I'm unsure where the issue is but perhaps my recent blog entry
(http://www.jroller.com/gmazza/entry/cxf_x509_profile) can help you
figure out the problem. Your version of CXF (2.2.3) is quite old and
ideally should not be used in any context where security is important,
so I would look into upgrading that as well.
Glen
On 10/19/2011 03:48 AM, Kohli, Aman wrote:
[cross posting here and [email protected], as this is using CXF and WSS4J]
Hi All --
Running into a problem on the server implementation (a cxf soap server) of
asymmetric encryption. The intention is the soap body is to be encrypted with
the server's public key. The client (also using cxf) seems to be encrypting the
message body ok.
On receipt of the message, the server implementation raises an exception, with
the reason the alias is null. Here's the stack:
org.apache.ws.security.WSSecurityException: The signature or decryption was
invalid; nested exception is:
java.lang.Exception: alias is null
at
org.apache.ws.security.processor.EncryptedKeyProcessor.handleEncryptedKey(EncryptedKeyProcessor.java:330)
at
org.apache.ws.security.processor.EncryptedKeyProcessor.handleEncryptedKey(EncryptedKeyProcessor.java:104)
at
org.apache.ws.security.processor.EncryptedKeyProcessor.handleToken(EncryptedKeyProcessor.java:84)
at
org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:326)
at
org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:243)
at
org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:198)
at
org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:77)
at
org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:236)
at
org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:104)
at
org.apache.cxf.transport.http_jetty.JettyHTTPDestination.serviceRequest(JettyHTTPDestination.java:302)
...
Caused by: java.lang.Exception: alias is null
at
org.apache.ws.security.components.crypto.CryptoBase.getPrivateKey(CryptoBase.java:207)
at
org.apache.ws.security.processor.EncryptedKeyProcessor.handleEncryptedKey(EncryptedKeyProcessor.java:328)
... 22 more
I added some println statements to the password callback on the server side to
print out the type and id:
*** password callback type 1 class
org.apache.ws.security.WSPasswordCallback
*** password callback id null
The API is used to configure CXF and WSS4j and not the xml configuration. The
messages are not being signed, nor are timestamps being used, just
encryption/decryption, ep is the endpointimpl :
Map<String,Object> inProps1 = new HashMap<String,Object>();
inProps1.put(WSHandlerConstants.ACTION, WSHandlerConstants.ENCRYPT);
inProps1.put(WSHandlerConstants.PW_CALLBACK_CLASS,
PasswordCallbackHandler.class.getName());
inProps1.put(WSHandlerConstants.DEC_PROP_FILE,
"server-security.properties");
inProps1.put(WSHandlerConstants.USER, "clientkey");
ep.getServer().getEndpoint().getInInterceptors().add(new
WSS4JInInterceptor(inProps1));
And the properties file is:
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.keystore.password=storepass
org.apache.ws.security.crypto.merlin.keystore.alias=clientkey
org.apache.ws.security.crypto.merlin.keystore.file=src/main/keystores/server-encypt.jks
The server cert is self signed:
$ keytool -genkey -alias umpservice -keyalg RSA -sigalg SHA1withRSA
-keypass ump-pass -storepass dummy-service -keystore server-encypt.jks -dname
cn=localhost
$ keytool -genkey -alias clientkey -keyalg RSA -sigalg SHA1withRSA
-keypass client-pass -storepass dummy-service -keystore ump-stub-keystore.jks
-dname cn=umpd
and the certificate was exported using the following:
$ keytool -export -rfc -keystore ump-stub-keystore.jks -storepass
dummy-service -keypass client-pass -alias clientkey -file client-cert.cer
This is the WSDL extract:
<wsp:Policy wsu:Id="AsymEncryption"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy";>
<wsp:ExactlyOne>
<wsp:All>
<sp:AsymmetricBinding
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702";>
<wsp:Policy>
<sp:InitiatorToken>
<wsp:Policy>
<sp:X509Token
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient";>
<wsp:Policy>
<!--<sp:RequireThumbprintReference/> -->
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:InitiatorToken>
<sp:RecipientToken>
<wsp:Policy>
<sp:X509Token
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never";>
<wsp:Policy>
<!--<sp:RequireThumbprintReference/> -->
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:RecipientToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:TripleDesRsa15/>
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
<wsp:Policy>
<sp:Strict/>
</wsp:Policy>
</sp:Layout>
<!--<sp:IncludeTimestamp/>
<sp:OnlySignEntireHeadersAndBody/>
-->
</wsp:Policy>
</sp:AsymmetricBinding>
<sp:EncryptedParts
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702";>
<sp:Body/>
</sp:EncryptedParts>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
...
