ws-wss4j-dev mailing list archives

From "Dittmann, Werner" <werner.dittm...@siemens.com>
Subject AW: WSS4J and Kerberos signatures
Date Wed, 16 Nov 2005 09:15:26 GMT
Laurence,

it is a problem of BC together with JDK1.5. I tested
the whole setup but without using BC for encrypting the
elements.

If you are using the SVN version then you are able
to switch off the usage of BC during encryption of an
element. Please have a look at the attached WSEncryptBody,
doEncryption() method. As a hack I forced it to use the
first provider that implements the required algo - usually
this is the Sun provider as this is the first in the
security provider list.

I'll have a look at the BC mailing list archive to see if
this is a known problem.

Regards,
Werner
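
Added example, not part of the original message or of the WSS4J source: a small Java program that prints the installed JCE provider order and shows which provider a `Cipher.getInstance()` call without a provider argument resolves to, the "first provider that implements the required algo" behaviour described above. The class name, the `AES/CBC/PKCS5Padding` transformation and the sample plaintext are assumptions chosen for illustration; the message does not name the algorithm involved.

```java
import java.security.Provider;
import java.security.Security;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;

public class ProviderSelectionDemo {
    // Assumed transformation, for illustration only.
    static final String TRANSFORMATION = "AES/CBC/PKCS5Padding";

    // First installed provider that registers a Cipher service for the full
    // transformation or for its base algorithm (a match on the base algorithm
    // does not guarantee that the mode and padding are supported).
    static Provider firstProviderFor(String transformation) {
        String algorithm = transformation.split("/")[0];
        for (Provider p : Security.getProviders()) {
            if (p.getService("Cipher", transformation) != null
                    || p.getService("Cipher", algorithm) != null) {
                return p;
            }
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        // Preference order follows the security.provider.N entries in java.security.
        Provider[] installed = Security.getProviders();
        for (int i = 0; i < installed.length; i++) {
            System.out.println((i + 1) + ": " + installed[i].getName());
        }
        Provider first = firstProviderFor(TRANSFORMATION);
        System.out.println("first match: " + (first == null ? "none" : first.getName()));

        // No provider argument: the JCE walks the list in preference order.
        SecretKey key = KeyGenerator.getInstance("AES").generateKey();
        Cipher enc = Cipher.getInstance(TRANSFORMATION);
        enc.init(Cipher.ENCRYPT_MODE, key);
        byte[] iv = enc.getIV();
        byte[] ct = enc.doFinal("constructed sample element".getBytes("UTF-8"));
        System.out.println("encrypt provider: " + enc.getProvider().getName());

        // Decrypt with the same provider instance so the round trip
        // exercises one implementation only.
        Cipher dec = Cipher.getInstance(TRANSFORMATION, enc.getProvider());
        dec.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(iv));
        System.out.println(new String(dec.doFinal(ct), "UTF-8"));
    }
}
```

Running it once with the default provider list and once after adding Bouncy Castle to `java.security` shows whether the reordering changes which implementation handles the cipher.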

> -----Original Message-----
> From: Dittmann, Werner 
> Sent: Wednesday, 16 November 2005 08:02
> To: Laurence Brockman; dims@apache.org; wss4j-dev@ws.apache.org
> Subject: AW: WSS4J and Kerberos signatures
> 
> Laurence,
> 
> I've the same problem here with jdk1.5, running on a
> XP box, no problems with jdk1.4 . I'm starting to investigate
> the problem, but it seems to be buried somewhere in
> the crypto code ... I'm not really sure what is wrong.
> 
> Regards,
> Werner
> 
> > -----Original Message-----
> > From: Laurence Brockman [mailto:laurence.brockman@sjrb.ca] 
> > Sent: Tuesday, 15 November 2005 22:18
> > To: dims@apache.org; wss4j-dev@ws.apache.org
> > Subject: RE: WSS4J and Kerberos signatures
> > 
> > Ok, I've done all that and it is processing more tests than before,
> > however, it is still failing with the following (Again, I am using
> > jdk1.5 and have added the provider to java.security as well as
> > downloading the unlimited strength crypto stuff from sun).
> > 
> > Any ideas would be awesome!
> > 
> > org.apache.ws.security.WSSecurityException: Cannot encrypt/decrypt data;
> > nested exception is: 
> > 	org.apache.xml.security.encryption.XMLEncryptionException: pad block corrupted
> > Original Exception was javax.crypto.BadPaddingException: pad block corrupted
> > 	at org.apache.ws.security.processor.EncryptedKeyProcessor.decryptDataRef(EncryptedKeyProcessor.java:388)
> > 	at org.apache.ws.security.processor.EncryptedKeyProcessor.handleEncryptedKey(EncryptedKeyProcessor.java:313)
> > 	at org.apache.ws.security.processor.EncryptedKeyProcessor.handleEncryptedKey(EncryptedKeyProcessor.java:81)
> > 	at org.apache.ws.security.processor.EncryptedKeyProcessor.handleToken(EncryptedKeyProcessor.java:75)
> > 	at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:252)
> > 	at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:179)
> > 	at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:132)
> > 	at wssec.TestWSSecurity2.verify(TestWSSecurity2.java:234)
> > 	at wssec.TestWSSecurity2.testEncryptionDecryptionRSA15(TestWSSecurity2.java:162)
> > 	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> > 	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
> > 	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
> > 	at java.lang.reflect.Method.invoke(Method.java:585)
> > 	at junit.framework.TestCase.runTest(TestCase.java:154)
> > 	at junit.framework.TestCase.runBare(TestCase.java:127)
> > 	at junit.framework.TestResult$1.protect(TestResult.java:106)
> > 	at junit.framework.TestResult.runProtected(TestResult.java:124)
> > 	at junit.framework.TestResult.run(TestResult.java:109)
> > 	at junit.framework.TestCase.run(TestCase.java:118)
> > 	at junit.framework.TestSuite.runTest(TestSuite.java:208)
> > 	at junit.framework.TestSuite.run(TestSuite.java:203)
> > 	at junit.framework.TestSuite.runTest(TestSuite.java:208)
> > 	at junit.framework.TestSuite.run(TestSuite.java:203)
> > 	at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:478)
> > 	at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.run(RemoteTestRunner.java:344)
> > 	at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.main(RemoteTestRunner.java:196)
> > Caused by: org.apache.xml.security.encryption.XMLEncryptionException: pad block corrupted
> > Original Exception was javax.crypto.BadPaddingException: pad block corrupted
> > 	at org.apache.xml.security.encryption.XMLCipher.decryptToByteArray(Unknown Source)
> > 	at org.apache.xml.security.encryption.XMLCipher.decryptElement(Unknown Source)
> > 	at org.apache.xml.security.encryption.XMLCipher.decryptElementContent(Unknown Source)
> > 	at org.apache.xml.security.encryption.XMLCipher.doFinal(Unknown Source)
> > 	at org.apache.ws.security.processor.EncryptedKeyProcessor.decryptDataRef(EncryptedKeyProcessor.java:386)
> > 	... 25 more
> > 
> > 
> > -----Original Message-----
> > From: Davanum Srinivas [mailto:davanum@gmail.com] 
> > Sent: November 15, 2005 1:47 PM
> > To: Laurence Brockman; wss4j-dev@ws.apache.org
> > Subject: Re: WSS4J and Kerberos signatures
> > 
> > http://www.bouncycastle.org/documentation.html
> > http://www.bouncycastle.org/specifications.html#install
> > 
> > scroll down a bit on the second link and look for java.security
> > 
> > -- dims
> > 
> > PS: Please post directly to the list. So that others may answer as well :)
> > 
> > On 11/15/05, Laurence Brockman <laurence.brockman@sjrb.ca> wrote:
> > > Thanks for such a quick reply! I think the problem is that I am using
> > > jdk1.5... Does the bouncycastle.org site have information about
> > > installing the bouncycastle provider or are there any other sites I can
> > > get documentation about this?
> > >
> > > Thanks again!
> > > Laurence
> > >
> > > -----Original Message-----
> > > From: Davanum Srinivas [mailto:davanum@gmail.com]
> > > Sent: November 15, 2005 1:40 PM
> > > To: Laurence Brockman; wss4j-dev@ws.apache.org
> > > Subject: Re: WSS4J and Kerberos signatures
> > >
> > > All the code needed is in the svn itself. you should not need any
> > > additional jars. just get the stuff from SVN. make sure you have the
> > > strong crypto stuff installed in your JDK (check the download site for
> > > the jdk and it is available as a separate download) and then run "ant
> > > test". Are u using JDK1.4? (better to use that version, there are
> > > additional steps for jdk1.5 - namely installing the bouncycastle
> > > provider)
> > >
> > > NOTE: don't use the maven build :)
> > >
> > > thanks,
> > > dims
> > >
> > > On 11/15/05, Laurence Brockman <laurence.brockman@sjrb.ca> wrote:
> > > > Sounds good.
> > > >
> > > > Quick question... I've checked out the latest source from SVN and I'm
> > > > trying to run the Ant JUnit tests and they keep failing. When I run the
> > > > JUnit tests through eclipse directly they are throwing a connection
> > > > denied exception. I have installed Axis 1.2.1 here but I have not
> > > > deployed any test web services so even if I start that up they still
> > > > fail with service not found exceptions. Is there a way to easily either
> > > > test this stuff without deploying the test web services or to bypass
> > > > these tests? I've also installed maven and tried to compile that way,
> > > > but it is failing as well.
> > > >
> > > > I also noticed in the project.xml file that you have excluded the
> > > > wssec/PackageTests.java and the interop/PackageTests.java. Is that
> > > > because of the above mentioned errors?
> > > >
> > > > After looking through the source code, I believe what I would want to do
> > > > would be to create Kerberos token processor and action classes and add a
> > > > case into both getAction and getProcessor to point to these new classes.
> > > >
> > > > Sorry for the barrage of questions.
> > > >
> > > > Thanks,
> > > > Laurence
> > > >
> > > > -----Original Message-----
> > > > From: Davanum Srinivas [mailto:davanum@gmail.com]
> > > > Sent: November 14, 2005 3:02 PM
> > > > To: Laurence Brockman
> > > > Cc: wss4j-dev@ws.apache.org
> > > > Subject: Re: WSS4J and Kerberos signatures
> > > >
> > > > Please see what is being done for SAML and use that as a template for
> > > > Kerberos.
> > > >
> > > > thanks,
> > > > dims
> > > >
> > > > On 11/14/05, Laurence Brockman <laurence.brockman@sjrb.ca> wrote:
> > > > > Correct me if I'm wrong here, but this is what I'm thinking:
> > > > >
> > > > > After grabbing the source from SVN and looking at the documentation, I
> > > > > believe the right place for me to start would be to extend the
> > > > > org.apache.ws.axis.security class to handle the Kerberos requirements
> > > > > specified in the OASIS document.
> > > > >
> > > > > Forgive me for so many questions, but I'm new to Axis/WSS4J and I want
> > > > > to make sure that I'm heading down the right path.
> > > > >
> > > > > Specifically, what we are looking to implement is just the
> > > > > authentication portion of Kerberos and not the encryption portion (We
> > > > > want to authenticate incoming SOAP requests against a KDC). Down the
> > > > > road we will likely look at the encryption portion, but that won't
> > > > > likely be for a few months at least.
> > > > >
> > > > > Thanks again!!
> > > > > Laurence
> > > > >
> > > > > -----Original Message-----
> > > > > From: Davanum Srinivas [mailto:davanum@gmail.com]
> > > > > Sent: November 11, 2005 8:18 PM
> > > > > To: Laurence Brockman
> > > > > Cc: wss4j-dev@ws.apache.org
> > > > > Subject: Re: WSS4J and Kerberos signatures
> > > > >
> > > > > Laurence,
> > > > >
> > > > > I believe you start with taking a look at the Kerberos Token Profile
> > > > > at the OASIS WSS TC web site:
> > > > >
> > > > > http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=wss
> > > > >
> > > > > There's lots of refactoring in the latest SVN, which makes it easy to
> > > > > plug in a new token profile. So please get the latest SVN code and
> > > > > start asking more questions :)
> > > > >
> > > > > thanks,
> > > > > dims
> > > > >
> > > > > On 11/10/05, Laurence Brockman <laurence.brockman@sjrb.ca> wrote:
> > > > > >
> > > > > >
> > > > > >
> > > > > > Hello,
> > > > > >
> > > > > >
> > > > > >
> > > > > > Sorry if this is a FAQ but I have been looking for answers to this high and
> > > > > > low and have not seen this on the list.
> > > > > >
> > > > > > We are going to try and use Kerberos to authenticate users on our SOAP
> > > > > > server. What we envision is having the client send down the SOAP request
> > > > > > with a service ticket from a KDC. The server (Axis using WSS4J on Tomcat)
> > > > > > would then authenticate this user against said KDC. After briefly looking at
> > > > > > the documentation within the WSS4J code I think what we would want to do is
> > > > > > extend the WSDoAllHandler class (From the
> > > > > > org.apache.axis.security.handler package). Is this the
> > > > > > right direction to be going in? Has anybody looked at this? I'm relatively
> > > > > > new to Axis/WSS4J and some guidance would be awesome!
> > > > > >
> > > > > >
> > > > > >
> > > > > > Thanks,
> > > > > >
> > > > > > Laurence
> > > > > >
> > > > > >
> > > > > >
> > > > > > Laurence Brockman
> > > > > >  Server Specialist, Shaw Operations Centre
> > > > > >  Shaw Communications Inc.
> > > > > >  Phone : (403) 303-4805
> > > > > >  E-mail : laurence.brockman@sjrb.ca
> > > > > >
> > > > > >
> > > > > >
> > > > > > ACCOUNTABLE    BALANCE    CUSTOMER FOCUSED    INTEGRITY    LOYALTY
> > > > > > POSITIVE, CAN DO ATTITUDE    TEAM PLAYER
> > > > > >
> > > > > >
> > > > >
> > > > >
> > > > > --
> > > > > Davanum Srinivas : http://wso2.com/blogs/
> > > > >
> > > > >
> > > 
> > 
> ---------------------------------------------------------------------
> > > > > To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
> > > > > For additional commands, e-mail: wss4j-dev-help@ws.apache.org