Date: Wed, 19 Oct 2011 14:40:10 +0000 (UTC)
From: "aman kohli (Commented) (JIRA)"
To: issues@cxf.apache.org
Subject: [jira] [Commented] (CXF-3865) Asymmetric Encryption - alias is null during decryption using private key

[ https://issues.apache.org/jira/browse/CXF-3865?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13130652#comment-13130652 ]

aman kohli commented on CXF-3865:
---------------------------------

I have tried this on 2.4.3 and it still does not work; the server gives a slightly different error.

NOTE: the keystores in the tarball may not be right, but the steps to rebuild them are in the src/main/keystores/k*txt file.

Server log:

[INFO] Scanning for projects...
[INFO]
[INFO] ------------------------------------------------------------------------
[INFO] Building stub 1.0-SNAPSHOT
[INFO] ------------------------------------------------------------------------
[INFO]
[INFO] >>> exec-maven-plugin:1.2.1:java (default-cli) @ crypto-stub-problem >>>
[INFO]
[INFO] <<< exec-maven-plugin:1.2.1:java (default-cli) @ crypto-stub-problem <<<
[INFO]
[INFO] --- exec-maven-plugin:1.2.1:java (default-cli) @ crypto-stub-problem ---
19-Oct-2011 15:36:15 org.apache.cxf.service.factory.ReflectionServiceFactoryBean buildServiceFromClass
INFO: Creating Service {http://collection.blah.com/}CollectionImplService from class com.blah.collection.CollectionService
19-Oct-2011 15:36:15 org.apache.cxf.endpoint.ServerImpl initDestination
INFO: Setting the server's publish address to be http://localhost:9198/WS/services/Collection
SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder".
SLF4J: Defaulting to no-operation (NOP) logger implementation
SLF4J: See http://www.slf4j.org/codes.html#StaticLoggerBinder for further details.
Server ready...
19-Oct-2011 15:36:19 org.apache.cxf.interceptor.AbstractLoggingInterceptor log
INFO: Inbound Message
----------------------------
ID: 1
Address: http://localhost:9198/WS/services/Collection/?wsdl
Http-Method: GET
Content-Type: text/xml
Headers: {Accept=[*/*], Cache-Control=[no-cache], connection=[keep-alive], content-type=[text/xml], Host=[localhost:9198], Pragma=[no-cache], User-Agent=[Apache CXF 2.4.3]}
--------------------------------------
19-Oct-2011 15:36:20 org.apache.cxf.interceptor.AbstractLoggingInterceptor log
INFO: Inbound Message
----------------------------
ID: 2
Address: http://localhost:9198/WS/services/Collection/
Encoding: UTF-8
Http-Method: POST
Content-Type: text/xml; charset=UTF-8
Headers: {Accept=[*/*], Cache-Control=[no-cache], connection=[keep-alive], Content-Length=[2202], content-type=[text/xml; charset=UTF-8], Host=[localhost:9198], Pragma=[no-cache], SOAPAction=[""], User-Agent=[Apache CXF 2.4.3]}
Payload: CN=umpd 1319034400
MzkrKke0mtMf/PFM7HafgX1qrIULWSjzaPRTrxRrUqumUf0vvhsAulIlbYQyGp9t9MGy3+8BIPyv4UNgulgJp2HLGxp0bXZL8c3e/dNfFN10ASmqZIqkBvmgiZCRZcX10Ij9WKIs4o2/KXSUcssiWXivOhqDtywAH+GzUN2TECc=
YnEeXUGjJ6qppL9/Sv3cbgjGLAUdcv5/ueuhVbDc8Idw4iyrEU1nZmo/j7UN0CbV2gxB1GJDol5JLyghGLYjPr6GCpshL9V9CfGv19CpzQqZjruoZTv9WCsDPPKQ2w+ONj9z5eS23tSfCoyi2qZHfcpXQFH/V82WNK7ujybCdBt0+hoPgVQUzdbEt6pro0KiTBvhw2xFOTfjnULapVs8Q3Uwa+kDOHfcJ9GkxvGTZHk=
--------------------------------------
19-Oct-2011 15:36:21 org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor handleMessage
WARNING:
org.apache.ws.security.WSSecurityException: General security error (No certificates were found for decryption (KeyId))
	at org.apache.ws.security.processor.EncryptedKeyProcessor.getCertificatesFromEncryptedKey(EncryptedKeyProcessor.java:241)
	at org.apache.ws.security.processor.EncryptedKeyProcessor.handleToken(EncryptedKeyProcessor.java:99)
	at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:396)
	at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:249)
	at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:85)
	at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:263)
	at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
	at org.apache.cxf.transport.http_jetty.JettyHTTPDestination.serviceRequest(JettyHTTPDestination.java:319)
	at org.apache.cxf.transport.http_jetty.JettyHTTPDestination.doService(JettyHTTPDestination.java:287)
	at org.apache.cxf.transport.http_jetty.JettyHTTPHandler.handle(JettyHTTPHandler.java:72)
	at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:939)
	at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:875)
	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:117)
	at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:247)
	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:110)
	at org.eclipse.jetty.server.Server.handle(Server.java:346)
	at org.eclipse.jetty.server.HttpConnection.handleRequest(HttpConnection.java:589)
	at org.eclipse.jetty.server.HttpConnection$RequestHandler.content(HttpConnection.java:1065)
	at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:823)
	at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:220)
	at org.eclipse.jetty.server.HttpConnection.handle(HttpConnection.java:411)
	at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:535)
	at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:40)
	at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:529)
	at java.lang.Thread.run(Thread.java:619)
19-Oct-2011 15:36:21 org.apache.cxf.phase.PhaseInterceptorChain doDefaultLogging
WARNING: Interceptor for {http://collection.blah.com/}CollectionImplService has thrown exception, unwinding now
org.apache.cxf.binding.soap.SoapFault: General security error (No certificates were found for decryption (KeyId))
	at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.createSoapFault(WSS4JInInterceptor.java:643)
	at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:308)
	at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:85)
	at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:263)
	at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
	at org.apache.cxf.transport.http_jetty.JettyHTTPDestination.serviceRequest(JettyHTTPDestination.java:319)
	at org.apache.cxf.transport.http_jetty.JettyHTTPDestination.doService(JettyHTTPDestination.java:287)
	at org.apache.cxf.transport.http_jetty.JettyHTTPHandler.handle(JettyHTTPHandler.java:72)
	at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:939)
	at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:875)
	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:117)
	at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:247)
	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:110)
	at org.eclipse.jetty.server.Server.handle(Server.java:346)
	at org.eclipse.jetty.server.HttpConnection.handleRequest(HttpConnection.java:589)
	at org.eclipse.jetty.server.HttpConnection$RequestHandler.content(HttpConnection.java:1065)
	at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:823)
	at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:220)
	at org.eclipse.jetty.server.HttpConnection.handle(HttpConnection.java:411)
	at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:535)
	at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:40)
	at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:529)
	at java.lang.Thread.run(Thread.java:619)
Caused by: org.apache.ws.security.WSSecurityException: General security error (No certificates were found for decryption (KeyId))
	at org.apache.ws.security.processor.EncryptedKeyProcessor.getCertificatesFromEncryptedKey(EncryptedKeyProcessor.java:241)
	at org.apache.ws.security.processor.EncryptedKeyProcessor.handleToken(EncryptedKeyProcessor.java:99)
	at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:396)
	at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:249)
	... 21 more

> Asymmetric Encryption - alias is null during decryption using private key
> -------------------------------------------------------------------------
>
>                 Key: CXF-3865
>                 URL: https://issues.apache.org/jira/browse/CXF-3865
>             Project: CXF
>          Issue Type: Bug
>          Components: WS-* Components
>    Affects Versions: 2.2.10
>         Environment: actually 2.2.3 is the version
>                      running on mac osx lion and windows xp; java 1.6
>            Reporter: aman kohli
>         Attachments: cxf-wss4j-asym-crypto-soap.tgz
>
>
> As raised on the mailing list, Colm suggested I upload the test case here. This is the description from the mailing list: http://mail-archives.apache.org/mod_mbox/ws-users/201110.mbox/%3CCF458CB8-746A-4D98-A89F-9AD647AEE2D1@yahoo.com%3E
>
> Running into a problem on the server implementation (a cxf soap server) of asymmetric encryption.
> The intention is that the soap body is to be encrypted with the server's public key. The client (also using cxf) seems to be encrypting the message body ok.
> On receipt of the message, the server implementation raises an exception, with the reason the alias is null. Here's the stack:
>
> org.apache.ws.security.WSSecurityException: The signature or decryption was invalid; nested exception is:
> java.lang.Exception: alias is null
>         at org.apache.ws.security.processor.EncryptedKeyProcessor.handleEncryptedKey(EncryptedKeyProcessor.java:330)
>         at org.apache.ws.security.processor.EncryptedKeyProcessor.handleEncryptedKey(EncryptedKeyProcessor.java:104)
>         at org.apache.ws.security.processor.EncryptedKeyProcessor.handleToken(EncryptedKeyProcessor.java:84)
>         at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:326)
>         at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:243)
>         at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:198)
>         at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:77)
>         at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:236)
>         at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:104)
>         at org.apache.cxf.transport.http_jetty.JettyHTTPDestination.serviceRequest(JettyHTTPDestination.java:302)
>         ...
> Caused by: java.lang.Exception: alias is null
>         at org.apache.ws.security.components.crypto.CryptoBase.getPrivateKey(CryptoBase.java:207)
>         at org.apache.ws.security.processor.EncryptedKeyProcessor.handleEncryptedKey(EncryptedKeyProcessor.java:328)
>         ... 22 more
>
> I added some println statements to the password callback on the server side to print out the type and id:
> 	*** password callback type 1 class org.apache.ws.security.WSPasswordCallback
> 	*** password callback id null
>
> The API is used to configure CXF and WSS4j and not the xml configuration. The messages are not being signed, nor are timestamps being used, just encryption/decryption; ep is the EndpointImpl:
>
>         Map inProps1 = new HashMap();
>         inProps1.put(WSHandlerConstants.ACTION, WSHandlerConstants.ENCRYPT);
>         inProps1.put(WSHandlerConstants.PW_CALLBACK_CLASS, PasswordCallbackHandler.class.getName());
>         inProps1.put(WSHandlerConstants.DEC_PROP_FILE, "server-security.properties");
>         inProps1.put(WSHandlerConstants.USER, "clientkey");
>         ep.getServer().getEndpoint().getInInterceptors().add(new WSS4JInInterceptor(inProps1));
>
> And the properties file is:
>
> 	org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
> 	org.apache.ws.security.crypto.merlin.keystore.type=jks
> 	org.apache.ws.security.crypto.merlin.keystore.password=storepass
> 	org.apache.ws.security.crypto.merlin.keystore.alias=clientkey
> 	org.apache.ws.security.crypto.merlin.keystore.file=src/main/keystores/server-encypt.jks
>
> The server cert is self signed:
>
> 	$ keytool -genkey -alias umpservice -keyalg RSA -sigalg SHA1withRSA -keypass ump-pass -storepass dummy-service -keystore server-encypt.jks -dname cn=localhost
> 	$ keytool -genkey -alias clientkey -keyalg RSA -sigalg SHA1withRSA -keypass client-pass -storepass dummy-service -keystore ump-stub-keystore.jks -dname cn=umpd
>
> and the certificate was exported using the following:
>
> 	$ keytool -export -rfc -keystore ump-stub-keystore.jks -storepass dummy-service -keypass client-pass -alias clientkey -file client-cert.cer
>
> This is the WSDL extract:
>
> 	xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> 	xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
> 	...
> 	URI="#AsymEncryption"/>
>
> And this is the incoming message:
>
> 	INFO: Inbound Message
> 	----------------------------
> 	ID: 1
> 	Address: /FooWS/services/Collection/
> 	Encoding: UTF-8
> 	Content-Type: text/xml; charset=UTF-8
> 	Headers: {content-type=[text/xml; charset=UTF-8], connection=[keep-alive], Host=[localhost:9198], Content-Length=[2549], SOAPAction=[""], User-Agent=[Apache CXF 2.2.3], Content-Type=[text/xml; charset=UTF-8], Accept=[*/*], Pragma=[no-cache], Cache-Control=[no-cache]}
> 	Payload:
> 	xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soap:mustUnderstand="1">
> 	xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="EncKeyId-A77755F726FB2C832813189733820252">
> 	thod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
> 	CN=umpd
> 	1316785867
> 	FlnDsQHOdVw0AOZualC9D6HvNIl7Hr2zXqf6YTZV5c28QzhwsJnZHLrL49dVPeq0TGT5QeRylc5lSfkUnWqwLoRs/N7yspkktxshhz7CTu3zzqbo3f82nSAr6d7nLXaI+dsIlDAkmngV/4uOJk1TqavjZl+7XW5XtxGHihzs5Zw=
> 	URI="#EncDataId-1" />
> 	c:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="EncDataId-1" Type="http://www.w3.org/2001/04/xmlenc#Content">
> 	Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" />
> 	xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" URI="#EncKeyId-A77755F726FB2C832813189733820252" />
> 	Gbc/CYA8k1XJhCRYO8lA7rdxoUB6X4n7ZxfFSpxg437HUUjlaIImZ9vbX+UxxOuDKgEyN8TayBQR
> 	WIl+7npAm1BkzB88XJLf3EoVQI3eJhctspIuUgj/VIoHh090fCdw3bZGPSikqXlNPzPn5BsJKa/F
> 	7Q4MIXjgS7G7L4tBesgsNJEcBx7ftp6Slxw+iTSvudYcMQ5ZcQcl0a4o2NbohFUIc1HJhg4daq0c
> 	LwvKit9owEQyMNkVXJV/vj6swU+gx9ltbFJJ4uqnx5zCA2obxOZzk61v+VX9ctotdP3/xLr/WHtz
> 	dRPsTsM34zguG6vwRq+f1czBKtlkbaN4CxTZDvPkLgFSXX286ki452UWBIzqxaynCAL6tY1qgMYi
> 	tDbQveW+suDbu4cwN4WtUUJdWmqGAOJOeXTXsmCqEcipN/eqod75QVbqzBrTBjpywNdhdxE2aBU/
> 	wfXa1HMwhoKw9+Ul3st6I1tpuVbi+wK7amqGIwCo8URtdJEBzbu90g1uWfSgb/iIlrIyCk6vSIlB
> 	XbLD3VZCx0nlqfaG5GZOaqz1mAxCAfnrYg5y9eGkxIMk
>
> On the client side, WSS4j is set up as:
>
>         Map outProps1 = new HashMap();
>         outProps1.put(WSHandlerConstants.ACTION, WSHandlerConstants.ENCRYPT);
>         outProps1.put(WSHandlerConstants.PW_CALLBACK_CLASS, ClientCallbackHandler.class.getName());
>         outProps1.put(WSHandlerConstants.ENC_PROP_FILE, "client-crypto.properties");
>         outProps1.put(WSHandlerConstants.ENCRYPTION_USER, "servicekey");
>         cxfEndpoint.getOutInterceptors().add(new WSS4JOutInterceptor(outProps1));
>
> and the properties file is:
>
> 	org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
> 	org.apache.ws.security.crypto.merlin.keystore.type=jks
> 	org.apache.ws.security.crypto.merlin.keystore.alias=servicekey
> 	org.apache.ws.security.crypto.merlin.keystore.password=clientpass
> 	org.apache.ws.security.crypto.merlin.file=src/main/keystores/client-store.jks
>
> and the cert was imported using the command:
>
> 	$ keytool -import -trustcacerts -keystore client-store.jks -storepass clientpass -alias servicekey -file client-cert.cer
>
> Not sure what is going wrong, but there are a lot of steps, so maybe this is a simple error on my part.
> The CXF version is 2.2.3. If I need to redirect this to the cxf-users list, please let me know.
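Both errors in this thread ("alias is null" on 2.2.3, "No certificates were found for decryption (KeyId)" on 2.4.3) are raised at the same point: the server reads the certificate reference in the incoming EncryptedKey's KeyInfo and cannot map it to a certificate, and hence a private key, in the keystore named by its DEC_PROP_FILE properties. The script below is an added example, not part of the reporter's tarball or of CXF/WSS4J. It builds a server decryption keystore and a client encryption store that agree with each other (one key pair generated on the server side, only its certificate copied to the client under the alias the client passes as ENCRYPTION_USER) and then checks that agreement with keytool before any message is sent, so that a mismatched pair is caught as a configuration error rather than a SOAP fault. File names, aliases, passwords and the $WORK directory are constructed for the example; only the Merlin property names are WSS4J's, and the property reader accepts both the merlin.file spelling used by WSS4J 1.5 (CXF 2.2) and the merlin.keystore.file spelling used by WSS4J 1.6 (CXF 2.4).

```shell
#!/bin/sh
# Added example (not from the CXF issue, the reporter's tarball, or CXF/WSS4J):
# build a server decryption keystore and a client encryption store that agree with
# each other, then check that agreement with keytool before WSS4JInInterceptor ever
# sees a message. File names, aliases, passwords and $WORK are constructed for the
# example; only the Merlin property names are WSS4J's.
set -eu

WORK=${WORK:-$(mktemp -d)}

# Read one Merlin property (file, alias, password or type) from a crypto properties
# file. The keystore file property has two spellings, ...merlin.keystore.file
# (WSS4J 1.6, CXF 2.4) and ...merlin.file (WSS4J 1.5, CXF 2.2); both are accepted.
# Assumes plain key=value lines, as in the files quoted in the issue.
merlin_prop() { # merlin_prop <properties-file> <file|alias|password|type>
  val=$(sed -n "s/^org\.apache\.ws\.security\.crypto\.merlin\.keystore\.$2=//p" "$1" | head -n 1)
  [ -n "$val" ] || val=$(sed -n "s/^org\.apache\.ws\.security\.crypto\.merlin\.$2=//p" "$1" | head -n 1)
  printf '%s\n' "$val"
}

# Print the certificate fingerprint keytool reports for one alias, or nothing when the
# alias is missing or is not of the requested entry type (PrivateKeyEntry on the
# decrypting side, trustedCertEntry on the encrypting side).
entry_fingerprint() { # entry_fingerprint <keystore> <storepass> <alias> <entry-type>
  out=$(keytool -list -keystore "$1" -storepass "$2" -alias "$3" 2>/dev/null) || return 0
  printf '%s\n' "$out" | grep -q "$4" || return 0
  printf '%s\n' "$out" | sed -n 's/^Certificate fingerprint ([^)]*): //p' | head -n 1
}

# Pre-flight check for the failures quoted in the thread ("alias is null", "No
# certificates were found for decryption (KeyId)"): the alias in the server's
# decryption properties must be a private-key entry in the server's keystore, and the
# alias the client passes as ENCRYPTION_USER must be a trusted certificate in the
# client's store with the same fingerprint, i.e. the client must encrypt to the key
# the server actually holds.
check_keystores() { # check_keystores <server-props> <client-props> <encryption-user>
  srv_fp=$(entry_fingerprint "$(merlin_prop "$1" file)" "$(merlin_prop "$1" password)" \
                             "$(merlin_prop "$1" alias)" PrivateKeyEntry)
  cli_fp=$(entry_fingerprint "$(merlin_prop "$2" file)" "$(merlin_prop "$2" password)" \
                             "$3" trustedCertEntry)
  [ -n "$srv_fp" ] || { echo "server alias '$(merlin_prop "$1" alias)' is not a PrivateKeyEntry" >&2; return 1; }
  [ -n "$cli_fp" ] || { echo "client alias '$3' is not a trustedCertEntry" >&2; return 1; }
  [ "$srv_fp" = "$cli_fp" ] || { echo "client encrypts to a certificate the server does not hold" >&2; return 1; }
  echo "ok: $3 -> $srv_fp"
}

# Server-side (DEC_PROP_FILE) and client-side (ENC_PROP_FILE) crypto properties that
# point at the keystores built below. The client file deliberately uses the older
# merlin.file spelling, as the client file quoted in the issue does.
write_props() {
  cat >"$WORK/server-security.properties" <<EOF
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.keystore.password=server-storepass
org.apache.ws.security.crypto.merlin.keystore.alias=servicekey
org.apache.ws.security.crypto.merlin.keystore.file=$WORK/server-keystore.jks
EOF
  cat >"$WORK/client-crypto.properties" <<EOF
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.keystore.password=client-storepass
org.apache.ws.security.crypto.merlin.file=$WORK/client-store.jks
EOF
}

# One key pair, generated in the server's store under the alias the server decrypts
# with; only its certificate is exported and imported into the client's store under
# the alias the client names as ENCRYPTION_USER. The private key stays on the server.
build_keystores() {
  keytool -genkeypair -alias servicekey -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
    -dname CN=localhost -validity 365 -keypass server-keypass \
    -storetype JKS -storepass server-storepass -keystore "$WORK/server-keystore.jks"
  keytool -exportcert -rfc -alias servicekey -storepass server-storepass \
    -keystore "$WORK/server-keystore.jks" -file "$WORK/service-cert.pem"
  keytool -importcert -noprompt -alias servicekey -storetype JKS -storepass client-storepass \
    -keystore "$WORK/client-store.jks" -file "$WORK/service-cert.pem"
}

# Stand-alone run: only attempted when a JDK keytool is on the PATH.
if command -v keytool >/dev/null 2>&1; then
  write_props
  build_keystores >/dev/null
  check_keystores "$WORK/server-security.properties" "$WORK/client-crypto.properties" servicekey
fi
```

Run it once to see the "ok" line, then point `check_keystores` at a real server-security.properties and client-crypto.properties pair: the message it prints names which side is wrong (no private-key entry under the server's alias, no trusted certificate under the client's ENCRYPTION_USER alias, or two different certificates), which is more than the SOAP fault tells you.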