Wanner Philippe, Bedag wrote:

Hi Philippe,
Hi Mayank,

Thank you for your answer.

I'm surprised as CXF is using WSS4J I thought that what is explained here

http://wiki.apache.org/ws/FrontPage/WsFx/wss4jFAQ#many
You are using CXF or Axis as SOAP engine? I guess the link is for the Axis SOAP engine and Axis Handlers. Please verify, AFAIK, these handlers are used in Axis only.
would also work with CXF.
Is it just that this functionality is not yet implemented in CXF or is it 
something that I don't understand?
AFAIK, this functionality is not yet implemented in CXF, but it's not a big change you require: 1. pass the verify trust successfully (where it checks in the server's truststore for the alias of the certificate), and 2. keep the request certificate in message context so that you can use it in response operations.

IMO, ideally public keys (or call them certificates) are supposed to be exchanged before secure communication starts. Apache has a project named "Apache Rahas" for their WS-Trust implementation.

With Regards,
Mayank



I'll probably not modify the CXF code to do that myself as I definitely don't 
know how to do that ;-)

Best regards
Philippe



Wanner Philippe, Bedag wrote:
Hi everybody,

I'm trying to encrypt the webservice call response using the client 
BinarySecurityToken embedded in the request soap header.

To do that,
1) I changed the "signatureKeyIdentifier" property to "DirectReference" in 
the client.xml WSS4JOutInterceptor definition

2) I changed the "encryptionUser" property to "useReqSigCert" in the 
service.xml WSS4JOutInterceptor definition

The BinarySecurityToken is embedded in the request soap header (see below) but 
when the service creates the response, and tries to encrypt the generated 
symmetric key used to encrypt the message it seems that it can't find the 
certificate that contains the client public key.

In the org.apache.ws.security.message.WSSecEncrypt class, prepare(Document doc, Crypto 
crypto) method (see below), the line that gets the certificate with the user 
"useReqSigCert" returns null.

Hi Philippe,

IMO in CXF, the certificate being sent from the client as BinarySecurityToken in the incoming request is not used for the return encryption operation. Currently, the code written takes the required certificate from the "Server-TrustStore". For your purpose, you can modify the code so that the certificate can be retained for the whole request and response cycle.

With Regards,
Mayank

/*
 * Get the certificate that contains the public key for the public key
 * algorithm that will encrypt the generated symmetric (session) key.
 */
if (this.encryptSymmKey) {
    X509Certificate remoteCert = null;
    if (useThisCert != null) {
        remoteCert = useThisCert;
    } else {
        X509Certificate[] certs = crypto.getCertificates(user);
        if (certs == null || certs.length <= 0) {
            throw new WSSecurityException(WSSecurityException.FAILURE,
                    "invalidX509Data", new Object[] { "for Encryption" });
        }
        remoteCert = certs[0];
    }
    prepareInternal(this.ephemeralKey, remoteCert, crypto);
}

Request SOAP Header BST

<wsse:BinarySecurityToken
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
    ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
    wsu:Id="CertId-7518237"
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
    <!-- base64-encoded X.509 certificate omitted -->
</wsse:BinarySecurityToken>

For the test I'm using the CXF Greeter unit test 
(org.apache.cxf.systest.ws.security).

I'm using the latest cxf 2.1-snapshot version.

I really need this feature as it's nearly impossible to manage to add every 
client's certificate to the server keystore.

Is it a bug in the cxf implementation or is it me doing something wrong?

Any idea would be welcome.

Thank you.

client.xml config

<jaxws:client name="{http://apache.org/hello_world_soap_http}TimestampSignEncrypt"
    createdFromAPI="true">
    <jaxws:features>
        <bean class="org.apache.cxf.feature.LoggingFeature"/>
    </jaxws:features>
    <jaxws:outInterceptors>
        <bean class="org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor"/>
        <ref bean="TimestampSignEncrypt_Request"/>
    </jaxws:outInterceptors>
    <jaxws:inInterceptors>
        <ref bean="TimestampSignEncrypt_Response"/>
        <bean class="org.apache.cxf.binding.soap.saaj.SAAJInInterceptor"/>
    </jaxws:inInterceptors>
</jaxws:client>

<bean class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor"
    id="TimestampSignEncrypt_Request">
    <constructor-arg>
        <map>
            <entry key="action" value="Timestamp Signature Encrypt"/>
            <entry key="user" value="client"/>
            <entry key="encryptionUser" value="service"/>
            <entry key="signatureKeyIdentifier" value="DirectReference"/>
            <entry key="signaturePropFile"
                value="org/apache/cxf/systest/ws/security/client_security.properties"/>
            <entry key="encryptionPropFile"
                value="org/apache/cxf/systest/ws/security/client_security.properties"/>
            <entry key="encryptionKeyIdentifier" value="SKIKeyIdentifier"/>
            <entry key="passwordCallbackClass"
                value="org.apache.cxf.systest.ws.security.KeystorePasswordCallback"/>
            <entry key="signatureParts"
                value="{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body"/>
            <entry key="encryptionParts"
                value="{Element}{http://www.w3.org/2000/09/xmldsig#}Signature;{Content}{http://schemas.xmlsoap.org/soap/envelope/}Body"/>
            <entry key="encryptionKeyTransportAlgorithm"
                value="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
            <entry key="encryptionSymAlgorithm"
                value="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
        </map>
    </constructor-arg>
</bean>

<bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor"
    id="TimestampSignEncrypt_Response">
    <constructor-arg>
        <map>
            <entry key="action" value="Timestamp Signature Encrypt"/>
            <entry key="signaturePropFile"
                value="org/apache/cxf/systest/ws/security/client_security.properties"/>
            <entry key="encryptionPropFile"
                value="org/apache/cxf/systest/ws/security/client_security.properties"/>
            <entry key="passwordCallbackClass"
                value="org.apache.cxf.systest.ws.security.KeystorePasswordCallback"/>
        </map>
    </constructor-arg>
</bean>

server.xml config

<jaxws:endpoint name="{http://apache.org/hello_world_soap_http}TimestampSignEncrypt"
    createdFromAPI="true">
    <jaxws:features>
        <bean class="org.apache.cxf.feature.LoggingFeature"/>
    </jaxws:features>
    <jaxws:outInterceptors>
        <bean class="org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor"/>
        <ref bean="TimestampSignEncrypt_Response"/>
    </jaxws:outInterceptors>
    <jaxws:inInterceptors>
        <ref bean="TimestampSignEncrypt_Request"/>
        <bean class="org.apache.cxf.binding.soap.saaj.SAAJInInterceptor"/>
    </jaxws:inInterceptors>
</jaxws:endpoint>

<bean class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor"
    id="TimestampSignEncrypt_Response">
    <constructor-arg>
        <map>
            <entry key="action" value="Timestamp Signature Encrypt"/>
            <entry key="user" value="service"/>
            <entry key="encryptionUser" value="useReqSigCert"/>
            <entry key="signaturePropFile"
                value="org/apache/cxf/systest/ws/security/server_security.properties"/>
            <entry key="encryptionPropFile"
                value="org/apache/cxf/systest/ws/security/server_security.properties"/>
            <entry key="signatureKeyIdentifier" value="SKIKeyIdentifier"/>
            <entry key="encryptionKeyIdentifier" value="SKIKeyIdentifier"/>
            <entry key="passwordCallbackClass"
                value="org.apache.cxf.systest.ws.security.KeystorePasswordCallback"/>
            <entry key="signatureParts"
                value="{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body"/>
            <entry key="encryptionParts"
                value="{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;{Element}{http://www.w3.org/2000/09/xmldsig#}Signature;{Content}{http://schemas.xmlsoap.org/soap/envelope/}Body"/>
            <entry key="encryptionKeyTransportAlgorithm"
                value="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
            <entry key="encryptionSymAlgorithm"
                value="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
        </map>
    </constructor-arg>
</bean>

<bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor"
    id="TimestampSignEncrypt_Request">
    <constructor-arg>
        <map>
            <entry key="action" value="Timestamp Signature Encrypt"/>
            <entry key="signaturePropFile"
                value="org/apache/cxf/systest/ws/security/server_security.properties"/>
            <entry key="encryptionPropFile"
                value="org/apache/cxf/systest/ws/security/server_security.properties"/>
            <entry key="passwordCallbackClass"
                value="org.apache.cxf.systest.ws.security.KeystorePasswordCallback"/>
        </map>
    </constructor-arg>
</bean>

Philippe Wanner
Software Architect

Bedag Informatique SA
Avenue de Sévelin 46
CH-1004 Lausanne

+41 21 313 20 48
+41 79 375 81 54
[EMAIL PROTECTED]
www.bedag.ch
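An added example (not code from this thread, CXF or WSS4J) of the change Mayank describes, in Java: a pair of CXF interceptors that keep the verified inbound WSS4J results, and with them the request signer's certificate from the BinarySecurityToken, available to the response so that encryptionUser=useReqSigCert is resolved through the useThisCert branch of WSSecEncrypt.prepare() quoted above instead of falling through to crypto.getCertificates("useReqSigCert"). It assumes the CXF 2.x interceptor API (AbstractSoapInterceptor, Phase.PRE_PROTOCOL) and that WSS4JInInterceptor stores its results under WSHandlerConstants.RECV_RESULTS, the property WSS4J's handler reads for useReqSigCert; the class names and the exchange key are hypothetical.

```java
import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.binding.soap.interceptor.AbstractSoapInterceptor;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
import org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor;
import org.apache.ws.security.handler.WSHandlerConstants;

/**
 * Hypothetical helper: carries WSS4J's verified request results (which hold the
 * signer's X.509 certificate from the request BST) over to the response message
 * so that encryptionUser=useReqSigCert can find it there.
 */
public final class ReqSigCertCarryOver {

    /** Hypothetical exchange key; any string unique to this helper would do. */
    static final String RESULTS_KEY = ReqSigCertCarryOver.class.getName() + ".recvResults";

    /** Inbound: runs after WSS4JInInterceptor has verified signature and trust. */
    public static class Capture extends AbstractSoapInterceptor {
        public Capture() {
            super(Phase.PRE_PROTOCOL);
            addAfter(WSS4JInInterceptor.class.getName());
        }
        public void handleMessage(SoapMessage msg) throws Fault {
            // RECV_RESULTS is only present when WSS4JInInterceptor completed without
            // a Fault, i.e. the BST certificate validated against the truststore.
            Object results = msg.get(WSHandlerConstants.RECV_RESULTS);
            if (results != null) {
                msg.getExchange().put(RESULTS_KEY, results);
            }
        }
    }

    /** Outbound: runs before WSS4JOutInterceptor builds the response header. */
    public static class Restore extends AbstractSoapInterceptor {
        public Restore() {
            super(Phase.PRE_PROTOCOL);
            addBefore(WSS4JOutInterceptor.class.getName());
        }
        public void handleMessage(SoapMessage msg) throws Fault {
            Object results = msg.getExchange().get(RESULTS_KEY);
            // The WSS4J handler looks RECV_RESULTS up in the message context it is
            // handed, which here is the response message, so expose it there.
            if (results != null && msg.get(WSHandlerConstants.RECV_RESULTS) == null) {
                msg.put(WSHandlerConstants.RECV_RESULTS, results);
            }
        }
    }
}
```

Wire Capture into the endpoint's jaxws:inInterceptors and Restore into its jaxws:outInterceptors in server.xml (Spring refers to the nested classes as ReqSigCertCarryOver$Capture and ReqSigCertCarryOver$Restore). The trust decision stays in the inbound step: WSS4JInInterceptor rejects a signature whose certificate does not validate against the server truststore, so holding the clients' issuing CA there, rather than every client certificate, is what makes encrypting the response to the request signer's certificate sound.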