<wsdl:binding name="CollectionImplServiceSoapBinding"
type="tns:CollectionService">
<wsp:PolicyReference
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy";
URI="#AsymEncryption"/>
And this is the incoming message:
<output>
INFO: Inbound Message
----------------------------
ID: 1
Address: /FooWS/services/Collection/
Encoding: UTF-8
Content-Type: text/xml; charset=UTF-8
Headers: {content-type=[text/xml; charset=UTF-8], connection=[keep-alive],
Host=[localhost:9198], Content-Length=[2549], SOAPAction=[""],
User-Agent=[Apache CXF 2.2.3], Content-Type=[text/xml; charset=U
TF-8], Accept=[*/*], Pragma=[no-cache], Cache-Control=[no-cache]}
Payload:<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/";
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#";><soap:Header><wsse:Security
xmlns:wsse="http://docs.oasis-open.org/wss/2004/
01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soap:mustUnderstand="1"><xenc:EncryptedKey
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#";
Id="EncKeyId-A77755F726FB2C832813189733820252"><xenc:EncryptionMe
thod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"; /><ds:KeyInfo
xmlns:ds="http://www.w3.org/2000/09/xmldsig#";>
<wsse:SecurityTokenReference
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";><ds:X509Data>
<ds:X509IssuerSerial>
<ds:X509IssuerName>CN=umpd</ds:X509IssuerName>
<ds:X509SerialNumber>1316785867</ds:X509SerialNumber>
</ds:X509IssuerSerial>
</ds:X509Data></wsse:SecurityTokenReference>
</ds:KeyInfo><xenc:CipherData><xenc:CipherValue>FlnDsQHOdVw0AOZualC9D6HvNIl7Hr2zXqf6YTZV5c28QzhwsJnZHLrL49dVPeq0TGT5QeRylc5lSfkUnWqwLoRs/N7yspkktxshhz7CTu3zzqbo3f82nSAr6d7nLXaI+dsIlDAkmngV/4uOJk1TqavjZl
+7XW5XtxGHihzs5Zw=</xenc:CipherValue></xenc:CipherData><xenc:ReferenceList><xenc:DataReference URI="#EncDataId-1"
/></xenc:ReferenceList></xenc:EncryptedKey></wsse:Security></soap:Header><soap:Body><xen
c:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"; Id="EncDataId-1"
Type="http://www.w3.org/2001/04/xmlenc#Content";><xenc:EncryptionMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-
cbc" /><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#";>
<wsse:SecurityTokenReference
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";><wsse:Reference
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-20040
1-wss-wssecurity-secext-1.0.xsd" URI="#EncKeyId-A77755F726FB2C832813189733820252"
/></wsse:SecurityTokenReference>
</ds:KeyInfo><xenc:CipherData><xenc:CipherValue>Gbc/CYA8k1XJhCRYO8lA7rdxoUB6X4n7ZxfFSpxg437HUUjlaIImZ9vbX+UxxOuDKgEyN8TayBQR
WIl+7npAm1BkzB88XJLf3EoVQI3eJhctspIuUgj/VIoHh090fCdw3bZGPSikqXlNPzPn5BsJKa/F
7Q4MIXjgS7G7L4tBesgsNJEcBx7ftp6Slxw+iTSvudYcMQ5ZcQcl0a4o2NbohFUIc1HJhg4daq0c
LwvKit9owEQyMNkVXJV/vj6swU+gx9ltbFJJ4uqnx5zCA2obxOZzk61v+VX9ctotdP3/xLr/WHtz
dRPsTsM34zguG6vwRq+f1czBKtlkbaN4CxTZDvPkLgFSXX286ki452UWBIzqxaynCAL6tY1qgMYi
tDbQveW+suDbu4cwN4WtUUJdWmqGAOJOeXTXsmCqEcipN/eqod75QVbqzBrTBjpywNdhdxE2aBU/
wfXa1HMwhoKw9+Ul3st6I1tpuVbi+wK7amqGIwCo8URtdJEBzbu90g1uWfSgb/iIlrIyCk6vSIlB
XbLD3VZCx0nlqfaG5GZOaqz1mAxCAfnrYg5y9eGkxIMk</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData></soap:Body></soap:Envelope>
</output>
On the client side, the WSS4j is setup as:
Map<String,Object> outProps1 = new HashMap<String,Object>();
outProps1.put(WSHandlerConstants.ACTION, WSHandlerConstants.ENCRYPT);
outProps1.put(WSHandlerConstants.PW_CALLBACK_CLASS,
ClientCallbackHandler.class.getName());
outProps1.put(WSHandlerConstants.ENC_PROP_FILE,
"client-crypto.properties");
outProps1.put(WSHandlerConstants.ENCRYPTION_USER, "servicekey");
cxfEndpoint.getOutInterceptors().add(new
WSS4JOutInterceptor(outProps1));
and the properties file is:
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.keystore.alias=servicekey
org.apache.ws.security.crypto.merlin.keystore.password=clientpass
org.apache.ws.security.crypto.merlin.file=src/main/keystores/client-store.jks
and the cert was imported using the command:
$ keytool -import -trustcacerts -keystore client-store.jks -storepass
clientpass -alias servicekey -file client-cert.cer
Not sure what is going wrong, but there are a lot of steps, so maybe this is a
simple error on my part.
The CXF version is 2.2.3.
Thanks for the help,
Aman
--
Glen Mazza
Talend - http://www.talend.com/apache
Blog - http://www.jroller.com/gmazza
Twitter - glenmazza
