Delivered-To: apmail-ws-wss4j-dev-archive@www.apache.org
Mailing-List: contact wss4j-dev-help@ws.apache.org; run by ezmlm
Delivered-To: mailing list wss4j-dev@ws.apache.org
Subject: Re: WSS4J and Kerberos signatures
Date: Wed, 16 Nov 2005 13:09:17 +0100
From: "Dittmann, Werner"
To: "Laurence Brockman" , ,

Laurence, all,

this problem is very strange and pops up only if several conditions are met:

- Java 5 (I'm using 1.5.0_03), running on XP
- using BouncyCastle
- insert the BC provider at position 2 using the following method:
  ...Security.insertProviderAt(new BouncyCastleProvider(), 2)
  Using the method ...Security.addProvider(new BouncyCastleProvider()) the
  problem doesn't show up.

Well, during the last weeks I was modifying the way a JCE provider is
added to WSS4J. During that I overlooked one place to honor the provider
to use (in the decryption process, EncryptedKeyProcessor). This caused
XMLCipher to use "BC" to encrypt and to use another provider that
provides the algorithm; in fact this is also "BC", because it is on
position 2, thus before the SunJCE. If we use "addProvider" BC is
somewhere behind the standard providers.

Therefore, to me it seems it's a problem between the BC JCE provider and
the way the Java 5 Cipher implementation initializes the JCE (in this
case BC) provider. There was no such thing reported on the BC mailing
list; I'll inform them about this behaviour.

Attached a small test program. If somebody uses Java 5 please try to run
the test to get error reports (just remove / modify the package name).

I'll fix the problem in "EncryptedKeyProcessor" to honor the provider
setting - however, the error remains somewhere deep inside the Java 5
security dungeons :-).
Regards,
Werner

> -----Original Message-----
> From: Dittmann, Werner
> Sent: Wednesday, 16 November 2005 08:02
> To: Laurence Brockman; dims@apache.org; wss4j-dev@ws.apache.org
> Subject: Re: WSS4J and Kerberos signatures
>
> Laurence,
>
> I've the same problem here with jdk1.5, running on an
> XP box, no problems with jdk1.4. I'm starting to investigate
> the problem, but it seems to be buried somewhere in
> the crypto code ... I'm not really sure what is wrong.
>
> Regards,
> Werner
>
> > -----Original Message-----
> > From: Laurence Brockman [mailto:laurence.brockman@sjrb.ca]
> > Sent: Tuesday, 15 November 2005 22:18
> > To: dims@apache.org; wss4j-dev@ws.apache.org
> > Subject: RE: WSS4J and Kerberos signatures
> >
> > Ok, I've done all that and it is processing more tests than before;
> > however, it is still failing with the following (again, I am using
> > jdk1.5 and have added the provider to java.security as well as
> > downloading the unlimited strength crypto stuff from Sun).
> >
> > Any ideas would be awesome!
> >
> > org.apache.ws.security.WSSecurityException: Cannot encrypt/decrypt data;
> > nested exception is:
> > org.apache.xml.security.encryption.XMLEncryptionException: pad block corrupted
> > Original Exception was javax.crypto.BadPaddingException: pad block corrupted
> >     at org.apache.ws.security.processor.EncryptedKeyProcessor.decryptDataRef(EncryptedKeyProcessor.java:388)
> >     at org.apache.ws.security.processor.EncryptedKeyProcessor.handleEncryptedKey(EncryptedKeyProcessor.java:313)
> >     at org.apache.ws.security.processor.EncryptedKeyProcessor.handleEncryptedKey(EncryptedKeyProcessor.java:81)
> >     at org.apache.ws.security.processor.EncryptedKeyProcessor.handleToken(EncryptedKeyProcessor.java:75)
> >     at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:252)
> >     at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:179)
> >     at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:132)
> >     at wssec.TestWSSecurity2.verify(TestWSSecurity2.java:234)
> >     at wssec.TestWSSecurity2.testEncryptionDecryptionRSA15(TestWSSecurity2.java:162)
> >     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> >     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
> >     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
> >     at java.lang.reflect.Method.invoke(Method.java:585)
> >     at junit.framework.TestCase.runTest(TestCase.java:154)
> >     at junit.framework.TestCase.runBare(TestCase.java:127)
> >     at junit.framework.TestResult$1.protect(TestResult.java:106)
> >     at junit.framework.TestResult.runProtected(TestResult.java:124)
> >     at junit.framework.TestResult.run(TestResult.java:109)
> >     at junit.framework.TestCase.run(TestCase.java:118)
> >     at junit.framework.TestSuite.runTest(TestSuite.java:208)
> >     at junit.framework.TestSuite.run(TestSuite.java:203)
> >     at junit.framework.TestSuite.runTest(TestSuite.java:208)
> >     at junit.framework.TestSuite.run(TestSuite.java:203)
> >     at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:478)
> >     at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.run(RemoteTestRunner.java:344)
> >     at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.main(RemoteTestRunner.java:196)
> > Caused by: org.apache.xml.security.encryption.XMLEncryptionException: pad block corrupted
> > Original Exception was javax.crypto.BadPaddingException: pad block corrupted
> >     at org.apache.xml.security.encryption.XMLCipher.decryptToByteArray(Unknown Source)
> >     at org.apache.xml.security.encryption.XMLCipher.decryptElement(Unknown Source)
> >     at org.apache.xml.security.encryption.XMLCipher.decryptElementContent(Unknown Source)
> >     at org.apache.xml.security.encryption.XMLCipher.doFinal(Unknown Source)
> >     at org.apache.ws.security.processor.EncryptedKeyProcessor.decryptDataRef(EncryptedKeyProcessor.java:386)
> >     ... 25 more
> >
> >
> > -----Original Message-----
> > From: Davanum Srinivas [mailto:davanum@gmail.com]
> > Sent: November 15, 2005 1:47 PM
> > To: Laurence Brockman; wss4j-dev@ws.apache.org
> > Subject: Re: WSS4J and Kerberos signatures
> >
> > http://www.bouncycastle.org/documentation.html
> > http://www.bouncycastle.org/specifications.html#install
> >
> > scroll down a bit on the second link and look for java.security
> >
> > -- dims
> >
> > PS: Please post directly to the list. So that others may answer as well
> > :)
> >
> > On 11/15/05, Laurence Brockman wrote:
> > > Thanks for such a quick reply! I think the problem is that I am using
> > > jdk1.5...
> > > Does the bouncycastle.org site have information about
> > > installing the bouncycastle provider or are there any other
> > > sites I can get documentation about this?
> > >
> > > Thanks again!
> > > Laurence
> > >
> > > -----Original Message-----
> > > From: Davanum Srinivas [mailto:davanum@gmail.com]
> > > Sent: November 15, 2005 1:40 PM
> > > To: Laurence Brockman; wss4j-dev@ws.apache.org
> > > Subject: Re: WSS4J and Kerberos signatures
> > >
> > > All the code needed is in the svn itself. You should not need any
> > > additional jars. Just get the stuff from SVN. Make sure you have the
> > > strong crypto stuff installed in your JDK (check the download site for
> > > the JDK; it is available as a separate download) and then run "ant
> > > test". Are you using JDK1.4? (Better to use that version; there are
> > > additional steps for jdk1.5 - namely installing the bouncycastle
> > > provider.)
> > >
> > > NOTE: don't use the maven build :)
> > >
> > > thanks,
> > > dims
> > >
> > > On 11/15/05, Laurence Brockman wrote:
> > > > Sounds good.
> > > >
> > > > Quick question... I've checked out the latest source from SVN and I'm
> > > > trying to run the Ant JUnit tests and they keep failing. When I run
> > > > the JUnit tests through eclipse directly they are throwing a connection
> > > > denied exception. I have installed Axis 1.2.1 here but I have not
> > > > deployed any test web services so even if I start that up they still
> > > > fail with service not found exceptions. Is there a way to easily
> > > > either test this stuff without deploying the test web services or to
> > > > bypass these tests? I've also installed maven and tried to compile that
> > > > way, but it is failing as well.
> > > >
> > > > I also noticed in the project.xml file that you have excluded the
> > > > wssec/PackageTests.java and the interop/PackageTests.java.
> > > > Is that
> > > > because of the above mentioned errors?
> > > >
> > > > After looking through the source code, I believe what I would want
> > > > to do would be to create Kerberos token processor and action classes
> > > > and add a case into both getAction and getProcessor to point to these
> > > > new classes.
> > > >
> > > > Sorry for the barrage of questions.
> > > >
> > > > Thanks,
> > > > Laurence
> > > >
> > > > -----Original Message-----
> > > > From: Davanum Srinivas [mailto:davanum@gmail.com]
> > > > Sent: November 14, 2005 3:02 PM
> > > > To: Laurence Brockman
> > > > Cc: wss4j-dev@ws.apache.org
> > > > Subject: Re: WSS4J and Kerberos signatures
> > > >
> > > > Please see what is being done for SAML and use that as a template
> > > > for Kerberos.
> > > >
> > > > thanks,
> > > > dims
> > > >
> > > > On 11/14/05, Laurence Brockman wrote:
> > > > > Correct me if I'm wrong here, but this is what I'm thinking:
> > > > >
> > > > > After grabbing the source from SVN and looking at the documentation,
> > > > > I believe the right place for me to start would be to extend the
> > > > > org.apache.ws.axis.security class to handle the Kerberos requirements
> > > > > specified in the OASIS document.
> > > > >
> > > > > Forgive me for so many questions, but I'm new to Axis/WSS4J and I
> > > > > want to make sure that I'm heading down the right path.
> > > > >
> > > > > Specifically, what we are looking to implement is just the
> > > > > authentication portion of Kerberos and not the encryption portion
> > > > > (We want to authenticate incoming SOAP requests against a KDC). Down
> > > > > the road we will likely look at the encryption portion, but that
> > > > > won't likely be for a few months at least.
> > > > >
> > > > > Thanks again!!
> > > > > Laurence
> > > > >
> > > > > -----Original Message-----
> > > > > From: Davanum Srinivas [mailto:davanum@gmail.com]
> > > > > Sent: November 11, 2005 8:18 PM
> > > > > To: Laurence Brockman
> > > > > Cc: wss4j-dev@ws.apache.org
> > > > > Subject: Re: WSS4J and Kerberos signatures
> > > > >
> > > > > Laurence,
> > > > >
> > > > > I believe you start with taking a look at the Kerberos Token Profile
> > > > > at the OASIS WSS TC web site:
> > > > >
> > > > > http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=wss
> > > > >
> > > > > There's lots of refactoring in the latest SVN, which makes it easy
> > > > > to plug in a new token profile. So please get the latest SVN code and
> > > > > start asking more questions :)
> > > > >
> > > > > thanks,
> > > > > dims
> > > > >
> > > > > On 11/10/05, Laurence Brockman wrote:
> > > > > >
> > > > > > Hello,
> > > > > >
> > > > > > Sorry if this is a FAQ but I have been looking for answers to this
> > > > > > high and low and have not seen this on the list.
> > > > > >
> > > > > > We are going to try and use Kerberos to authenticate users on our
> > > > > > SOAP server. What we envision is having the client send down the
> > > > > > SOAP request with a service ticket from a KDC. The server (Axis
> > > > > > using WSS4J on Tomcat) would then authenticate this user against
> > > > > > said KDC. After briefly looking at the documentation within the
> > > > > > WSS4J code I think what we would want to do is extend the
> > > > > > WSDoAllHandler class (From the org.apache.axis.security.handler
> > > > > > package). Is this the right direction to be going in? Has anybody
> > > > > > looked at this? I'm relatively new to Axis/WSS4J and some guidance
> > > > > > would be awesome!
> > > > > >
> > > > > > Thanks,
> > > > > >
> > > > > > Laurence
> > > > > >
> > > > > > Laurence Brockman
> > > > > > Server Specialist, Shaw Operations Centre
> > > > > > Shaw Communications Inc.
> > > > > > Phone : (403) 303-4805
> > > > > > E-mail : laurence.brockman@sjrb.ca
> > > > > >
> > > > > > ACCOUNTABLE  BALANCE  CUSTOMER FOCUSED  INTEGRITY  LOYALTY
> > > > > > POSITIVE, CAN DO ATTITUDE  TEAM PLAYER
> > > > >
> > > > > --
> > > > > Davanum Srinivas : http://wso2.com/blogs/
> > > > >
> > > > > ---------------------------------------------------------------------
> > > > > To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
> > > > > For additional commands, e-mail: wss4j-dev-help@ws.apache.org
> > > >
> > >
> >
>

Attachment: PlainBCTest.java (the base64 attachment, decoded)

package wssec;

import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.spec.IvParameterSpec;

import java.security.Key;

import org.bouncycastle.jce.provider.BouncyCastleProvider;

public class PlainBCTest {

    String plainData = "<ns1:testMethod xmlns:ns1=\"uri:LogTestService2\" xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:xenc=\"http://www.w3.org/2001/04/xmlenc#\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"></ns1:testMethod>";

    Key key;

    KeyGenerator keyGen;

    Cipher encrypt;

    Cipher decrypt;

    public static void main(String[] args) {
        // Failing case from the thread: BC at position 2, i.e. ahead of SunJCE.
        java.security.Security.insertProviderAt(new BouncyCastleProvider(), 2);
        // Working case: BC appended behind the standard providers.
//        java.security.Security.addProvider(new BouncyCastleProvider());

        PlainBCTest bcTest = new PlainBCTest();
        bcTest.performTest();
    }

    void performTest() {
        // No-op when BC was already installed in main(); addProvider returns -1 then.
        java.security.Security.addProvider(new BouncyCastleProvider());

        try {
            // "BC" is the name of the BouncyCastle provider
            keyGen = KeyGenerator.getInstance("DESede", "BC");
            // keyGen.init();

            key = keyGen.generateKey();

            // Encrypt with BC explicitly; let the default provider lookup
            // choose the decrypting implementation, as XMLCipher did.
            encrypt = Cipher.getInstance("DESede/CBC/ISO10126Padding", "BC");
            decrypt = Cipher.getInstance("DESede/CBC/ISO10126Padding");
            System.out.println("Other provider: " + decrypt.getProvider().getName());

            encrypt.init(Cipher.ENCRYPT_MODE, key);
            byte[] encryptedBytes = encrypt.doFinal(plainData.getBytes("UTF-8"));

            // Reuse the IV the encrypting cipher generated.
            IvParameterSpec ivp = new IvParameterSpec(encrypt.getIV());

            decrypt.init(Cipher.DECRYPT_MODE, key, ivp);

            byte[] plainBytes;
            plainBytes = decrypt.doFinal(encryptedBytes, 0,
                    encryptedBytes.length);
            System.out.println("'" + new String(plainBytes, "UTF-8") + "'");
        } catch (Exception e) {
            System.err.println(e);
            System.exit(1);
        }
    }
}

---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org
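The failure Werner describes hinges on which JCE provider the plain `Cipher.getInstance(transformation)` lookup resolves to, which depends only on provider order: `insertProviderAt(bc, 2)` puts BC ahead of SunJCE, `addProvider(bc)` appends it behind. His attached PlainBCTest exercises one pair (encrypt with "BC", decrypt with whatever the default lookup returns). The program below, an added example that is not part of the thread or of WSS4J, generalizes that test: it prints the provider order and the default resolution, then round-trips a DESede/CBC/ISO10126Padding message through every (encrypting provider, decrypting provider) pair that implements the transformation, so a cross-provider "pad block corrupted" is reported as a specific pair rather than surfacing inside XMLCipher. The class name ProviderMatrixCheck is hypothetical, the payload is constructed, and it assumes a BouncyCastle provider jar on the classpath; it cannot say which side of a failing pair is at fault, only that the pair disagrees.

```java
import java.security.GeneralSecurityException;
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

import org.bouncycastle.jce.provider.BouncyCastleProvider;

// Hypothetical class name; added example, not WSS4J code.
public class ProviderMatrixCheck {

    // The transformation WSS4J/XMLCipher use for triple-DES in the thread.
    static final String TRANSFORM = "DESede/CBC/ISO10126Padding";

    // Constructed sample payload (ASCII, so the default charset is irrelevant);
    // its length is not a multiple of 8, so the padding path is exercised.
    static final byte[] SAMPLE = "<ns1:testMethod xmlns:ns1=\"uri:LogTestService2\"/>".getBytes();

    // Installed providers, in lookup order, that implement the transformation.
    static List<Provider> providersFor(String transformation) {
        List<Provider> found = new ArrayList<Provider>();
        for (Provider p : Security.getProviders()) {
            try {
                Cipher.getInstance(transformation, p);   // throws if p lacks alg, mode or padding
                found.add(p);
            } catch (GeneralSecurityException e) {
                // this provider does not offer the transformation; skip it
            }
        }
        return found;
    }

    // Encrypt with encP, decrypt with decP, compare the recovered plaintext.
    // Returns null on success, otherwise the failure text (for example
    // "javax.crypto.BadPaddingException: pad block corrupted"). Ciphertexts are
    // never compared: ISO 10126 padding is randomised, so two correct
    // encryptions of the same input differ.
    static String roundTrip(SecretKey key, Provider encP, Provider decP, byte[] plain) {
        try {
            Cipher enc = Cipher.getInstance(TRANSFORM, encP);
            enc.init(Cipher.ENCRYPT_MODE, key);             // provider generates the IV
            byte[] ct = enc.doFinal(plain);

            Cipher dec = Cipher.getInstance(TRANSFORM, decP);
            dec.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(enc.getIV()));
            byte[] back = dec.doFinal(ct);

            return Arrays.equals(plain, back) ? null : "plaintext mismatch";
        } catch (GeneralSecurityException e) {
            return e.toString();
        }
    }

    public static void main(String[] args) throws Exception {
        // Position for BC: 2 reproduces the reporter's setup (ahead of SunJCE);
        // pass 0 to append it with addProvider(), the case that worked.
        int position = args.length > 0 ? Integer.parseInt(args[0]) : 2;
        Provider bc = new BouncyCastleProvider();
        if (position > 0) {
            Security.insertProviderAt(bc, position);
        } else {
            Security.addProvider(bc);
        }

        Provider[] installed = Security.getProviders();
        for (int i = 0; i < installed.length; i++) {
            System.out.println((i + 1) + ". " + installed[i].getName());
        }
        System.out.println("Cipher.getInstance(\"" + TRANSFORM + "\") without a provider resolves to: "
                + Cipher.getInstance(TRANSFORM).getProvider().getName());

        // Provider-neutral key: raw bytes in a SecretKeySpec, which is also the
        // form WSS4J hands XMLCipher after unwrapping an EncryptedKey.
        byte[] raw = KeyGenerator.getInstance("DESede").generateKey().getEncoded();
        SecretKey key = new SecretKeySpec(raw, "DESede");

        int failures = 0;
        List<Provider> candidates = providersFor(TRANSFORM);
        for (Provider e : candidates) {
            for (Provider d : candidates) {
                String err = roundTrip(key, e, d, SAMPLE);
                System.out.println("encrypt=" + e.getName() + " decrypt=" + d.getName()
                        + " -> " + (err == null ? "OK" : "FAIL: " + err));
                if (err != null) failures++;
            }
        }
        System.exit(failures == 0 ? 0 : 1);
    }
}
```

Compile and run it with the BC jar on the classpath, once as `java ProviderMatrixCheck 2` and once as `java ProviderMatrixCheck 0`; the provider list and the "resolves to" line differ between the two runs, and the matrix shows whether every pair round-trips. The static equivalent of `insertProviderAt` is the `security.provider.N=org.bouncycastle.jce.provider.BouncyCastleProvider` entry in the JRE's java.security file that the BouncyCastle install notes describe; the number N plays the same role as the position argument here.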