Hi, I have an issue using symmetric key encryption in WSS4J. My problem is the following:
My goal is to configure WSS4J to encrypt a (part of) message with a symmetric key (both client and server know in advance that key). I'm using CXF 2.5.1 and WSS4J 1.6.0. I created a symmetricStore with keytool (JDK 1.6.0), and I configured the client:

    action: Encrypt
    embeddedKeyCallbackClass: org.openspcoop.wssecurity.SymmetricCallbackHandler
    encryptionKeyIdentifier: EmbeddedKeyName
    encryptionPropFile: symmetric-crypto.properties
    isBSPCompliant: false
    user: symmetric

and the server:

    action: Encrypt
    decryptionPropFile: symmetric-crypto.properties
    encryptionKeyIdentifier: EmbeddedKeyName
    isBSPCompliant: false
    PasswordCallbackClass: org.openspcoop.wssecurity.SymmetricCallbackHandler

org.openspcoop.wssecurity.SymmetricCallbackHandler is a custom CallbackHandler which does nothing but set the key in the WSPasswordCallback by calling the setKey(byte[]) method. With such a configuration the message is encrypted and decrypted correctly. My problem is that such a configuration is not Basic Security Profile compliant.

If I set isBSPCompliant to true, I get the following exception on the receiver side:

    org.apache.ws.security.WSSecurityException: An error was discovered processing the <wsse:Security> header (WSSecurityEngine: EncryptedKey does not contain ds:KeyInfo/wsse:SecurityTokenReference)
        at org.apache.ws.security.processor.ReferenceListProcessor.checkBSPCompliance(ReferenceListProcessor.java:197)
        at org.apache.ws.security.processor.ReferenceListProcessor.decryptDataRefEmbedded(ReferenceListProcessor.java:137)
        at org.apache.ws.security.processor.ReferenceListProcessor.handleReferenceList(ReferenceListProcessor.java:96)
        at org.apache.ws.security.processor.ReferenceListProcessor.handleToken(ReferenceListProcessor.java:63)
        at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:396)
        at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:248)

In fact, monitoring the message which is passing, I saw that no SecurityTokenReference is included, and the wsse:Security header looks like:

    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
        <xenc:ReferenceList xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
            <xenc:DataReference URI="#ED-29"/>
        </xenc:ReferenceList>
    </wsse:Security>

I checked the Basic Profile specs about it: http://www.ws-i.org/Profiles/BasicSecurityProfile-1.1.html#Exactly_One_SecurityTokenReference_Child_Element and I'm not sure whether this SecurityTokenReference should be included: it seems to me that, IF a SecurityTokenReference is provided, it must have exactly one child. Am I getting this right? And if I'm wrong, does anybody know how I can achieve encrypting with a symmetric key in a BSP-compliant way? Thanks in advance!

-- Giovanni Bussu
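An added example, not part of the post and not WSS4J code, that applies the two structural checks discussed above to a captured wsse:Security header: whether a ReferenceList is accompanied by an EncryptedKey carrying ds:KeyInfo/wsse:SecurityTokenReference (the condition named in the WSS4J exception), and whether each SecurityTokenReference has exactly one child (the BSP rule linked in the post). The first sample header is the one quoted in the post; the other two are constructed here purely to exercise the checks, and their element layout is an assumption about shape, not a claim about what WSS4J emits.

```python
"""Structural check of a wsse:Security header (added example, not WSS4J code)."""
import xml.etree.ElementTree as ET

# Namespaces from the header quoted in the post (wsse, xenc) plus xmldsig (ds),
# which the WSS4J error message refers to.
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
XENC = "http://www.w3.org/2001/04/xmlenc#"
DS = "http://www.w3.org/2000/09/xmldsig#"


def _q(ns, local):
    """Clark-notation tag name, as ElementTree expects it."""
    return "{%s}%s" % (ns, local)


def check_security_header(xml_text):
    """Return a list of findings for one wsse:Security header.

    Flagged:
      * an xenc:ReferenceList with no xenc:EncryptedKey, so nothing carries a
        ds:KeyInfo/wsse:SecurityTokenReference naming the key (the situation
        behind the exception quoted in the post);
      * an EncryptedKey without ds:KeyInfo/wsse:SecurityTokenReference;
      * a SecurityTokenReference whose child count is not exactly one.
    An empty list means nothing was flagged.
    """
    root = ET.fromstring(xml_text)
    if root.tag != _q(WSSE, "Security"):
        return ["root element is not wsse:Security"]

    findings = []
    enc_keys = root.findall(_q(XENC, "EncryptedKey"))
    if root.findall(_q(XENC, "ReferenceList")) and not enc_keys:
        findings.append("ReferenceList present but no EncryptedKey carrying "
                        "ds:KeyInfo/wsse:SecurityTokenReference")

    for ek in enc_keys:
        strs = ek.findall(_q(DS, "KeyInfo") + "/" + _q(WSSE, "SecurityTokenReference"))
        if not strs:
            findings.append("EncryptedKey does not contain ds:KeyInfo/wsse:SecurityTokenReference")
            continue
        for s in strs:
            n = len(list(s))
            if n != 1:
                findings.append("SecurityTokenReference has %d children, expected exactly one" % n)
    return findings


# Header exactly as quoted in the post: a bare ReferenceList, no EncryptedKey.
HEADER_FROM_POST = (
    '<wsse:Security xmlns:wsse="' + WSSE + '" '
    'xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">'
    '<xenc:ReferenceList xmlns:xenc="' + XENC + '">'
    '<xenc:DataReference URI="#ED-29"/>'
    '</xenc:ReferenceList>'
    '</wsse:Security>'
)

# Constructed sample (assumed shape): EncryptedKey with a one-child SecurityTokenReference.
CONSTRUCTED_OK_HEADER = (
    '<wsse:Security xmlns:wsse="' + WSSE + '" xmlns:xenc="' + XENC + '" xmlns:ds="' + DS + '">'
    '<xenc:EncryptedKey Id="EK-1">'
    '<ds:KeyInfo><wsse:SecurityTokenReference>'
    '<wsse:KeyIdentifier>symmetric</wsse:KeyIdentifier>'
    '</wsse:SecurityTokenReference></ds:KeyInfo>'
    '<xenc:ReferenceList><xenc:DataReference URI="#ED-29"/></xenc:ReferenceList>'
    '</xenc:EncryptedKey>'
    '</wsse:Security>'
)

# Constructed sample (assumed shape): SecurityTokenReference with two children.
CONSTRUCTED_TWO_CHILD_STR = (
    '<wsse:Security xmlns:wsse="' + WSSE + '" xmlns:xenc="' + XENC + '" xmlns:ds="' + DS + '">'
    '<xenc:EncryptedKey Id="EK-2">'
    '<ds:KeyInfo><wsse:SecurityTokenReference>'
    '<wsse:KeyIdentifier>symmetric</wsse:KeyIdentifier>'
    '<wsse:Reference URI="#EK-2"/>'
    '</wsse:SecurityTokenReference></ds:KeyInfo>'
    '</xenc:EncryptedKey>'
    '</wsse:Security>'
)


if __name__ == "__main__":
    for name, hdr in [("post", HEADER_FROM_POST),
                      ("constructed ok", CONSTRUCTED_OK_HEADER),
                      ("constructed two-child STR", CONSTRUCTED_TWO_CHILD_STR)]:
        print(name, "->", check_security_header(hdr) or "no findings")
```

Running this against the header captured from a message is a quick way to tell, before turning on isBSPCompliant on the receiver, whether the sender ever emitted a SecurityTokenReference at all; for the post's header the result is the first finding, because the ReferenceList sits directly under wsse:Security with no EncryptedKey to reference the key.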