cxf-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "aman kohli (Updated) (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (CXF-3865) Asymmetric Encryption - alias is null during decryption using private key
Date Wed, 19 Oct 2011 13:10:10 GMT

     [ https://issues.apache.org/jira/browse/CXF-3865?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

aman kohli updated CXF-3865:
----------------------------

    Attachment: cxf-wss4j-asym-crypto-soap.tgz

What's included:
	* source code, keystores
	* I removed the WS-Security elements from the WSDL as the problem still exists without it
	* error log from client 

$mvn package

run server:  
	$ mvn  exec:java -Dexec.mainClass=asymmetric.stub.StubCollectionService > log 2>&1

Client
	$  mvn  exec:java -Dexec.mainClass=asymmetric.client.RegisterCollection -Dexec.args="http://localhost:9198/CitiWS/services/Collection/?wsdl"



                
> Asymmetric Encryption - alias is null during decryption using private key
> -------------------------------------------------------------------------
>
>                 Key: CXF-3865
>                 URL: https://issues.apache.org/jira/browse/CXF-3865
>             Project: CXF
>          Issue Type: Bug
>          Components: WS-* Components
>    Affects Versions: 2.2.10
>         Environment: actually 2.2.3 is the version
> running on mac osx lion and windows xp; java 1.6
>            Reporter: aman kohli
>         Attachments: cxf-wss4j-asym-crypto-soap.tgz
>
>
> as raised on mailing list, Colm suggested I upload the test case here.  This is the description
from the mailing list http://mail-archives.apache.org/mod_mbox/ws-users/201110.mbox/%3CCF458CB8-746A-4D98-A89F-9AD647AEE2D1@yahoo.com%3E

