ws-wss4j-dev mailing list archives

From "Dittmann, Werner" <werner.dittm...@siemens.com>
Subject AW: WSS4J and Kerberos signatures
Date Wed, 16 Nov 2005 16:26:31 GMT
Laurence,

IMO it's not necessary. I'll report it to BC anyhow.

Regards,
Werner 

> -----Original Message-----
> From: Laurence Brockman [mailto:laurence.brockman@sjrb.ca] 
> Sent: Wednesday, 16 November 2005 17:15
> To: Dittmann, Werner; dims@apache.org; wss4j-dev@ws.apache.org
> Subject: RE: WSS4J and Kerberos signatures
> 
> Thanks so much! I am in fact running this (While developing) 
> on an XP Box, so your environment seems to match mine. As 
> soon as I started using jdk1.4 everything worked fine. Would 
> you like me to run the test program and send the results to 
> the list? (Seeing how we are running similar environments, 
> I'm not sure what benefit this would have, but I can if you'd like).
> 
> Thanks,
> Laurence
> 
> -----Original Message-----
> From: Dittmann, Werner [mailto:werner.dittmann@siemens.com] 
> Sent: November 16, 2005 5:09 AM
> To: Laurence Brockman; dims@apache.org; wss4j-dev@ws.apache.org
> Subject: AW: WSS4J and Kerberos signatures
> 
> Laurence, all,
> 
> this problem is very strange and pops up only if several
> conditions are met:
> 
> - Java 5 (I'm using 1.5.0_03), running with XP
> - using BouncyCastle
> - insert the BC provider at position 2 using the following
>   method: 
>   ...Security.insertProviderAt (new BouncyCastleProvider(), 2)
> 
>   using the method
>   ...Security.addProvider(new BouncyCastleProvider()) the 
>   problem doesn't show up
> 
> Well, during the last weeks I was modifying the way a
> JCE provider is added to WSS4J. During that I overlooked
> one place to honor the provider to use (in the decryption
> process, EncryptedKeyProcessor). This caused XMLCipher
> to use "BC" to encrypt and to use another provider that
> provides the algorithm, in fact this is also "BC" - because
> it is on position 2, thus before the SunJCE. If we
> use "addProvider" BC is somewhere behind the standard 
> providers.
> 
> Therefore, to me it seems it's problem between the BC JCE
> provider and the way the Java 5 Cipher implementation
> initializes the JCE (in this case BC) provider.
> 
> There was no such thing reported on the BC mailing list, 
> I'll inform them about this behaviour.
> 
> Attached a small test program. If somebody uses Java 5
> please try to run the test to get error reports (just 
> remove / modify the package name).
> 
> I'll fix the problem in "EncryptedKeyProcessor" to honor
> the provider setting - however, the error remains somewhere
> deep inside the Java 5 security dungeons :-).
> 
> Regards,
> Werner
> 
> > -----Original Message-----
> > From: Dittmann, Werner 
> > Sent: Wednesday, 16 November 2005 08:02
> > To: Laurence Brockman; dims@apache.org; wss4j-dev@ws.apache.org
> > Subject: AW: WSS4J and Kerberos signatures
> > 
> > Laurence,
> > 
> > I've the same problem here with jdk1.5, running on an
> > XP box, no problems with jdk1.4 . I'm starting to investigate
> > the problem, but it seems to be buried somewhere in
> > the crypto code ... I'm not really sure what is wrong.
> > 
> > Regards,
> > Werner
> > 
> > > -----Original Message-----
> > > From: Laurence Brockman [mailto:laurence.brockman@sjrb.ca] 
> > > Sent: Tuesday, 15 November 2005 22:18
> > > To: dims@apache.org; wss4j-dev@ws.apache.org
> > > Subject: RE: WSS4J and Kerberos signatures
> > > 
> > > Ok, I've done all that and it is processing more tests than before,
> > > however, it is still failing with the following (Again, I am using
> > > jdk1.5 and have added the provider to java.security as well as
> > > downloading the unlimited strength crypto stuff from sun).
> > > 
> > > Any ideas would be awesome!
> > > 
> > > org.apache.ws.security.WSSecurityException: Cannot encrypt/decrypt data;
> > > nested exception is: 
> > > 	org.apache.xml.security.encryption.XMLEncryptionException: pad block corrupted
> > > Original Exception was javax.crypto.BadPaddingException: pad block corrupted
> > > 	at org.apache.ws.security.processor.EncryptedKeyProcessor.decryptDataRef(EncryptedKeyProcessor.java:388)
> > > 	at org.apache.ws.security.processor.EncryptedKeyProcessor.handleEncryptedKey(EncryptedKeyProcessor.java:313)
> > > 	at org.apache.ws.security.processor.EncryptedKeyProcessor.handleEncryptedKey(EncryptedKeyProcessor.java:81)
> > > 	at org.apache.ws.security.processor.EncryptedKeyProcessor.handleToken(EncryptedKeyProcessor.java:75)
> > > 	at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:252)
> > > 	at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:179)
> > > 	at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:132)
> > > 	at wssec.TestWSSecurity2.verify(TestWSSecurity2.java:234)
> > > 	at wssec.TestWSSecurity2.testEncryptionDecryptionRSA15(TestWSSecurity2.java:162)
> > > 	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> > > 	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
> > > 	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
> > > 	at java.lang.reflect.Method.invoke(Method.java:585)
> > > 	at junit.framework.TestCase.runTest(TestCase.java:154)
> > > 	at junit.framework.TestCase.runBare(TestCase.java:127)
> > > 	at junit.framework.TestResult$1.protect(TestResult.java:106)
> > > 	at junit.framework.TestResult.runProtected(TestResult.java:124)
> > > 	at junit.framework.TestResult.run(TestResult.java:109)
> > > 	at junit.framework.TestCase.run(TestCase.java:118)
> > > 	at junit.framework.TestSuite.runTest(TestSuite.java:208)
> > > 	at junit.framework.TestSuite.run(TestSuite.java:203)
> > > 	at junit.framework.TestSuite.runTest(TestSuite.java:208)
> > > 	at junit.framework.TestSuite.run(TestSuite.java:203)
> > > 	at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:478)
> > > 	at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.run(RemoteTestRunner.java:344)
> > > 	at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.main(RemoteTestRunner.java:196)
> > > Caused by: org.apache.xml.security.encryption.XMLEncryptionException: pad block corrupted
> > > Original Exception was javax.crypto.BadPaddingException: pad block corrupted
> > > 	at org.apache.xml.security.encryption.XMLCipher.decryptToByteArray(Unknown Source)
> > > 	at org.apache.xml.security.encryption.XMLCipher.decryptElement(Unknown Source)
> > > 	at org.apache.xml.security.encryption.XMLCipher.decryptElementContent(Unknown Source)
> > > 	at org.apache.xml.security.encryption.XMLCipher.doFinal(Unknown Source)
> > > 	at org.apache.ws.security.processor.EncryptedKeyProcessor.decryptDataRef(EncryptedKeyProcessor.java:386)
> > > 	... 25 more
> > > 
> > > 
> > > -----Original Message-----
> > > From: Davanum Srinivas [mailto:davanum@gmail.com] 
> > > Sent: November 15, 2005 1:47 PM
> > > To: Laurence Brockman; wss4j-dev@ws.apache.org
> > > Subject: Re: WSS4J and Kerberos signatures
> > > 
> > > http://www.bouncycastle.org/documentation.html
> > > http://www.bouncycastle.org/specifications.html#install
> > > 
> > > scroll down a bit on the second link and look for java.security
> > > 
> > > -- dims
> > > 
> > > PS: Please post directly to the list. So that others may 
> > > answer as well
> > > :)
> > > 
> > > On 11/15/05, Laurence Brockman <laurence.brockman@sjrb.ca> wrote:
> > > > Thanks for such a quick reply! I think the problem is that I am using
> > > > jdk1.5... Does the bouncycastle.org site have information about
> > > > installing the bouncycastle provider or are there any other sites I can
> > > > get documentation about this?
> > > >
> > > > Thanks again!
> > > > Laurence
> > > >
> > > > -----Original Message-----
> > > > From: Davanum Srinivas [mailto:davanum@gmail.com]
> > > > Sent: November 15, 2005 1:40 PM
> > > > To: Laurence Brockman; wss4j-dev@ws.apache.org
> > > > Subject: Re: WSS4J and Kerberos signatures
> > > >
> > > > All the code needed is in the svn itself. you should not need any
> > > > additional jars. just get the stuff from SVN. make sure you have the
> > > > strong crypto stuff installed in your JDK (check the download site for
> > > > the jdk and it is available as a separate download) and then run "ant
> > > > test". Are you using JDK1.4? (better to use that version, there are
> > > > additional steps for jdk1.5 - namely installing the bouncycastle
> > > > provider)
> > > >
> > > > NOTE: don't use the maven build :)
> > > >
> > > > thanks,
> > > > dims
> > > >
> > > > On 11/15/05, Laurence Brockman <laurence.brockman@sjrb.ca> wrote:
> > > > > Sounds good.
> > > > >
> > > > > Quick question... I've checked out the latest source from SVN and I'm
> > > > > trying to run the Ant JUnit tests and they keep failing. When I run the
> > > > > JUnit tests through eclipse directly they are throwing a connection
> > > > > denied exception. I have installed Axis 1.2.1 here but I have not
> > > > > deployed any test web services so even if I start that up they still
> > > > > fail with service not found exceptions. Is there a way to easily either
> > > > > test this stuff without deploying the test web services or to bypass
> > > > > these tests? I've also installed maven and tried to compile that way,
> > > > > but it is failing as well.
> > > > >
> > > > > I also noticed in the project.xml file that you have excluded the
> > > > > wssec/PackageTests.java and the interop/PackageTests.java. Is that
> > > > > because of the above mentioned errors?
> > > > >
> > > > > After looking through the source code, I believe what I would want to do
> > > > > would be to create Kerberos token processor and action classes and add a
> > > > > case into both getAction and getProcessor to point to these new classes.
> > > > >
> > > > > Sorry for the barrage of questions.
> > > > >
> > > > > Thanks,
> > > > > Laurence
> > > > >
> > > > > -----Original Message-----
> > > > > From: Davanum Srinivas [mailto:davanum@gmail.com]
> > > > > Sent: November 14, 2005 3:02 PM
> > > > > To: Laurence Brockman
> > > > > Cc: wss4j-dev@ws.apache.org
> > > > > Subject: Re: WSS4J and Kerberos signatures
> > > > >
> > > > > Please see what is being done for SAML and use that as a template for
> > > > > Kerberos.
> > > > >
> > > > > thanks,
> > > > > dims
> > > > >
> > > > > On 11/14/05, Laurence Brockman <laurence.brockman@sjrb.ca> wrote:
> > > > > > Correct me if I'm wrong here, but this is what I'm thinking:
> > > > > >
> > > > > > After grabbing the source from SVN and looking at the documentation, I
> > > > > > believe the right place for me to start would be to extend the
> > > > > > org.apache.ws.axis.security class to handle the Kerberos requirements
> > > > > > specified in the OASIS document.
> > > > > >
> > > > > > Forgive me for so many questions, but I'm new to Axis/WSS4J and I want
> > > > > > to make sure that I'm heading down the right path.
> > > > > >
> > > > > > Specifically, what we are looking to implement is just the
> > > > > > authentication portion of Kerberos and not the encryption portion (We
> > > > > > want to authenticate incoming SOAP requests against a KDC). Down the
> > > > > > road we will likely look at the encryption portion, but that won't
> > > > > > likely be for a few months at least.
> > > > > >
> > > > > > Thanks again!!
> > > > > > Laurence
> > > > > >
> > > > > > -----Original Message-----
> > > > > > From: Davanum Srinivas [mailto:davanum@gmail.com]
> > > > > > Sent: November 11, 2005 8:18 PM
> > > > > > To: Laurence Brockman
> > > > > > Cc: wss4j-dev@ws.apache.org
> > > > > > Subject: Re: WSS4J and Kerberos signatures
> > > > > >
> > > > > > Laurence,
> > > > > >
> > > > > > I believe you start with taking a look at the Kerberos Token Profile
> > > > > > at the OASIS WSS TC web site:
> > > > > >
> > > > > > http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=wss
> > > > > >
> > > > > > There's lots of refactoring in the latest SVN, which makes it easy to
> > > > > > plug in a new token profile. So please get the latest SVN code and
> > > > > > start asking more questions :)
> > > > > >
> > > > > > thanks,
> > > > > > dims
> > > > > >
> > > > > > On 11/10/05, Laurence Brockman <laurence.brockman@sjrb.ca> wrote:
> > > > > > >
> > > > > > > Hello,
> > > > > > >
> > > > > > > Sorry if this is a FAQ but I have been looking for answers to this
> > > > > > > high and low and have not seen this on the list.
> > > > > > >
> > > > > > > We are going to try and use Kerberos to authenticate users on our SOAP
> > > > > > > server. What we envision is having the client send down the SOAP request
> > > > > > > with a service ticket from a KDC. The server (Axis using WSS4J on Tomcat)
> > > > > > > would then authenticate this user against said KDC. After briefly looking at
> > > > > > > the documentation within the WSS4J code I think what we would want to do is
> > > > > > > extend the WSDoAllHandler class (From the
> > > > > > > org.apache.axis.security.handler package). Is this the
> > > > > > > right direction to be going in? Has anybody looked at this? I'm relatively
> > > > > > > new to Axis/WSS4J and some guidance would be awesome!
> > > > > > >
> > > > > > > Thanks,
> > > > > > >
> > > > > > > Laurence
> > > > > > >
> > > > > > > Laurence Brockman
> > > > > > >  Server Specialist, Shaw Operations Centre
> > > > > > >  Shaw Communications Inc.
> > > > > > >  Phone : (403) 303-4805
> > > > > > >  E-mail : laurence.brockman@sjrb.ca
> > > > > > >
> > > > > > > ACCOUNTABLE    BALANCE    CUSTOMER FOCUSED    INTEGRITY    LOYALTY
> > > > > > > POSITIVE, CAN DO ATTITUDE    TEAM PLAYER
> > > > > > >
> > > > > >
> > > > > >
> > > > > > --
> > > > > > Davanum Srinivas : http://wso2.com/blogs/

---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org


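The provider-ordering behaviour Werner describes above (BC inserted at position 2 versus appended with addProvider, and a decryption path that did not honour the configured provider) can be checked directly instead of being discovered through a "pad block corrupted" failure inside a handler. The program below is an added example written for this page, not WSS4J code and not Werner's attached test program; it assumes only that the BouncyCastle provider jar (org.bouncycastle.jce.provider.BouncyCastleProvider) is on the classpath. It reports which provider Cipher.getInstance resolves to under each registration strategy and runs an AES/CBC round trip in both directions between "BC" and "SunJCE", so an incompatibility between the two surfaces in this test rather than in deployed code.

```java
import java.security.Provider;
import java.security.SecureRandom;
import java.security.Security;
import java.util.Arrays;

import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

import org.bouncycastle.jce.provider.BouncyCastleProvider;

/**
 * Added example (not WSS4J code): shows how JCE provider registration order
 * decides which provider serves a Cipher transformation, and checks that
 * ciphertext produced by one provider decrypts under another.
 * Assumes the BouncyCastle provider jar is on the classpath.
 */
public class ProviderOrderCheck {

    // Transformation used for the round-trip check; a padded mode is what
    // turns a provider mismatch into a BadPaddingException on decrypt.
    static final String TRANSFORMATION = "AES/CBC/PKCS5Padding";

    /** Name of the provider that Cipher.getInstance picks when none is pinned. */
    static String resolvedProvider(String transformation) throws Exception {
        return Cipher.getInstance(transformation).getProvider().getName();
    }

    /** Registered providers in priority order, space separated. */
    static String providerOrder() {
        StringBuilder sb = new StringBuilder();
        for (Provider p : Security.getProviders()) {
            sb.append(p.getName()).append(' ');
        }
        return sb.toString().trim();
    }

    /**
     * Encrypts with encProvider and decrypts with decProvider; returns true when
     * the plaintext survives the round trip. An incompatibility between the two
     * providers shows up here as an exception or a false result.
     */
    static boolean crossProviderRoundTrip(String encProvider, String decProvider) throws Exception {
        byte[] keyBytes = new byte[16];
        byte[] iv = new byte[16];
        SecureRandom rnd = new SecureRandom();
        rnd.nextBytes(keyBytes);
        rnd.nextBytes(iv);
        SecretKeySpec key = new SecretKeySpec(keyBytes, "AES");
        IvParameterSpec ivSpec = new IvParameterSpec(iv);
        // Constructed sample input; any bytes would do.
        byte[] plaintext = "constructed sample plaintext".getBytes("UTF-8");

        Cipher enc = Cipher.getInstance(TRANSFORMATION, encProvider);
        enc.init(Cipher.ENCRYPT_MODE, key, ivSpec);
        byte[] ciphertext = enc.doFinal(plaintext);

        Cipher dec = Cipher.getInstance(TRANSFORMATION, decProvider);
        dec.init(Cipher.DECRYPT_MODE, key, ivSpec);
        return Arrays.equals(plaintext, dec.doFinal(ciphertext));
    }

    public static void main(String[] args) throws Exception {
        Provider bc = new BouncyCastleProvider();

        // Strategy 1: append BC with addProvider; SunJCE stays ahead of it.
        Security.addProvider(bc);
        System.out.println("addProvider      -> " + providerOrder());
        System.out.println("  default for " + TRANSFORMATION + ": " + resolvedProvider(TRANSFORMATION));
        Security.removeProvider(bc.getName());

        // Strategy 2: insert BC at position 2, as in the report; BC now wins
        // for every transformation it implements.
        Security.insertProviderAt(bc, 2);
        System.out.println("insertProviderAt -> " + providerOrder());
        System.out.println("  default for " + TRANSFORMATION + ": " + resolvedProvider(TRANSFORMATION));

        // Cross-provider round trips in both directions. If either fails, the
        // two providers are not interchangeable for this transformation.
        System.out.println("BC -> SunJCE round trip ok: " + crossProviderRoundTrip("BC", "SunJCE"));
        System.out.println("SunJCE -> BC round trip ok: " + crossProviderRoundTrip("SunJCE", "BC"));
    }
}
```

Pinning the provider name in Cipher.getInstance(transformation, provider) on both the encrypt and the decrypt path, which is what Werner's planned EncryptedKeyProcessor fix restores for the configured provider, removes the dependency on registration order entirely. The round-trip method is cheap enough to keep as a regression check whenever the JDK, the provider list, or the provider position changes.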