Hello,
I use the policy attached to this mail for my service. The request (also 
attached) is signed and encrypted and contains a SAML 1.1 token as a supporting 
token. The service always throws an illegal argument exception: 
null alias passed to getCertificateChain.
at 
org.bouncycastle.jce.provider.JDKPKCS12KeyStore.engineGetCertificateChain(Unknown
 Source)
at java.security.KeyStore.getCertificateChain(KeyStore.java:788)
Decrypting seems to work, but encrypting the response does not. I use "useReqSigCert" 
as the encryption user, as you can see in the policy. If I configure a specific user such as 
"peter" as the encryption user, it works. Why can't I use "useReqSigCert" in 
combination with this request?
Greetings
Christian
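<wsp:Policy wsu:Id="TOKEN_ENCRYPTED"
            xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
            xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <!--
        Rampart (Axis2) WS-SecurityPolicy for the HelloWorld service.
        Asymmetric binding: the client signs with its own X.509 token, which it
        sends in the message, and encrypts to the service's X.509 token, which
        is only referenced; the service answers the other way round.
        The '";' that the mail archive appended to every URL-valued attribute
        made the pasted policy ill-formed; it is removed here, and a duplicated
        SignedParts entry for the Action header is dropped.

        NOTE(review): this policy has no supporting-token assertion
        (sp:SupportingTokens / sp:SignedSupportingTokens), yet the attached
        request carries a SAML 1.1 holder-of-key assertion and a second,
        derived-key HMAC signature. Rampart resolves encryptionUser
        "useReqSigCert" from the request's signature result; of the two request
        signatures only the rsa-sha1 one backed by the BinarySecurityToken has a
        certificate, the hmac-sha1 one has none. If the HMAC result is the one
        picked up, the alias handed to getCertificateChain is null, which matches
        the reported stack trace. Confirm against the Rampart version in use.
    -->
    <wsp:ExactlyOne>
        <wsp:All>
            <sp:AsymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                <wsp:Policy>
                    <!-- Client signing token: the certificate is always sent to the service. -->
                    <sp:InitiatorToken>
                        <wsp:Policy>
                            <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
                                <wsp:Policy>
                                    <sp:WssX509V3Token10/>
                                </wsp:Policy>
                            </sp:X509Token>
                        </wsp:Policy>
                    </sp:InitiatorToken>
                    <!-- Service token: never included; referenced by key identifier or issuer/serial (see sp:Wss10 below). -->
                    <sp:RecipientToken>
                        <wsp:Policy>
                            <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
                                <wsp:Policy>
                                    <sp:WssX509V3Token10/>
                                </wsp:Policy>
                            </sp:X509Token>
                        </wsp:Policy>
                    </sp:RecipientToken>
                    <!--
                        TripleDesRsa15 = 3DES-CBC content encryption, RSA PKCS#1 v1.5 key
                        transport, SHA-1 digests. A legacy suite, kept for compatibility with
                        the client that produced the attached request; RSA v1.5 key transport
                        is padding-oracle prone and SHA-1 is deprecated for signatures. A
                        newer suite such as sp:Basic256 uses AES and RSA-OAEP instead.
                    -->
                    <sp:AlgorithmSuite>
                        <wsp:Policy>
                            <sp:TripleDesRsa15/>
                        </wsp:Policy>
                    </sp:AlgorithmSuite>
                    <!-- Strict layout: security header elements appear in the order the receiver must process them (decrypt, then verify). -->
                    <sp:Layout>
                        <wsp:Policy>
                            <sp:Strict/>
                        </wsp:Policy>
                    </sp:Layout>
                    <sp:OnlySignEntireHeadersAndBody/>
                    <!-- NOTE(review): no sp:IncludeTimestamp, so no wsu:Timestamp is required or signed; replay detection must come from elsewhere (e.g. the SAML Conditions window, MessageID tracking). -->
                </wsp:Policy>
            </sp:AsymmetricBinding>
            <sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                <wsp:Policy>
                    <sp:MustSupportRefKeyIdentifier/>
                    <sp:MustSupportRefIssuerSerial/>
                </wsp:Policy>
            </sp:Wss10>
            <!-- Signed parts: the body plus the WS-Addressing headers (each only if present). The original listed Action twice; once is enough. -->
            <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                <sp:Body/>
                <sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing"/>
                <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing"/>
                <sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing"/>
                <sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing"/>
                <sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing"/>
                <sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing"/>
                <sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing"/>
            </sp:SignedParts>
            <!-- Only the body is encrypted; the security header itself (including the SAML assertion) is sent in the clear. -->
            <sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                <sp:Body/>
            </sp:EncryptedParts>
            <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
                <!-- Alias of the service's own key in the keystore below (signs the response; presumably also decrypts the request). -->
                <ramp:user>root</ramp:user>
                <!-- Encrypt the response to the certificate that signed the request rather than to a fixed alias; a fixed alias such as "peter" is reported to work. -->
                <ramp:encryptionUser>useReqSigCert</ramp:encryptionUser>
                <ramp:passwordCallbackClass>PasswordCallbackInHandler</ramp:passwordCallbackClass>
                <!--
                    NOTE(review): signature and encryption both use the same PKCS12 file, and
                    its password sits here in cleartext, so anyone who can read the deployed
                    policy holds the service's private key. The alias "root", the file name
                    new_root.p12 and the self-signed CA certificate carried in the attached
                    request suggest a CA key doubles as the service key; the two roles should
                    use separate keys, and the keystore secret should live outside the policy.
                -->
                <ramp:signatureCrypto>
                    <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
                        <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">PKCS12</ramp:property>
                        <ramp:property name="org.apache.ws.security.crypto.merlin.file">S:\j_axis2_deploy\CertAuthority\new_root.p12</ramp:property>
                        <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">geheim</ramp:property>
                    </ramp:crypto>
                </ramp:signatureCrypto>
                <ramp:encryptionCrypto>
                    <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
                        <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">PKCS12</ramp:property>
                        <ramp:property name="org.apache.ws.security.crypto.merlin.file">S:\j_axis2_deploy\CertAuthority\new_root.p12</ramp:property>
                        <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">geheim</ramp:property>
                    </ramp:crypto>
                </ramp:encryptionCrypto>
            </ramp:RampartConfig>
        </wsp:All>
    </wsp:ExactlyOne>
</wsp:Policy>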
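<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
            xmlns:a="http://www.w3.org/2005/08/addressing"
            xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
   <!--
      Request captured for the HelloWorld service (SOAP 1.2, WS-Addressing,
      WS-Security 1.0). The '";' that the mail archive appended to URL-valued
      attributes is removed; the BinarySecurityToken content had already been
      replaced by a placeholder in this copy.
      Security header, in document order: client X.509 token, RSA-wrapped 3DES
      key for the body, SAML 1.1 holder-of-key assertion, derived key, rsa-sha1
      signature over body and addressing headers, hmac-sha1 countersignature
      over that signature.
   -->
   <s:Header>
      <!-- Each addressing header carries a u:Id so Signature _0 can reference it. -->
      <a:Action s:mustUnderstand="1" u:Id="_4">hello</a:Action>
      <a:MessageID u:Id="_5">urn:uuid:81843bf6-04c4-44a9-bf10-e1882dc753d7</a:MessageID>
      <a:ReplyTo u:Id="_6">
         <a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
      </a:ReplyTo>
      <a:To s:mustUnderstand="1" u:Id="_7">http://localhost:7070/axis2/services/HelloWorld</a:To>
      <o:Security s:mustUnderstand="1"
                  xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
         <!-- NOTE(review): there is no wsu:Timestamp in this header; replay detection can only rely on the SAML Conditions window below and on MessageID tracking. -->
         <!-- Client certificate (X.509v3, base64). Signature _0 points at it by direct reference, so this is the certificate useReqSigCert should resolve. -->
         <o:BinarySecurityToken u:Id="uuid-bee5c554-2ac8-40a7-aa9f-1ccfecabdc27-5"
                                ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
                                EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">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</o:BinarySecurityToken>
         <!--
            Content key for the body (EncryptedData _3), wrapped with RSA PKCS#1 v1.5
            for the certificate with the given SubjectKeyIdentifier. That identifier
            appears to decode to the same bytes as the SKI extension of the CA
            certificate embedded in the assertion signature below, i.e. the request
            is encrypted to that CA key. rsa-1_5 key transport is padding-oracle
            prone; RSA-OAEP is the usual replacement.
         -->
         <e:EncryptedKey Id="_1" xmlns:e="http://www.w3.org/2001/04/xmlenc#">
            <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
            <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
               <o:SecurityTokenReference>
                  <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier"
                                   EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">7hgcjVhLhmOYxcXJ6dbAmi89/Mc=</o:KeyIdentifier>
               </o:SecurityTokenReference>
            </KeyInfo>
            <e:CipherData>
               <e:CipherValue>ka9wQhfcRf5VNTzKUhLqJM4kcEhwdwSTWmbxcuUy2vVknAKKwqlwYouhQLHGhBzUszaMQZrSyjP4ZHsDy+rqM5f545TwaW4DxfoopW42SVdgPdtyLVG+mOdNKiXIaFk4sZiwqna2A2hPjuU5TVU6UCskxlhFUHsV4t8wR2M5XGM=</e:CipherValue>
            </e:CipherData>
            <e:ReferenceList>
               <e:DataReference URI="#_3"/>
            </e:ReferenceList>
         </e:EncryptedKey>
         <!--
            SAML 1.1 assertion, issued 2008-11-13T14:46:49Z and valid for five
            minutes (14:46:48Z to 14:51:48Z; the receiver must enforce this window).
            Holder-of-key: the proof key is wrapped (rsa-1_5) for the certificate
            with the given SHA-1 thumbprint, presumably the service's. The issuer
            signs with an enveloped rsa-sha1 signature and embeds its own
            certificate in KeyInfo, so trust in the issuer must come from the
            service's truststore, never from the assertion itself.
         -->
         <Assertion AssertionID="_6e60ae7d8cd502a6bffef6ea16b9db13"
                    IssueInstant="2008-11-13T14:46:49.031Z" Issuer="TecDoc SAML 1.1 Token Issuer"
                    MajorVersion="1" MinorVersion="1" xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
                    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
                    xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
                    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
            <Conditions NotBefore="2008-11-13T14:46:48.125Z" NotOnOrAfter="2008-11-13T14:51:48.125Z"></Conditions>
            <AuthenticationStatement AuthenticationInstant="2008-11-13T14:46:48.171Z"
                                     AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
               <Subject>
                  <SubjectConfirmation>
                     <ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</ConfirmationMethod>
                     <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
                        <xenc:EncryptedKey Id="EncKeyId-urn:uuid:C6425D78B9B23E84F812265876081092"
                                           xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
                                           xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                           <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"></xenc:EncryptionMethod>
                           <ds:KeyInfo>
                              <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
                                 <wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
                                                     ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">aADNsZA5+sp3cO1Vffim6Ro1g9I=</wsse:KeyIdentifier>
                              </wsse:SecurityTokenReference>
                           </ds:KeyInfo>
                           <xenc:CipherData>
                              <xenc:CipherValue>IuRBKbtYXgLRl4Rc6yU0bpY6UJVdQkitbPdsBSVqDOPYyqHvKrTdD4xPQRUv7c8VjNjW09C2snyHz6DkoJGyzJtoibqxA6bYqSC91+q7cXV91iWDY1rOw2az8Qajg3CGlqEVjUsooF6g+kp/sCF5BIFWIpjefwaGOw8GRTTjHgs=</xenc:CipherValue>
                           </xenc:CipherData>
                        </xenc:EncryptedKey>
                     </KeyInfo>
                  </SubjectConfirmation>
               </Subject>
            </AuthenticationStatement>
            <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
               <ds:SignedInfo>
                  <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod>
                  <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod>
                  <ds:Reference URI="#_6e60ae7d8cd502a6bffef6ea16b9db13">
                     <ds:Transforms>
                        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform>
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                           <ec:InclusiveNamespaces PrefixList="code ds kind rw saml samlp typens #default xsd xsi"
                                                   xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"></ec:InclusiveNamespaces>
                        </ds:Transform>
                     </ds:Transforms>
                     <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
                     <ds:DigestValue>GECY66hLaQ7mpuPXrOs8VRqz3Yc=</ds:DigestValue>
                  </ds:Reference>
               </ds:SignedInfo>
               <ds:SignatureValue>WZE2wSLn02m9w3J4XRgq4vcjkdCT08uTOfqZTuG8MgLXBvWHwrVSbENsKW7zIrpU/ZRGHViEQJ9/V230tmfzUhMbAnTGeLrFkgBPwpfl/Fhp83o1Btq2OGKcF2DFpweFat+zygeumJpqR8ywmT4YZCEIFhgX4tBcTOMte3Ct3W8=</ds:SignatureValue>
               <!-- Issuer certificate: self-signed, CN "TecDoc Test Root CA" with basicConstraints CA:TRUE when decoded; a CA key issuing tokens (and apparently also receiving the encrypted body above) is a key-separation concern. -->
               <ds:KeyInfo>
                  <ds:X509Data>
                     <ds:X509Certificate>MIIDKzCCApSgAwIBAgIJAJ4O/NNLGMMpMA0GCSqGSIb3DQEBBQUAMG0xCzAJBgNVBAYTAkRFMQwwCgYDVQQIEwNOUlcxEDAOBgNVBAcTB0NvbG9nbmUxDzANBgNVBAoTBlRlY0RvYzEPMA0GA1UECxMGVGVjRG9jMRwwGgYDVQQDExNUZWNEb2MgVGVzdCBSb290IENBMB4XDTA4MDUyODEyMzM1OVoXDTM1MTAxMzEyMzM1OVowbTELMAkGA1UEBhMCREUxDDAKBgNVBAgTA05SVzEQMA4GA1UEBxMHQ29sb2duZTEPMA0GA1UEChMGVGVjRG9jMQ8wDQYDVQQLEwZUZWNEb2MxHDAaBgNVBAMTE1RlY0RvYyBUZXN0IFJvb3QgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMUZceUEEm1GPZZzTcKvxte0Cs8q+4XpAfXSp+fAb0Fjwh8Redr9GPKlIUF/KqIy74cAfLwTOqH36z+6hiruRrno8mRsjZwF7BiXUTpQRQwmJx4f4jaaC+lwCfyF5YnyPy9nKGWPWM7miqI4oA4aCQT3AOfEdmlc8+DIbEshldUnAgMBAAGjgdIwgc8wHQYDVR0OBBYEFO4YHI1YS4ZjmMXFyenWwJovPfzHMIGfBgNVHSMEgZcwgZSAFO4YHI1YS4ZjmMXFyenWwJovPfzHoXGkbzBtMQswCQYDVQQGEwJERTEMMAoGA1UECBMDTlJXMRAwDgYDVQQHEwdDb2xvZ25lMQ8wDQYDVQQKEwZUZWNEb2MxDzANBgNVBAsTBlRlY0RvYzEcMBoGA1UEAxMTVGVjRG9jIFRlc3QgUm9vdCBDQYIJAJ4O/NNLGMMpMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEAPcYKhBM+AuU18WD+JsagEnKXhxPvsUFg9Yg/tWrO/DEoV1AvDjALIIioQc3kUZJikLHiKhtFMH8Mm91DHASeUseu81vcA/UqVTcOOYT6053/3wgYESeqnI8CG+byBn6CD8tL3xC7jvc7DPUW5QkS6mVbTC4FgG69oiXVwUfcqYI=</ds:X509Certificate>
                  </ds:X509Data>
               </ds:KeyInfo>
            </ds:Signature>
         </Assertion>
         <!-- 24-byte key derived (offset 0) from the assertion's proof key, referenced by AssertionID; used by the HMAC signature at the end of the header. -->
         <c:DerivedKeyToken u:Id="_8" xmlns:c="http://schemas.xmlsoap.org/ws/2005/02/sc">
            <o:SecurityTokenReference>
               <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">_6e60ae7d8cd502a6bffef6ea16b9db13</o:KeyIdentifier>
            </o:SecurityTokenReference>
            <c:Offset>0</c:Offset>
            <c:Length>24</c:Length>
            <c:Nonce>fcJCjfHG/M5xpg0FXF4www==</c:Nonce>
         </c:DerivedKeyToken>
         <!--
            Client signature: rsa-sha1 over the body (_2) and the Action, MessageID,
            ReplyTo and To headers, keyed by the BinarySecurityToken above. With the
            policy's sp:Strict layout and the EncryptedKey placed before this element,
            the receiver decrypts first and verifies afterwards. SHA-1 is deprecated
            for signatures.
         -->
         <Signature Id="_0" xmlns="http://www.w3.org/2000/09/xmldsig#">
            <SignedInfo>
               <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
               <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
               <Reference URI="#_2">
                  <Transforms>
                     <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                  </Transforms>
                  <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                  <DigestValue>+oEk/B1z4456IZE1AsaN70AJ1E4=</DigestValue>
               </Reference>
               <Reference URI="#_4">
                  <Transforms>
                     <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                  </Transforms>
                  <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                  <DigestValue>DXVKp4w/ZNVYnSgmeZ4nltIcKIc=</DigestValue>
               </Reference>
               <Reference URI="#_5">
                  <Transforms>
                     <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                  </Transforms>
                  <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                  <DigestValue>Soy4sTcTDkObLdgNPAFHQfd71VU=</DigestValue>
               </Reference>
               <Reference URI="#_6">
                  <Transforms>
                     <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                  </Transforms>
                  <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                  <DigestValue>CuNmjfm/U6y2+ZScFHyVRRpkyKQ=</DigestValue>
               </Reference>
               <Reference URI="#_7">
                  <Transforms>
                     <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                  </Transforms>
                  <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                  <DigestValue>Him4DUOAkJKj91SdX9cOYr53Z48=</DigestValue>
               </Reference>
            </SignedInfo>
            <SignatureValue>D61G0tTSIq0749K0pDloGJoL4zet8qc8O0kQ/vxYFw/zbX7h5r1qlhFOLCqlu+y6k065flSpLqfJov/E4L7WKTP9Ag5S0V2BljbR3GbDgWR3xIikP5rsbhvnreKM+Qb/+n0KQCxxhZHj+V8FYlcqLkmWAlyKUzFI4MYynHTpVwU=</SignatureValue>
            <KeyInfo>
               <o:SecurityTokenReference>
                  <o:Reference ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
                               URI="#uuid-bee5c554-2ac8-40a7-aa9f-1ccfecabdc27-5"/>
               </o:SecurityTokenReference>
            </KeyInfo>
         </Signature>
         <!--
            Holder-of-key proof: hmac-sha1 over Signature _0, keyed by DerivedKeyToken
            _8. This signature carries no certificate at all; a useReqSigCert lookup
            that lands on this signature result would yield a null alias.
         -->
         <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
            <SignedInfo>
               <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
               <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
               <Reference URI="#_0">
                  <Transforms>
                     <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                  </Transforms>
                  <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                  <DigestValue>WFoiswB5jwuyqCl+NOcVQsO6mv4=</DigestValue>
               </Reference>
            </SignedInfo>
            <SignatureValue>d3JKPkVVXVnBMwX4GAPYCq/YC3E=</SignatureValue>
            <KeyInfo>
               <o:SecurityTokenReference>
                  <o:Reference URI="#_8"/>
               </o:SecurityTokenReference>
            </KeyInfo>
         </Signature>
      </o:Security>
   </s:Header>
   <!-- Body content encrypted with 3DES-CBC under the key from EncryptedKey _1. CBC gives no integrity at the XML-Enc layer; integrity rests solely on Signature _0 over the plaintext, which is checked only after decryption. -->
   <s:Body u:Id="_2">
      <e:EncryptedData Id="_3" Type="http://www.w3.org/2001/04/xmlenc#Content"
                       xmlns:e="http://www.w3.org/2001/04/xmlenc#">
         <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
         <e:CipherData>
            <e:CipherValue>KqKeHF4W6tEvhlMRcYahnjok0Qrtd/tvcNmPetrNecX0XICIMfJDb1u3Ff0BuLvZvO4WgS5dVlKKyf38Lr1avFwd32dRtWoCcEj1sv8FYHMP+GzNwcpf5Yot4K5XoVj9</e:CipherValue>
         </e:CipherData>
      </e:EncryptedData>
   </s:Body>
</s:Envelope>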