> Running into a problem on the server implementation (a cxf soap server) of asymmetric
encryption.
>  The intention is the soap body is to be encrypted with the server's public key. The
client
> (also using cxf) seems to be encrypting the message body ok.
> On receipt of the message, the server implementation raises an exception, with the reason
> the alias is null.  Here's the stack:
> org.apache.ws.security.WSSecurityException: The signature or decryption was invalid;
nested
> exception is: 
>        java.lang.Exception: alias is null
>        at org.apache.ws.security.processor.EncryptedKeyProcessor.handleEncryptedKey(EncryptedKeyProcessor.java:330)
>        at org.apache.ws.security.processor.EncryptedKeyProcessor.handleEncryptedKey(EncryptedKeyProcessor.java:104)
>        at org.apache.ws.security.processor.EncryptedKeyProcessor.handleToken(EncryptedKeyProcessor.java:84)
>        at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:326)
>        at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:243)
>        at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:198)
>        at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:77)
>        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:236)
>        at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:104)
>        at org.apache.cxf.transport.http_jetty.JettyHTTPDestination.serviceRequest(JettyHTTPDestination.java:302)
> �
>   Caused by: java.lang.Exception: alias is null
>        at org.apache.ws.security.components.crypto.CryptoBase.getPrivateKey(CryptoBase.java:207)
>        at org.apache.ws.security.processor.EncryptedKeyProcessor.handleEncryptedKey(EncryptedKeyProcessor.java:328)
>        ... 22 more
> I added some println statements to the password callback on the server side to print
out the
> type and id:
> 	*** password callback type 1 class org.apache.ws.security.WSPasswordCallback
> 	*** password callback id null
> The API is used to configure CXF and WSS4j and not the xml configuration. The messages
are
> not being signed, nor are timestamps being used, just encryption/decryption, ep is the
endpointimpl
> :
>         Map<String,Object> inProps1 = new HashMap<String,Object>();
>         inProps1.put(WSHandlerConstants.ACTION, WSHandlerConstants.ENCRYPT);
>         inProps1.put(WSHandlerConstants.PW_CALLBACK_CLASS, PasswordCallbackHandler.class.getName());
>         inProps1.put(WSHandlerConstants.DEC_PROP_FILE, "server-security.properties");
>         inProps1.put(WSHandlerConstants.USER, "clientkey");
>         ep.getServer().getEndpoint().getInInterceptors().add(new WSS4JInInterceptor(inProps1));
> And the properties file is:
> 	org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
> 	org.apache.ws.security.crypto.merlin.keystore.type=jks
> 	org.apache.ws.security.crypto.merlin.keystore.password=storepass
> 	org.apache.ws.security.crypto.merlin.keystore.alias=clientkey
> 	org.apache.ws.security.crypto.merlin.keystore.file=src/main/keystores/server-encypt.jks
> The server cert is self signed: 
> 	$ keytool -genkey -alias umpservice -keyalg RSA -sigalg SHA1withRSA -keypass ump-pass
-storepass
> dummy-service -keystore server-encypt.jks -dname cn=localhost
> 	$ keytool -genkey -alias clientkey -keyalg RSA -sigalg SHA1withRSA -keypass client-pass
-storepass
> dummy-service -keystore ump-stub-keystore.jks -dname cn=umpd
> and the certificate was exported using the following:
> 	$ keytool -export -rfc -keystore ump-stub-keystore.jks -storepass dummy-service -keypass
> client-pass -alias clientkey -file client-cert.cer
> This is the WSDL extract:
>   <wsp:Policy wsu:Id="AsymEncryption" 
> 	      xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> 	      xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
>     <wsp:ExactlyOne>
>       <wsp:All>
>         <sp:AsymmetricBinding xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>           <wsp:Policy>
>             <sp:InitiatorToken>
>               <wsp:Policy>
>                 <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
>                   <wsp:Policy>
>                   <!-- <sp:RequireThumbprintReference/> -->
>                   </wsp:Policy>
>                 </sp:X509Token>
>               </wsp:Policy>
>             </sp:InitiatorToken>
>             <sp:RecipientToken>
>               <wsp:Policy>
>                 <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
>                   <wsp:Policy>
>                     <!-- <sp:RequireThumbprintReference/> -->
>                   </wsp:Policy>
>                 </sp:X509Token>
>               </wsp:Policy>
>             </sp:RecipientToken>
>             <sp:AlgorithmSuite>
>               <wsp:Policy>
>                 <sp:TripleDesRsa15/>
>               </wsp:Policy>
>             </sp:AlgorithmSuite>
>             <sp:Layout>
>               <wsp:Policy>
