Asymmetric Encryption - alias is null during decryption using private key
-------------------------------------------------------------------------
Key: CXF-3865
URL: https://issues.apache.org/jira/browse/CXF-3865
Project: CXF
Issue Type: Bug
Components: WS-* Components
Affects Versions: 2.2.10
Environment: actually 2.2.3 is the version
running on mac osx lion and windows xp; java 1.6
Reporter: aman kohli
Attachments: cxf-wss4j-asym-crypto-soap.tgz
as raised on mailing list, Colm suggested I upload the test case here. This is
the description from the mailing list
http://mail-archives.apache.org/mod_mbox/ws-users/201110.mbox/%[email protected]%3E
Running into a problem on the server implementation (a cxf soap server) of
asymmetric encryption.
The intention is the soap body is to be encrypted with the server's public
key. The client
(also using cxf) seems to be encrypting the message body ok.
On receipt of the message, the server implementation raises an exception, with
the reason
the alias is null. Here's the stack:
org.apache.ws.security.WSSecurityException: The signature or decryption was
invalid; nested
exception is:
java.lang.Exception: alias is null
at
org.apache.ws.security.processor.EncryptedKeyProcessor.handleEncryptedKey(EncryptedKeyProcessor.java:330)
at
org.apache.ws.security.processor.EncryptedKeyProcessor.handleEncryptedKey(EncryptedKeyProcessor.java:104)
at
org.apache.ws.security.processor.EncryptedKeyProcessor.handleToken(EncryptedKeyProcessor.java:84)
at
org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:326)
at
org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:243)
at
org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:198)
at
org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:77)
at
org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:236)
at
org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:104)
at
org.apache.cxf.transport.http_jetty.JettyHTTPDestination.serviceRequest(JettyHTTPDestination.java:302)
�
Caused by: java.lang.Exception: alias is null
at
org.apache.ws.security.components.crypto.CryptoBase.getPrivateKey(CryptoBase.java:207)
at
org.apache.ws.security.processor.EncryptedKeyProcessor.handleEncryptedKey(EncryptedKeyProcessor.java:328)
... 22 more
I added some println statements to the password callback on the server side to
print out the
type and id:
*** password callback type 1 class
org.apache.ws.security.WSPasswordCallback
*** password callback id null
The API is used to configure CXF and WSS4j and not the xml configuration. The
messages are
not being signed, nor are timestamps being used, just encryption/decryption, ep
is the endpointimpl
:
Map<String,Object> inProps1 = new HashMap<String,Object>();
inProps1.put(WSHandlerConstants.ACTION, WSHandlerConstants.ENCRYPT);
inProps1.put(WSHandlerConstants.PW_CALLBACK_CLASS,
PasswordCallbackHandler.class.getName());
inProps1.put(WSHandlerConstants.DEC_PROP_FILE,
"server-security.properties");
inProps1.put(WSHandlerConstants.USER, "clientkey");
ep.getServer().getEndpoint().getInInterceptors().add(new
WSS4JInInterceptor(inProps1));
And the properties file is:
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.keystore.password=storepass
org.apache.ws.security.crypto.merlin.keystore.alias=clientkey
org.apache.ws.security.crypto.merlin.keystore.file=src/main/keystores/server-encypt.jks
The server cert is self signed:
$ keytool -genkey -alias umpservice -keyalg RSA -sigalg SHA1withRSA
-keypass ump-pass -storepass
dummy-service -keystore server-encypt.jks -dname cn=localhost
$ keytool -genkey -alias clientkey -keyalg RSA -sigalg SHA1withRSA
-keypass client-pass -storepass
dummy-service -keystore ump-stub-keystore.jks -dname cn=umpd
and the certificate was exported using the following:
$ keytool -export -rfc -keystore ump-stub-keystore.jks -storepass
dummy-service -keypass
client-pass -alias clientkey -file client-cert.cer
This is the WSDL extract:
<wsp:Policy wsu:Id="AsymEncryption"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy";>
<wsp:ExactlyOne>
<wsp:All>
<sp:AsymmetricBinding
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702";>
<wsp:Policy>
<sp:InitiatorToken>
<wsp:Policy>
<sp:X509Token
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient";>
<wsp:Policy>
<!-- <sp:RequireThumbprintReference/> -->
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:InitiatorToken>
<sp:RecipientToken>
<wsp:Policy>
<sp:X509Token
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never";>
<wsp:Policy>
<!-- <sp:RequireThumbprintReference/> -->
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:RecipientToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:TripleDesRsa15/>
