Delivered-To: mailing list wss4j-dev@ws.apache.org
Mailing-List: contact wss4j-dev-help@ws.apache.org; run by ezmlm
Date: Wed, 16 Nov 2005 09:15:25 -0700
From: Laurence Brockman
Subject: RE: WSS4J and Kerberos signatures
To: "Dittmann, Werner", dims@apache.org, wss4j-dev@ws.apache.org
Thread-topic: WSS4J and Kerberos signatures
Content-type: text/plain; charset=iso-8859-1
Thanks so much! I am in fact running this (while developing) on an XP box, so your environment seems to match mine. As soon as I started using jdk1.4 everything worked fine. Would you like me to run the test program and send the results to the list? (Seeing how we are running similar environments, I'm not sure what benefit this would have, but I can if you'd like.)

Thanks,
Laurence

-----Original Message-----
From: Dittmann, Werner [mailto:werner.dittmann@siemens.com]
Sent: November 16, 2005 5:09 AM
To: Laurence Brockman; dims@apache.org; wss4j-dev@ws.apache.org
Subject: AW: WSS4J and Kerberos signatures

Laurence, all,

this problem is very strange and pops up only if several conditions are met:

- Java 5 (I'm using 1.5.0_03), running with XP
- using BouncyCastle
- insert the BC provider at position 2 using the following method:
  ...Security.insertProviderAt(new BouncyCastleProvider(), 2)

Using the method ...Security.addProvider(new BouncyCastleProvider()) the problem doesn't show up.

Well, during the last weeks I was modifying the way a JCE provider is added to WSS4J. During that I overlooked one place to honor the provider to use (in the decryption process, EncryptedKeyProcessor). This caused XMLCipher to use "BC" to encrypt and to use another provider that provides the algorithm; in fact this is also "BC", because it is on position 2, thus before the SunJCE. If we use "addProvider" BC is somewhere behind the standard providers.

Therefore, to me it seems it's a problem between the BC JCE provider and the way the Java 5 Cipher implementation initializes the JCE (in this case BC) provider. There was no such thing reported on the BC mailing list; I'll inform them about this behaviour.

Attached is a small test program. If somebody uses Java 5 please try to run the test to get error reports (just remove / modify the package name).
I'll fix the problem in "EncryptedKeyProcessor" to honor the provider setting; however, the error remains somewhere deep inside the Java 5 security dungeons :-).

Regards,
Werner

> -----Original Message-----
> From: Dittmann, Werner
> Sent: Wednesday, 16 November 2005 08:02
> To: Laurence Brockman; dims@apache.org; wss4j-dev@ws.apache.org
> Subject: AW: WSS4J and Kerberos signatures
>
> Laurence,
>
> I've the same problem here with jdk1.5, running on an
> XP box, no problems with jdk1.4. I'm starting to investigate
> the problem, but it seems to be buried somewhere in
> the crypto code ... I'm not really sure what is wrong.
>
> Regards,
> Werner
>
> > -----Original Message-----
> > From: Laurence Brockman [mailto:laurence.brockman@sjrb.ca]
> > Sent: Tuesday, 15 November 2005 22:18
> > To: dims@apache.org; wss4j-dev@ws.apache.org
> > Subject: RE: WSS4J and Kerberos signatures
> >
> > Ok, I've done all that and it is processing more tests than before;
> > however, it is still failing with the following (again, I am using
> > jdk1.5 and have added the provider to java.security as well as
> > downloading the unlimited strength crypto stuff from Sun).
> >
> > Any ideas would be awesome!
> >
> > org.apache.ws.security.WSSecurityException: Cannot encrypt/decrypt data;
> > nested exception is:
> > org.apache.xml.security.encryption.XMLEncryptionException: pad block corrupted
> > Original Exception was javax.crypto.BadPaddingException: pad block corrupted
> >     at org.apache.ws.security.processor.EncryptedKeyProcessor.decryptDataRef(EncryptedKeyProcessor.java:388)
> >     at org.apache.ws.security.processor.EncryptedKeyProcessor.handleEncryptedKey(EncryptedKeyProcessor.java:313)
> >     at org.apache.ws.security.processor.EncryptedKeyProcessor.handleEncryptedKey(EncryptedKeyProcessor.java:81)
> >     at org.apache.ws.security.processor.EncryptedKeyProcessor.handleToken(EncryptedKeyProcessor.java:75)
> >     at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:252)
> >     at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:179)
> >     at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:132)
> >     at wssec.TestWSSecurity2.verify(TestWSSecurity2.java:234)
> >     at wssec.TestWSSecurity2.testEncryptionDecryptionRSA15(TestWSSecurity2.java:162)
> >     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> >     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
> >     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
> >     at java.lang.reflect.Method.invoke(Method.java:585)
> >     at junit.framework.TestCase.runTest(TestCase.java:154)
> >     at junit.framework.TestCase.runBare(TestCase.java:127)
> >     at junit.framework.TestResult$1.protect(TestResult.java:106)
> >     at junit.framework.TestResult.runProtected(TestResult.java:124)
> >     at junit.framework.TestResult.run(TestResult.java:109)
> >     at junit.framework.TestCase.run(TestCase.java:118)
> >     at junit.framework.TestSuite.runTest(TestSuite.java:208)
> >     at junit.framework.TestSuite.run(TestSuite.java:203)
> >     at junit.framework.TestSuite.runTest(TestSuite.java:208)
> >     at junit.framework.TestSuite.run(TestSuite.java:203)
> >     at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:478)
> >     at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.run(RemoteTestRunner.java:344)
> >     at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.main(RemoteTestRunner.java:196)
> > Caused by: org.apache.xml.security.encryption.XMLEncryptionException: pad block corrupted
> > Original Exception was javax.crypto.BadPaddingException: pad block corrupted
> >     at org.apache.xml.security.encryption.XMLCipher.decryptToByteArray(Unknown Source)
> >     at org.apache.xml.security.encryption.XMLCipher.decryptElement(Unknown Source)
> >     at org.apache.xml.security.encryption.XMLCipher.decryptElementContent(Unknown Source)
> >     at org.apache.xml.security.encryption.XMLCipher.doFinal(Unknown Source)
> >     at org.apache.ws.security.processor.EncryptedKeyProcessor.decryptDataRef(EncryptedKeyProcessor.java:386)
> >     ... 25 more
> >
> >
> > -----Original Message-----
> > From: Davanum Srinivas [mailto:davanum@gmail.com]
> > Sent: November 15, 2005 1:47 PM
> > To: Laurence Brockman; wss4j-dev@ws.apache.org
> > Subject: Re: WSS4J and Kerberos signatures
> >
> > http://www.bouncycastle.org/documentation.html
> > http://www.bouncycastle.org/specifications.html#install
> >
> > scroll down a bit on the second link and look for java.security
> >
> > -- dims
> >
> > PS: Please post directly to the list, so that others may answer as well :)
> >
> > On 11/15/05, Laurence Brockman wrote:
> > > Thanks for such a quick reply! I think the problem is that I am using
> > > jdk1.5...
> > > Does the bouncycastle.org site have information about
> > > installing the bouncycastle provider, or are there any other
> > > sites where I can get documentation about this?
> > >
> > > Thanks again!
> > > Laurence
> > >
> > > -----Original Message-----
> > > From: Davanum Srinivas [mailto:davanum@gmail.com]
> > > Sent: November 15, 2005 1:40 PM
> > > To: Laurence Brockman; wss4j-dev@ws.apache.org
> > > Subject: Re: WSS4J and Kerberos signatures
> > >
> > > All the code needed is in the SVN itself. You should not need any
> > > additional jars. Just get the stuff from SVN. Make sure you have the
> > > strong crypto stuff installed in your JDK (check the download site for
> > > the JDK; it is available as a separate download) and then run "ant
> > > test". Are you using JDK1.4? (Better to use that version; there are
> > > additional steps for jdk1.5, namely installing the bouncycastle
> > > provider.)
> > >
> > > NOTE: don't use the maven build :)
> > >
> > > thanks,
> > > dims
> > >
> > > On 11/15/05, Laurence Brockman wrote:
> > > > Sounds good.
> > > >
> > > > Quick question... I've checked out the latest source from SVN and I'm
> > > > trying to run the Ant JUnit tests and they keep failing. When I run the
> > > > JUnit tests through Eclipse directly they are throwing a connection
> > > > denied exception. I have installed Axis 1.2.1 here but I have not
> > > > deployed any test web services, so even if I start that up they still
> > > > fail with service not found exceptions. Is there a way to easily either
> > > > test this stuff without deploying the test web services or to bypass
> > > > these tests? I've also installed maven and tried to compile that way,
> > > > but it is failing as well.
> > > >
> > > > I also noticed in the project.xml file that you have excluded the
> > > > wssec/PackageTests.java and the interop/PackageTests.java.
> > > > Is that because of the above mentioned errors?
> > > >
> > > > After looking through the source code, I believe what I would want to
> > > > do would be to create Kerberos token processor and action classes and
> > > > add a case into both getAction and getProcessor to point to these new
> > > > classes.
> > > >
> > > > Sorry for the barrage of questions.
> > > >
> > > > Thanks,
> > > > Laurence
> > > >
> > > > -----Original Message-----
> > > > From: Davanum Srinivas [mailto:davanum@gmail.com]
> > > > Sent: November 14, 2005 3:02 PM
> > > > To: Laurence Brockman
> > > > Cc: wss4j-dev@ws.apache.org
> > > > Subject: Re: WSS4J and Kerberos signatures
> > > >
> > > > Please see what is being done for SAML and use that as a template for
> > > > Kerberos.
> > > >
> > > > thanks,
> > > > dims
> > > >
> > > > On 11/14/05, Laurence Brockman wrote:
> > > > > Correct me if I'm wrong here, but this is what I'm thinking:
> > > > >
> > > > > After grabbing the source from SVN and looking at the documentation, I
> > > > > believe the right place for me to start would be to extend the
> > > > > org.apache.ws.axis.security class to handle the Kerberos requirements
> > > > > specified in the OASIS document.
> > > > >
> > > > > Forgive me for so many questions, but I'm new to Axis/WSS4J and I want
> > > > > to make sure that I'm heading down the right path.
> > > > >
> > > > > Specifically, what we are looking to implement is just the
> > > > > authentication portion of Kerberos and not the encryption portion (we
> > > > > want to authenticate incoming SOAP requests against a KDC). Down the
> > > > > road we will likely look at the encryption portion, but that won't
> > > > > likely be for a few months at least.
> > > > >
> > > > > Thanks again!!
> > > > > Laurence
> > > > >
> > > > > -----Original Message-----
> > > > > From: Davanum Srinivas [mailto:davanum@gmail.com]
> > > > > Sent: November 11, 2005 8:18 PM
> > > > > To: Laurence Brockman
> > > > > Cc: wss4j-dev@ws.apache.org
> > > > > Subject: Re: WSS4J and Kerberos signatures
> > > > >
> > > > > Laurence,
> > > > >
> > > > > I believe you start with taking a look at the Kerberos Token Profile
> > > > > at the OASIS WSS TC web site:
> > > > >
> > > > > http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=wss
> > > > >
> > > > > There's lots of refactoring in the latest SVN, which makes it easy to
> > > > > plug in a new token profile. So please get the latest SVN code and
> > > > > start asking more questions :)
> > > > >
> > > > > thanks,
> > > > > dims
> > > > >
> > > > > On 11/10/05, Laurence Brockman wrote:
> > > > > > Hello,
> > > > > >
> > > > > > Sorry if this is a FAQ but I have been looking for answers to this
> > > > > > high and low and have not seen this on the list.
> > > > > >
> > > > > > We are going to try and use Kerberos to authenticate users on our
> > > > > > SOAP server. What we envision is having the client send down the SOAP
> > > > > > request with a service ticket from a KDC. The server (Axis using WSS4J
> > > > > > on Tomcat) would then authenticate this user against said KDC. After
> > > > > > briefly looking at the documentation within the WSS4J code I think
> > > > > > what we would want to do is extend the WSDoAllHandler class (from the
> > > > > > org.apache.axis.security.handler package). Is this the right
> > > > > > direction to be going in? Has anybody looked at this? I'm relatively
> > > > > > new to Axis/WSS4J and some guidance would be awesome!
> > > > > >
> > > > > > Thanks,
> > > > > >
> > > > > > Laurence
> > > > > >
> > > > > > Laurence Brockman
> > > > > > Server Specialist, Shaw Operations Centre
> > > > > > Shaw Communications Inc.
> > > > > > Phone : (403) 303-4805
> > > > > > E-mail : laurence.brockman@sjrb.ca
> > > > >
> > > > > --
> > > > > Davanum Srinivas : http://wso2.com/blogs/
> > > > >
> > > > > ---------------------------------------------------------------------
> > > > > To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
> > > > > For additional commands, e-mail: wss4j-dev-help@ws.apache.org
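As an added illustration of the provider-consistency point Werner makes above (added here; it is not WSS4J code and not his attached test program), the following Java program pins one JCE provider on the encrypt side and either pins or leaves unpinned the decrypt side, then reports which provider the JCE actually selected for each. It does not claim to reproduce the Java 5 / BC failure; the provider names, the AES/CBC transformation, the fixed IV and the sample plaintext are all assumptions.

```java
import java.security.Provider;
import java.security.Security;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;

public class ProviderRoundTrip {
    // Print each installed JCE provider with its 1-based position (BC at 2 is the thread's condition).
    static void listProviders() {
        Provider[] ps = Security.getProviders();
        for (int i = 0; i < ps.length; i++) {
            System.out.println((i + 1) + ": " + ps[i].getName() + " " + ps[i].getVersion());
        }
    }
    // null = let the JCE walk the provider list in order (what the overlooked decrypt path fell back to).
    static Cipher cipherFor(String transform, String providerName) throws Exception {
        return providerName == null ? Cipher.getInstance(transform)
                                    : Cipher.getInstance(transform, providerName);
    }
    // Encrypt under one provider choice, decrypt under another, and report which provider served
    // each side; a BadPaddingException ("pad block corrupted") from doFinal is the thread's symptom.
    static byte[] roundTrip(String encProvider, String decProvider, SecretKey key,
                            byte[] iv, byte[] plaintext) throws Exception {
        String transform = "AES/CBC/PKCS5Padding"; // assumed transformation
        Cipher enc = cipherFor(transform, encProvider);
        enc.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        byte[] ciphertext = enc.doFinal(plaintext);
        Cipher dec = cipherFor(transform, decProvider);
        dec.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(iv));
        System.out.println("encrypted by " + enc.getProvider().getName()
                + ", decrypted by " + dec.getProvider().getName());
        return dec.doFinal(ciphertext);
    }
    public static void main(String[] args) throws Exception {
        // Assumption: args[0] names the provider to pin ("BC" once BouncyCastle is in java.security);
        // the default is SunJCE, which every JDK ships.
        String pinned = args.length > 0 ? args[0] : "SunJCE";
        listProviders();
        KeyGenerator kg = KeyGenerator.getInstance("AES", pinned);
        kg.init(128);
        SecretKey key = kg.generateKey();
        byte[] iv = new byte[16]; // constructed fixed IV for the demo only; use a random IV in real code
        byte[] msg = "constructed sample plaintext".getBytes("UTF-8");
        byte[] both = roundTrip(pinned, pinned, key, iv, msg); // the fix: same provider on both sides
        byte[] once = roundTrip(pinned, null, key, iv, msg);   // the bug: decrypt side left unpinned
        System.out.println("pinned both sides ok: " + Arrays.equals(msg, both)
                + ", decrypt unpinned ok: " + Arrays.equals(msg, once));
    }
}
```

Run it once with no argument and once with `BC` after registering BouncyCastle at position 2 in java.security; the two "encrypted by / decrypted by" lines make the provider each side resolved to visible without stepping through XMLCipher.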