>                 <sp:Strict/>
>               </wsp:Policy>
>             </sp:Layout>
> <!--            <sp:IncludeTimestamp/>
>             <sp:OnlySignEntireHeadersAndBody/>
> -->
>           </wsp:Policy>
>         </sp:AsymmetricBinding>
>         <sp:EncryptedParts xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>           <sp:Body/>
>         </sp:EncryptedParts>
>       </wsp:All>
>     </wsp:ExactlyOne>
>   </wsp:Policy>
> �
>   <wsdl:binding name="CollectionImplServiceSoapBinding" type="tns:CollectionService">
>       <wsp:PolicyReference xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
>                            URI="#AsymEncryption"/>
> And this is the incoming message:
> <output>
> 	INFO: Inbound Message
> 	----------------------------
> 	ID: 1
> 	Address: /FooWS/services/Collection/
> 	Encoding: UTF-8
> 	Content-Type: text/xml; charset=UTF-8
> 	Headers: {content-type=[text/xml; charset=UTF-8], connection=[keep-alive], Host=[localhost:9198],
> Content-Length=[2549], SOAPAction=[""], User-Agent=[Apache CXF 2.2.3], Content-Type=[text/xml;
> charset=U
> TF-8], Accept=[*/*], Pragma=[no-cache], Cache-Control=[no-cache]}
> 	Payload: <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><soap:Header><wsse:Security
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/
> 01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soap:mustUnderstand="1"><xenc:EncryptedKey
> xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="EncKeyId-A77755F726FB2C832813189733820252"><xenc:EncryptionMe
> thod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" /><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><ds:X509Data>
> <ds:X509IssuerSerial>
> <ds:X509IssuerName>CN=umpd</ds:X509IssuerName>
> <ds:X509SerialNumber>1316785867</ds:X509SerialNumber>
> </ds:X509IssuerSerial>
> </ds:X509Data></wsse:SecurityTokenReference>
> </ds:KeyInfo><xenc:CipherData><xenc:CipherValue>FlnDsQHOdVw0AOZualC9D6HvNIl7Hr2zXqf6YTZV5c28QzhwsJnZHLrL49dVPeq0TGT5QeRylc5lSfkUnWqwLoRs/N7yspkktxshhz7CTu3zzqbo3f82nSAr6d7nLXaI+dsIlDAkmngV/4uOJk1TqavjZl
> +7XW5XtxGHihzs5Zw=</xenc:CipherValue></xenc:CipherData><xenc:ReferenceList><xenc:DataReference
> URI="#EncDataId-1" /></xenc:ReferenceList></xenc:EncryptedKey></wsse:Security></soap:Header><soap:Body><xen
> c:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="EncDataId-1" Type="http://www.w3.org/2001/04/xmlenc#Content"><xenc:EncryptionMethod
> Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-
> cbc" /><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><wsse:Reference
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-20040
> 1-wss-wssecurity-secext-1.0.xsd" URI="#EncKeyId-A77755F726FB2C832813189733820252" /></wsse:SecurityTokenReference>
> </ds:KeyInfo><xenc:CipherData><xenc:CipherValue>Gbc/CYA8k1XJhCRYO8lA7rdxoUB6X4n7ZxfFSpxg437HUUjlaIImZ9vbX+UxxOuDKgEyN8TayBQR
> WIl+7npAm1BkzB88XJLf3EoVQI3eJhctspIuUgj/VIoHh090fCdw3bZGPSikqXlNPzPn5BsJKa/F
> 7Q4MIXjgS7G7L4tBesgsNJEcBx7ftp6Slxw+iTSvudYcMQ5ZcQcl0a4o2NbohFUIc1HJhg4daq0c
> LwvKit9owEQyMNkVXJV/vj6swU+gx9ltbFJJ4uqnx5zCA2obxOZzk61v+VX9ctotdP3/xLr/WHtz
> dRPsTsM34zguG6vwRq+f1czBKtlkbaN4CxTZDvPkLgFSXX286ki452UWBIzqxaynCAL6tY1qgMYi
> tDbQveW+suDbu4cwN4WtUUJdWmqGAOJOeXTXsmCqEcipN/eqod75QVbqzBrTBjpywNdhdxE2aBU/
> wfXa1HMwhoKw9+Ul3st6I1tpuVbi+wK7amqGIwCo8URtdJEBzbu90g1uWfSgb/iIlrIyCk6vSIlB
> XbLD3VZCx0nlqfaG5GZOaqz1mAxCAfnrYg5y9eGkxIMk</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData></soap:Body></soap:Envelope>
> </output>
> On the client side, the WSS4j is setup as:
>       Map<String,Object> outProps1 = new HashMap<String,Object>();
>         outProps1.put(WSHandlerConstants.ACTION, WSHandlerConstants.ENCRYPT);
>         outProps1.put(WSHandlerConstants.PW_CALLBACK_CLASS, ClientCallbackHandler.class.getName());
>         outProps1.put(WSHandlerConstants.ENC_PROP_FILE, "client-crypto.properties");
>         outProps1.put(WSHandlerConstants.ENCRYPTION_USER, "servicekey");
>         cxfEndpoint.getOutInterceptors().add(new WSS4JOutInterceptor(outProps1));   
   
>         
> and the properties file is:
> org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
> org.apache.ws.security.crypto.merlin.keystore.type=jks
> org.apache.ws.security.crypto.merlin.keystore.alias=servicekey
> org.apache.ws.security.crypto.merlin.keystore.password=clientpass
> org.apache.ws.security.crypto.merlin.file=src/main/keystores/client-store.jks
> and the cert was imported using the command:
> 	$ keytool -import -trustcacerts -keystore client-store.jks -storepass clientpass -alias
servicekey
> -file client-cert.cer
> Not sure what is going wrong, but there are a lot of steps, so maybe this is a simple
error
> on my part.
> The CXF version is 2.2.3, If I need to redirect this to the cxf-users list, please let
me
> know.  

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

       

Mime
View raw message