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
<wsp:Policy>
<sp:Strict/>
</wsp:Policy>
</sp:Layout>
<!-- <sp:IncludeTimestamp/>
<sp:OnlySignEntireHeadersAndBody/>
-->
</wsp:Policy>
</sp:AsymmetricBinding>
<sp:EncryptedParts
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702";>
<sp:Body/>
</sp:EncryptedParts>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
�
<wsdl:binding name="CollectionImplServiceSoapBinding"
type="tns:CollectionService">
<wsp:PolicyReference
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy";
URI="#AsymEncryption"/>
And this is the incoming message:
<output>
INFO: Inbound Message
----------------------------
ID: 1
Address: /FooWS/services/Collection/
Encoding: UTF-8
Content-Type: text/xml; charset=UTF-8
Headers: {content-type=[text/xml; charset=UTF-8],
connection=[keep-alive], Host=[localhost:9198],
Content-Length=[2549], SOAPAction=[""], User-Agent=[Apache CXF 2.2.3],
Content-Type=[text/xml;
charset=U
TF-8], Accept=[*/*], Pragma=[no-cache], Cache-Control=[no-cache]}
Payload: <soap:Envelope
xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/";
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#";><soap:Header><wsse:Security
xmlns:wsse="http://docs.oasis-open.org/wss/2004/
01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
soap:mustUnderstand="1"><xenc:EncryptedKey
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#";
Id="EncKeyId-A77755F726FB2C832813189733820252"><xenc:EncryptionMe
thod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"; /><ds:KeyInfo
xmlns:ds="http://www.w3.org/2000/09/xmldsig#";>
<wsse:SecurityTokenReference
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";><ds:X509Data>
<ds:X509IssuerSerial>
<ds:X509IssuerName>CN=umpd</ds:X509IssuerName>
<ds:X509SerialNumber>1316785867</ds:X509SerialNumber>
</ds:X509IssuerSerial>
</ds:X509Data></wsse:SecurityTokenReference>
</ds:KeyInfo><xenc:CipherData><xenc:CipherValue>FlnDsQHOdVw0AOZualC9D6HvNIl7Hr2zXqf6YTZV5c28QzhwsJnZHLrL49dVPeq0TGT5QeRylc5lSfkUnWqwLoRs/N7yspkktxshhz7CTu3zzqbo3f82nSAr6d7nLXaI+dsIlDAkmngV/4uOJk1TqavjZl
+7XW5XtxGHihzs5Zw=</xenc:CipherValue></xenc:CipherData><xenc:ReferenceList><xenc:DataReference
URI="#EncDataId-1"
/></xenc:ReferenceList></xenc:EncryptedKey></wsse:Security></soap:Header><soap:Body><xen
c:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"; Id="EncDataId-1"
Type="http://www.w3.org/2001/04/xmlenc#Content";><xenc:EncryptionMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-
cbc" /><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#";>
<wsse:SecurityTokenReference
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";><wsse:Reference
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-20040
1-wss-wssecurity-secext-1.0.xsd"
URI="#EncKeyId-A77755F726FB2C832813189733820252"
/></wsse:SecurityTokenReference>
</ds:KeyInfo><xenc:CipherData><xenc:CipherValue>Gbc/CYA8k1XJhCRYO8lA7rdxoUB6X4n7ZxfFSpxg437HUUjlaIImZ9vbX+UxxOuDKgEyN8TayBQR
WIl+7npAm1BkzB88XJLf3EoVQI3eJhctspIuUgj/VIoHh090fCdw3bZGPSikqXlNPzPn5BsJKa/F
7Q4MIXjgS7G7L4tBesgsNJEcBx7ftp6Slxw+iTSvudYcMQ5ZcQcl0a4o2NbohFUIc1HJhg4daq0c
LwvKit9owEQyMNkVXJV/vj6swU+gx9ltbFJJ4uqnx5zCA2obxOZzk61v+VX9ctotdP3/xLr/WHtz
dRPsTsM34zguG6vwRq+f1czBKtlkbaN4CxTZDvPkLgFSXX286ki452UWBIzqxaynCAL6tY1qgMYi
tDbQveW+suDbu4cwN4WtUUJdWmqGAOJOeXTXsmCqEcipN/eqod75QVbqzBrTBjpywNdhdxE2aBU/
wfXa1HMwhoKw9+Ul3st6I1tpuVbi+wK7amqGIwCo8URtdJEBzbu90g1uWfSgb/iIlrIyCk6vSIlB
XbLD3VZCx0nlqfaG5GZOaqz1mAxCAfnrYg5y9eGkxIMk</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData></soap:Body></soap:Envelope>
</output>
On the client side, the WSS4j is setup as:
Map<String,Object> outProps1 = new HashMap<String,Object>();
outProps1.put(WSHandlerConstants.ACTION, WSHandlerConstants.ENCRYPT);
outProps1.put(WSHandlerConstants.PW_CALLBACK_CLASS,
ClientCallbackHandler.class.getName());
outProps1.put(WSHandlerConstants.ENC_PROP_FILE,
"client-crypto.properties");
outProps1.put(WSHandlerConstants.ENCRYPTION_USER, "servicekey");
cxfEndpoint.getOutInterceptors().add(new
WSS4JOutInterceptor(outProps1));
and the properties file is:
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.keystore.alias=servicekey
org.apache.ws.security.crypto.merlin.keystore.password=clientpass
org.apache.ws.security.crypto.merlin.file=src/main/keystores/client-store.jks
and the cert was imported using the command:
$ keytool -import -trustcacerts -keystore client-store.jks -storepass
clientpass -alias servicekey
-file client-cert.cer
Not sure what is going wrong, but there are a lot of steps, so maybe this is a
simple error
on my part.
The CXF version is 2.2.3, If I need to redirect this to the cxf-users list,
please let me
know.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
