Sure. You want the maven scripts and everything too? Thanks
Aman On 19 Oct 2011, at 09:35, Colm O hEigeartaigh <cohei...@apache.org> wrote: > Hi Aman, > > Could you create a test-case and attach it to a JIRA (in CXF?). > > Colm. > > On Tue, Oct 18, 2011 at 10:47 PM, aman kohli <ako...@yahoo.com> wrote: >> Hi All -- >> >> Running into a problem on the server implementation (a cxf soap server) of >> asymmetric encryption. The intention is the soap body is to be encrypted >> with the server's public key. The client (also using cxf) seems to be >> encrypting the message body ok. >> >> On receipt of the message, the server implementation raises an exception, >> with the reason the alias is null. Here's the stack: >> >> org.apache.ws.security.WSSecurityException: The signature or decryption was >> invalid; nested exception is: >> java.lang.Exception: alias is null >> at >> org.apache.ws.security.processor.EncryptedKeyProcessor.handleEncryptedKey(EncryptedKeyProcessor.java:330) >> at >> org.apache.ws.security.processor.EncryptedKeyProcessor.handleEncryptedKey(EncryptedKeyProcessor.java:104) >> at >> org.apache.ws.security.processor.EncryptedKeyProcessor.handleToken(EncryptedKeyProcessor.java:84) >> at >> org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:326) >> at >> org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:243) >> at >> org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:198) >> at >> org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:77) >> at >> org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:236) >> at >> org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:104) >> at >> org.apache.cxf.transport.http_jetty.JettyHTTPDestination.serviceRequest(JettyHTTPDestination.java:302) >> … >> Caused by: java.lang.Exception: alias is null >> at >> org.apache.ws.security.components.crypto.CryptoBase.getPrivateKey(CryptoBase.java:207) >> at >> org.apache.ws.security.processor.EncryptedKeyProcessor.handleEncryptedKey(EncryptedKeyProcessor.java:328) >> ... 22 more >> >> I added some println statements to the password callback on the server side >> to print out the type and id: >> *** password callback type 1 class >> org.apache.ws.security.WSPasswordCallback >> *** password callback id null >> >> The API is used to configure CXF and WSS4j and not the xml configuration. >> The messages are not being signed, nor are timestamps being used, just >> encryption/decryption, ep is the endpointimpl : >> >> Map<String,Object> inProps1 = new HashMap<String,Object>(); >> inProps1.put(WSHandlerConstants.ACTION, WSHandlerConstants.ENCRYPT); >> inProps1.put(WSHandlerConstants.PW_CALLBACK_CLASS, >> PasswordCallbackHandler.class.getName()); >> inProps1.put(WSHandlerConstants.DEC_PROP_FILE, >> "server-security.properties"); >> inProps1.put(WSHandlerConstants.USER, "clientkey"); >> >> ep.getServer().getEndpoint().getInInterceptors().add(new >> WSS4JInInterceptor(inProps1)); >> >> And the properties file is: >> >> org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin >> org.apache.ws.security.crypto.merlin.keystore.type=jks >> org.apache.ws.security.crypto.merlin.keystore.password=storepass >> org.apache.ws.security.crypto.merlin.keystore.alias=clientkey >> >> org.apache.ws.security.crypto.merlin.keystore.file=src/main/keystores/server-encypt.jks >> >> The server cert is self