cxf-users mailing list archives

From Freeman Fang <>
Subject Re: Receiving and Decrypting Encrypted MTOM Attachments
Date Fri, 30 Aug 2013 02:47:03 GMT

WSS4J and MTOM don't really work well in CXF currently; please see the related discussion
[1] & [2]. The coming WSS4J 2.0 should be the final solution.

Freeman(Yue) Fang

Red Hat, Inc. 
FuseSource is now part of Red Hat
Twitter: freemanfang
weibo: @Freeman小屋

On 2013-8-30, at 1:05 AM, Jennifer Ruttan wrote:

> Hi all,
> I have a web service that responds to me with an encrypted MTOM attachment. The MTOM
> attachment is a complex type that contains several fields (base64-encoded data, a string,
> integer, and another complex type).
> The response is encrypted as follows (I received this from the web service supplier):
> - The response is encrypted using the public key of the certificate that was used to
>   sign the incoming message
> - All bits of the public key are used
> - The secret key is encrypted using an RSA cipher with PKCS1 padding; the secret key
>   itself is 128 bits long, but encrypts to 128 bytes then base64 encodes to 172 bytes
> - The initialization vector is the first 16 bytes of the cipher value in the body; to
>   recover the IV, base64 decode the CipherValue and take the first 16 bytes from it; the
>   remainder is the decrypted message
> - The response message encryption scheme is AES cipher with CBC block mechanism and PKCS5
> With all of that said, I have configured the bindingprovider on the client to enable
> MTOM support, as follows:
> BindingProvider bp = (BindingProvider)port;
> SOAPBinding binding = (SOAPBinding) bp.getBinding();
> binding.setMTOMEnabled(true);
> All of the responses that this web service delivers are encrypted, but this is the only
> type that I can't decrypt automatically via CXF's built-in logic. I receive a WSSecurityException
> ("The signature or decryption was invalid") when I run the method on the port that responds
> with an encrypted MTOM attachment.
> By any chance if anybody knows the best way to proceed and configure the service so that
> it decrypts this message type properly, I would appreciate any suggestions.
> Thanks
> Jennifer
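As an added illustration (not code from this thread, from CXF or from WSS4J), the decryption steps the supplier describes, carried out by hand with plain JCE so a captured response can be checked outside the WS-Security stack: RSA/PKCS#1 v1.5 unwrap of the 128-bit content key, then IV-first AES-CBC/PKCS5 decryption of the body CipherValue. The key pair, the AES key and the sample payload are generated or constructed here to stand in for the client certificate and the service's response; the class and method names are my own.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Base64;
import javax.crypto.*;
import javax.crypto.spec.*;

public class MtomResponseDecryptor {
    /** Recover the 128-bit content key from the base64 EncryptedKey CipherValue (RSA, PKCS#1 v1.5). */
    static SecretKey unwrapContentKey(PrivateKey rsaKey, String encryptedKeyB64) throws Exception {
        Cipher rsa = Cipher.getInstance("RSA/ECB/PKCS1Padding");
        rsa.init(Cipher.DECRYPT_MODE, rsaKey);
        byte[] raw = rsa.doFinal(Base64.getDecoder().decode(encryptedKeyB64)); // 128 bytes in, 16 out
        return new SecretKeySpec(raw, "AES");
    }
    /** Decrypt the body CipherValue: the first 16 bytes are the IV, the rest is AES-CBC/PKCS5 ciphertext. */
    static byte[] decryptBody(SecretKey contentKey, String cipherValueB64) throws Exception {
        byte[] blob = Base64.getDecoder().decode(cipherValueB64);
        if (blob.length < 32 || blob.length % 16 != 0) {
            throw new IllegalArgumentException("CipherValue must be a 16-byte IV plus whole AES blocks");
        }
        Cipher aes = Cipher.getInstance("AES/CBC/PKCS5Padding");
        aes.init(Cipher.DECRYPT_MODE, contentKey, new IvParameterSpec(blob, 0, 16));
        return aes.doFinal(blob, 16, blob.length - 16);
    }
    public static void main(String[] args) throws Exception {
        // Constructed sample: play the service's side to produce a message in the described format.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(1024); // 1024-bit only to reproduce the 128-byte EncryptedKey the post describes
        KeyPair clientCert = kpg.generateKeyPair();
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey contentKey = kg.generateKey();
        byte[] iv = new byte[16];
        new SecureRandom().nextBytes(iv);
        Cipher aes = Cipher.getInstance("AES/CBC/PKCS5Padding");
        aes.init(Cipher.ENCRYPT_MODE, contentKey, new IvParameterSpec(iv));
        byte[] ct = aes.doFinal("<attachment>sample payload</attachment>".getBytes(StandardCharsets.UTF_8));
        byte[] blob = new byte[16 + ct.length];
        System.arraycopy(iv, 0, blob, 0, 16);
        System.arraycopy(ct, 0, blob, 16, ct.length);
        Cipher rsa = Cipher.getInstance("RSA/ECB/PKCS1Padding");
        rsa.init(Cipher.ENCRYPT_MODE, clientCert.getPublic());
        String encKeyB64 = Base64.getEncoder().encodeToString(rsa.doFinal(contentKey.getEncoded()));
        String bodyB64 = Base64.getEncoder().encodeToString(blob);
        // Client side: unwrap the content key with the certificate's private key, then decrypt.
        SecretKey recovered = unwrapContentKey(clientCert.getPrivate(), encKeyB64);
        System.out.println(new String(decryptBody(recovered, bodyB64), StandardCharsets.UTF_8));
    }
}
```

The IV-first layout of CipherValue is the XML Encryption convention for CBC modes, so a response that decrypts here but still fails in CXF points at the MTOM handling rather than at the cipher parameters.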
