Thanks Glen, your blog has been of great help. On the WSS4J thread, Colm has been working with me; it looks as if this version of CXF (2.2.3) does have a problem with my scenario, and, in typical rookie mistake mode, my keystores did not have the aliases set up properly for the certificates and keys.

I am going to try and get our team to upgrade to 2.4.x, but this is a big company and these things take time!

Aman

> -----Original Message-----
> From: Glen Mazza [mailto:[email protected]]
> Sent: 19 October 2011 17:23
> To: [email protected]
> Subject: Re: Asymmetric Encryption - alias is null during decryption using private key
>
> I'm unsure where the issue is but perhaps my recent blog entry
> (http://www.jroller.com/gmazza/entry/cxf_x509_profile) can help you
> figure out the problem. Your version of CXF (2.2.3) is quite old and ideally
> should not be used in any context where security is important, so I would
> look into upgrading that as well.
>
> Glen
>
> On 10/19/2011 03:48 AM, Kohli, Aman wrote:
> > [cross posting here and [email protected], as this is using CXF and WSS4J]
> >
> > Hi All --
> >
> > Running into a problem on the server implementation (a cxf soap server) of
> > asymmetric encryption. The intention is that the soap body is to be encrypted
> > with the server's public key. The client (also using cxf) seems to be
> > encrypting the message body ok.
> >
> > On receipt of the message, the server implementation raises an exception,
> > with the reason that the alias is null. Here's the stack:
> >
> > org.apache.ws.security.WSSecurityException: The signature or decryption was invalid; nested exception is:
> > java.lang.Exception: alias is null
> >     at org.apache.ws.security.processor.EncryptedKeyProcessor.handleEncryptedKey(EncryptedKeyProcessor.java:330)
> >     at org.apache.ws.security.processor.EncryptedKeyProcessor.handleEncryptedKey(EncryptedKeyProcessor.java:104)
> >     at org.apache.ws.security.processor.EncryptedKeyProcessor.handleToken(EncryptedKeyProcessor.java:84)
> >     at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:326)
> >     at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:243)
> >     at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:198)
> >     at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:77)
> >     at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:236)
> >     at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:104)
> >     at org.apache.cxf.transport.http_jetty.JettyHTTPDestination.serviceRequest(JettyHTTPDestination.java:302)
> >     ...
> > Caused by: java.lang.Exception: alias is null
> >     at org.apache.ws.security.components.crypto.CryptoBase.getPrivateKey(CryptoBase.java:207)
> >     at org.apache.ws.security.processor.EncryptedKeyProcessor.handleEncryptedKey(EncryptedKeyProcessor.java:328)
> >     ... 22 more
> >
> > I added some println statements to the password callback on the server
> > side to print out the type and id:
> >
> > *** password callback type 1 class org.apache.ws.security.WSPasswordCallback
> > *** password callback id null
> >
> > The API is used to configure CXF and WSS4J, not the xml configuration.
> > The messages are not being signed, nor are timestamps being used, just
> > encryption/decryption; ep is the endpointimpl:
> >
> > Map<String,Object> inProps1 = new HashMap<String,Object>();
> > inProps1.put(WSHandlerConstants.ACTION, WSHandlerConstants.ENCRYPT);
> > inProps1.put(WSHandlerConstants.PW_CALLBACK_CLASS, PasswordCallbackHandler.class.getName());
> > inProps1.put(WSHandlerConstants.DEC_PROP_FILE, "server-security.properties");
> > inProps1.put(WSHandlerConstants.USER, "clientkey");
> >
> > ep.getServer().getEndpoint().getInInterceptors().add(new WSS4JInInterceptor(inProps1));
> >
> > And the properties file is:
> >
> > org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
> > org.apache.ws.security.crypto.merlin.keystore.type=jks
> > org.apache.ws.security.crypto.merlin.keystore.password=storepass
> > org.apache.ws.security.crypto.merlin.keystore.alias=clientkey
> > org.apache.ws.security.crypto.merlin.keystore.file=src/main/keystores/server-encypt.jks
> >
> > The server cert is self signed:
> >
> > $ keytool -genkey -alias umpservice -keyalg RSA -sigalg SHA1withRSA -keypass ump-pass -storepass dummy-service -keystore server-encypt.jks -dname cn=localhost
> > $ keytool -genkey -alias clientkey -keyalg RSA -sigalg SHA1withRSA -keypass client-pass -storepass dummy-service -keystore ump-stub-keystore.jks -dname cn=umpd
> >
> > and the certificate was exported using the following:
> >
> > $ keytool -export -rfc -keystore ump-stub-keystore.jks -storepass dummy-service -keypass client-pass -alias clientkey -file client-cert.cer
> >
> > This is the WSDL extract:
> >
> > <wsp:Policy wsu:Id="AsymEncryption"
> >     xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> >     xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
> >   <wsp:ExactlyOne>
> >     <wsp:All>
> >       <sp:AsymmetricBinding xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
> >         <wsp:Policy>
> >           <sp:InitiatorToken>
> >             <wsp:Policy>
> >               <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
> >                 <wsp:Policy>
> >                   <!--<sp:RequireThumbprintReference/> -->
> >                 </wsp:Policy>
> >               </sp:X509Token>
> >             </wsp:Policy>
> >           </sp:InitiatorToken>
> >
> >           <sp:RecipientToken>
> >             <wsp:Policy>
> >               <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
> >                 <wsp:Policy>
> >                   <!--<sp:RequireThumbprintReference/> -->
> >                 </wsp:Policy>
> >               </sp:X509Token>
> >             </wsp:Policy>
> >           </sp:RecipientToken>
> >
> >           <sp:AlgorithmSuite>
> >             <wsp:Policy>
> >               <sp:TripleDesRsa15/>
> >             </wsp:Policy>
> >           </sp:AlgorithmSuite>
> >
> >           <sp:Layout>
> >             <wsp:Policy>
> >               <sp:Strict/>
> >             </wsp:Policy>
> >           </sp:Layout>
> >
> >           <!--<sp:IncludeTimestamp/>
> >           <sp:OnlySignEntireHeadersAndBody/>
> >           -->
> >         </wsp:Policy>
> >       </sp:AsymmetricBinding>
> >
> >       <sp:EncryptedParts xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
> >         <sp:Body/>
> >       </sp:EncryptedParts>
> >     </wsp:All>
> >   </wsp:ExactlyOne>
> > </wsp:Policy>
> >
> > ...
> >
> > <wsdl:binding name="CollectionImplServiceSoapBinding" type="tns:CollectionService">
> >   <wsp:PolicyReference xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" URI="#AsymEncryption"/>
> >
> > And this is the incoming message:
> >
> > <output>
> > INFO: Inbound Message
> > ----------------------------
> > ID: 1
> > Address: /FooWS/services/Collection/
> > Encoding: UTF-8
> > Content-Type: text/xml; charset=UTF-8
> > Headers: {content-type=[text/xml; charset=UTF-8], connection=[keep-alive], Host=[localhost:9198], Content-Length=[2549], SOAPAction=[""], User-Agent=[Apache CXF 2.2.3], Content-Type=[text/xml; charset=UTF-8], Accept=[*/*], Pragma=[no-cache], Cache-Control=[no-cache]}
> > Payload:
> > <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
> >   <soap:Header>
> >     <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soap:mustUnderstand="1">
> >       <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="EncKeyId-A77755F726FB2C832813189733820252">
> >         <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
> >         <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> >           <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
> >             <ds:X509Data>
> >               <ds:X509IssuerSerial>
> >                 <ds:X509IssuerName>CN=umpd</ds:X509IssuerName>
> >                 <ds:X509SerialNumber>1316785867</ds:X509SerialNumber>
> >               </ds:X509IssuerSerial>
> >             </ds:X509Data>
> >           </wsse:SecurityTokenReference>
> >         </ds:KeyInfo>
> >         <xenc:CipherData>
> >           <xenc:CipherValue>FlnDsQHOdVw0AOZualC9D6HvNIl7Hr2zXqf6YTZV5c28QzhwsJnZHLrL49dVPeq0TGT5QeRylc5lSfkUnWqwLoRs/N7yspkktxshhz7CTu3zzqbo3f82nSAr6d7nLXaI+dsIlDAkmngV/4uOJk1TqavjZl+7XW5XtxGHihzs5Zw=</xenc:CipherValue>
> >         </xenc:CipherData>
> >         <xenc:ReferenceList>
> >           <xenc:DataReference URI="#EncDataId-1" />
> >         </xenc:ReferenceList>
> >       </xenc:EncryptedKey>
> >     </wsse:Security>
> >   </soap:Header>
> >   <soap:Body>
> >     <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="EncDataId-1" Type="http://www.w3.org/2001/04/xmlenc#Content">
> >       <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" />
> >       <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> >         <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
> >           <wsse:Reference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" URI="#EncKeyId-A77755F726FB2C832813189733820252" />
> >         </wsse:SecurityTokenReference>
> >       </ds:KeyInfo>
> >       <xenc:CipherData>
> >         <xenc:CipherValue>[base64 ciphertext elided]</xenc:CipherValue>
> >       </xenc:CipherData>
> >     </xenc:EncryptedData>
> >   </soap:Body>
> > </soap:Envelope>
> > </output>
> >
> > On the client side, the WSS4J is set up as:
> >
> > Map<String,Object> outProps1 = new HashMap<String,Object>();
> > outProps1.put(WSHandlerConstants.ACTION, WSHandlerConstants.ENCRYPT);
> > outProps1.put(WSHandlerConstants.PW_CALLBACK_CLASS, ClientCallbackHandler.class.getName());
> > outProps1.put(WSHandlerConstants.ENC_PROP_FILE, "client-crypto.properties");
> > outProps1.put(WSHandlerConstants.ENCRYPTION_USER, "servicekey");
> >
> > cxfEndpoint.getOutInterceptors().add(new WSS4JOutInterceptor(outProps1));
> >
> > and the properties file is:
> >
> > org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
> > org.apache.ws.security.crypto.merlin.keystore.type=jks
> > org.apache.ws.security.crypto.merlin.keystore.alias=servicekey
> > org.apache.ws.security.crypto.merlin.keystore.password=clientpass
> > org.apache.ws.security.crypto.merlin.file=src/main/keystores/client-store.jks
> >
> > and the cert was imported using the command:
> >
> > $ keytool -import -trustcacerts -keystore client-store.jks -storepass clientpass -alias servicekey -file client-cert.cer
> >
> > Not sure what is going wrong, but there are a lot of steps, so maybe this is
> > a simple error on my part.
> >
> > The CXF version is 2.2.3.
> >
> > Thanks for the help,
> >
> > Aman
>
> --
> Glen Mazza
> Talend - http://www.talend.com/apache
> Blog - http://www.jroller.com/gmazza
> Twitter - glenmazza
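A keystore check for the alias mismatch the thread ends on, added here as an example and not code from the thread, from CXF or from WSS4J: it loads the recipient's JKS, lists each alias with whether it is a key entry (certificate plus private key) or only a trusted certificate, and reports which key entry, if any, matches the X509IssuerSerial that the inbound EncryptedKey references (CN=umpd, serial 1316785867 in the message above). The keystore path and store password are placeholders; WSS4J's Merlin does the same issuer/serial lookup before asking the password callback for the private key, which is why a trusted-cert-only match still ends in "alias is null".

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.math.BigInteger;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.security.auth.x500.X500Principal;

/** Offline diagnosis for the WSS4J "alias is null" decryption failure. */
public class KeystoreAliasCheck {

    /** Returns the alias of the key entry matching issuer+serial, or null. */
    public static String findDecryptionAlias(KeyStore ks, String issuerDn,
                                             BigInteger serial) throws Exception {
        X500Principal wanted = new X500Principal(issuerDn);
        for (String alias : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(alias);
            if (!(c instanceof X509Certificate)) continue;
            X509Certificate x = (X509Certificate) c;
            boolean matches = x.getIssuerX500Principal().equals(wanted)
                    && x.getSerialNumber().equals(serial);
            String kind = ks.isKeyEntry(alias) ? "key entry" : "trusted cert only";
            System.out.printf("%-12s %-18s subject=%s serial=%s%n", alias, kind,
                    x.getSubjectX500Principal(), x.getSerialNumber());
            if (matches && ks.isKeyEntry(alias)) return alias;
            if (matches) System.out.println("  ^ matches the EncryptedKey but carries no private key");
        }
        return null; // nothing usable: Merlin.getPrivateKey() fails with "alias is null"
    }

    public static void main(String[] args) throws Exception {
        // Placeholders: point these at the keystore named in the server's DEC_PROP_FILE.
        String path = args.length > 0 ? args[0] : "server-encypt.jks";
        char[] storePass = (args.length > 1 ? args[1] : "storepass").toCharArray();
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, storePass);
        }
        // Issuer and serial copied from the inbound message's <ds:X509IssuerSerial>.
        String alias = findDecryptionAlias(ks, "CN=umpd", new BigInteger("1316785867"));
        System.out.println(alias == null
                ? "No key entry matches: WSS4J will report 'alias is null'"
                : "Decryption alias: " + alias + " (this is what merlin.keystore.alias must name)");
    }
}
```

Run it against both keystores from the thread: the encrypting side's truststore will show the cert as "trusted cert only", and the decrypting side's keystore must show the same issuer/serial as a "key entry" for decryption to succeed.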