signed: >> >> $ keytool -genkey -alias umpservice -keyalg RSA -sigalg SHA1withRSA >> -keypass ump-pass -storepass dummy-service -keystore server-encypt.jks >> -dname cn=localhost >> $ keytool -genkey -alias clientkey -keyalg RSA -sigalg SHA1withRSA >> -keypass client-pass -storepass dummy-service -keystore >> ump-stub-keystore.jks -dname cn=umpd >> >> and the certificate was exported using the following: >> >> $ keytool -export -rfc -keystore ump-stub-keystore.jks -storepass >> dummy-service -keypass client-pass -alias clientkey -file client-cert.cer >> >> This is the WSDL extract: >> >> <wsp:Policy wsu:Id="AsymEncryption" >> >> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"; >> xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy";> >> <wsp:ExactlyOne> >> <wsp:All> >> <sp:AsymmetricBinding >> xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702";> >> <wsp:Policy> >> <sp:InitiatorToken> >> <wsp:Policy> >> <sp:X509Token >> sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient";> >> <wsp:Policy> >> <!-- <sp:RequireThumbprintReference/> --> >> </wsp:Policy> >> </sp:X509Token> >> </wsp:Policy> >> </sp:InitiatorToken> >> >> <sp:RecipientToken> >> <wsp:Policy> >> <sp:X509Token >> sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never";> >> <wsp:Policy> >> <!-- <sp:RequireThumbprintReference/> --> >> </wsp:Policy> >> </sp:X509Token> >> </wsp:Policy> >> </sp:RecipientToken> >> >> <sp:AlgorithmSuite> >> <wsp:Policy> >> <sp:TripleDesRsa15/> >> </wsp:Policy> >> </sp:AlgorithmSuite> >> >> <sp:Layout> >> <wsp:Policy> >> <sp:Strict/> >> </wsp:Policy> >> </sp:Layout> >> >> <!-- <sp:IncludeTimestamp/> >> <sp:OnlySignEntireHeadersAndBody/> >> --> >> </wsp:Policy> >> </sp:AsymmetricBinding> >> >> <sp:EncryptedParts >> xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702";> >> <sp:Body/> >> </sp:EncryptedParts> >> </wsp:All> >> </wsp:ExactlyOne> >> </wsp:Policy> >> >> … >> <wsdl:binding name="CollectionImplServiceSoapBinding" >> type="tns:CollectionService"> >> <wsp:PolicyReference >> xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"; >> URI="#AsymEncryption"/> >> >> >> And this is the incoming message: >> >> <output> >> >> INFO: Inbound Message >> ---------------------------- >> ID: 1 >> Address: /FooWS/services/Collection/ >> Encoding: UTF-8 >> Content-Type: text/xml; charset=UTF-8 >> Headers: {content-type=[text/xml; charset=UTF-8], >> connection=[keep-alive], Host=[localhost:9198], Content-Length=[2549], >> SOAPAction=[""], User-Agent=[Apache CXF 2.2.3], Content-Type=[text/xml; >> charset=U >> TF-8], Accept=[*/*], Pragma=[no-cache], Cache-Control=[no-cache]} >> Payload: <soap:Envelope >> xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"; >> xmlns:xenc="http://www.w3.org/2001/04/xmlenc#";><soap:Header><wsse:Security >> xmlns:wsse="http://docs.oasis-open.org/wss/2004/ >> 01/oasis-200401-wss-wssecurity-secext-1.0.xsd" >> soap:mustUnderstand="1"><xenc:EncryptedKey >> xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"; >> Id="EncKeyId-A77755F726FB2C832813189733820252"><xenc:EncryptionMe >> thod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"; /><ds:KeyInfo >> xmlns:ds="http://www.w3.org/2000/09/xmldsig#";> >> <wsse:SecurityTokenReference >> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";><ds:X509Data> >> <ds:X509IssuerSerial> >> <ds:X509IssuerName>CN=umpd</ds:X509IssuerName> >> <ds:X509SerialNumber>1316785867</ds:X509SerialNumber> >> </ds:X509IssuerSerial> >> </ds:X509Data></wsse:SecurityTokenReference> >> </ds:KeyInfo><xenc:CipherData><xenc:CipherValue>FlnDsQHOdVw0AOZualC9D6HvNIl7Hr2zXqf6YTZV5c28QzhwsJnZHLrL49dVPeq0TGT5QeRylc5lSfkUnWqwLoRs/N7yspkktxshhz7CTu3zzqbo3f82nSAr6d7nLXaI+dsIlDAkmngV/4uOJk1TqavjZl >> +7XW5XtxGHihzs5Zw=</xenc:CipherValue></xenc:CipherData><xenc:ReferenceList><xenc:DataReference >> URI="#EncDataId-1" >> /></xenc:ReferenceList></xenc:EncryptedKey></wsse:Security></soap:Header><soap:Body><xen >> c:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"; >> Id="EncDataId-1" >> Type="http://www.w3.org/2001/04/xmlenc#Content";><xenc:EncryptionMethod >> Algorithm="http://www.w3.org/2001/04/xmlenc#aes128- >> cbc" /><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#";> >> <wsse:SecurityTokenReference >> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";><wsse:Reference >> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-20040 >> 1-wss-wssecurity-secext-1.0.xsd" >> URI="#EncKeyId-A77755F726FB2C832813189733820252" >> /></wsse:SecurityTokenReference> >> </ds:KeyInfo><xenc:CipherData><xenc:CipherValue>Gbc/CYA8k1XJhCRYO8lA7rdxoUB6X4n7ZxfFSpxg437HUUjlaIImZ9vbX+UxxOuDKgEyN8TayBQR >> WIl+7npAm1BkzB88XJLf3EoVQI3eJhctspIuUgj/VIoHh090fCdw3bZGPSikqXlNPzPn5BsJKa/F >> 7Q4MIXjgS7G7L4tBesgsNJEcBx7ftp6Slxw+iTSvudYcMQ5ZcQcl0a4o2NbohFUIc1HJhg4daq0c >> LwvKit9owEQyMNkVXJV/vj6swU+gx9ltbFJJ4uqnx5zCA2obxOZzk61v+VX9ctotdP3/xLr/WHtz >> dRPsTsM34zguG6vwRq+f1czBKtlkbaN4CxTZDvPkLgFSXX286ki452UWBIzqxaynCAL6tY1qgMYi >> tDbQveW+suDbu4cwN4WtUUJdWmqGAOJOeXTXsmCqEcipN/eqod75QVbqzBrTBjpywNdhdxE2aBU/ >> wfXa1HMwhoKw9+Ul3st6I1tpuVbi+wK7amqGIwCo8URtdJEBzbu90g1uWfSgb/iIlrIyCk6vSIlB >> XbLD3VZCx0nlqfaG5GZOaqz1mAxCAfnrYg5y9eGkxIMk</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData></soap:Body></soap:Envelope> >> >> >> </output> >> >> >> On the client side, the WSS4j is setup as: >> >> Map<String,Object> outProps1 = new HashMap<String,Object>(); >> outProps1.put(WSHandlerConstants.ACTION, WSHandlerConstants.ENCRYPT); >> outProps1.put(WSHandlerConstants.PW_CALLBACK_CLASS, >> ClientCallbackHandler.class.getName()); >> outProps1.put(WSHandlerConstants.ENC_PROP_FILE, >> "client-crypto.properties"); >> outProps1.put(WSHandlerConstants.ENCRYPTION_USER, "servicekey"); >> >> cxfEndpoint.getOutInterceptors().add(new >> WSS4JOutInterceptor(outProps1)); >> >> and the properties file is: >> >> org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin >> org.apache.ws.security.crypto.merlin.keystore.type=jks >> org.apache.ws.security.crypto.merlin.keystore.alias=servicekey >> org.apache.ws.security.crypto.merlin.keystore.password=clientpass >> org.apache.ws.security.crypto.merlin.file=src/main/keystores/client-store.jks >> >> and the cert was imported using the command: >> $ keytool -import -trustcacerts -keystore client-store.jks -storepass >> clientpass -alias servicekey -file client-cert.cer >> >> Not sure what is going wrong, but there are a lot of steps, so maybe this is >> a simple error on my part. >> >> The CXF version is 2.2.3, If I need to redirect this to the cxf-users list, >> please let me know. >> >> Thanks for the help, >> >> Aman > > > > -- > Colm O hEigeartaigh > > http://coheigea.blogspot.com/ > Talend - http://www.talend.com/apache
