was exported using the following:

	$ keytool -export -rfc -keystore ump-stub-keystore.jks -storepass dummy-service -keypass
client-pass -alias clientkey -file client-cert.cer

This is the WSDL extract:

  <wsp:Policy wsu:Id="AsymEncryption" 
	      xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"

	      xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
    <wsp:ExactlyOne>
      <wsp:All>
        <sp:AsymmetricBinding xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
          <wsp:Policy>
            <sp:InitiatorToken>
              <wsp:Policy>
                <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
                  <wsp:Policy>
                  <!-- <sp:RequireThumbprintReference/> -->
                  </wsp:Policy>
                </sp:X509Token>
              </wsp:Policy>
            </sp:InitiatorToken>

            <sp:RecipientToken>
              <wsp:Policy>
                <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
                  <wsp:Policy>
                    <!-- <sp:RequireThumbprintReference/> -->
                  </wsp:Policy>
                </sp:X509Token>
              </wsp:Policy>
            </sp:RecipientToken>

            <sp:AlgorithmSuite>
              <wsp:Policy>
                <sp:TripleDesRsa15/>
              </wsp:Policy>
            </sp:AlgorithmSuite>

            <sp:Layout>
              <wsp:Policy>
                <sp:Strict/>
              </wsp:Policy>
            </sp:Layout>

<!--            <sp:IncludeTimestamp/>
            <sp:OnlySignEntireHeadersAndBody/>
-->
          </wsp:Policy>
        </sp:AsymmetricBinding>

        <sp:EncryptedParts xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
          <sp:Body/>
        </sp:EncryptedParts>
      </wsp:All>
    </wsp:ExactlyOne>
  </wsp:Policy>

�
  <wsdl:binding name="CollectionImplServiceSoapBinding" type="tns:CollectionService">
      <wsp:PolicyReference xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
                           URI="#AsymEncryption"/>


And this is the incoming message:

<output>

	INFO: Inbound Message
	----------------------------
	ID: 1
	Address: /FooWS/services/Collection/
	Encoding: UTF-8
	Content-Type: text/xml; charset=UTF-8
	Headers: {content-type=[text/xml; charset=UTF-8], connection=[keep-alive], Host=[localhost:9198],
Content-Length=[2549], SOAPAction=[""], User-Agent=[Apache CXF 2.2.3], Content-Type=[text/xml;
charset=U
TF-8], Accept=[*/*], Pragma=[no-cache], Cache-Control=[no-cache]}
	Payload: <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><soap:Header><wsse:Security
xmlns:wsse="http://docs.oasis-open.org/wss/2004/
01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soap:mustUnderstand="1"><xenc:EncryptedKey
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="EncKeyId-A77755F726FB2C832813189733820252"><xenc:EncryptionMe
thod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" /><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><ds:X509Data>
<ds:X509IssuerSerial>
<ds:X509IssuerName>CN=umpd</ds:X509IssuerName>
<ds:X509SerialNumber>1316785867</ds:X509SerialNumber>
</ds:X509IssuerSerial>
</ds:X509Data></wsse:SecurityTokenReference>
</ds:KeyInfo><xenc:CipherData><xenc:CipherValue>FlnDsQHOdVw0AOZualC9D6HvNIl7Hr2zXqf6YTZV5c28QzhwsJnZHLrL49dVPeq0TGT5QeRylc5lSfkUnWqwLoRs/N7yspkktxshhz7CTu3zzqbo3f82nSAr6d7nLXaI+dsIlDAkmngV/4uOJk1TqavjZl
+7XW5XtxGHihzs5Zw=</xenc:CipherValue></xenc:CipherData><xenc:ReferenceList><xenc:DataReference
URI="#EncDataId-1" /></xenc:ReferenceList></xenc:EncryptedKey></wsse:Security></soap:Header><soap:Body><xen
c:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="EncDataId-1" Type="http://www.w3.org/2001/04/xmlenc#Content"><xenc:EncryptionMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-
cbc" /><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><wsse:Reference
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-20040
1-wss-wssecurity-secext-1.0.xsd" URI="#EncKeyId-A77755F726FB2C832813189733820252" /></wsse:SecurityTokenReference>
</ds:KeyInfo><xenc:CipherData><xenc:CipherValue>Gbc/CYA8k1XJhCRYO8lA7rdxoUB6X4n7ZxfFSpxg437HUUjlaIImZ9vbX+UxxOuDKgEyN8TayBQR
WIl+7npAm1BkzB88XJLf3EoVQI3eJhctspIuUgj/VIoHh090fCdw3bZGPSikqXlNPzPn5BsJKa/F
7Q4MIXjgS7G7L4tBesgsNJEcBx7ftp6Slxw+iTSvudYcMQ5ZcQcl0a4o2NbohFUIc1HJhg4daq0c
LwvKit9owEQyMNkVXJV/vj6swU+gx9ltbFJJ4uqnx5zCA2obxOZzk61v+VX9ctotdP3/xLr/WHtz
dRPsTsM34zguG6vwRq+f1czBKtlkbaN4CxTZDvPkLgFSXX286ki452UWBIzqxaynCAL6tY1qgMYi
tDbQveW+suDbu4cwN4WtUUJdWmqGAOJOeXTXsmCqEcipN/eqod75QVbqzBrTBjpywNdhdxE2aBU/
wfXa1HMwhoKw9+Ul3st6I1tpuVbi+wK7amqGIwCo8URtdJEBzbu90g1uWfSgb/iIlrIyCk6vSIlB
XbLD3VZCx0nlqfaG5GZOaqz1mAxCAfnrYg5y9eGkxIMk</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData></soap:Body></soap:Envelope>


</output>


On the client side, the WSS4j is setup as:

      Map<String,Object> outProps1 = new HashMap<String,Object>();
        outProps1.put(WSHandlerConstants.ACTION, WSHandlerConstants.ENCRYPT);
        outProps1.put(WSHandlerConstants.PW_CALLBACK_CLASS, ClientCallbackHandler.class.getName());
        outProps1.put(WSHandlerConstants.ENC_PROP_FILE, "client-crypto.properties");
        outProps1.put(WSHandlerConstants.ENCRYPTION_USER, "servicekey");

        cxfEndpoint.getOutInterceptors().add(new WSS4JOutInterceptor(outProps1));       
        
and the properties file is:

org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.keystore.alias=servicekey
org.apache.ws.security.crypto.merlin.keystore.password=clientpass
org.apache.ws.security.crypto.merlin.file=src/main/keystores/client-store.jks

and the cert was imported using the command:
	$ keytool -import -trustcacerts -keystore client-store.jks -storepass clientpass -alias servicekey
-file client-cert.cer

Not sure what is going wrong, but there are a lot of steps, so maybe this is a simple error
on my part.

The CXF version is 2.2.3, If I need to redirect this to the cxf-users list, please let me
know.  

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

       

Mime
View raw message