cxf-issues mailing list archives

From "Colm O hEigeartaigh (Commented) (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CXF-3865) Asymmetric Encryption - alias is null during decryption using private key
Date Wed, 19 Oct 2011 14:28:10 GMT

    [ https://issues.apache.org/jira/browse/CXF-3865?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13130651#comment-13130651 ]

Colm O hEigeartaigh commented on CXF-3865:
------------------------------------------


The certificate that the client is using to encrypt the request is in the client keystore,
but is not in the server keystore. So the server can't find the corresponding private key
to decrypt the request.

Colm.
                
> Asymmetric Encryption - alias is null during decryption using private key
> -------------------------------------------------------------------------
>
>                 Key: CXF-3865
>                 URL: https://issues.apache.org/jira/browse/CXF-3865
>             Project: CXF
>          Issue Type: Bug
>          Components: WS-* Components
>    Affects Versions: 2.2.10
>         Environment: actually 2.2.3 is the version
> running on mac osx lion and windows xp; java 1.6
>            Reporter: aman kohli
>         Attachments: cxf-wss4j-asym-crypto-soap.tgz
>
>
> As raised on the mailing list, Colm suggested I upload the test case here. This is the description
> from the mailing list: http://mail-archives.apache.org/mod_mbox/ws-users/201110.mbox/%3CCF458CB8-746A-4D98-A89F-9AD647AEE2D1@yahoo.com%3E

> Running into a problem on the server implementation (a cxf soap server) of asymmetric encryption.
> The intention is the soap body is to be encrypted with the server's public key. The client
> (also using cxf) seems to be encrypting the message body ok.
> On receipt of the message, the server implementation raises an exception, with the reason
> the alias is null.  Here's the stack:
> org.apache.ws.security.WSSecurityException: The signature or decryption was invalid; nested exception is:
>        java.lang.Exception: alias is null
>        at org.apache.ws.security.processor.EncryptedKeyProcessor.handleEncryptedKey(EncryptedKeyProcessor.java:330)
>        at org.apache.ws.security.processor.EncryptedKeyProcessor.handleEncryptedKey(EncryptedKeyProcessor.java:104)
>        at org.apache.ws.security.processor.EncryptedKeyProcessor.handleToken(EncryptedKeyProcessor.java:84)
>        at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:326)
>        at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:243)
>        at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:198)
>        at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:77)
>        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:236)
>        at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:104)
>        at org.apache.cxf.transport.http_jetty.JettyHTTPDestination.serviceRequest(JettyHTTPDestination.java:302)
> ...
>   Caused by: java.lang.Exception: alias is null
>        at org.apache.ws.security.components.crypto.CryptoBase.getPrivateKey(CryptoBase.java:207)
>        at org.apache.ws.security.processor.EncryptedKeyProcessor.handleEncryptedKey(EncryptedKeyProcessor.java:328)
>        ... 22 more
> I added some println statements to the password callback on the server side to print out the
> type and id:
> 	*** password callback type 1 class org.apache.ws.security.WSPasswordCallback
> 	*** password callback id null
> The API is used to configure CXF and WSS4j and not the xml configuration. The messages are
> not being signed, nor are timestamps being used, just encryption/decryption. ep is the endpointimpl:
>         Map<String,Object> inProps1 = new HashMap<String,Object>();
>         inProps1.put(WSHandlerConstants.ACTION, WSHandlerConstants.ENCRYPT);
>         inProps1.put(WSHandlerConstants.PW_CALLBACK_CLASS, PasswordCallbackHandler.class.getName());
>         inProps1.put(WSHandlerConstants.DEC_PROP_FILE, "server-security.properties");
>         inProps1.put(WSHandlerConstants.USER, "clientkey");
>         ep.getServer().getEndpoint().getInInterceptors().add(new WSS4JInInterceptor(inProps1));
> And the properties file is:
> 	org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
> 	org.apache.ws.security.crypto.merlin.keystore.type=jks
> 	org.apache.ws.security.crypto.merlin.keystore.password=storepass
> 	org.apache.ws.security.crypto.merlin.keystore.alias=clientkey
> 	org.apache.ws.security.crypto.merlin.keystore.file=src/main/keystores/server-encypt.jks
> The server cert is self signed: 
> 	$ keytool -genkey -alias umpservice -keyalg RSA -sigalg SHA1withRSA -keypass ump-pass -storepass dummy-service -keystore server-encypt.jks -dname cn=localhost
> 	$ keytool -genkey -alias clientkey -keyalg RSA -sigalg SHA1withRSA -keypass client-pass -storepass dummy-service -keystore ump-stub-keystore.jks -dname cn=umpd
> and the certificate was exported using the following:
> 	$ keytool -export -rfc -keystore ump-stub-keystore.jks -storepass dummy-service -keypass client-pass -alias clientkey -file client-cert.cer
> This is the WSDL extract:
>   <wsp:Policy wsu:Id="AsymEncryption" 
> 	      xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> 	      xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
>     <wsp:ExactlyOne>
>       <wsp:All>
>         <sp:AsymmetricBinding xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>           <wsp:Policy>
>             <sp:InitiatorToken>
>               <wsp:Policy>
>                 <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
>                   <wsp:Policy>
>                   <!-- <sp:RequireThumbprintReference/> -->
>                   </wsp:Policy>
>                 </sp:X509Token>
>               </wsp:Policy>
>             </sp:InitiatorToken>
>             <sp:RecipientToken>
>               <wsp:Policy>
>                 <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
>                   <wsp:Policy>
>                     <!-- <sp:RequireThumbprintReference/> -->
>                   </wsp:Policy>
>                 </sp:X509Token>
>               </wsp:Policy>
>             </sp:RecipientToken>
>             <sp:AlgorithmSuite>
>               <wsp:Policy>
>                 <sp:TripleDesRsa15/>
>               </wsp:Policy>
>             </sp:AlgorithmSuite>
>             <sp:Layout>
>               <wsp:Policy>
>                 <sp:Strict/>
>               </wsp:Policy>
>             </sp:Layout>
> <!--            <sp:IncludeTimestamp/>
>             <sp:OnlySignEntireHeadersAndBody/>
> -->
>           </wsp:Policy>
>         </sp:AsymmetricBinding>
>         <sp:EncryptedParts xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>           <sp:Body/>
>         </sp:EncryptedParts>
>       </wsp:All>
>     </wsp:ExactlyOne>
>   </wsp:Policy>
> ...
>   <wsdl:binding name="CollectionImplServiceSoapBinding" type="tns:CollectionService">
>       <wsp:PolicyReference xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
>                            URI="#AsymEncryption"/>
> And this is the incoming message:
> <output>
> 	INFO: Inbound Message
> 	----------------------------
> 	ID: 1
> 	Address: /FooWS/services/Collection/
> 	Encoding: UTF-8
> 	Content-Type: text/xml; charset=UTF-8
> 	Headers: {content-type=[text/xml; charset=UTF-8], connection=[keep-alive], Host=[localhost:9198], Content-Length=[2549], SOAPAction=[""], User-Agent=[Apache CXF 2.2.3], Content-Type=[text/xml; charset=UTF-8], Accept=[*/*], Pragma=[no-cache], Cache-Control=[no-cache]}
> 	Payload: <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><soap:Header><wsse:Security
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/
> 01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soap:mustUnderstand="1"><xenc:EncryptedKey
> xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="EncKeyId-A77755F726FB2C832813189733820252"><xenc:EncryptionMe
> thod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" /><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><ds:X509Data>
> <ds:X509IssuerSerial>
> <ds:X509IssuerName>CN=umpd</ds:X509IssuerName>
> <ds:X509SerialNumber>1316785867</ds:X509SerialNumber>
> </ds:X509IssuerSerial>
> </ds:X509Data></wsse:SecurityTokenReference>
> </ds:KeyInfo><xenc:CipherData><xenc:CipherValue>FlnDsQHOdVw0AOZualC9D6HvNIl7Hr2zXqf6YTZV5c28QzhwsJnZHLrL49dVPeq0TGT5QeRylc5lSfkUnWqwLoRs/N7yspkktxshhz7CTu3zzqbo3f82nSAr6d7nLXaI+dsIlDAkmngV/4uOJk1TqavjZl
> +7XW5XtxGHihzs5Zw=</xenc:CipherValue></xenc:CipherData><xenc:ReferenceList><xenc:DataReference
> URI="#EncDataId-1" /></xenc:ReferenceList></xenc:EncryptedKey></wsse:Security></soap:Header><soap:Body><xen
> c:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="EncDataId-1" Type="http://www.w3.org/2001/04/xmlenc#Content"><xenc:EncryptionMethod
> Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-
> cbc" /><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><wsse:Reference
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-20040
> 1-wss-wssecurity-secext-1.0.xsd" URI="#EncKeyId-A77755F726FB2C832813189733820252" /></wsse:SecurityTokenReference>
> </ds:KeyInfo><xenc:CipherData><xenc:CipherValue>Gbc/CYA8k1XJhCRYO8lA7rdxoUB6X4n7ZxfFSpxg437HUUjlaIImZ9vbX+UxxOuDKgEyN8TayBQR
> WIl+7npAm1BkzB88XJLf3EoVQI3eJhctspIuUgj/VIoHh090fCdw3bZGPSikqXlNPzPn5BsJKa/F
> 7Q4MIXjgS7G7L4tBesgsNJEcBx7ftp6Slxw+iTSvudYcMQ5ZcQcl0a4o2NbohFUIc1HJhg4daq0c
> LwvKit9owEQyMNkVXJV/vj6swU+gx9ltbFJJ4uqnx5zCA2obxOZzk61v+VX9ctotdP3/xLr/WHtz
> dRPsTsM34zguG6vwRq+f1czBKtlkbaN4CxTZDvPkLgFSXX286ki452UWBIzqxaynCAL6tY1qgMYi
> tDbQveW+suDbu4cwN4WtUUJdWmqGAOJOeXTXsmCqEcipN/eqod75QVbqzBrTBjpywNdhdxE2aBU/
> wfXa1HMwhoKw9+Ul3st6I1tpuVbi+wK7amqGIwCo8URtdJEBzbu90g1uWfSgb/iIlrIyCk6vSIlB
> XbLD3VZCx0nlqfaG5GZOaqz1mAxCAfnrYg5y9eGkxIMk</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData></soap:Body></soap:Envelope>
> </output>
> On the client side, the WSS4j is setup as:
>         Map<String,Object> outProps1 = new HashMap<String,Object>();
>         outProps1.put(WSHandlerConstants.ACTION, WSHandlerConstants.ENCRYPT);
>         outProps1.put(WSHandlerConstants.PW_CALLBACK_CLASS, ClientCallbackHandler.class.getName());
>         outProps1.put(WSHandlerConstants.ENC_PROP_FILE, "client-crypto.properties");
>         outProps1.put(WSHandlerConstants.ENCRYPTION_USER, "servicekey");
>         cxfEndpoint.getOutInterceptors().add(new WSS4JOutInterceptor(outProps1));
> and the properties file is:
> org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
> org.apache.ws.security.crypto.merlin.keystore.type=jks
> org.apache.ws.security.crypto.merlin.keystore.alias=servicekey
> org.apache.ws.security.crypto.merlin.keystore.password=clientpass
> org.apache.ws.security.crypto.merlin.file=src/main/keystores/client-store.jks
> and the cert was imported using the command:
> 	$ keytool -import -trustcacerts -keystore client-store.jks -storepass clientpass -alias servicekey -file client-cert.cer
> Not sure what is going wrong, but there are a lot of steps, so maybe this is a simple error
> on my part.
> The CXF version is 2.2.3. If I need to redirect this to the cxf-users list, please let me
> know.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
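Colm's diagnosis can be checked without starting the server. WSS4J resolves the decryption key by matching the X509IssuerSerial in the inbound EncryptedKey against the certificates in the decryption keystore and then loading that alias's private key; when nothing matches, the alias is null and CryptoBase.getPrivateKey throws the exception in the stack trace. The script below is an added example, not code from the issue, CXF or WSS4J: it runs that lookup offline over a trimmed copy of the inbound message and a constructed `keytool -list -v` listing for server-encypt.jks (the serial number is made up, and the usual `Alias name` / `Entry type` / `Issuer` / `Serial number` output lines are assumed).

```python
import re
import xml.etree.ElementTree as ET
NS = {"xenc": "http://www.w3.org/2001/04/xmlenc#", "ds": "http://www.w3.org/2000/09/xmldsig#"}

def referenced_issuer_serial(envelope_xml):
    """(issuer DN, serial) that the inbound EncryptedKey's KeyInfo points at, or None."""
    node = ET.fromstring(envelope_xml).find(".//xenc:EncryptedKey//ds:X509IssuerSerial", NS)
    if node is None:
        return None
    issuer = node.findtext("ds:X509IssuerName", namespaces=NS).strip()
    serial = int(node.findtext("ds:X509SerialNumber", namespaces=NS))  # decimal in XML
    return issuer, serial

def parse_keytool_listing(listing):
    """Parse `keytool -list -v` text into {alias: (entry type, issuer DN, serial int)}."""
    entries = {}
    for block in listing.split("Alias name: ")[1:]:
        alias = block.split("\n", 1)[0].strip()
        etype = re.search(r"Entry type: (\S+)", block).group(1)
        # First Issuer/Serial lines belong to Certificate[1], the end-entity cert; serial is hex.
        issuer = re.search(r"^Issuer: (.+)$", block, re.M).group(1).strip()
        serial = int(re.search(r"Serial number: ([0-9a-fA-F]+)", block).group(1), 16)
        entries[alias] = (etype, issuer, serial)
    return entries

def decrypting_alias(envelope_xml, listing):
    """Alias of a PrivateKeyEntry whose cert matches the message; None is the 'alias is null' state."""
    ref = referenced_issuer_serial(envelope_xml)
    for alias, (etype, issuer, serial) in parse_keytool_listing(listing).items():
        if ref == (issuer, serial) and etype == "PrivateKeyEntry":
            return alias
    return None

# KeyInfo values copied from the inbound message in the issue; the envelope is otherwise trimmed.
ENVELOPE = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<soap:Header><xenc:EncryptedKey Id="EncKeyId-A77755F726FB2C832813189733820252"><ds:KeyInfo>
<ds:X509Data><ds:X509IssuerSerial><ds:X509IssuerName>CN=umpd</ds:X509IssuerName>
<ds:X509SerialNumber>1316785867</ds:X509SerialNumber></ds:X509IssuerSerial></ds:X509Data>
</ds:KeyInfo></xenc:EncryptedKey></soap:Header><soap:Body/></soap:Envelope>"""

# Constructed `keytool -list -v` output for server-encypt.jks as created in the issue: only the
# umpservice key (CN=localhost) is present, and its serial number is made up.
SERVER_LISTING = """Alias name: umpservice
Entry type: PrivateKeyEntry
Owner: CN=localhost
Issuer: CN=localhost
Serial number: 4e7c8b2f
"""
```

With the data as given, decrypting_alias(ENVELOPE, SERVER_LISTING) returns None, which is the reported failure; it returns an alias only when the referenced certificate is present as a PrivateKeyEntry, so importing the client certificate as a trusted entry would not be enough.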
